diff --git a/salt/common/tools/sbin/so-elasticsearch-component-templates-list b/salt/common/tools/sbin/so-elasticsearch-component-templates-list
new file mode 100755
index 000000000..69deb1873
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-component-templates-list
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+. /usr/sbin/so-common
+if [ "$1" == "" ]; then
+ {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort
+else
+ {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq
+fi
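Review bot: On the `else` branch `$1` is interpolated unquoted into the request URL, so a name containing whitespace, `?`, `/` or `../` is word-split into extra curl arguments or rewrites the API path instead of selecting a template. Quote it and reject anything outside a conservative allowlist before the URL is built, e.g. `[[ "$1" =~ ^[A-Za-z0-9._@-]+$ ]] || { echo "invalid template name: $1" >&2; exit 1; }` and `https://{{ NODEIP }}:9200/_component_template/"$1"` (the exact set of characters Elasticsearch permits in template names is not visible here, so widen the class only if a real template name fails it). The `-k` flag disables certificate verification for the node at `elasticsearch:mainip`; what `ELASTICCURL` expands to in so-common is outside this hunk, but if the cluster CA is already on disk a `--cacert` there would close that gap. Finally, curl's exit status is masked by the pipe into jq, so a refused connection or a bad pillar value (the default for `NODEIP` is the empty string, giving `https://:9200`) prints nothing rather than an error — `set -o pipefail` after the `so-common` source and a `[[ -n "{{ NODEIP }}" ]]` guard would surface both.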
diff --git a/salt/common/tools/sbin/so-elasticsearch-index-templates-list b/salt/common/tools/sbin/so-elasticsearch-index-templates-list
new file mode 100755
index 000000000..84fecc565
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-index-templates-list
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+. /usr/sbin/so-common
+if [ "$1" == "" ]; then
+ {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort
+else
+ {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq
+fi
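Review bot: The `$1` lookup on the `else` branch is both unquoted and unvalidated, so an argument with spaces or URL metacharacters (`?`, `/`, `..`) changes the curl invocation or the `_index_template` path rather than being treated as a template name. The same fix as in the sibling component-templates script applies: `[[ "$1" =~ ^[A-Za-z0-9._@-]+$ ]] || { echo "invalid template name: $1" >&2; exit 1; }` followed by `.../_index_template/"$1"`. Since this file differs from `so-elasticsearch-component-templates-list` only in the API path and the jq key, a single helper in so-common taking the endpoint (`_index_template` / `_component_template`) as a parameter would keep the quoting and validation in one place. Also worth noting that `-k` skips TLS verification and that a failed curl is hidden by the pipe into jq without `set -o pipefail`.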
diff --git a/salt/elasticsearch/templates/component/ecs/aws.json b/salt/elasticsearch/templates/component/ecs/aws.json
new file mode 100644
index 000000000..ccea31e27
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/aws.json
@@ -0,0 +1,570 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "aws": {
+ "properties": {
+ "cloudtrail": {
+ "properties": {
+ "additional_eventdata": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "api_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "console_login": {
+ "properties": {
+ "additional_eventdata": {
+ "properties": {
+ "login_to": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mfa_used": {
+ "type": "boolean"
+ },
+ "mobile_version": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+ },
+ "digest": {
+ "properties": {
+ "end_time": {
+ "type": "date"
+ },
+ "log_files": {
+ "type": "nested"
+ },
+ "newest_event_time": {
+ "type": "date"
+ },
+ "oldest_event_time": {
+ "type": "date"
+ },
+ "previous_hash_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "previous_s3_bucket": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "public_key_fingerprint": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "s3_bucket": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "s3_object": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature_algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "start_time": {
+ "type": "date"
+ }
+ }
+ },
+ "error_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "error_message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "flattened": {
+ "properties": {
+ "additional_eventdata": {
+ "type": "flattened"
+ },
+ "request_parameters": {
+ "type": "flattened"
+ },
+ "response_elements": {
+ "type": "flattened"
+ },
+ "service_event_details": {
+ "type": "flattened"
+ }
+ }
+ },
+ "insight_details": {
+ "type": "flattened"
+ },
+ "management_event": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "read_only": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "recipient_account_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "request_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "request_parameters": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resources": {
+ "properties": {
+ "account_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "arn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "response_elements": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service_event_details": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "shared_event_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_identity": {
+ "properties": {
+ "access_key_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "arn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "invoked_by": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "session_context": {
+ "properties": {
+ "creation_date": {
+ "type": "date"
+ },
+ "mfa_authenticated": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "session_issuer": {
+ "properties": {
+ "account_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "arn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "principal_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vpc_endpoint_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "cloudwatch": {
+ "properties": {
+ "message": {
+ "norms": false,
+ "type": "text"
+ }
+ }
+ },
+ "ec2": {
+ "properties": {
+ "ip_address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "elb": {
+ "properties": {
+ "action_executed": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "backend": {
+ "properties": {
+ "http": {
+ "properties": {
+ "response": {
+ "properties": {
+ "status_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "ip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "port": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "backend_processing_time": {
+ "properties": {
+ "sec": {
+ "type": "float"
+ }
+ }
+ },
+ "chosen_cert": {
+ "properties": {
+ "arn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "serial": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "classification": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "classification_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connection_time": {
+ "properties": {
+ "ms": {
+ "type": "long"
+ }
+ }
+ },
+ "error": {
+ "properties": {
+ "reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "incoming_tls_alert": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "listener": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "matched_rule_priority": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "redirect_url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "request_processing_time": {
+ "properties": {
+ "sec": {
+ "type": "float"
+ }
+ }
+ },
+ "response_processing_time": {
+ "properties": {
+ "sec": {
+ "type": "float"
+ }
+ }
+ },
+ "ssl_cipher": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssl_protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target_group": {
+ "properties": {
+ "arn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "target_port": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target_status_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tls_handshake_time": {
+ "properties": {
+ "ms": {
+ "type": "long"
+ }
+ }
+ },
+ "tls_named_group": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "trace_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "s3access": {
+ "properties": {
+ "authentication_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "bucket": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "bucket_owner": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "bytes_sent": {
+ "type": "long"
+ },
+ "cipher_suite": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "error_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "host_header": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "host_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "http_status": {
+ "type": "long"
+ },
+ "key": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "object_size": {
+ "type": "long"
+ },
+ "operation": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "referrer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "remote_ip": {
+ "type": "ip"
+ },
+ "request_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "request_uri": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requester": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tls_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "total_time": {
+ "type": "long"
+ },
+ "turn_around_time": {
+ "type": "long"
+ },
+ "user_agent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vpcflow": {
+ "properties": {
+ "account_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "instance_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "interface_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "log_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pkt_dstaddr": {
+ "type": "ip"
+ },
+ "pkt_srcaddr": {
+ "type": "ip"
+ },
+ "subnet_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tcp_flags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tcp_flags_array": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpc_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/azure.json b/salt/elasticsearch/templates/component/ecs/azure.json
new file mode 100644
index 000000000..5e1acaae5
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/azure.json
@@ -0,0 +1,604 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "azure": {
+ "properties": {
+ "activitylogs": {
+ "properties": {
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "identity": {
+ "properties": {
+ "authorization": {
+ "properties": {
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "evidence": {
+ "properties": {
+ "principal_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "principal_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "role": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "role_assignment_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "role_assignment_scope": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "role_definition_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "scope": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "claims": {
+ "properties": {
+ "*": {
+ "type": "object"
+ }
+ }
+ },
+ "claims_initiated_by_user": {
+ "properties": {
+ "fullname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "givenname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "schema": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "surname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "operation_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "properties": {
+ "type": "flattened"
+ },
+ "result_signature": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "auditlogs": {
+ "properties": {
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "identity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "operation_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "operation_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "properties": {
+ "properties": {
+ "activity_datetime": {
+ "type": "date"
+ },
+ "activity_display_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "correlation_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "initiated_by": {
+ "properties": {
+ "app": {
+ "properties": {
+ "appId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "displayName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "servicePrincipalId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "servicePrincipalName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "user": {
+ "properties": {
+ "displayName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ipAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "userPrincipalName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "logged_by_service": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "operation_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target_resources": {
+ "properties": {
+ "*": {
+ "properties": {
+ "display_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ip_address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "modified_properties": {
+ "properties": {
+ "*": {
+ "properties": {
+ "display_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "new_value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "old_value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_principal_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "result_signature": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tenant_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "consumer_group": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "correlation_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "enqueued_time": {
+ "type": "date"
+ },
+ "eventhub": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "offset": {
+ "type": "long"
+ },
+ "partition_id": {
+ "type": "long"
+ },
+ "platformlogs": {
+ "properties": {
+ "ActivityId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Caller": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Cloud": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Environment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "EventTimeString": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ScaleUnit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ccpNamespace": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "operation_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "properties": {
+ "type": "flattened"
+ },
+ "result_signature": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "resource": {
+ "properties": {
+ "authorization_rule": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "namespace": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "provider": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "sequence_number": {
+ "type": "long"
+ },
+ "signinlogs": {
+ "properties": {
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "identity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "operation_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "operation_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "properties": {
+ "properties": {
+ "app_display_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "authentication_processing_details": {
+ "type": "flattened"
+ },
+ "authentication_requirement": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "authentication_requirement_policies": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "autonomous_system_number": {
+ "type": "long"
+ },
+ "client_app_used": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "conditional_access_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "correlation_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "created_at": {
+ "type": "date"
+ },
+ "cross_tenant_access_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "device_detail": {
+ "properties": {
+ "browser": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "device_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "display_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "operating_system": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "trust_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "flagged_for_review": {
+ "type": "boolean"
+ },
+ "home_tenant_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "is_interactive": {
+ "type": "boolean"
+ },
+ "is_tenant_restricted": {
+ "type": "boolean"
+ },
+ "original_request_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "processing_time_ms": {
+ "type": "float"
+ },
+ "resource_display_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resource_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resource_tenant_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "risk_detail": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "risk_event_types": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "risk_event_types_v2": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "risk_level_aggregated": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "risk_level_during_signin": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "risk_state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service_principal_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service_principal_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sso_extension_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "properties": {
+ "error_code": {
+ "type": "long"
+ }
+ }
+ },
+ "token_issuer_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "token_issuer_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_display_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_principal_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "result_description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result_signature": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tenant_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "subscription_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tenant_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/cef.json b/salt/elasticsearch/templates/component/ecs/cef.json
new file mode 100644
index 000000000..376fbf26a
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/cef.json
@@ -0,0 +1,772 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "cef": {
+ "properties": {
+ "device": {
+ "properties": {
+ "event_class_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vendor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "extensions": {
+ "properties": {
+ "Reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentAddress": {
+ "type": "ip"
+ },
+ "agentDnsDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentHostName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentMacAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentNtDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentReceiptTime": {
+ "type": "date"
+ },
+ "agentTimeZone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentTranslatedAddress": {
+ "type": "ip"
+ },
+ "agentTranslatedZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentTranslatedZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentVersion": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "applicationProtocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "baseEventCount": {
+ "type": "long"
+ },
+ "bytesIn": {
+ "type": "long"
+ },
+ "bytesOut": {
+ "type": "long"
+ },
+ "categoryBehavior": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categoryDeviceGroup": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categoryDeviceType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categoryObject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categoryOutcome": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categorySignificance": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categoryTechnique": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cp_app_risk": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cp_severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "customerExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "customerURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationAddress": {
+ "type": "ip"
+ },
+ "destinationDnsDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationGeoLatitude": {
+ "type": "double"
+ },
+ "destinationGeoLongitude": {
+ "type": "double"
+ },
+ "destinationHostName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationMacAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationNtDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationPort": {
+ "type": "long"
+ },
+ "destinationProcessId": {
+ "type": "long"
+ },
+ "destinationProcessName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationServiceName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationTranslatedAddress": {
+ "type": "ip"
+ },
+ "destinationTranslatedPort": {
+ "type": "long"
+ },
+ "destinationTranslatedZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationTranslatedZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationUserId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationUserName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationUserPrivileges": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceAction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceAddress": {
+ "type": "ip"
+ },
+ "deviceCustomDate1": {
+ "type": "date"
+ },
+ "deviceCustomDate1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomDate2": {
+ "type": "date"
+ },
+ "deviceCustomDate2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomFloatingPoint1": {
+ "type": "double"
+ },
+ "deviceCustomFloatingPoint1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomFloatingPoint2": {
+ "type": "double"
+ },
+ "deviceCustomFloatingPoint2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomFloatingPoint3": {
+ "type": "double"
+ },
+ "deviceCustomFloatingPoint3Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomFloatingPoint4": {
+ "type": "double"
+ },
+ "deviceCustomFloatingPoint4Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomIPv6Address1": {
+ "type": "ip"
+ },
+ "deviceCustomIPv6Address1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomIPv6Address2": {
+ "type": "ip"
+ },
+ "deviceCustomIPv6Address2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomIPv6Address3": {
+ "type": "ip"
+ },
+ "deviceCustomIPv6Address3Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomIPv6Address4": {
+ "type": "ip"
+ },
+ "deviceCustomIPv6Address4Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomNumber1": {
+ "type": "long"
+ },
+ "deviceCustomNumber1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomNumber2": {
+ "type": "long"
+ },
+ "deviceCustomNumber2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomNumber3": {
+ "type": "long"
+ },
+ "deviceCustomNumber3Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString2": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString3": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString3Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString4": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString4Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString5Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString6": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString6Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceDirection": {
+ "type": "long"
+ },
+ "deviceDnsDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceEventCategory": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceExternalId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceFacility": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceFlexNumber1": {
+ "type": "long"
+ },
+ "deviceFlexNumber1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceFlexNumber2": {
+ "type": "long"
+ },
+ "deviceFlexNumber2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceHostName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceInboundInterface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceMacAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceNtDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceOutboundInterface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "devicePayloadId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceProcessId": {
+ "type": "long"
+ },
+ "deviceProcessName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceReceiptTime": {
+ "type": "date"
+ },
+ "deviceTimeZone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceTranslatedAddress": {
+ "type": "ip"
+ },
+ "deviceTranslatedZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceTranslatedZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "endTime": {
+ "type": "date"
+ },
+ "eventId": {
+ "type": "long"
+ },
+ "eventOutcome": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "externalId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fileCreateTime": {
+ "type": "date"
+ },
+ "fileHash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fileId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fileModificationTime": {
+ "type": "date"
+ },
+ "filePath": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filePermission": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fileSize": {
+ "type": "long"
+ },
+ "fileType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filename": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "flexDate1": {
+ "type": "date"
+ },
+ "flexDate1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "flexString1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "flexString1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "flexString2": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "flexString2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ifname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "inzone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "layer_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "layer_uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "logid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "loguid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "managerReceiptTime": {
+ "type": "date"
+ },
+ "match_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat_addtnl_rulenum": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat_rulenum": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFileCreateTime": {
+ "type": "date"
+ },
+ "oldFileHash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFileId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFileModificationTime": {
+ "type": "date"
+ },
+ "oldFileName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFilePath": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFilePermission": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFileSize": {
+ "type": "long"
+ },
+ "oldFileType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "origin": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "originsicname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "outzone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent_rule": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rawEvent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requestClientApplication": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requestContext": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requestCookies": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requestMethod": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requestUrl": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rule_action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rule_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sequencenum": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceAddress": {
+ "type": "ip"
+ },
+ "sourceDnsDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceGeoLatitude": {
+ "type": "double"
+ },
+ "sourceGeoLongitude": {
+ "type": "double"
+ },
+ "sourceHostName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceMacAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceNtDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourcePort": {
+ "type": "long"
+ },
+ "sourceProcessId": {
+ "type": "long"
+ },
+ "sourceProcessName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceServiceName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceTranslatedAddress": {
+ "type": "ip"
+ },
+ "sourceTranslatedPort": {
+ "type": "long"
+ },
+ "sourceTranslatedZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceTranslatedZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceUserId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceUserName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceUserPrivileges": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "startTime": {
+ "type": "date"
+ },
+ "transportProtocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "type": "long"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/checkpoint.json b/salt/elasticsearch/templates/component/ecs/checkpoint.json
new file mode 100644
index 000000000..bb2f8f6de
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/checkpoint.json
@@ -0,0 +1,1615 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "checkpoint": {
+ "properties": {
+ "action_reason": {
+ "type": "long"
+ },
+ "action_reason_msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "additional_info": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "additional_ip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "additional_rdata": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "alert": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "allocated_ports": {
+ "type": "long"
+ },
+ "analyzed_on": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "answer_rdata": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "anti_virus_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app_desc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app_id": {
+ "type": "long"
+ },
+ "app_package": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app_properties": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app_repackaged": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app_risk": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app_severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app_sid_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app_sig_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "appi_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "arrival_time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "attachments_num": {
+ "type": "long"
+ },
+ "attack_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "audit_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "auth_method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "authority_rdata": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "authorization": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "bcc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "blade_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "broker_publisher": {
+ "type": "ip"
+ },
+ "browse_time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "c_bytes": {
+ "type": "long"
+ },
+ "calc_desc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "capacity": {
+ "type": "long"
+ },
+ "capture_uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "certificate_resource": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "certificate_validation": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cgnet": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "chunk_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "client_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "client_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "client_type_os": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "client_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cluster_info": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "community": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "confidence_level": {
+ "type": "long"
+ },
+ "connection_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connectivity_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connectivity_state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "conns_amount": {
+ "type": "long"
+ },
+ "content_disposition": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "content_length": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "content_risk": {
+ "type": "long"
+ },
+ "content_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "context_num": {
+ "type": "long"
+ },
+ "cookie": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cookieI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cookieR": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cp_message": {
+ "type": "long"
+ },
+ "cvpn_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cvpn_resource": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "data_type_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dce-rpc_interface_uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "delivery_time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "desc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destination_object": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "detected_on": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "developer_certificate_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "diameter_app_ID": {
+ "type": "long"
+ },
+ "diameter_cmd_code": {
+ "type": "long"
+ },
+ "diameter_msg_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_action_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_additional_action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_categories": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_data_type_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_data_type_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_fingerprint_files_number": {
+ "type": "long"
+ },
+ "dlp_fingerprint_long_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_fingerprint_short_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_incident_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_recipients": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_related_incident_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_relevant_data_types": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_repository_directories_number": {
+ "type": "long"
+ },
+ "dlp_repository_files_number": {
+ "type": "long"
+ },
+ "dlp_repository_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_repository_not_scanned_directories_percentage": {
+ "type": "long"
+ },
+ "dlp_repository_reached_directories_number": {
+ "type": "long"
+ },
+ "dlp_repository_root_path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_repository_scan_progress": {
+ "type": "long"
+ },
+ "dlp_repository_scanned_directories_number": {
+ "type": "long"
+ },
+ "dlp_repository_scanned_files_number": {
+ "type": "long"
+ },
+ "dlp_repository_scanned_total_size": {
+ "type": "long"
+ },
+ "dlp_repository_skipped_files_number": {
+ "type": "long"
+ },
+ "dlp_repository_total_size": {
+ "type": "long"
+ },
+ "dlp_repository_unreachable_directories_number": {
+ "type": "long"
+ },
+ "dlp_rule_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_template_score": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_transint": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_violation_description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_watermark_profile": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dlp_word_list": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dns_query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "drop_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dropped_file_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dropped_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dropped_file_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dropped_file_verdict": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dropped_incoming": {
+ "type": "long"
+ },
+ "dropped_outgoing": {
+ "type": "long"
+ },
+ "dropped_total": {
+ "type": "long"
+ },
+ "drops_amount": {
+ "type": "long"
+ },
+ "dst_country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dst_phone_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dst_user_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstkeyid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "duplicate": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "duration": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "elapsed": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_content": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_control": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_control_analysis": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_headers": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_message_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_queue_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_queue_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_recipients_num": {
+ "type": "long"
+ },
+ "email_session_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_spam_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_spool_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email_subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "emulated_on": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "encryption_failure": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "end_time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "end_user_firewall_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "esod_access_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "esod_associated_policies": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "esod_noncompliance_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "esod_rule_action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "esod_rule_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "esod_rule_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "esod_scan_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_count": {
+ "type": "long"
+ },
+ "expire_time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extension_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extracted_file_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extracted_file_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extracted_file_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extracted_file_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extracted_file_verdict": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "failure_impact": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "failure_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_direction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "files_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "first_hit_time": {
+ "type": "long"
+ },
+ "frequency": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fs-proto": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ftp_user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fw_message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fw_subproduct": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hide_ip": {
+ "type": "ip"
+ },
+ "hit": {
+ "type": "long"
+ },
+ "host_time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "http_host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "http_location": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "http_server": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "https_inspection_action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "https_inspection_rule_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "https_inspection_rule_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "https_validation": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icap_more_info": {
+ "type": "long"
+ },
+ "icap_server_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icap_server_service": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icap_service_id": {
+ "type": "long"
+ },
+ "icmp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icmp_code": {
+ "type": "long"
+ },
+ "icmp_type": {
+ "type": "long"
+ },
+ "id": {
+ "type": "long"
+ },
+ "identity_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ike": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ike_ids": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "impacted_files": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "incident_extension": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "indicator_description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "indicator_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "indicator_reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "indicator_uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "info": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "information": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "inspection_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "inspection_item": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "inspection_profile": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "inspection_settings_log": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "installed_products": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "int_end": {
+ "type": "long"
+ },
+ "int_start": {
+ "type": "long"
+ },
+ "integrity_av_invoke_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "interface_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "internal_error": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "invalid_file_size": {
+ "type": "long"
+ },
+ "ip_option": {
+ "type": "long"
+ },
+ "isp_link": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_hit_time": {
+ "type": "long"
+ },
+ "last_rematch_time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "layer_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "layer_uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "limit_applied": {
+ "type": "long"
+ },
+ "limit_requested": {
+ "type": "long"
+ },
+ "link_probing_status_update": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "links_num": {
+ "type": "long"
+ },
+ "log_delay": {
+ "type": "long"
+ },
+ "log_id": {
+ "type": "long"
+ },
+ "logid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "long_desc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "machine": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "malware_family": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_fk": {
+ "type": "long"
+ },
+ "match_id": {
+ "type": "long"
+ },
+ "matched_file": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "matched_file_percentage": {
+ "type": "long"
+ },
+ "matched_file_text_segments": {
+ "type": "long"
+ },
+ "media_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message_info": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message_size": {
+ "type": "long"
+ },
+ "method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "methods": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mime_from": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mime_to": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mirror_and_decrypt_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_collection": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_command_and_control": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_credential_access": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_defense_evasion": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_discovery": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_execution": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_exfiltration": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_impact": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_initial_access": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_lateral_movement": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_persistence": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_privilege_escalation": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "monitor_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "msgid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat46": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat_addtnl_rulenum": {
+ "type": "long"
+ },
+ "nat_exhausted_pool": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat_rulenum": {
+ "type": "long"
+ },
+ "needs_browse_time": {
+ "type": "long"
+ },
+ "next_hop_ip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "next_scheduled_scan_date": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "number_of_errors": {
+ "type": "long"
+ },
+ "objecttable": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "objecttype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "observable_comment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "observable_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "observable_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "operation": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "operation_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "origin_sic_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original_queue_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "outgoing_url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "packet_amount": {
+ "type": "long"
+ },
+ "packet_capture_unique_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent_file_hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent_file_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent_process_username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent_rule": {
+ "type": "long"
+ },
+ "peer_gateway": {
+ "type": "ip"
+ },
+ "peer_ip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "peer_ip_probing_status_update": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "performance_impact": {
+ "type": "long"
+ },
+ "policy_mgmt": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "policy_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ports_usage": {
+ "type": "long"
+ },
+ "ppp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "precise_error": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "process_username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "properties": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "protection_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "protection_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "protection_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "proxy_machine_name": {
+ "type": "long"
+ },
+ "proxy_src_ip": {
+ "type": "ip"
+ },
+ "proxy_user_dn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "proxy_user_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "question_rdata": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "referrer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "referrer_parent_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "referrer_self_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "registered_ip-phones": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reject_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reject_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rematch_info": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "remediated_files": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reply_status": {
+ "type": "long"
+ },
+ "risk": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rpc_prog": {
+ "type": "long"
+ },
+ "rule": {
+ "type": "long"
+ },
+ "rule_action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rulebase_id": {
+ "type": "long"
+ },
+ "scan_direction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scan_hosts_day": {
+ "type": "long"
+ },
+ "scan_hosts_hour": {
+ "type": "long"
+ },
+ "scan_hosts_week": {
+ "type": "long"
+ },
+ "scan_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scan_mail": {
+ "type": "long"
+ },
+ "scan_result": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scan_results": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scheme": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scope": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scrub_activity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scrub_download_time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scrub_time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scrub_total_time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scrubbed_content": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sctp_association_state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sctp_error": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scv_message_info": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scv_user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "securexl_message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sensor_mode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "session_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "session_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "short_desc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sig_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "similar_communication": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "similar_hashes": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "similar_strings": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "similiar_iocs": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sip_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "site_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_interface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_object": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_os": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "special_properties": {
+ "type": "long"
+ },
+ "specific_data_type_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "speed": {
+ "type": "long"
+ },
+ "spyware_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "spyware_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "spyware_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_phone_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_user_dn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_user_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srckeyid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status_update": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_policy_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_policy_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subs_exp": {
+ "type": "date"
+ },
+ "subscriber": {
+ "type": "ip"
+ },
+ "summary": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "suppressed_logs": {
+ "type": "long"
+ },
+ "sync": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sys_message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tcp_end_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tcp_flags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tcp_packet_out_of_state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tcp_state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "te_verdict_determined_by": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "termination_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ticket_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tls_server_host_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "top_archive_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "total_attachments": {
+ "type": "long"
+ },
+ "triggered_by": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "trusted_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "unique_detected_day": {
+ "type": "long"
+ },
+ "unique_detected_hour": {
+ "type": "long"
+ },
+ "unique_detected_week": {
+ "type": "long"
+ },
+ "update_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_agent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vendor_list": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "verdict": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "via": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "virus_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_attach_action_info": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_attach_sz": {
+ "type": "long"
+ },
+ "voip_call_dir": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_call_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_call_state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_call_term_time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_config": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_duration": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_est_codec": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_exp": {
+ "type": "long"
+ },
+ "voip_from_user_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_log_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_media_codec": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_media_ipp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_media_port": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_reason_info": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_reg_int": {
+ "type": "long"
+ },
+ "voip_reg_ipp": {
+ "type": "long"
+ },
+ "voip_reg_period": {
+ "type": "long"
+ },
+ "voip_reg_server": {
+ "type": "ip"
+ },
+ "voip_reg_user_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_reject_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "voip_to_user_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpn_feature_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "watermark": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "web_server_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "word_list": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
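Review bot: Every `keyword` field in this mapping carries `"ignore_above": 1024`, including fields whose values routinely exceed that length in the logs a detection engineer cares about — `url` (L3496), `user_agent` (L3504), `email_headers` (L3517), `cookie` (L2260), `dns_query` (L2441), `query` (L3161) — and a value longer than 1024 characters is kept in `_source` but is not indexed, so searches and alert rules on those fields will silently miss it. For those fields consider a larger limit or a different mapping, e.g. `"url": { "type": "wildcard" }`, depending on the Elasticsearch version in use. `proxy_machine_name` is mapped as `"type": "long"` (L3147–L3149), which looks wrong for a host-name field; if this file is a verbatim copy of the upstream Filebeat checkpoint field definitions that may be deliberate, but it is worth confirming against a sample event. `_meta.documentation` (L2031) points at the generic ECS base page although the fields are vendor-specific; pointing it at the Check Point field reference would help the next maintainer.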
diff --git a/salt/elasticsearch/templates/component/ecs/cisco.json b/salt/elasticsearch/templates/component/ecs/cisco.json
new file mode 100644
index 000000000..3800b79fc
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/cisco.json
@@ -0,0 +1,620 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "cisco": {
+ "properties": {
+ "amp": {
+ "properties": {
+ "bp_data": {
+ "type": "flattened"
+ },
+ "cloud_ioc": {
+ "properties": {
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "short_description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "command_line": {
+ "properties": {
+ "arguments": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "computer": {
+ "properties": {
+ "active": {
+ "type": "boolean"
+ },
+ "connector_guid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "external_ip": {
+ "type": "ip"
+ },
+ "network_addresses": {
+ "type": "flattened"
+ }
+ }
+ },
+ "connector_guid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "detection": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "detection_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "error": {
+ "properties": {
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "error_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "event_type_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file": {
+ "properties": {
+ "archived_file": {
+ "properties": {
+ "disposition": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "identity": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "attack_details": {
+ "properties": {
+ "application": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "attacked_module": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "base_address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "indicators": {
+ "type": "flattened"
+ },
+ "suspicious_files": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "disposition": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent": {
+ "properties": {
+ "disposition": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "group_guids": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_tactics": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_techniques": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "network_info": {
+ "properties": {
+ "disposition": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nfm": {
+ "properties": {
+ "direction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "parent": {
+ "properties": {
+ "disposition": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "identify": {
+ "properties": {
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "identity": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "related": {
+ "properties": {
+ "cve": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "scan": {
+ "properties": {
+ "clean": {
+ "type": "boolean"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "malicious_detections": {
+ "type": "long"
+ },
+ "scanned_files": {
+ "type": "long"
+ },
+ "scanned_paths": {
+ "type": "long"
+ },
+ "scanned_processes": {
+ "type": "long"
+ }
+ }
+ },
+ "tactics": {
+ "type": "flattened"
+ },
+ "techniques": {
+ "type": "flattened"
+ },
+ "threat_hunting": {
+ "properties": {
+ "incident_end_time": {
+ "type": "date"
+ },
+ "incident_hunt_guid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "incident_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "incident_remediation": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "incident_report_guid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "incident_start_time": {
+ "type": "date"
+ },
+ "incident_summary": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "incident_title": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tactics": {
+ "type": "flattened"
+ },
+ "techniques": {
+ "type": "flattened"
+ }
+ }
+ },
+ "timestamp_nanoseconds": {
+ "type": "date"
+ },
+ "vulnerabilities": {
+ "type": "flattened"
+ }
+ }
+ },
+ "asa": {
+ "properties": {
+ "assigned_ip": {
+ "type": "ip"
+ },
+ "burst": {
+ "properties": {
+ "avg_rate": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "configured_avg_rate": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "configured_rate": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cumulative_count": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "current_rate": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "object": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "command_line_arguments": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connection_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connection_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dap_records": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destination_interface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destination_username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icmp_code": {
+ "type": "short"
+ },
+ "icmp_type": {
+ "type": "short"
+ },
+ "mapped_destination_host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mapped_destination_ip": {
+ "type": "ip"
+ },
+ "mapped_destination_port": {
+ "type": "long"
+ },
+ "mapped_source_host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mapped_source_ip": {
+ "type": "ip"
+ },
+ "mapped_source_port": {
+ "type": "long"
+ },
+ "message_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "privilege": {
+ "properties": {
+ "new": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "old": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "rule_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "session_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_interface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "suffix": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "termination_initiator": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "termination_user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "threat_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "threat_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tunnel_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "webvpn": {
+ "properties": {
+ "group_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "ftd": {
+ "properties": {
+ "connection_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connection_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dap_records": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destination_interface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destination_username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icmp_code": {
+ "type": "short"
+ },
+ "icmp_type": {
+ "type": "short"
+ },
+ "mapped_destination_host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mapped_destination_ip": {
+ "type": "ip"
+ },
+ "mapped_destination_port": {
+ "type": "long"
+ },
+ "mapped_source_host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mapped_source_ip": {
+ "type": "ip"
+ },
+ "mapped_source_port": {
+ "type": "long"
+ },
+ "message_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rule_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "security": {
+ "type": "object"
+ },
+ "source_interface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "suffix": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "termination_initiator": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "termination_user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "threat_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "threat_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "webvpn": {
+ "properties": {
+ "group_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "ios": {
+ "properties": {
+ "access_list": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "facility": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "umbrella": {
+ "properties": {
+ "amp_disposition": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "amp_malware_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "amp_score": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "av_detections": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "blocked_categories": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categories": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "content_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "datacenter": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "identities": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "identity_types": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "origin_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "policy_identity_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "puas": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha_sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
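Review bot: Under `cisco.amp.network_info.parent` the hunk defines both an `identify` object holding only `sha256` and an `identity` object holding `md5` and `sha1`; `identify` looks like a misspelling of `identity`, since `file.archived_file.identity` earlier in the same hunk keeps all three hashes under one `identity` object. As mapped, a query or visualization over `cisco.amp.network_info.parent.identity.*` will silently miss the sha256 value, which matters for hash-based pivoting during triage. If the spelling intentionally mirrors the upstream Filebeat module's field name so that ingested documents keep matching, it should stay and a short `_meta` note should say so; otherwise move the `sha256` entry into `identity`. Separately, `_meta.documentation` in this file, and likewise in `cyberark.json` and `fortinet.json`, points at the generic ECS base page rather than anything that describes these vendor-specific fields, so a maintainer cannot tell where the field list came from or how to refresh it.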
diff --git a/salt/elasticsearch/templates/component/ecs/cyberark.json b/salt/elasticsearch/templates/component/ecs/cyberark.json
new file mode 100644
index 000000000..20e90f6ea
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/cyberark.json
@@ -0,0 +1,305 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "cyberarkpas": {
+ "properties": {
+ "audit": {
+ "properties": {
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ca_properties": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cpm_disabled": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cpm_error_details": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cpm_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "creation_method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "customer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "database": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "device_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dual_account_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "in_process": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "index": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_fail_date": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_success_change": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_success_reconciliation": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_success_verification": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_task": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "logon_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "other": {
+ "type": "flattened"
+ },
+ "policy_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "port": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "privcloud": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reset_immediately": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "retries_count": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sequence_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_dn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "virtual_username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "desc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extra_details": {
+ "properties": {
+ "ad_process_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ad_process_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "application_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "command": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connection_component_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dst_host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "logon_account": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "managed_account": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "other": {
+ "type": "flattened"
+ },
+ "process_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "process_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "psmid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "session_duration": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "session_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "file": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "gateway_station": {
+ "type": "ip"
+ },
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "iso_timestamp": {
+ "type": "date"
+ },
+ "issuer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "doc_values": false,
+ "ignore_above": 4096,
+ "index": false,
+ "type": "keyword"
+ },
+ "message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pvwa_details": {
+ "type": "flattened"
+ },
+ "raw": {
+ "doc_values": false,
+ "ignore_above": 4096,
+ "index": false,
+ "type": "keyword"
+ },
+ "reason": {
+ "norms": false,
+ "type": "text"
+ },
+ "rfc5424": {
+ "type": "boolean"
+ },
+ "safe": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "station": {
+ "type": "ip"
+ },
+ "target_user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timestamp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vendor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json b/salt/elasticsearch/templates/component/ecs/elasticsearch.json
similarity index 100%
rename from salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json
rename to salt/elasticsearch/templates/component/ecs/elasticsearch.json
diff --git a/salt/elasticsearch/templates/component/ecs/fortinet.json b/salt/elasticsearch/templates/component/ecs/fortinet.json
new file mode 100644
index 000000000..1f9b7496d
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/fortinet.json
@@ -0,0 +1,1627 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "fortinet": {
+ "properties": {
+ "file": {
+ "properties": {
+ "hash": {
+ "properties": {
+ "crc32": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "firewall": {
+ "properties": {
+ "acct_stat": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "acktime": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "act": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "activity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "addr": {
+ "type": "ip"
+ },
+ "addr_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "addrgrp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "adgroup": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "admin": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "age": {
+ "type": "long"
+ },
+ "agent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "alarmid": {
+ "type": "long"
+ },
+ "alert": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "analyticscksum": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "analyticssubmit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ap": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app-type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "appact": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "appid": {
+ "type": "long"
+ },
+ "applist": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "apprisk": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "apscan": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "apsn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "apstatus": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "aptype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "assigned": {
+ "type": "ip"
+ },
+ "assignip": {
+ "type": "ip"
+ },
+ "attachment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "attack": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "attackcontext": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "attackcontextid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "attackid": {
+ "type": "long"
+ },
+ "auditid": {
+ "type": "long"
+ },
+ "auditscore": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "audittime": {
+ "type": "long"
+ },
+ "authgrp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "authid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "authproto": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "authserver": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "bandwidth": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "banned_rule": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "banned_src": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "banword": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "botnetdomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "botnetip": {
+ "type": "ip"
+ },
+ "bssid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "call_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "carrier_ep": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cat": {
+ "type": "long"
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cdrcontent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "centralnatid": {
+ "type": "long"
+ },
+ "cert": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cert-type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "certhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cfgattr": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cfgobj": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cfgpath": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cfgtid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cfgtxpower": {
+ "type": "long"
+ },
+ "channel": {
+ "type": "long"
+ },
+ "channeltype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "chassisid": {
+ "type": "long"
+ },
+ "checksum": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "chgheaders": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cldobjid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "client_addr": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cloudaction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "clouduser": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "column": {
+ "type": "long"
+ },
+ "command": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "community": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "configcountry": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connection_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "conserve": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "constraint": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "contentdisarmed": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "contenttype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cookies": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "count": {
+ "type": "long"
+ },
+ "countapp": {
+ "type": "long"
+ },
+ "countav": {
+ "type": "long"
+ },
+ "countcifs": {
+ "type": "long"
+ },
+ "countdlp": {
+ "type": "long"
+ },
+ "countdns": {
+ "type": "long"
+ },
+ "countemail": {
+ "type": "long"
+ },
+ "countff": {
+ "type": "long"
+ },
+ "countips": {
+ "type": "long"
+ },
+ "countssh": {
+ "type": "long"
+ },
+ "countssl": {
+ "type": "long"
+ },
+ "countwaf": {
+ "type": "long"
+ },
+ "countweb": {
+ "type": "long"
+ },
+ "cpu": {
+ "type": "long"
+ },
+ "craction": {
+ "type": "long"
+ },
+ "criticalcount": {
+ "type": "long"
+ },
+ "crl": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "crlevel": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "crscore": {
+ "type": "long"
+ },
+ "cveid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "daemon": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "datarange": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "date": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ddnsserver": {
+ "type": "ip"
+ },
+ "desc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "detectionmethod": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "devcategory": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "devintfname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "devtype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dhcp_msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dintf": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "disk": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "disklograte": {
+ "type": "long"
+ },
+ "dlpextra": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "docsource": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "domainctrlauthstate": {
+ "type": "long"
+ },
+ "domainctrlauthtype": {
+ "type": "long"
+ },
+ "domainctrldomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "domainctrlip": {
+ "type": "ip"
+ },
+ "domainctrlname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "domainctrlprotocoltype": {
+ "type": "long"
+ },
+ "domainctrlusername": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "domainfilteridx": {
+ "type": "long"
+ },
+ "domainfilterlist": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ds": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dst_int": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstcountry": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstdevcategory": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstdevtype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstfamily": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dsthwvendor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dsthwversion": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstinetsvc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstintfrole": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstosname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstosversion": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstserver": {
+ "type": "long"
+ },
+ "dstssid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstswversion": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstunauthusersource": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstuuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "duid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "eapolcnt": {
+ "type": "long"
+ },
+ "eapoltype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "encrypt": {
+ "type": "long"
+ },
+ "encryption": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "epoch": {
+ "type": "long"
+ },
+ "espauth": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "esptransform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "eventtype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "exch": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "exchange": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "expectedsignature": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "expiry": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fams_pause": {
+ "type": "long"
+ },
+ "fazlograte": {
+ "type": "long"
+ },
+ "fctemssn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fctuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "field": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filefilter": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filehashsrc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filtercat": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filteridx": {
+ "type": "long"
+ },
+ "filtername": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filtertype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fortiguardresp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "forwardedfor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fqdn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "frametype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "freediskstorage": {
+ "type": "long"
+ },
+ "from": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "from_vcluster": {
+ "type": "long"
+ },
+ "fsaverdict": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fwserver_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "gateway": {
+ "type": "ip"
+ },
+ "green": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "groupid": {
+ "type": "long"
+ },
+ "ha-prio": {
+ "type": "long"
+ },
+ "ha_group": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ha_role": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "handshake": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hbdn_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "highcount": {
+ "type": "long"
+ },
+ "host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "iaid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icmpcode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icmpid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icmptype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "identifier": {
+ "type": "long"
+ },
+ "in_spi": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "incidentserialno": {
+ "type": "long"
+ },
+ "infected": {
+ "type": "long"
+ },
+ "infectedfilelevel": {
+ "type": "long"
+ },
+ "informationsource": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "init": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "initiator": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "interface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "intf": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "invalidmac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "iptype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "keyword": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "kind": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "lanin": {
+ "type": "long"
+ },
+ "lanout": {
+ "type": "long"
+ },
+ "lease": {
+ "type": "long"
+ },
+ "license_limit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "limit": {
+ "type": "long"
+ },
+ "line": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "live": {
+ "type": "long"
+ },
+ "local": {
+ "type": "ip"
+ },
+ "log": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "login": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "lowcount": {
+ "type": "long"
+ },
+ "mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "malform_data": {
+ "type": "long"
+ },
+ "malform_desc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "manuf": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "masterdstmac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mastersrcmac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mediumcount": {
+ "type": "long"
+ },
+ "mem": {
+ "type": "long"
+ },
+ "meshmode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mgmtcnt": {
+ "type": "long"
+ },
+ "mode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "module": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "monitor-name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "monitor-type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mpsk": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "msgproto": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mtu": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "netid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "new_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "new_value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "newchannel": {
+ "type": "long"
+ },
+ "newchassisid": {
+ "type": "long"
+ },
+ "newslot": {
+ "type": "long"
+ },
+ "nextstat": {
+ "type": "long"
+ },
+ "nf_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "noise": {
+ "type": "long"
+ },
+ "old_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "old_value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldchannel": {
+ "type": "long"
+ },
+ "oldchassisid": {
+ "type": "long"
+ },
+ "oldslot": {
+ "type": "long"
+ },
+ "oldsn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldwprof": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "onwire": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "opercountry": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "opertxpower": {
+ "type": "long"
+ },
+ "osname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "osversion": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "out_spi": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "outintf": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "passedcount": {
+ "type": "long"
+ },
+ "passwd": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "peer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "peer_notif": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "phase2_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "phone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "policytype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "poolname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "port": {
+ "type": "long"
+ },
+ "portbegin": {
+ "type": "long"
+ },
+ "portend": {
+ "type": "long"
+ },
+ "probeproto": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "process": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "processtime": {
+ "type": "long"
+ },
+ "profile": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "profile_vd": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "profilegroup": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "profiletype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "qtypeval": {
+ "type": "long"
+ },
+ "quarskip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "quotaexceeded": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "quotamax": {
+ "type": "long"
+ },
+ "quotatype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "quotaused": {
+ "type": "long"
+ },
+ "radioband": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "radioid": {
+ "type": "long"
+ },
+ "radioidclosest": {
+ "type": "long"
+ },
+ "radioiddetected": {
+ "type": "long"
+ },
+ "rate": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rawdata": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rawdataid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rcvddelta": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "received": {
+ "type": "long"
+ },
+ "receivedsignature": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "red": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "referralurl": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "remote": {
+ "type": "ip"
+ },
+ "remotewtptime": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reporttype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reqtype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "request_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "role": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rssi": {
+ "type": "long"
+ },
+ "rsso_key": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ruledata": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ruletype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scanned": {
+ "type": "long"
+ },
+ "scantime": {
+ "type": "long"
+ },
+ "scope": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "security": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sensitivity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sensor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sentdelta": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "seq": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "serial": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "serialno": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "server": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "session_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sessionid": {
+ "type": "long"
+ },
+ "setuprate": {
+ "type": "long"
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "shaperdroprcvdbyte": {
+ "type": "long"
+ },
+ "shaperdropsentbyte": {
+ "type": "long"
+ },
+ "shaperperipdropbyte": {
+ "type": "long"
+ },
+ "shaperperipname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "shaperrcvdname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "shapersentname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "shapingpolicyid": {
+ "type": "long"
+ },
+ "signal": {
+ "type": "long"
+ },
+ "size": {
+ "type": "long"
+ },
+ "slot": {
+ "type": "long"
+ },
+ "sn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "snclosest": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sndetected": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "snmeshparent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "spi": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_int": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srccountry": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srcfamily": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srchwvendor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srchwversion": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srcinetsvc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srcintfrole": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srcname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srcserver": {
+ "type": "long"
+ },
+ "srcssid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srcswversion": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srcuuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sscname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sslaction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssllocal": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sslremote": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "stacount": {
+ "type": "long"
+ },
+ "stage": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "stamac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "stitch": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "submodule": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subservice": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subtype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "suspicious": {
+ "type": "long"
+ },
+ "switchproto": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sync_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sync_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sysuptime": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tamac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "threattype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "time": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "to": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "to_vcluster": {
+ "type": "long"
+ },
+ "total": {
+ "type": "long"
+ },
+ "totalsession": {
+ "type": "long"
+ },
+ "trace_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "trandisp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "transid": {
+ "type": "long"
+ },
+ "translationid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "trigger": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "trueclntip": {
+ "type": "ip"
+ },
+ "tunnelid": {
+ "type": "long"
+ },
+ "tunnelip": {
+ "type": "ip"
+ },
+ "tunneltype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ui": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "unauthusersource": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "unit": {
+ "type": "long"
+ },
+ "urlfilteridx": {
+ "type": "long"
+ },
+ "urlfilterlist": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "urlsource": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "urltype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "used": {
+ "type": "long"
+ },
+ "used_for_type": {
+ "type": "long"
+ },
+ "utmaction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "utmref": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vap": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vapmode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vcluster": {
+ "type": "long"
+ },
+ "vcluster_member": {
+ "type": "long"
+ },
+ "vcluster_state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vd": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vdname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vendorurl": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "virus": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "virusid": {
+ "type": "long"
+ },
+ "voip_proto": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpntunnel": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpntype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vrf": {
+ "type": "long"
+ },
+ "vulncat": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vulnid": {
+ "type": "long"
+ },
+ "vulnname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vwlid": {
+ "type": "long"
+ },
+ "vwlquality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vwlservice": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vwpvlanid": {
+ "type": "long"
+ },
+ "wanin": {
+ "type": "long"
+ },
+ "wanoptapptype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "wanout": {
+ "type": "long"
+ },
+ "weakwepiv": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "xauthgroup": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "xauthuser": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "xid": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/gcp.json b/salt/elasticsearch/templates/component/ecs/gcp.json
new file mode 100644
index 000000000..5ac9dcbe4
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/gcp.json
@@ -0,0 +1,267 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "gcp": {
+ "properties": {
+ "audit": {
+ "properties": {
+ "authentication_info": {
+ "properties": {
+ "authority_selector": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "principal_email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "method_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "num_response_items": {
+ "type": "long"
+ },
+ "request": {
+ "properties": {
+ "filter": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "proto_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resource_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "request_metadata": {
+ "properties": {
+ "caller_ip": {
+ "type": "ip"
+ },
+ "caller_supplied_user_agent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "resource_location": {
+ "properties": {
+ "current_locations": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "resource_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "response": {
+ "properties": {
+ "details": {
+ "properties": {
+ "group": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "kind": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "proto_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "service_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "properties": {
+ "code": {
+ "type": "long"
+ },
+ "message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "destination": {
+ "properties": {
+ "instance": {
+ "properties": {
+ "project_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "zone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vpc": {
+ "properties": {
+ "project_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subnetwork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpc_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "firewall": {
+ "properties": {
+ "rule_details": {
+ "properties": {
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destination_range": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "direction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "priority": {
+ "type": "long"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_range": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_service_account": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_tag": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target_service_account": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target_tag": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "source": {
+ "properties": {
+ "instance": {
+ "properties": {
+ "project_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "zone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vpc": {
+ "properties": {
+ "project_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subnetwork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpc_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "vpcflow": {
+ "properties": {
+ "reporter": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rtt": {
+ "properties": {
+ "ms": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
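Review bot: `gcp.audit.request_metadata.caller_ip` at the `"caller_ip"` entry is mapped as a strict `ip` field with no `ignore_malformed` in this hunk, yet GCP audit `requestMetadata.callerIp` is known to carry non-address sentinel strings (values like `gce-internal` or `private`) for internal callers; a document with such a value will be rejected at index time unless the ingest pipeline strips it or the index settings enable `index.mapping.ignore_malformed`, and neither is visible here. A rejected audit record is a silent detection gap, so either confirm the feeding pipeline normalizes the value or mark the field tolerant: `"caller_ip": { "type": "ip", "ignore_malformed": true }`. The same question applies to the other `ip`-typed fields in this batch of templates (for example `caller_ip` here and the `ip` fields in the google_workspace hunk that follows), since the template carries no index-level `ignore_malformed` in the visible lines.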
diff --git a/salt/elasticsearch/templates/component/ecs/google_workspace.json b/salt/elasticsearch/templates/component/ecs/google_workspace.json
new file mode 100644
index 000000000..526bd9bb5
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/google_workspace.json
@@ -0,0 +1,750 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "google_workspace": {
+ "properties": {
+ "actor": {
+ "properties": {
+ "key": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "admin": {
+ "properties": {
+ "alert": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "api": {
+ "properties": {
+ "client": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "scopes": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "application": {
+ "properties": {
+ "asp_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "edition": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "enabled": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "licences_order_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "licences_purchased": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "package_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "bulk_upload": {
+ "properties": {
+ "failed": {
+ "type": "long"
+ },
+ "total": {
+ "type": "long"
+ }
+ }
+ },
+ "chrome_licenses": {
+ "properties": {
+ "allowed": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "enabled": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "chrome_os": {
+ "properties": {
+ "session_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "device": {
+ "properties": {
+ "command_details": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "distribution": {
+ "properties": {
+ "entity": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "domain": {
+ "properties": {
+ "alias": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "secondary_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "email": {
+ "properties": {
+ "log_search_filter": {
+ "properties": {
+ "end_date": {
+ "type": "date"
+ },
+ "message_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "recipient": {
+ "properties": {
+ "ip": {
+ "type": "ip"
+ },
+ "value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "sender": {
+ "properties": {
+ "ip": {
+ "type": "ip"
+ },
+ "value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "start_date": {
+ "type": "date"
+ }
+ }
+ },
+ "quarantine_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "email_dump": {
+ "properties": {
+ "include_deleted": {
+ "type": "boolean"
+ },
+ "package_content": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "email_monitor": {
+ "properties": {
+ "dest_email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "level": {
+ "properties": {
+ "chat": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "draft": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "incoming": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "outgoing": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "field": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "gateway": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "group": {
+ "properties": {
+ "allowed_list": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "priorities": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "info_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "managed_configuration": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mdm": {
+ "properties": {
+ "token": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vendor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "mobile": {
+ "properties": {
+ "action": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "certificate": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "company_owned_devices": {
+ "type": "long"
+ }
+ }
+ },
+ "new_value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "non_featured_services_selection": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oauth2": {
+ "properties": {
+ "application": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "service": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "old_value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "org_unit": {
+ "properties": {
+ "full": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "print_server": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "printer": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "privilege": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "product": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sku": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "request": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "resource": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "role": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "rule": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "service": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "setting": {
+ "properties": {
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "url": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "user": {
+ "properties": {
+ "birthdate": {
+ "type": "date"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nickname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "user_defined_setting": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "verification_method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "drive": {
+ "properties": {
+ "added_role": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "billable": {
+ "type": "boolean"
+ },
+ "destination_folder_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destination_folder_title": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "owner": {
+ "properties": {
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "is_shared_drive": {
+ "type": "boolean"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "membership_change_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "new_value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "old_value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "old_visibility": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "originating_app_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "primary_event": {
+ "type": "boolean"
+ },
+ "removed_role": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "shared_drive_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "shared_drive_settings_change_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sheets_import_range_recipient_doc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_folder_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_folder_title": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "visibility": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "visibility_change": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "event": {
+ "properties": {
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "groups": {
+ "properties": {
+ "acl_permission": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "member": {
+ "properties": {
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "role": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "message": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "moderation_action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "new_value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "old_value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "setting": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "kind": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "login": {
+ "properties": {
+ "affected_email_address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "challenge_method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "failure_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "is_second_factor": {
+ "type": "boolean"
+ },
+ "is_suspicious": {
+ "type": "boolean"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "organization": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "saml": {
+ "properties": {
+ "application_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "failure_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "initiated_by": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "orgunit_path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "second_level_status_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
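Review bot: `google_workspace.admin.mdm.token` at the `"mdm"` / `"token"` entry is indexed as a searchable `keyword` like every other field; if the admin audit event actually carries an enrollment or vendor token value rather than an opaque identifier, that credential becomes readable by anyone with search access to the index. Confirm what the source sends for this parameter and, if it is secret material, either drop it in the ingest pipeline or map it as `"token": { "type": "keyword", "index": false, "doc_values": false }` so it is stored but not queryable. The same review applies to `admin.user.birthdate`, which is personal data mapped as a plain `date`; retention and access for the index should account for it.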
diff --git a/salt/elasticsearch/templates/component/ecs/juniper.json b/salt/elasticsearch/templates/component/ecs/juniper.json
new file mode 100644
index 000000000..33a5f61d6
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/juniper.json
@@ -0,0 +1,378 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "juniper": {
+ "properties": {
+ "srx": {
+ "properties": {
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "action_detail": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "alert": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "apbr_rule_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "application": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "application_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "application_characteristics": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "application_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "application_sub_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "attack_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "client_ip": {
+ "type": "ip"
+ },
+ "connection_hit_rate": {
+ "type": "long"
+ },
+ "connection_tag": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "context_hit_rate": {
+ "type": "long"
+ },
+ "context_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "context_value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "context_value_hit_rate": {
+ "type": "long"
+ },
+ "ddos_application_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dscp_value": {
+ "type": "long"
+ },
+ "dst_nat_rule_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dst_nat_rule_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dst_vrf_grp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "elapsed_time": {
+ "type": "date"
+ },
+ "encrypted": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "epoch_time": {
+ "type": "date"
+ },
+ "error_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "error_message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "export_id": {
+ "type": "long"
+ },
+ "feed_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_hash_lookup": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filename": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icmp_type": {
+ "type": "long"
+ },
+ "inbound_bytes": {
+ "type": "long"
+ },
+ "inbound_packets": {
+ "type": "long"
+ },
+ "index": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "logical_system_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "malware_info": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat_connection_tag": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nested_application": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "obj": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "occur_count": {
+ "type": "long"
+ },
+ "outbound_bytes": {
+ "type": "long"
+ },
+ "outbound_packets": {
+ "type": "long"
+ },
+ "packet_log_id": {
+ "type": "long"
+ },
+ "peer_destination_address": {
+ "type": "ip"
+ },
+ "peer_destination_port": {
+ "type": "long"
+ },
+ "peer_session_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "peer_source_address": {
+ "type": "ip"
+ },
+ "peer_source_port": {
+ "type": "long"
+ },
+ "policy_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "process": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "profile": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "profile_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "protocol_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "protocol_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "repeat_count": {
+ "type": "long"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "routing_instance": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rule_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ruleebase_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sample_sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "secure_web_proxy_session_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "session_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "session_id_32": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_nat_rule_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_nat_rule_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_vrf_grp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tag": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "temporary_filename": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tenant_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "th": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "threat_severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "time_count": {
+ "type": "long"
+ },
+ "time_period": {
+ "type": "long"
+ },
+ "time_scope": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timestamp": {
+ "type": "date"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uplink_rx_bytes": {
+ "type": "long"
+ },
+ "uplink_tx_bytes": {
+ "type": "long"
+ },
+ "url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "verdict_number": {
+ "type": "long"
+ },
+ "verdict_source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
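Review bot: `juniper.srx.elapsed_time` at the `"elapsed_time"` entry is mapped as `date`, but in SRX session-close syslog the `elapsed-time` attribute is a duration in seconds; a bare integer in a `date` field is parsed as epoch milliseconds, so the value indexes as a meaningless timestamp instead of a filterable duration, and a non-numeric value would reject the document. Unless the ingest pipeline converts it first, `"elapsed_time": { "type": "long" }` is the appropriate mapping. `epoch_time` is also `date` with no `format`; if the source value is epoch seconds it needs `"format": "epoch_second"` (or conversion in the pipeline), otherwise it too will be read as milliseconds and land in 1970. Please confirm both against the pipeline that feeds this template.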
diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json b/salt/elasticsearch/templates/component/ecs/kibana.json
similarity index 100%
rename from salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json
rename to salt/elasticsearch/templates/component/ecs/kibana.json
diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json b/salt/elasticsearch/templates/component/ecs/logstash.json
similarity index 100%
rename from salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json
rename to salt/elasticsearch/templates/component/ecs/logstash.json
diff --git a/salt/elasticsearch/templates/component/ecs/microsoft.json b/salt/elasticsearch/templates/component/ecs/microsoft.json
new file mode 100644
index 000000000..512b99c79
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/microsoft.json
@@ -0,0 +1,265 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "microsoft": {
+ "properties": {
+ "defender_atp": {
+ "properties": {
+ "assignedTo": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "classification": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "determination": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "evidence": {
+ "properties": {
+ "aadUserId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "accountName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "domainName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "entityType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ipAddress": {
+ "type": "ip"
+ },
+ "userPrincipalName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "incidentId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "investigationId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "investigationState": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "lastUpdateTime": {
+ "type": "date"
+ },
+ "rbacGroupName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resolvedTime": {
+ "type": "date"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "threatFamilyName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "m365_defender": {
+ "properties": {
+ "alerts": {
+ "properties": {
+ "actorName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "assignedTo": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "classification": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "creationTime": {
+ "type": "date"
+ },
+ "detectionSource": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "determination": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "devices": {
+ "type": "flattened"
+ },
+ "entities": {
+ "properties": {
+ "accountName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "clusterBy": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deliveryAction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "entityType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ipAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mailboxAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mailboxDisplayName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "recipient": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "registryHive": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "registryKey": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "registryValueType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "securityGroupId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "securityGroupName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sender": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "incidentId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "investigationId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "investigationState": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "lastUpdatedTime": {
+ "type": "date"
+ },
+ "mitreTechniques": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resolvedTime": {
+ "type": "date"
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "threatFamilyName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "userSid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "assignedTo": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "classification": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "determination": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "incidentId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "incidentName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "investigationState": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "redirectIncidentId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
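Review bot: `microsoft.m365_defender.alerts.entities.ipAddress` is mapped as `keyword` while `microsoft.defender_atp.evidence.ipAddress` earlier in the same file is mapped as `ip`; the keyword copy cannot be queried by CIDR or compared against `ip`-typed ECS fields, so any correlation rule joining the two Defender sources has to special-case it. If the M365 entity value can legitimately carry non-address strings that is a reason to keep `keyword`, but otherwise `"ipAddress": { "type": "ip" }` would align the two. The same keyword-for-address pattern appears in o365.json (`ActorIpAddress`, `ClientIP`, `ClientIPAddress`), where a raw value that may include a port suffix would argue for keeping the raw field as `keyword` and putting the typed copy in the parsed ECS field instead.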
diff --git a/salt/elasticsearch/templates/component/ecs/misp.json b/salt/elasticsearch/templates/component/ecs/misp.json
new file mode 100644
index 000000000..8150371ec
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/misp.json
@@ -0,0 +1,425 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "misp": {
+ "properties": {
+ "attack_pattern": {
+ "properties": {
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "kill_chain_phases": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "campaign": {
+ "properties": {
+ "aliases": {
+ "norms": false,
+ "type": "text"
+ },
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "first_seen": {
+ "type": "date"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen": {
+ "type": "date"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "objective": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "course_of_action": {
+ "properties": {
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "identity": {
+ "properties": {
+ "contact_information": {
+ "norms": false,
+ "type": "text"
+ },
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "identity_class": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "labels": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sectors": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "intrusion_set": {
+ "properties": {
+ "aliases": {
+ "norms": false,
+ "type": "text"
+ },
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "first_seen": {
+ "type": "date"
+ },
+ "goals": {
+ "norms": false,
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen": {
+ "type": "date"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "primary_motivation": {
+ "norms": false,
+ "type": "text"
+ },
+ "resource_level": {
+ "norms": false,
+ "type": "text"
+ },
+ "secondary_motivations": {
+ "norms": false,
+ "type": "text"
+ }
+ }
+ },
+ "malware": {
+ "properties": {
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "kill_chain_phases": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "labels": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "note": {
+ "properties": {
+ "authors": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "object_refs": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "summary": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "observed_data": {
+ "properties": {
+ "first_observed": {
+ "type": "date"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_observed": {
+ "type": "date"
+ },
+ "number_observed": {
+ "type": "long"
+ },
+ "objects": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "report": {
+ "properties": {
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "labels": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "object_refs": {
+ "norms": false,
+ "type": "text"
+ },
+ "published": {
+ "type": "date"
+ }
+ }
+ },
+ "threat_actor": {
+ "properties": {
+ "aliases": {
+ "norms": false,
+ "type": "text"
+ },
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "goals": {
+ "norms": false,
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "labels": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "personal_motivations": {
+ "norms": false,
+ "type": "text"
+ },
+ "primary_motivation": {
+ "norms": false,
+ "type": "text"
+ },
+ "resource_level": {
+ "norms": false,
+ "type": "text"
+ },
+ "roles": {
+ "norms": false,
+ "type": "text"
+ },
+ "secondary_motivations": {
+ "norms": false,
+ "type": "text"
+ },
+ "sophistication": {
+ "norms": false,
+ "type": "text"
+ }
+ }
+ },
+ "threat_indicator": {
+ "properties": {
+ "attack_pattern": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "attack_pattern_kql": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "campaign": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "confidence": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "feed": {
+ "norms": false,
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "intrusion_set": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "kill_chain_phases": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "labels": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_tactic": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mitre_technique": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "negate": {
+ "type": "boolean"
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "threat_actor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "valid_from": {
+ "type": "date"
+ },
+ "valid_until": {
+ "type": "date"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "tool": {
+ "properties": {
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "kill_chain_phases": {
+ "norms": false,
+ "type": "text"
+ },
+ "labels": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tool_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vulnerability": {
+ "properties": {
+ "description": {
+ "norms": false,
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
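Review bot: The same field name is mapped with different types across the MISP objects: `kill_chain_phases` is `keyword` under `attack_pattern` and `malware` but `text` under `tool`, and `object_refs` is `keyword` under `note` but `text` under `report`. Both hold identifier-like values that analysts filter and aggregate on exactly, and a `text` mapping loses exact matching and makes a cross-object terms aggregation on the field impossible; `"kill_chain_phases": { "ignore_above": 1024, "type": "keyword" }` under `tool`, and the same shape for `report.object_refs`, would make them consistent. If the divergence is deliberate (free-form values in those two objects, say), a `_meta` note saying so would spare the next reader the comparison.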
diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json b/salt/elasticsearch/templates/component/ecs/netflow.json
similarity index 100%
rename from salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json
rename to salt/elasticsearch/templates/component/ecs/netflow.json
diff --git a/salt/elasticsearch/templates/component/ecs/o365.json b/salt/elasticsearch/templates/component/ecs/o365.json
new file mode 100644
index 000000000..d1bdb29b1
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/o365.json
@@ -0,0 +1,445 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "o365": {
+ "properties": {
+ "audit": {
+ "properties": {
+ "AADGroupId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ActorContextId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ActorIpAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ActorUserId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ActorYammerUserId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "AlertEntityId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "AlertId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "AlertType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "AppId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ApplicationDisplayName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ApplicationId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "AzureActiveDirectoryEventType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ClientAppId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ClientIP": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ClientIPAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ClientInfoString": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Comments": {
+ "norms": false,
+ "type": "text"
+ },
+ "CommunicationType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "CorrelationId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "CreationTime": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "CustomUniqueId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Data": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "DataType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "DoNotDistributeEvent": {
+ "type": "boolean"
+ },
+ "EntityType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ErrorNumber": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "EventData": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "EventSource": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ExceptionInfo": {
+ "properties": {
+ "*": {
+ "type": "object"
+ }
+ }
+ },
+ "ExchangeMetaData": {
+ "properties": {
+ "*": {
+ "type": "object"
+ }
+ }
+ },
+ "ExtendedProperties": {
+ "properties": {
+ "*": {
+ "type": "object"
+ }
+ }
+ },
+ "ExternalAccess": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "FromApp": {
+ "type": "boolean"
+ },
+ "GroupName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ImplicitShare": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "IncidentId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "InterSystemsId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "InternalLogonType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "IntraSystemId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "IsDocLib": {
+ "type": "boolean"
+ },
+ "Item": {
+ "properties": {
+ "*": {
+ "properties": {
+ "*": {
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "ItemCount": {
+ "type": "long"
+ },
+ "ItemName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ItemType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ListBaseTemplateType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ListBaseType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ListColor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ListIcon": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ListId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ListItemUniqueId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ListTitle": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "LogonError": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "LogonType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "LogonUserSid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "MailboxGuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "MailboxOwnerMasterAccountSid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "MailboxOwnerSid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "MailboxOwnerUPN": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Members": {
+ "properties": {
+ "*": {
+ "type": "object"
+ }
+ }
+ },
+ "ModifiedProperties": {
+ "properties": {
+ "*": {
+ "properties": {
+ "*": {
+ "type": "object"
+ }
+ }
+ }
+ }
+ },
+ "Name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ObjectId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Operation": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "OrganizationId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "OrganizationName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "OriginatingServer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Parameters": {
+ "properties": {
+ "*": {
+ "type": "object"
+ }
+ }
+ },
+ "PolicyId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "RecordType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ResultStatus": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "SensitiveInfoDetectionIsIncluded": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "SessionId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "SharePointMetaData": {
+ "properties": {
+ "*": {
+ "type": "object"
+ }
+ }
+ },
+ "Site": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "SiteUrl": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "SourceFileExtension": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "SourceFileName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "SourceRelativeUrl": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "SupportTicketId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "TargetContextId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "TargetUserOrGroupName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "TargetUserOrGroupType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "TeamGuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "TeamName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "TemplateTypeId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "UniqueSharingId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "UserAgent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "UserId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "UserKey": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "UserType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "WebId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Workload": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "YammerNetworkId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
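Review bot: `CreationTime` under `o365.audit` is mapped as `keyword` rather than `date`, so it cannot drive range queries or time-based visualisations, unlike the date-like fields elsewhere in this commit (`lastUpdateTime` and `resolvedTime` in microsoft.json are `date`); if the value is an ISO-8601 timestamp, which the audit feed presumably emits, `"CreationTime": { "type": "date" }` is the fix, otherwise a `_meta` note on why it stays a string would help. Separately, the `"*"` keys under `ExceptionInfo`, `ExtendedProperties`, `Item`, `Members`, `ModifiedProperties`, `Parameters` and `SharePointMetaData` read as if they were meant as wildcards, but as far as the mapping API is concerned a key under `properties` is a literal field name, so arbitrary sub-keys of those objects will still be typed by dynamic mapping rather than by this template. If the intent is "accept any sub-key under this object", mapping the parent itself as `"type": "object"` (or `flattened`, as `devices` is in microsoft.json) expresses that directly.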
diff --git a/salt/elasticsearch/templates/component/ecs/okta.json b/salt/elasticsearch/templates/component/ecs/okta.json
new file mode 100644
index 000000000..dcfaab1c2
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/okta.json
@@ -0,0 +1,293 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "okta": {
+ "properties": {
+ "actor": {
+ "properties": {
+ "alternate_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "display_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "authentication_context": {
+ "properties": {
+ "authentication_provider": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "authentication_step": {
+ "type": "long"
+ },
+ "credential_provider": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "credential_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "external_session_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "interface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "client": {
+ "properties": {
+ "device": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "user_agent": {
+ "properties": {
+ "browser": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw_user_agent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "zone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "debug_context": {
+ "properties": {
+ "debug_data": {
+ "properties": {
+ "device_fingerprint": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "request_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "request_uri": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "suspicious_activity": {
+ "properties": {
+ "browser": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_city": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_ip": {
+ "type": "ip"
+ },
+ "event_latitude": {
+ "type": "float"
+ },
+ "event_longitude": {
+ "type": "float"
+ },
+ "event_state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_transaction_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timestamp": {
+ "type": "date"
+ }
+ }
+ },
+ "threat_suspected": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "display_message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "outcome": {
+ "properties": {
+ "reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "request": {
+ "properties": {
+ "ip_chain": {
+ "properties": {
+ "geographical_context": {
+ "properties": {
+ "city": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "geolocation": {
+ "type": "geo_point"
+ },
+ "postal_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "security_context": {
+ "properties": {
+ "as": {
+ "properties": {
+ "number": {
+ "type": "long"
+ },
+ "organization": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "is_proxy": {
+ "type": "boolean"
+ },
+ "isp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target": {
+ "type": "flattened"
+ },
+ "transaction": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
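Review bot: The `ip`-typed fields in this template (`okta.client.ip`, `okta.debug_context.debug_data.suspicious_activity.event_ip`, `okta.request.ip_chain.ip`) do not set `ignore_malformed`, so a single event whose value is not a parseable address is rejected as a whole document rather than just losing that field; for an identity-provider audit stream that is a silent visibility gap that is easy to miss. Unless the ingest pipeline already validates or drops those values, `"ip": { "type": "ip", "ignore_malformed": true }` on each of them keeps the event and discards only the bad value, and querying the `_ignored` meta-field then shows how often it happens. The same consideration applies to the `ip`-typed `ipAddress` in microsoft.json and to the `destinationip`, `dst_ip`, `remote_ip`, `sourceip` and `src_ip` fields in sophos.json.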
diff --git a/salt/elasticsearch/templates/component/ecs/redis.json b/salt/elasticsearch/templates/component/ecs/redis.json
new file mode 100644
index 000000000..925f55c62
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/redis.json
@@ -0,0 +1,50 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "redis": {
+ "properties": {
+ "log": {
+ "properties": {
+ "role": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "slowlog": {
+ "properties": {
+ "args": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cmd": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "duration": {
+ "properties": {
+ "us": {
+ "type": "long"
+ }
+ }
+ },
+ "id": {
+ "type": "long"
+ },
+ "key": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/sophos.json b/salt/elasticsearch/templates/component/ecs/sophos.json
new file mode 100644
index 000000000..a5606f962
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/sophos.json
@@ -0,0 +1,722 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "sophos": {
+ "properties": {
+ "xg": {
+ "properties": {
+ "Configuration": {
+ "type": "float"
+ },
+ "Mode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "PHPSESSID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Reports": {
+ "type": "float"
+ },
+ "Signature": {
+ "type": "float"
+ },
+ "SysLog_SERVER_NAME": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "Temp": {
+ "type": "float"
+ },
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "activityname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ap": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "app_is_cloud": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "appfilter_policy_id": {
+ "type": "long"
+ },
+ "application": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "application_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "application_filter_policy": {
+ "type": "long"
+ },
+ "application_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "application_risk": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "application_technology": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "appresolvedby": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "auth_client": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "auth_mechanism": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "av_policy_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "backup_mode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "branch_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "category_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "classification": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "client_host_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "client_physical_address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "clients_conn_ssid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "collisions": {
+ "type": "long"
+ },
+ "con_id": {
+ "type": "long"
+ },
+ "conn_id": {
+ "type": "long"
+ },
+ "connectionname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connectiontype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connevent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "contenttype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "context_match": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "context_prefix": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "context_suffix": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cookie": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "date": {
+ "type": "date"
+ },
+ "destinationip": {
+ "type": "ip"
+ },
+ "device": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "device_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "device_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dictionary_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dir_disp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "direction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "domainname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "download_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "download_file_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dst_country_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dst_domainname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dst_ip": {
+ "type": "ip"
+ },
+ "dst_port": {
+ "type": "long"
+ },
+ "dstdomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstzone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dstzonetype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "duration": {
+ "type": "long"
+ },
+ "email_subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ep_uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "eventid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "eventtime": {
+ "type": "date"
+ },
+ "eventtype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "exceptions": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "execution_path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extra": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_size": {
+ "type": "long"
+ },
+ "filename": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filepath": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filesize": {
+ "type": "long"
+ },
+ "free": {
+ "type": "long"
+ },
+ "from_email_address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ftp_direction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ftp_url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ftpcommand": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fw_rule_id": {
+ "type": "long"
+ },
+ "hb_health": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "httpresponsecode": {
+ "type": "long"
+ },
+ "iap": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icmp_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icmp_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "idle_cpu": {
+ "type": "float"
+ },
+ "idp_policy_id": {
+ "type": "long"
+ },
+ "idp_policy_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "in_interface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "interface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ipaddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ips_policy_id": {
+ "type": "long"
+ },
+ "localgateway": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "localnetwork": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "log_component": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "log_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "log_subtype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "log_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "login_user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mailid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mailsize": {
+ "type": "long"
+ },
+ "message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "newversion": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldversion": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "out_interface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "override_authorizer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "override_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "override_token": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "policy_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "priority": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "quarantine": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "quarantine_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "querystring": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw_data": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "received_pkts": {
+ "type": "long"
+ },
+ "receiveddrops": {
+ "type": "long"
+ },
+ "receivederrors": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "receivedkbits": {
+ "type": "long"
+ },
+ "recv_bytes": {
+ "type": "long"
+ },
+ "red_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "referer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "remote_ip": {
+ "type": "ip"
+ },
+ "remotenetwork": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "responsetime": {
+ "type": "long"
+ },
+ "rule_priority": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sent_bytes": {
+ "type": "long"
+ },
+ "sent_pkts": {
+ "type": "long"
+ },
+ "server": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sessionid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1sum": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature_msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "site_category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceip": {
+ "type": "ip"
+ },
+ "spamaction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sqli": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_country_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_domainname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_ip": {
+ "type": "ip"
+ },
+ "src_mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "src_port": {
+ "type": "long"
+ },
+ "srczone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "srczonetype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "start_time": {
+ "type": "date"
+ },
+ "starttime": {
+ "type": "date"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "system_cpu": {
+ "type": "float"
+ },
+ "target": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "threatname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timestamp": {
+ "type": "date"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "to_email_address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "total_memory": {
+ "type": "long"
+ },
+ "trans_dst_ip": {
+ "type": "ip"
+ },
+ "trans_dst_port": {
+ "type": "long"
+ },
+ "trans_src_ip": {
+ "type": "ip"
+ },
+ "trans_src_port": {
+ "type": "long"
+ },
+ "transaction_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "transactionid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "transmitteddrops": {
+ "type": "long"
+ },
+ "transmittederrors": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "transmittedkbits": {
+ "type": "long"
+ },
+ "unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "updatedip": {
+ "type": "ip"
+ },
+ "upload_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "upload_file_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "used": {
+ "type": "long"
+ },
+ "user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_cpu": {
+ "type": "float"
+ },
+ "user_gp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_group": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "users": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vconn_id": {
+ "type": "long"
+ },
+ "virus": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "website": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "xss": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json b/salt/elasticsearch/templates/component/ecs/suricata.json
similarity index 100%
rename from salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json
rename to salt/elasticsearch/templates/component/ecs/suricata.json
diff --git a/salt/elasticsearch/templates/component/ecs/syslog.json b/salt/elasticsearch/templates/component/ecs/syslog.json
new file mode 100644
index 000000000..c886589e9
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/syslog.json
@@ -0,0 +1,30 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "syslog": {
+ "properties": {
+ "facility": {
+ "type": "long"
+ },
+ "facility_label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "priority": {
+ "type": "long"
+ },
+ "severity_label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
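Review bot: The `_meta` block on the second to fourth added lines points `documentation` at `https://www.elastic.co/guide/en/ecs/current/ecs-base.html` with `ecs_version` `1.12.2`, but the `syslog.facility`, `syslog.facility_label`, `syslog.priority` and `syslog.severity_label` properties defined below it are not ECS base fields, so the pointer misleads the next maintainer who goes looking for their definition. Either drop the `documentation` key or replace it with a reference to whatever defines this field set, e.g. `"documentation": "<PLACEHOLDER: link or note describing the Security Onion syslog field set>"`, keeping `ecs_version` only if the intent is to record which ECS conventions (keyword with `ignore_above` 1024) the file follows. If the `_meta` block was copied from the sibling ECS component files on purpose, a one-line note saying so would do. How this file becomes the `syslog-mappings` component referenced by the so-syslog-template hunk below is presumably decided by the loader script and cannot be confirmed from this hunk.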
diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json b/salt/elasticsearch/templates/component/ecs/zeek.json
similarity index 100%
rename from salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json
rename to salt/elasticsearch/templates/component/ecs/zeek.json
diff --git a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
index 09e61fa8a..9751fb0f3 100644
--- a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
@@ -43,6 +43,7 @@
"composed_of": [
"agent-mappings",
"dtc-agent-mappings",
+ "aws-mappings",
"base-mappings",
"dtc-base-mappings",
"client-mappings",
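Review bot: The added `aws-mappings` entry, like the parallel additions in every other so-*-template.json.jinja hunk in this commit, names a component template that nothing in the hunk defines, and Elasticsearch rejects an index template whose `composed_of` lists a component that does not exist, which would leave the corresponding index with dynamic mapping only. Presumably the matching component files are the ones added or renamed earlier in this diff and the loader registers them as `<file name>-mappings` before applying the index templates; that ordering assumption is worth stating next to the list, e.g. `{# component templates listed here must be loaded before this index template is applied #}`. The `composed_of` array starts and ends outside the hunk.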
diff --git a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
index 366acb167..f663e0b82 100644
--- a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
@@ -43,6 +43,7 @@
"composed_of": [
"agent-mappings",
"dtc-agent-mappings",
+ "azure-mappings",
"base-mappings",
"dtc-base-mappings",
"client-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja
index c47d36875..84e175a88 100644
--- a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja
@@ -45,6 +45,7 @@
"dtc-agent-mappings",
"base-mappings",
"dtc-base-mappings",
+ "cef-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
index 458c675ac..ee76932d4 100644
--- a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
@@ -45,6 +45,7 @@
"dtc-agent-mappings",
"base-mappings",
"dtc-base-mappings",
+ "checkpoint-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
index b506026f8..6b8396815 100644
--- a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
@@ -46,6 +46,7 @@
"dtc-agent-mappings",
"base-mappings",
"dtc-base-mappings",
+ "cisco-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
index d0e2802e5..6644f274b 100644
--- a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
@@ -48,6 +48,7 @@
"client-mappings",
"cloud-mappings",
"container-mappings",
+ "cyberark-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
index 00fa7be2a..d04193d31 100644
--- a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
@@ -60,6 +60,7 @@
"dtc-event-mappings",
"file-mappings",
"dtc-file-mappings",
+ "fortinet-mappings",
"group-mappings",
"host-mappings",
"dtc-host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
index aa964a52d..78a39f158 100644
--- a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
@@ -60,6 +60,7 @@
"dtc-event-mappings",
"file-mappings",
"dtc-file-mappings",
+ "gcp-mappings",
"group-mappings",
"host-mappings",
"dtc-host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
index 5816a94f3..1aa207d57 100644
--- a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
@@ -60,6 +60,7 @@
"dtc-event-mappings",
"file-mappings",
"dtc-file-mappings",
+ "google_workspace-mappings",
"group-mappings",
"host-mappings",
"dtc-host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
index 1f2eca87c..a1aaa5cd0 100644
--- a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
@@ -65,6 +65,7 @@
"dtc-host-mappings",
"http-mappings",
"dtc-http-mappings",
+ "juniper-mappings",
"log-mappings",
"network-mappings",
"dtc-network-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
index 6105b1e00..d0b7d2cbb 100644
--- a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
@@ -66,6 +66,7 @@
"http-mappings",
"dtc-http-mappings",
"log-mappings",
+ "microsoft-mappings",
"network-mappings",
"dtc-network-mappings",
"observer-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
index a2b2a0d63..046ffa6e7 100644
--- a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
@@ -66,6 +66,7 @@
"http-mappings",
"dtc-http-mappings",
"log-mappings",
+ "misp-mappings",
"network-mappings",
"dtc-network-mappings",
"observer-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
index c34cbbd37..da688ea75 100644
--- a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
@@ -68,6 +68,7 @@
"log-mappings",
"network-mappings",
"dtc-network-mappings",
+ "o365-mappings",
"observer-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
index e45a664d9..26488c4b2 100644
--- a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
@@ -70,6 +70,7 @@
"dtc-network-mappings",
"observer-mappings",
"dtc-observer-mappings",
+ "okta-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
index 8eb44cb87..8cf1a3777 100644
--- a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
@@ -77,6 +77,7 @@
"dtc-process-mappings",
"registry-mappings",
"related-mappings",
+ "redis-mappings",
"rule-mappings",
"dtc-rule-mappings",
"server-mappings",
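Review bot: `redis-mappings` is inserted after `related-mappings`, which breaks the alphabetical ordering that the rest of this list and the other hunks in the commit keep (for instance `sophos-mappings` lands before `source-mappings`); it belongs after `dtc-process-mappings` and before `registry-mappings`. Position in `composed_of` is also meaningful, since Elasticsearch merges component templates in list order and the later entry wins on a conflicting field mapping, so keeping vendor entries at their sorted position makes precedence predictable across all the so-*-template files even where, as presumably here, the `redis.*` namespace does not overlap anything else. The `composed_of` array starts and ends outside the hunk.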
diff --git a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
index c22a6d9bd..42cff57ce 100644
--- a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
@@ -82,6 +82,7 @@
"server-mappings",
"service-mappings",
"dtc-service-mappings",
+ "snyk-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
index 1eda879fb..c8c95f178 100644
--- a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
@@ -82,6 +82,7 @@
"server-mappings",
"service-mappings",
"dtc-service-mappings",
+ "sophos-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
index af609836e..41215e262 100644
--- a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
@@ -83,6 +83,7 @@
"service-mappings",
"dtc-service-mappings",
"source-mappings",
+ "syslog-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",