{ "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", "ecs_version": "1.12.2" }, "template": { "mappings": { "properties": { "o365": { "properties": { "audit": { "properties": { "AADGroupId": { "ignore_above": 1024, "type": "keyword" }, "ActorContextId": { "ignore_above": 1024, "type": "keyword" }, "ActorIpAddress": { "ignore_above": 1024, "type": "keyword" }, "ActorUserId": { "ignore_above": 1024, "type": "keyword" }, "ActorYammerUserId": { "ignore_above": 1024, "type": "keyword" }, "AlertEntityId": { "ignore_above": 1024, "type": "keyword" }, "AlertId": { "ignore_above": 1024, "type": "keyword" }, "AlertType": { "ignore_above": 1024, "type": "keyword" }, "AppId": { "ignore_above": 1024, "type": "keyword" }, "ApplicationDisplayName": { "ignore_above": 1024, "type": "keyword" }, "ApplicationId": { "ignore_above": 1024, "type": "keyword" }, "AzureActiveDirectoryEventType": { "ignore_above": 1024, "type": "keyword" }, "Category": { "ignore_above": 1024, "type": "keyword" }, "ClientAppId": { "ignore_above": 1024, "type": "keyword" }, "ClientIP": { "ignore_above": 1024, "type": "keyword" }, "ClientIPAddress": { "ignore_above": 1024, "type": "keyword" }, "ClientInfoString": { "ignore_above": 1024, "type": "keyword" }, "Comments": { "norms": false, "type": "text" }, "CommunicationType": { "ignore_above": 1024, "type": "keyword" }, "CorrelationId": { "ignore_above": 1024, "type": "keyword" }, "CreationTime": { "ignore_above": 1024, "type": "keyword" }, "CustomUniqueId": { "ignore_above": 1024, "type": "keyword" }, "Data": { "ignore_above": 1024, "type": "keyword" }, "DataType": { "ignore_above": 1024, "type": "keyword" }, "DoNotDistributeEvent": { "type": "boolean" }, "EntityType": { "ignore_above": 1024, "type": "keyword" }, "ErrorNumber": { "ignore_above": 1024, "type": "keyword" }, "EventData": { "ignore_above": 1024, "type": "keyword" }, "EventSource": { "ignore_above": 1024, "type": "keyword" }, "ExceptionInfo": { "properties": { "*": { "type": "object" } } }, "ExchangeMetaData": { "properties": { "*": { "type": "object" } } }, "ExtendedProperties": { "properties": { "*": { "type": "object" } } }, "ExternalAccess": { "ignore_above": 1024, "type": "keyword" }, "FromApp": { "type": "boolean" }, "GroupName": { "ignore_above": 1024, "type": "keyword" }, "Id": { "ignore_above": 1024, "type": "keyword" }, "ImplicitShare": { "ignore_above": 1024, "type": "keyword" }, "IncidentId": { "ignore_above": 1024, "type": "keyword" }, "InterSystemsId": { "ignore_above": 1024, "type": "keyword" }, "InternalLogonType": { "ignore_above": 1024, "type": "keyword" }, "IntraSystemId": { "ignore_above": 1024, "type": "keyword" }, "IsDocLib": { "type": "boolean" }, "Item": { "properties": { "*": { "properties": { "*": { "type": "object" } }, "type": "object" } } }, "ItemCount": { "type": "long" }, "ItemName": { "ignore_above": 1024, "type": "keyword" }, "ItemType": { "ignore_above": 1024, "type": "keyword" }, "ListBaseTemplateType": { "ignore_above": 1024, "type": "keyword" }, "ListBaseType": { "ignore_above": 1024, "type": "keyword" }, "ListColor": { "ignore_above": 1024, "type": "keyword" }, "ListIcon": { "ignore_above": 1024, "type": "keyword" }, "ListId": { "ignore_above": 1024, "type": "keyword" }, "ListItemUniqueId": { "ignore_above": 1024, "type": "keyword" }, "ListTitle": { "ignore_above": 1024, "type": "keyword" }, "LogonError": { "ignore_above": 1024, "type": "keyword" }, "LogonType": { "ignore_above": 1024, "type": "keyword" }, "LogonUserSid": { "ignore_above": 1024, "type": "keyword" }, "MailboxGuid": { "ignore_above": 1024, "type": "keyword" }, "MailboxOwnerMasterAccountSid": { "ignore_above": 1024, "type": "keyword" }, "MailboxOwnerSid": { "ignore_above": 1024, "type": "keyword" }, "MailboxOwnerUPN": { "ignore_above": 1024, "type": "keyword" }, "Members": { "properties": { "*": { "type": "object" } } }, "ModifiedProperties": { "properties": { "*": { "properties": { "*": { "type": "object" } } } } }, "Name": { "ignore_above": 1024, "type": "keyword" }, "ObjectId": { "ignore_above": 1024, "type": "keyword" }, "Operation": { "ignore_above": 1024, "type": "keyword" }, "OrganizationId": { "ignore_above": 1024, "type": "keyword" }, "OrganizationName": { "ignore_above": 1024, "type": "keyword" }, "OriginatingServer": { "ignore_above": 1024, "type": "keyword" }, "Parameters": { "properties": { "*": { "type": "object" } } }, "PolicyId": { "ignore_above": 1024, "type": "keyword" }, "RecordType": { "ignore_above": 1024, "type": "keyword" }, "ResultStatus": { "ignore_above": 1024, "type": "keyword" }, "SensitiveInfoDetectionIsIncluded": { "ignore_above": 1024, "type": "keyword" }, "SessionId": { "ignore_above": 1024, "type": "keyword" }, "Severity": { "ignore_above": 1024, "type": "keyword" }, "SharePointMetaData": { "properties": { "*": { "type": "object" } } }, "Site": { "ignore_above": 1024, "type": "keyword" }, "SiteUrl": { "ignore_above": 1024, "type": "keyword" }, "Source": { "ignore_above": 1024, "type": "keyword" }, "SourceFileExtension": { "ignore_above": 1024, "type": "keyword" }, "SourceFileName": { "ignore_above": 1024, "type": "keyword" }, "SourceRelativeUrl": { "ignore_above": 1024, "type": "keyword" }, "Status": { "ignore_above": 1024, "type": "keyword" }, "SupportTicketId": { "ignore_above": 1024, "type": "keyword" }, "TargetContextId": { "ignore_above": 1024, "type": "keyword" }, "TargetUserOrGroupName": { "ignore_above": 1024, "type": "keyword" }, "TargetUserOrGroupType": { "ignore_above": 1024, "type": "keyword" }, "TeamGuid": { "ignore_above": 1024, "type": "keyword" }, "TeamName": { "ignore_above": 1024, "type": "keyword" }, "TemplateTypeId": { "ignore_above": 1024, "type": "keyword" }, "UniqueSharingId": { "ignore_above": 1024, "type": "keyword" }, "UserAgent": { "ignore_above": 1024, "type": "keyword" }, "UserId": { "ignore_above": 1024, "type": "keyword" }, "UserKey": { "ignore_above": 1024, "type": "keyword" }, "UserType": { "ignore_above": 1024, "type": "keyword" }, "Version": { "ignore_above": 1024, "type": "keyword" }, "WebId": { "ignore_above": 1024, "type": "keyword" }, "Workload": { "ignore_above": 1024, "type": "keyword" }, "YammerNetworkId": { "ignore_above": 1024, "type": "keyword" } } } } } } } } }