{ "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", "ecs_version": "1.12.2" }, "template": { "mappings": { "properties": { "cef": { "properties": { "device": { "properties": { "event_class_id": { "ignore_above": 1024, "type": "keyword" }, "product": { "ignore_above": 1024, "type": "keyword" }, "vendor": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "extensions": { "properties": { "Reason": { "ignore_above": 1024, "type": "keyword" }, "agentAddress": { "type": "ip" }, "agentDnsDomain": { "ignore_above": 1024, "type": "keyword" }, "agentHostName": { "ignore_above": 1024, "type": "keyword" }, "agentId": { "ignore_above": 1024, "type": "keyword" }, "agentMacAddress": { "ignore_above": 1024, "type": "keyword" }, "agentNtDomain": { "ignore_above": 1024, "type": "keyword" }, "agentReceiptTime": { "type": "date" }, "agentTimeZone": { "ignore_above": 1024, "type": "keyword" }, "agentTranslatedAddress": { "type": "ip" }, "agentTranslatedZoneExternalID": { "ignore_above": 1024, "type": "keyword" }, "agentTranslatedZoneURI": { "ignore_above": 1024, "type": "keyword" }, "agentType": { "ignore_above": 1024, "type": "keyword" }, "agentVersion": { "ignore_above": 1024, "type": "keyword" }, "agentZoneExternalID": { "ignore_above": 1024, "type": "keyword" }, "agentZoneURI": { "ignore_above": 1024, "type": "keyword" }, "applicationProtocol": { "ignore_above": 1024, "type": "keyword" }, "baseEventCount": { "type": "long" }, "bytesIn": { "type": "long" }, "bytesOut": { "type": "long" }, "categoryBehavior": { "ignore_above": 1024, "type": "keyword" }, "categoryDeviceGroup": { "ignore_above": 1024, "type": "keyword" }, "categoryDeviceType": { "ignore_above": 1024, "type": "keyword" }, "categoryObject": { "ignore_above": 1024, "type": "keyword" }, "categoryOutcome": { "ignore_above": 1024, "type": "keyword" }, "categorySignificance": { "ignore_above": 1024, "type": "keyword" }, "categoryTechnique": { "ignore_above": 1024, "type": "keyword" }, "cp_app_risk": { "ignore_above": 1024, "type": "keyword" }, "cp_severity": { "ignore_above": 1024, "type": "keyword" }, "customerExternalID": { "ignore_above": 1024, "type": "keyword" }, "customerURI": { "ignore_above": 1024, "type": "keyword" }, "destinationAddress": { "type": "ip" }, "destinationDnsDomain": { "ignore_above": 1024, "type": "keyword" }, "destinationGeoLatitude": { "type": "double" }, "destinationGeoLongitude": { "type": "double" }, "destinationHostName": { "ignore_above": 1024, "type": "keyword" }, "destinationMacAddress": { "ignore_above": 1024, "type": "keyword" }, "destinationNtDomain": { "ignore_above": 1024, "type": "keyword" }, "destinationPort": { "type": "long" }, "destinationProcessId": { "type": "long" }, "destinationProcessName": { "ignore_above": 1024, "type": "keyword" }, "destinationServiceName": { "ignore_above": 1024, "type": "keyword" }, "destinationTranslatedAddress": { "type": "ip" }, "destinationTranslatedPort": { "type": "long" }, "destinationTranslatedZoneExternalID": { "ignore_above": 1024, "type": "keyword" }, "destinationTranslatedZoneURI": { "ignore_above": 1024, "type": "keyword" }, "destinationUserId": { "ignore_above": 1024, "type": "keyword" }, "destinationUserName": { "ignore_above": 1024, "type": "keyword" }, "destinationUserPrivileges": { "ignore_above": 1024, "type": "keyword" }, "destinationZoneExternalID": { "ignore_above": 1024, "type": "keyword" }, "destinationZoneURI": { "ignore_above": 1024, "type": "keyword" }, "deviceAction": { "ignore_above": 1024, "type": "keyword" }, "deviceAddress": { "type": "ip" }, "deviceCustomDate1": { "type": "date" }, "deviceCustomDate1Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomDate2": { "type": "date" }, "deviceCustomDate2Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomFloatingPoint1": { "type": "double" }, "deviceCustomFloatingPoint1Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomFloatingPoint2": { "type": "double" }, "deviceCustomFloatingPoint2Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomFloatingPoint3": { "type": "double" }, "deviceCustomFloatingPoint3Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomFloatingPoint4": { "type": "double" }, "deviceCustomFloatingPoint4Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomIPv6Address1": { "type": "ip" }, "deviceCustomIPv6Address1Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomIPv6Address2": { "type": "ip" }, "deviceCustomIPv6Address2Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomIPv6Address3": { "type": "ip" }, "deviceCustomIPv6Address3Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomIPv6Address4": { "type": "ip" }, "deviceCustomIPv6Address4Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomNumber1": { "type": "long" }, "deviceCustomNumber1Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomNumber2": { "type": "long" }, "deviceCustomNumber2Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomNumber3": { "type": "long" }, "deviceCustomNumber3Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString1": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString1Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString2": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString2Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString3": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString3Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString4": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString4Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString5": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString5Label": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString6": { "ignore_above": 1024, "type": "keyword" }, "deviceCustomString6Label": { "ignore_above": 1024, "type": "keyword" }, "deviceDirection": { "type": "long" }, "deviceDnsDomain": { "ignore_above": 1024, "type": "keyword" }, "deviceEventCategory": { "ignore_above": 1024, "type": "keyword" }, "deviceExternalId": { "ignore_above": 1024, "type": "keyword" }, "deviceFacility": { "ignore_above": 1024, "type": "keyword" }, "deviceFlexNumber1": { "type": "long" }, "deviceFlexNumber1Label": { "ignore_above": 1024, "type": "keyword" }, "deviceFlexNumber2": { "type": "long" }, "deviceFlexNumber2Label": { "ignore_above": 1024, "type": "keyword" }, "deviceHostName": { "ignore_above": 1024, "type": "keyword" }, "deviceInboundInterface": { "ignore_above": 1024, "type": "keyword" }, "deviceMacAddress": { "ignore_above": 1024, "type": "keyword" }, "deviceNtDomain": { "ignore_above": 1024, "type": "keyword" }, "deviceOutboundInterface": { "ignore_above": 1024, "type": "keyword" }, "devicePayloadId": { "ignore_above": 1024, "type": "keyword" }, "deviceProcessId": { "type": "long" }, "deviceProcessName": { "ignore_above": 1024, "type": "keyword" }, "deviceReceiptTime": { "type": "date" }, "deviceTimeZone": { "ignore_above": 1024, "type": "keyword" }, "deviceTranslatedAddress": { "type": "ip" }, "deviceTranslatedZoneExternalID": { "ignore_above": 1024, "type": "keyword" }, "deviceTranslatedZoneURI": { "ignore_above": 1024, "type": "keyword" }, "deviceZoneExternalID": { "ignore_above": 1024, "type": "keyword" }, "deviceZoneURI": { "ignore_above": 1024, "type": "keyword" }, "endTime": { "type": "date" }, "eventId": { "type": "long" }, "eventOutcome": { "ignore_above": 1024, "type": "keyword" }, "externalId": { "ignore_above": 1024, "type": "keyword" }, "fileCreateTime": { "type": "date" }, "fileHash": { "ignore_above": 1024, "type": "keyword" }, "fileId": { "ignore_above": 1024, "type": "keyword" }, "fileModificationTime": { "type": "date" }, "filePath": { "ignore_above": 1024, "type": "keyword" }, "filePermission": { "ignore_above": 1024, "type": "keyword" }, "fileSize": { "type": "long" }, "fileType": { "ignore_above": 1024, "type": "keyword" }, "filename": { "ignore_above": 1024, "type": "keyword" }, "flexDate1": { "type": "date" }, "flexDate1Label": { "ignore_above": 1024, "type": "keyword" }, "flexString1": { "ignore_above": 1024, "type": "keyword" }, "flexString1Label": { "ignore_above": 1024, "type": "keyword" }, "flexString2": { "ignore_above": 1024, "type": "keyword" }, "flexString2Label": { "ignore_above": 1024, "type": "keyword" }, "ifname": { "ignore_above": 1024, "type": "keyword" }, "inzone": { "ignore_above": 1024, "type": "keyword" }, "layer_name": { "ignore_above": 1024, "type": "keyword" }, "layer_uuid": { "ignore_above": 1024, "type": "keyword" }, "logid": { "ignore_above": 1024, "type": "keyword" }, "loguid": { "ignore_above": 1024, "type": "keyword" }, "managerReceiptTime": { "type": "date" }, "match_id": { "ignore_above": 1024, "type": "keyword" }, "message": { "ignore_above": 1024, "type": "keyword" }, "nat_addtnl_rulenum": { "ignore_above": 1024, "type": "keyword" }, "nat_rulenum": { "ignore_above": 1024, "type": "keyword" }, "oldFileCreateTime": { "type": "date" }, "oldFileHash": { "ignore_above": 1024, "type": "keyword" }, "oldFileId": { "ignore_above": 1024, "type": "keyword" }, "oldFileModificationTime": { "type": "date" }, "oldFileName": { "ignore_above": 1024, "type": "keyword" }, "oldFilePath": { "ignore_above": 1024, "type": "keyword" }, "oldFilePermission": { "ignore_above": 1024, "type": "keyword" }, "oldFileSize": { "type": "long" }, "oldFileType": { "ignore_above": 1024, "type": "keyword" }, "origin": { "ignore_above": 1024, "type": "keyword" }, "originsicname": { "ignore_above": 1024, "type": "keyword" }, "outzone": { "ignore_above": 1024, "type": "keyword" }, "parent_rule": { "ignore_above": 1024, "type": "keyword" }, "product": { "ignore_above": 1024, "type": "keyword" }, "rawEvent": { "ignore_above": 1024, "type": "keyword" }, "requestClientApplication": { "ignore_above": 1024, "type": "keyword" }, "requestContext": { "ignore_above": 1024, "type": "keyword" }, "requestCookies": { "ignore_above": 1024, "type": "keyword" }, "requestMethod": { "ignore_above": 1024, "type": "keyword" }, "requestUrl": { "ignore_above": 1024, "type": "keyword" }, "rule_action": { "ignore_above": 1024, "type": "keyword" }, "rule_uid": { "ignore_above": 1024, "type": "keyword" }, "sequencenum": { "ignore_above": 1024, "type": "keyword" }, "service_id": { "ignore_above": 1024, "type": "keyword" }, "sourceAddress": { "type": "ip" }, "sourceDnsDomain": { "ignore_above": 1024, "type": "keyword" }, "sourceGeoLatitude": { "type": "double" }, "sourceGeoLongitude": { "type": "double" }, "sourceHostName": { "ignore_above": 1024, "type": "keyword" }, "sourceMacAddress": { "ignore_above": 1024, "type": "keyword" }, "sourceNtDomain": { "ignore_above": 1024, "type": "keyword" }, "sourcePort": { "type": "long" }, "sourceProcessId": { "type": "long" }, "sourceProcessName": { "ignore_above": 1024, "type": "keyword" }, "sourceServiceName": { "ignore_above": 1024, "type": "keyword" }, "sourceTranslatedAddress": { "type": "ip" }, "sourceTranslatedPort": { "type": "long" }, "sourceTranslatedZoneExternalID": { "ignore_above": 1024, "type": "keyword" }, "sourceTranslatedZoneURI": { "ignore_above": 1024, "type": "keyword" }, "sourceUserId": { "ignore_above": 1024, "type": "keyword" }, "sourceUserName": { "ignore_above": 1024, "type": "keyword" }, "sourceUserPrivileges": { "ignore_above": 1024, "type": "keyword" }, "sourceZoneExternalID": { "ignore_above": 1024, "type": "keyword" }, "sourceZoneURI": { "ignore_above": 1024, "type": "keyword" }, "startTime": { "type": "date" }, "transportProtocol": { "ignore_above": 1024, "type": "keyword" }, "type": { "type": "long" }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "severity": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" } } } } } } }