{"template": { "settings": { "index": { "lifecycle": { "name": "logs" }, "codec": "best_compression", "default_pipeline": "logs-system.security-1.6.4", "mapping": { "total_fields": { "limit": "10000" } }, "query": { "default_field": [ "cloud.account.id", "cloud.availability_zone", "cloud.instance.id", "cloud.instance.name", "cloud.machine.type", "cloud.provider", "cloud.region", "cloud.project.id", "cloud.image.id", "container.id", "container.image.name", "container.name", "host.architecture", "host.hostname", "host.id", "host.mac", "host.name", "host.os.family", "host.os.kernel", "host.os.name", "host.os.platform", "host.os.version", "host.os.build", "host.os.codename", "host.type", "event.action", "event.category", "event.code", "event.kind", "event.outcome", "event.provider", "event.type", "tags", "input.type", "ecs.version", "group.domain", "group.id", "group.name", "log.file.path", "log.level", "message", "process.args", "process.command_line", "process.entity_id", "process.executable", "process.name", "process.parent.executable", "process.parent.name", "process.title", "related.hash", "related.hosts", "related.user", "service.name", "service.type", "source.domain", "user.domain", "user.id", "user.name", "user.effective.domain", "user.effective.id", "user.effective.name", "user.target.group.domain", "user.target.group.id", "user.target.group.name", "user.target.name", "user.target.domain", "user.target.id", "user.changes.name", "winlog.logon.type", "winlog.logon.id", "winlog.logon.failure.reason", "winlog.logon.failure.status", "winlog.logon.failure.sub_status", "winlog.api", "winlog.activity_id", "winlog.channel", "winlog.computer_name", "winlog.computerObject.domain", "winlog.computerObject.id", "winlog.computerObject.name", "winlog.event_data.AccessGranted", "winlog.event_data.AccessList", "winlog.event_data.AccessListDescription", "winlog.event_data.AccessMask", "winlog.event_data.AccessMaskDescription", "winlog.event_data.AccessRemoved", "winlog.event_data.AccountDomain", "winlog.event_data.AccountExpires", "winlog.event_data.AccountName", "winlog.event_data.AllowedToDelegateTo", "winlog.event_data.AuditPolicyChanges", "winlog.event_data.AuditPolicyChangesDescription", "winlog.event_data.AuditSourceName", "winlog.event_data.AuthenticationPackageName", "winlog.event_data.Binary", "winlog.event_data.BitlockerUserInputTime", "winlog.event_data.BootMode", "winlog.event_data.BootType", "winlog.event_data.BuildVersion", "winlog.event_data.CallerProcessId", "winlog.event_data.CallerProcessName", "winlog.event_data.Category", "winlog.event_data.CategoryId", "winlog.event_data.ClientAddress", "winlog.event_data.ClientName", "winlog.event_data.CommandLine", "winlog.event_data.Company", "winlog.event_data.CorruptionActionState", "winlog.event_data.CrashOnAuditFailValue", "winlog.event_data.CreationUtcTime", "winlog.event_data.Description", "winlog.event_data.Detail", "winlog.event_data.DeviceName", "winlog.event_data.DeviceNameLength", "winlog.event_data.DeviceTime", "winlog.event_data.DeviceVersionMajor", "winlog.event_data.DeviceVersionMinor", "winlog.event_data.DisplayName", "winlog.event_data.DomainBehaviorVersion", "winlog.event_data.DomainName", "winlog.event_data.DomainPolicyChanged", "winlog.event_data.DomainSid", "winlog.event_data.DriveName", "winlog.event_data.DriverName", "winlog.event_data.DriverNameLength", "winlog.event_data.Dummy", "winlog.event_data.DwordVal", "winlog.event_data.EntryCount", "winlog.event_data.EventSourceId", "winlog.event_data.ExtraInfo", "winlog.event_data.FailureName", "winlog.event_data.FailureNameLength", "winlog.event_data.FailureReason", "winlog.event_data.FileVersion", "winlog.event_data.FinalStatus", "winlog.event_data.Group", "winlog.event_data.GroupTypeChange", "winlog.event_data.HandleId", "winlog.event_data.HomeDirectory", "winlog.event_data.HomePath", "winlog.event_data.IdleImplementation", "winlog.event_data.IdleStateCount", "winlog.event_data.ImpersonationLevel", "winlog.event_data.IntegrityLevel", "winlog.event_data.IpAddress", "winlog.event_data.IpPort", "winlog.event_data.KerberosPolicyChange", "winlog.event_data.KeyLength", "winlog.event_data.LastBootGood", "winlog.event_data.LastShutdownGood", "winlog.event_data.LmPackageName", "winlog.event_data.LogonGuid", "winlog.event_data.LogonHours", "winlog.event_data.LogonId", "winlog.event_data.LogonID", "winlog.event_data.LogonProcessName", "winlog.event_data.LogonType", "winlog.event_data.MachineAccountQuota", "winlog.event_data.MajorVersion", "winlog.event_data.MandatoryLabel", "winlog.event_data.MaximumPerformancePercent", "winlog.event_data.MemberName", "winlog.event_data.MemberSid", "winlog.event_data.MinimumPerformancePercent", "winlog.event_data.MinimumThrottlePercent", "winlog.event_data.MinorVersion", "winlog.event_data.MixedDomainMode", "winlog.event_data.NewProcessId", "winlog.event_data.NewProcessName", "winlog.event_data.NewSchemeGuid", "winlog.event_data.NewSd", "winlog.event_data.NewSdDacl0", "winlog.event_data.NewSdDacl1", "winlog.event_data.NewSdDacl2", "winlog.event_data.NewSdSacl0", "winlog.event_data.NewSdSacl1", "winlog.event_data.NewSdSacl2", "winlog.event_data.NewTargetUserName", "winlog.event_data.NewTime", "winlog.event_data.NewUACList", "winlog.event_data.NewUacValue", "winlog.event_data.NominalFrequency", "winlog.event_data.Number", "winlog.event_data.ObjectName", "winlog.event_data.ObjectServer", "winlog.event_data.ObjectType", "winlog.event_data.OemInformation", "winlog.event_data.OldSchemeGuid", "winlog.event_data.OldSd", "winlog.event_data.OldSdDacl0", "winlog.event_data.OldSdDacl1", "winlog.event_data.OldSdDacl2", "winlog.event_data.OldSdSacl0", "winlog.event_data.OldSdSacl1", "winlog.event_data.OldSdSacl2", "winlog.event_data.OldTargetUserName", "winlog.event_data.OldTime", "winlog.event_data.OldUacValue", "winlog.event_data.OriginalFileName", "winlog.event_data.PackageName", "winlog.event_data.PasswordLastSet", "winlog.event_data.PasswordHistoryLength", "winlog.event_data.Path", "winlog.event_data.ParentProcessName", "winlog.event_data.PerformanceImplementation", "winlog.event_data.PreviousCreationUtcTime", "winlog.event_data.PreAuthType", "winlog.event_data.PreviousTime", "winlog.event_data.PrimaryGroupId", "winlog.event_data.PrivilegeList", "winlog.event_data.ProcessId", "winlog.event_data.ProcessName", "winlog.event_data.ProcessPath", "winlog.event_data.ProcessPid", "winlog.event_data.Product", "winlog.event_data.ProfilePath", "winlog.event_data.PuaCount", "winlog.event_data.PuaPolicyId", "winlog.event_data.QfeVersion", "winlog.event_data.Reason", "winlog.event_data.ResourceAttributes", "winlog.event_data.SamAccountName", "winlog.event_data.SchemaVersion", "winlog.event_data.ScriptPath", "winlog.event_data.SidHistory", "winlog.event_data.ScriptBlockText", "winlog.event_data.Service", "winlog.event_data.ServiceAccount", "winlog.event_data.ServiceFileName", "winlog.event_data.ServiceName", "winlog.event_data.ServiceSid", "winlog.event_data.ServiceStartType", "winlog.event_data.ServiceType", "winlog.event_data.ServiceVersion", "winlog.event_data.SessionName", "winlog.event_data.ShutdownActionType", "winlog.event_data.ShutdownEventCode", "winlog.event_data.ShutdownReason", "winlog.event_data.SidFilteringEnabled", "winlog.event_data.Signature", "winlog.event_data.SignatureStatus", "winlog.event_data.Signed", "winlog.event_data.StartTime", "winlog.event_data.State", "winlog.event_data.Status", "winlog.event_data.StatusDescription", "winlog.event_data.StopTime", "winlog.event_data.SubCategory", "winlog.event_data.SubCategoryGuid", "winlog.event_data.SubcategoryGuid", "winlog.event_data.SubCategoryId", "winlog.event_data.SubcategoryId", "winlog.event_data.SubjectDomainName", "winlog.event_data.SubjectLogonId", "winlog.event_data.SubjectUserName", "winlog.event_data.SubjectUserSid", "winlog.event_data.SubStatus", "winlog.event_data.TSId", "winlog.event_data.TargetDomainName", "winlog.event_data.TargetInfo", "winlog.event_data.TargetLogonGuid", "winlog.event_data.TargetLogonId", "winlog.event_data.TargetServerName", "winlog.event_data.TargetSid", "winlog.event_data.TargetUserName", "winlog.event_data.TargetUserSid", "winlog.event_data.TdoAttributes", "winlog.event_data.TdoDirection", "winlog.event_data.TdoType", "winlog.event_data.TerminalSessionId", "winlog.event_data.TicketEncryptionType", "winlog.event_data.TicketEncryptionTypeDescription", "winlog.event_data.TicketOptions", "winlog.event_data.TicketOptionsDescription", "winlog.event_data.TokenElevationType", "winlog.event_data.TransmittedServices", "winlog.event_data.UserAccountControl", "winlog.event_data.UserParameters", "winlog.event_data.UserPrincipalName", "winlog.event_data.UserSid", "winlog.event_data.UserWorkstations", "winlog.event_data.Version", "winlog.event_data.Workstation", "winlog.event_data.WorkstationName", "winlog.event_data.param1", "winlog.event_data.param2", "winlog.event_data.param3", "winlog.event_data.param4", "winlog.event_data.param5", "winlog.event_data.param6", "winlog.event_data.param7", "winlog.event_data.param8", "winlog.event_id", "winlog.keywords", "winlog.level", "winlog.outcome", "winlog.record_id", "winlog.related_activity_id", "winlog.opcode", "winlog.provider_guid", "winlog.provider_name", "winlog.task", "winlog.time_created", "winlog.trustAttribute", "winlog.trustDirection", "winlog.trustType", "winlog.user_data.BackupPath", "winlog.user_data.Channel", "winlog.user_data.SubjectDomainName", "winlog.user_data.SubjectLogonId", "winlog.user_data.SubjectUserName", "winlog.user_data.SubjectUserSid", "winlog.user_data.xml_name", "winlog.user.identifier", "winlog.user.name", "winlog.user.domain", "winlog.user.type" ] } } }, "mappings": { "dynamic_templates": [ { "container.labels": { "path_match": "container.labels.*", "mapping": { "type": "keyword" }, "match_mapping_type": "string" } } ], "properties": { "container": { "properties": { "image": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "process": { "properties": { "args": { "ignore_above": 1024, "type": "keyword" }, "parent": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "executable": { "ignore_above": 1024, "type": "keyword" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "pid": { "type": "long" }, "args_count": { "type": "long" }, "entity_id": { "ignore_above": 1024, "type": "keyword" }, "title": { "ignore_above": 1024, "type": "keyword" }, "command_line": { "ignore_above": 1024, "type": "wildcard" }, "executable": { "ignore_above": 1024, "type": "keyword" } } }, "winlog": { "properties": { "related_activity_id": { "ignore_above": 1024, "type": "keyword" }, "keywords": { "ignore_above": 1024, "type": "keyword" }, "logon": { "properties": { "failure": { "properties": { "reason": { "ignore_above": 1024, "type": "keyword" }, "sub_status": { "ignore_above": 1024, "type": "keyword" }, "status": { "ignore_above": 1024, "type": "keyword" } } }, "id": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } } }, "channel": { "ignore_above": 1024, "type": "keyword" }, "event_data": { "properties": { "ProcessName": { "ignore_above": 1024, "type": "keyword" }, "LogonGuid": { "ignore_above": 1024, "type": "keyword" }, "OriginalFileName": { "ignore_above": 1024, "type": "keyword" }, "BootMode": { "ignore_above": 1024, "type": "keyword" }, "Product": { "ignore_above": 1024, "type": "keyword" }, "LogonHours": { "ignore_above": 1024, "type": "keyword" }, "TargetLogonGuid": { "ignore_above": 1024, "type": "keyword" }, "FileVersion": { "ignore_above": 1024, "type": "keyword" }, "TicketOptions": { "ignore_above": 1024, "type": "keyword" }, "AllowedToDelegateTo": { "ignore_above": 1024, "type": "keyword" }, "TdoAttributes": { "ignore_above": 1024, "type": "keyword" }, "StopTime": { "ignore_above": 1024, "type": "keyword" }, "Status": { "ignore_above": 1024, "type": "keyword" }, "AccessMask": { "ignore_above": 1024, "type": "keyword" }, "KeyLength": { "ignore_above": 1024, "type": "keyword" }, "ResourceAttributes": { "ignore_above": 1024, "type": "keyword" }, "SessionName": { "ignore_above": 1024, "type": "keyword" }, "PasswordHistoryLength": { "ignore_above": 1024, "type": "keyword" }, "TargetInfo": { "ignore_above": 1024, "type": "keyword" }, "OldSd": { "ignore_above": 1024, "type": "keyword" }, "TargetUserSid": { "ignore_above": 1024, "type": "keyword" }, "Group": { "ignore_above": 1024, "type": "keyword" }, "PackageName": { "ignore_above": 1024, "type": "keyword" }, "ShutdownActionType": { "ignore_above": 1024, "type": "keyword" }, "DwordVal": { "ignore_above": 1024, "type": "keyword" }, "DeviceVersionMajor": { "ignore_above": 1024, "type": "keyword" }, "SidHistory": { "ignore_above": 1024, "type": "keyword" }, "TransmittedServices": { "ignore_above": 1024, "type": "keyword" }, "WorkstationName": { "ignore_above": 1024, "type": "keyword" }, "SubStatus": { "ignore_above": 1024, "type": "keyword" }, "IdleStateCount": { "ignore_above": 1024, "type": "keyword" }, "Path": { "ignore_above": 1024, "type": "keyword" }, "SchemaVersion": { "ignore_above": 1024, "type": "keyword" }, "MinorVersion": { "ignore_above": 1024, "type": "keyword" }, "CrashOnAuditFailValue": { "ignore_above": 1024, "type": "keyword" }, "ProcessPath": { "ignore_above": 1024, "type": "keyword" }, "DeviceVersionMinor": { "ignore_above": 1024, "type": "keyword" }, "OldTime": { "ignore_above": 1024, "type": "keyword" }, "HandleId": { "ignore_above": 1024, "type": "keyword" }, "IpAddress": { "ignore_above": 1024, "type": "keyword" }, "LastShutdownGood": { "ignore_above": 1024, "type": "keyword" }, "IpPort": { "ignore_above": 1024, "type": "keyword" }, "DriverNameLength": { "ignore_above": 1024, "type": "keyword" }, "LmPackageName": { "ignore_above": 1024, "type": "keyword" }, "UserSid": { "ignore_above": 1024, "type": "keyword" }, "LastBootGood": { "ignore_above": 1024, "type": "keyword" }, "AccessListDescription": { "ignore_above": 1024, "type": "keyword" }, "PuaCount": { "ignore_above": 1024, "type": "keyword" }, "Version": { "ignore_above": 1024, "type": "keyword" }, "MachineAccountQuota": { "ignore_above": 1024, "type": "keyword" }, "OldUacValue": { "ignore_above": 1024, "type": "keyword" }, "UserParameters": { "ignore_above": 1024, "type": "keyword" }, "Signed": { "ignore_above": 1024, "type": "keyword" }, "StartTime": { "ignore_above": 1024, "type": "keyword" }, "SubCategoryId": { "ignore_above": 1024, "type": "keyword" }, "OldTargetUserName": { "ignore_above": 1024, "type": "keyword" }, "NewUacValue": { "ignore_above": 1024, "type": "keyword" }, "CallerProcessId": { "ignore_above": 1024, "type": "keyword" }, "ProfilePath": { "ignore_above": 1024, "type": "keyword" }, "ServiceName": { "ignore_above": 1024, "type": "keyword" }, "State": { "ignore_above": 1024, "type": "keyword" }, "FailureReason": { "ignore_above": 1024, "type": "keyword" }, "BootType": { "ignore_above": 1024, "type": "keyword" }, "Binary": { "ignore_above": 1024, "type": "keyword" }, "ImpersonationLevel": { "ignore_above": 1024, "type": "keyword" }, "MemberName": { "ignore_above": 1024, "type": "keyword" }, "TargetUserName": { "ignore_above": 1024, "type": "keyword" }, "DomainPolicyChanged": { "ignore_above": 1024, "type": "keyword" }, "CategoryId": { "ignore_above": 1024, "type": "keyword" }, "PreAuthType": { "ignore_above": 1024, "type": "keyword" }, "AccountDomain": { "ignore_above": 1024, "type": "keyword" }, "MemberSid": { "ignore_above": 1024, "type": "keyword" }, "DriverName": { "ignore_above": 1024, "type": "keyword" }, "NewUACList": { "ignore_above": 1024, "type": "keyword" }, "SubcategoryGuid": { "ignore_above": 1024, "type": "keyword" }, "ShutdownReason": { "ignore_above": 1024, "type": "keyword" }, "SidFilteringEnabled": { "ignore_above": 1024, "type": "keyword" }, "TargetServerName": { "ignore_above": 1024, "type": "keyword" }, "AuditPolicyChanges": { "ignore_above": 1024, "type": "keyword" }, "Number": { "ignore_above": 1024, "type": "keyword" }, "TargetDomainName": { "ignore_above": 1024, "type": "keyword" }, "EventSourceId": { "ignore_above": 1024, "type": "keyword" }, "DriveName": { "ignore_above": 1024, "type": "keyword" }, "NewProcessId": { "ignore_above": 1024, "type": "keyword" }, "LogonType": { "ignore_above": 1024, "type": "keyword" }, "ExtraInfo": { "ignore_above": 1024, "type": "keyword" }, "PrimaryGroupId": { "ignore_above": 1024, "type": "keyword" }, "ObjectName": { "ignore_above": 1024, "type": "keyword" }, "TargetLogonId": { "ignore_above": 1024, "type": "keyword" }, "Workstation": { "ignore_above": 1024, "type": "keyword" }, "PasswordLastSet": { "ignore_above": 1024, "type": "keyword" }, "NewSchemeGuid": { "ignore_above": 1024, "type": "keyword" }, "MinimumThrottlePercent": { "ignore_above": 1024, "type": "keyword" }, "GroupTypeChange": { "ignore_above": 1024, "type": "keyword" }, "AccessList": { "ignore_above": 1024, "type": "keyword" }, "AuthenticationPackageName": { "ignore_above": 1024, "type": "keyword" }, "NominalFrequency": { "ignore_above": 1024, "type": "keyword" }, "SignatureStatus": { "ignore_above": 1024, "type": "keyword" }, "DeviceTime": { "ignore_above": 1024, "type": "keyword" }, "DomainSid": { "ignore_above": 1024, "type": "keyword" }, "ScriptPath": { "ignore_above": 1024, "type": "keyword" }, "TicketEncryptionType": { "ignore_above": 1024, "type": "keyword" }, "TicketOptionsDescription": { "ignore_above": 1024, "type": "keyword" }, "ServiceType": { "ignore_above": 1024, "type": "keyword" }, "ObjectServer": { "ignore_above": 1024, "type": "keyword" }, "HomePath": { "ignore_above": 1024, "type": "keyword" }, "UserWorkstations": { "ignore_above": 1024, "type": "keyword" }, "SamAccountName": { "ignore_above": 1024, "type": "keyword" }, "DomainName": { "ignore_above": 1024, "type": "keyword" }, "CorruptionActionState": { "ignore_above": 1024, "type": "keyword" }, "AuditSourceName": { "ignore_above": 1024, "type": "keyword" }, "SubCategoryGuid": { "ignore_above": 1024, "type": "keyword" }, "PreviousCreationUtcTime": { "ignore_above": 1024, "type": "keyword" }, "ServiceVersion": { "ignore_above": 1024, "type": "keyword" }, "AuditPolicyChangesDescription": { "ignore_above": 1024, "type": "keyword" }, "AccessMaskDescription": { "ignore_above": 1024, "type": "keyword" }, "SubjectUserSid": { "ignore_above": 1024, "type": "keyword" }, "AccountName": { "ignore_above": 1024, "type": "keyword" }, "PerformanceImplementation": { "ignore_above": 1024, "type": "keyword" }, "TicketEncryptionTypeDescription": { "ignore_above": 1024, "type": "keyword" }, "ServiceAccount": { "ignore_above": 1024, "type": "keyword" }, "Description": { "ignore_above": 1024, "type": "keyword" }, "ProcessPid": { "ignore_above": 1024, "type": "keyword" }, "ScriptBlockText": { "ignore_above": 1024, "type": "keyword" }, "ObjectType": { "ignore_above": 1024, "type": "keyword" }, "MaximumPerformancePercent": { "ignore_above": 1024, "type": "keyword" }, "KerberosPolicyChange": { "ignore_above": 1024, "type": "keyword" }, "NewTime": { "ignore_above": 1024, "type": "keyword" }, "FinalStatus": { "ignore_above": 1024, "type": "keyword" }, "MajorVersion": { "ignore_above": 1024, "type": "keyword" }, "MandatoryLabel": { "ignore_above": 1024, "type": "keyword" }, "HomeDirectory": { "ignore_above": 1024, "type": "keyword" }, "TokenElevationType": { "ignore_above": 1024, "type": "keyword" }, "SubjectLogonId": { "ignore_above": 1024, "type": "keyword" }, "IdleImplementation": { "ignore_above": 1024, "type": "keyword" }, "QfeVersion": { "ignore_above": 1024, "type": "keyword" }, "AccountExpires": { "ignore_above": 1024, "type": "keyword" }, "ServiceStartType": { "ignore_above": 1024, "type": "keyword" }, "UserPrincipalName": { "ignore_above": 1024, "type": "keyword" }, "NewSdSacl1": { "ignore_above": 1024, "type": "keyword" }, "Dummy": { "ignore_above": 1024, "type": "keyword" }, "NewSdSacl0": { "ignore_above": 1024, "type": "keyword" }, "DeviceName": { "ignore_above": 1024, "type": "keyword" }, "NewSdSacl2": { "ignore_above": 1024, "type": "keyword" }, "Company": { "ignore_above": 1024, "type": "keyword" }, "PuaPolicyId": { "ignore_above": 1024, "type": "keyword" }, "OldSdSacl2": { "ignore_above": 1024, "type": "keyword" }, "IntegrityLevel": { "ignore_above": 1024, "type": "keyword" }, "OldSdSacl1": { "ignore_above": 1024, "type": "keyword" }, "OldSdSacl0": { "ignore_above": 1024, "type": "keyword" }, "TargetSid": { "ignore_above": 1024, "type": "keyword" }, "NewSd": { "ignore_above": 1024, "type": "keyword" }, "NewTargetUserName": { "ignore_above": 1024, "type": "keyword" }, "ClientName": { "ignore_above": 1024, "type": "keyword" }, "StatusDescription": { "ignore_above": 1024, "type": "keyword" }, "NewSdDacl0": { "ignore_above": 1024, "type": "keyword" }, "NewSdDacl2": { "ignore_above": 1024, "type": "keyword" }, "NewSdDacl1": { "ignore_above": 1024, "type": "keyword" }, "DomainBehaviorVersion": { "ignore_above": 1024, "type": "keyword" }, "AccessGranted": { "ignore_above": 1024, "type": "keyword" }, "ParentProcessName": { "ignore_above": 1024, "type": "keyword" }, "SubcategoryId": { "ignore_above": 1024, "type": "keyword" }, "AccessRemoved": { "ignore_above": 1024, "type": "keyword" }, "ShutdownEventCode": { "ignore_above": 1024, "type": "keyword" }, "NewProcessName": { "ignore_above": 1024, "type": "keyword" }, "FailureNameLength": { "ignore_above": 1024, "type": "keyword" }, "PreviousTime": { "ignore_above": 1024, "type": "keyword" }, "MixedDomainMode": { "ignore_above": 1024, "type": "keyword" }, "Detail": { "ignore_above": 1024, "type": "keyword" }, "OldSdDacl1": { "ignore_above": 1024, "type": "keyword" }, "OldSdDacl0": { "ignore_above": 1024, "type": "keyword" }, "Category": { "ignore_above": 1024, "type": "keyword" }, "TerminalSessionId": { "ignore_above": 1024, "type": "keyword" }, "OldSdDacl2": { "ignore_above": 1024, "type": "keyword" }, "ClientAddress": { "ignore_above": 1024, "type": "keyword" }, "DeviceNameLength": { "ignore_above": 1024, "type": "keyword" }, "OldSchemeGuid": { "ignore_above": 1024, "type": "keyword" }, "CreationUtcTime": { "ignore_above": 1024, "type": "keyword" }, "CallerProcessName": { "ignore_above": 1024, "type": "keyword" }, "TdoType": { "ignore_above": 1024, "type": "keyword" }, "Reason": { "ignore_above": 1024, "type": "keyword" }, "ServiceFileName": { "ignore_above": 1024, "type": "keyword" }, "DisplayName": { "ignore_above": 1024, "type": "keyword" }, "BuildVersion": { "ignore_above": 1024, "type": "keyword" }, "SubjectDomainName": { "ignore_above": 1024, "type": "keyword" }, "MinimumPerformancePercent": { "ignore_above": 1024, "type": "keyword" }, "LogonId": { "ignore_above": 1024, "type": "keyword" }, "LogonProcessName": { "ignore_above": 1024, "type": "keyword" }, "TSId": { "ignore_above": 1024, "type": "keyword" }, "PrivilegeList": { "ignore_above": 1024, "type": "keyword" }, "param7": { "ignore_above": 1024, "type": "keyword" }, "param8": { "ignore_above": 1024, "type": "keyword" }, "param5": { "ignore_above": 1024, "type": "keyword" }, "param6": { "ignore_above": 1024, "type": "keyword" }, "Service": { "ignore_above": 1024, "type": "keyword" }, "TdoDirection": { "ignore_above": 1024, "type": "keyword" }, "param3": { "ignore_above": 1024, "type": "keyword" }, "param4": { "ignore_above": 1024, "type": "keyword" }, "param1": { "ignore_above": 1024, "type": "keyword" }, "param2": { "ignore_above": 1024, "type": "keyword" }, "CommandLine": { "ignore_above": 1024, "type": "keyword" }, "SubjectUserName": { "ignore_above": 1024, "type": "keyword" }, "UserAccountControl": { "ignore_above": 1024, "type": "keyword" }, "OemInformation": { "ignore_above": 1024, "type": "keyword" }, "FailureName": { "ignore_above": 1024, "type": "keyword" }, "Signature": { "ignore_above": 1024, "type": "keyword" }, "SubCategory": { "ignore_above": 1024, "type": "keyword" }, "ServiceSid": { "ignore_above": 1024, "type": "keyword" }, "ProcessId": { "ignore_above": 1024, "type": "keyword" }, "EntryCount": { "ignore_above": 1024, "type": "keyword" }, "LogonID": { "ignore_above": 1024, "type": "keyword" }, "BitlockerUserInputTime": { "ignore_above": 1024, "type": "keyword" } } }, "opcode": { "ignore_above": 1024, "type": "keyword" }, "provider_guid": { "ignore_above": 1024, "type": "keyword" }, "activity_id": { "ignore_above": 1024, "type": "keyword" }, "time_created": { "ignore_above": 1024, "type": "keyword" }, "trustDirection": { "ignore_above": 1024, "type": "keyword" }, "api": { "ignore_above": 1024, "type": "keyword" }, "provider_name": { "ignore_above": 1024, "type": "keyword" }, "outcome": { "ignore_above": 1024, "type": "keyword" }, "computer_name": { "ignore_above": 1024, "type": "keyword" }, "process": { "properties": { "pid": { "type": "long" }, "thread": { "properties": { "id": { "type": "long" } } } } }, "trustAttribute": { "ignore_above": 1024, "type": "keyword" }, "level": { "ignore_above": 1024, "type": "keyword" }, "computerObject": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "user_data": { "properties": { "SubjectUserName": { "ignore_above": 1024, "type": "keyword" }, "BackupPath": { "ignore_above": 1024, "type": "keyword" }, "Channel": { "ignore_above": 1024, "type": "keyword" }, "SubjectDomainName": { "ignore_above": 1024, "type": "keyword" }, "SubjectLogonId": { "ignore_above": 1024, "type": "keyword" }, "SubjectUserSid": { "ignore_above": 1024, "type": "keyword" }, "xml_name": { "ignore_above": 1024, "type": "keyword" } } }, "version": { "type": "long" }, "record_id": { "ignore_above": 1024, "type": "keyword" }, "event_id": { "ignore_above": 1024, "type": "keyword" }, "task": { "ignore_above": 1024, "type": "keyword" }, "trustType": { "ignore_above": 1024, "type": "keyword" }, "user": { "properties": { "identifier": { "ignore_above": 1024, "type": "keyword" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } } } } }, "log": { "properties": { "file": { "properties": { "path": { "ignore_above": 1024, "type": "keyword" } } }, "level": { "ignore_above": 1024, "type": "keyword" } } }, "source": { "properties": { "port": { "type": "long" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "ip": { "type": "ip" } } }, "message": { "type": "match_only_text" }, "tags": { "ignore_above": 1024, "type": "keyword" }, "cloud": { "properties": { "availability_zone": { "ignore_above": 1024, "type": "keyword" }, "image": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } }, "instance": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "provider": { "ignore_above": 1024, "type": "keyword" }, "machine": { "properties": { "type": { "ignore_above": 1024, "type": "keyword" } } }, "project": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } }, "region": { "ignore_above": 1024, "type": "keyword" }, "account": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } } } }, "input": { "properties": { "type": { "ignore_above": 1024, "type": "keyword" } } }, "@timestamp": { "type": "date" }, "ecs": { "properties": { "version": { "ignore_above": 1024, "type": "keyword" } } }, "related": { "properties": { "hosts": { "ignore_above": 1024, "type": "keyword" }, "ip": { "type": "ip" }, "user": { "ignore_above": 1024, "type": "keyword" }, "hash": { "ignore_above": 1024, "type": "keyword" } } }, "data_stream": { "properties": { "namespace": { "type": "constant_keyword" }, "type": { "type": "constant_keyword", "value": "logs" }, "dataset": { "type": "constant_keyword" } } }, "service": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } } }, "host": { "properties": { "hostname": { "ignore_above": 1024, "type": "keyword" }, "os": { "properties": { "build": { "ignore_above": 1024, "type": "keyword" }, "kernel": { "ignore_above": 1024, "type": "keyword" }, "codename": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "text": { "type": "text" } } }, "family": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" }, "platform": { "ignore_above": 1024, "type": "keyword" } } }, "domain": { "ignore_above": 1024, "type": "keyword" }, "ip": { "type": "ip" }, "containerized": { "type": "boolean" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "mac": { "ignore_above": 1024, "type": "keyword" }, "architecture": { "ignore_above": 1024, "type": "keyword" } } }, "event": { "properties": { "sequence": { "type": "long" }, "ingested": { "type": "date" }, "code": { "ignore_above": 1024, "type": "keyword" }, "provider": { "ignore_above": 1024, "type": "keyword" }, "created": { "type": "date" }, "kind": { "ignore_above": 1024, "type": "keyword" }, "module": { "type": "constant_keyword", "value": "system" }, "action": { "ignore_above": 1024, "type": "keyword" }, "category": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "dataset": { "type": "constant_keyword", "value": "system.security" }, "outcome": { "ignore_above": 1024, "type": "keyword" } } }, "user": { "properties": { "effective": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "changes": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" } } }, "id": { "ignore_above": 1024, "type": "keyword" }, "target": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "group": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } } } } } }, "group": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } } } } }, "_meta": { "package": { "name": "system" }, "managed_by": "fleet", "managed": true } }