{ "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", "ecs_version": "1.12.2" }, "template": { "mappings": { "dynamic_templates": [ { "winlog.event_data": { "mapping": { "type": "keyword" }, "match_mapping_type": "string", "path_match": "winlog.event_data.*" } }, { "winlog.user_data": { "mapping": { "type": "keyword" }, "match_mapping_type": "string", "path_match": "winlog.user_data.*" } } ], "properties": { "winlog": { "properties": { "activity_id": { "ignore_above": 1024, "type": "keyword" }, "api": { "ignore_above": 1024, "type": "keyword" }, "channel": { "ignore_above": 1024, "type": "keyword" }, "computer_name": { "ignore_above": 1024, "type": "keyword" }, "event_data": { "properties": { "AuthenticationPackageName": { "ignore_above": 1024, "type": "keyword" }, "Binary": { "ignore_above": 1024, "type": "keyword" }, "BitlockerUserInputTime": { "ignore_above": 1024, "type": "keyword" }, "BootMode": { "ignore_above": 1024, "type": "keyword" }, "BootType": { "ignore_above": 1024, "type": "keyword" }, "BuildVersion": { "ignore_above": 1024, "type": "keyword" }, "Company": { "ignore_above": 1024, "type": "keyword" }, "CorruptionActionState": { "ignore_above": 1024, "type": "keyword" }, "CreationUtcTime": { "ignore_above": 1024, "type": "keyword" }, "Description": { "ignore_above": 1024, "type": "keyword" }, "Detail": { "ignore_above": 1024, "type": "keyword" }, "DeviceName": { "ignore_above": 1024, "type": "keyword" }, "DeviceNameLength": { "ignore_above": 1024, "type": "keyword" }, "DeviceTime": { "ignore_above": 1024, "type": "keyword" }, "DeviceVersionMajor": { "ignore_above": 1024, "type": "keyword" }, "DeviceVersionMinor": { "ignore_above": 1024, "type": "keyword" }, "DriveName": { "ignore_above": 1024, "type": "keyword" }, "DriverName": { "ignore_above": 1024, "type": "keyword" }, "DriverNameLength": { "ignore_above": 1024, "type": "keyword" }, "DwordVal": { "ignore_above": 1024, "type": "keyword" }, "EntryCount": { "ignore_above": 1024, "type": "keyword" }, "ExtraInfo": { "ignore_above": 1024, "type": "keyword" }, "FailureName": { "ignore_above": 1024, "type": "keyword" }, "FailureNameLength": { "ignore_above": 1024, "type": "keyword" }, "FileVersion": { "ignore_above": 1024, "type": "keyword" }, "FinalStatus": { "ignore_above": 1024, "type": "keyword" }, "Group": { "ignore_above": 1024, "type": "keyword" }, "IdleImplementation": { "ignore_above": 1024, "type": "keyword" }, "IdleStateCount": { "ignore_above": 1024, "type": "keyword" }, "ImpersonationLevel": { "ignore_above": 1024, "type": "keyword" }, "IntegrityLevel": { "ignore_above": 1024, "type": "keyword" }, "IpAddress": { "ignore_above": 1024, "type": "keyword" }, "IpPort": { "ignore_above": 1024, "type": "keyword" }, "KeyLength": { "ignore_above": 1024, "type": "keyword" }, "LastBootGood": { "ignore_above": 1024, "type": "keyword" }, "LastShutdownGood": { "ignore_above": 1024, "type": "keyword" }, "LmPackageName": { "ignore_above": 1024, "type": "keyword" }, "LogonGuid": { "ignore_above": 1024, "type": "keyword" }, "LogonId": { "ignore_above": 1024, "type": "keyword" }, "LogonProcessName": { "ignore_above": 1024, "type": "keyword" }, "LogonType": { "ignore_above": 1024, "type": "keyword" }, "MajorVersion": { "ignore_above": 1024, "type": "keyword" }, "MaximumPerformancePercent": { "ignore_above": 1024, "type": "keyword" }, "MemberName": { "ignore_above": 1024, "type": "keyword" }, "MemberSid": { "ignore_above": 1024, "type": "keyword" }, "MinimumPerformancePercent": { "ignore_above": 1024, "type": "keyword" }, "MinimumThrottlePercent": { "ignore_above": 1024, "type": "keyword" }, "MinorVersion": { "ignore_above": 1024, "type": "keyword" }, "NewProcessId": { "ignore_above": 1024, "type": "keyword" }, "NewProcessName": { "ignore_above": 1024, "type": "keyword" }, "NewSchemeGuid": { "ignore_above": 1024, "type": "keyword" }, "NewTime": { "ignore_above": 1024, "type": "keyword" }, "NominalFrequency": { "ignore_above": 1024, "type": "keyword" }, "Number": { "ignore_above": 1024, "type": "keyword" }, "OldSchemeGuid": { "ignore_above": 1024, "type": "keyword" }, "OldTime": { "ignore_above": 1024, "type": "keyword" }, "OriginalFileName": { "ignore_above": 1024, "type": "keyword" }, "Path": { "ignore_above": 1024, "type": "keyword" }, "PerformanceImplementation": { "ignore_above": 1024, "type": "keyword" }, "PreviousCreationUtcTime": { "ignore_above": 1024, "type": "keyword" }, "PreviousTime": { "ignore_above": 1024, "type": "keyword" }, "PrivilegeList": { "ignore_above": 1024, "type": "keyword" }, "ProcessId": { "ignore_above": 1024, "type": "keyword" }, "ProcessName": { "ignore_above": 1024, "type": "keyword" }, "ProcessPath": { "ignore_above": 1024, "type": "keyword" }, "ProcessPid": { "ignore_above": 1024, "type": "keyword" }, "Product": { "ignore_above": 1024, "type": "keyword" }, "PuaCount": { "ignore_above": 1024, "type": "keyword" }, "PuaPolicyId": { "ignore_above": 1024, "type": "keyword" }, "QfeVersion": { "ignore_above": 1024, "type": "keyword" }, "Reason": { "ignore_above": 1024, "type": "keyword" }, "SchemaVersion": { "ignore_above": 1024, "type": "keyword" }, "ScriptBlockText": { "ignore_above": 1024, "type": "keyword" }, "ServiceName": { "ignore_above": 1024, "type": "keyword" }, "ServiceVersion": { "ignore_above": 1024, "type": "keyword" }, "ShutdownActionType": { "ignore_above": 1024, "type": "keyword" }, "ShutdownEventCode": { "ignore_above": 1024, "type": "keyword" }, "ShutdownReason": { "ignore_above": 1024, "type": "keyword" }, "Signature": { "ignore_above": 1024, "type": "keyword" }, "SignatureStatus": { "ignore_above": 1024, "type": "keyword" }, "Signed": { "ignore_above": 1024, "type": "keyword" }, "StartTime": { "ignore_above": 1024, "type": "keyword" }, "State": { "ignore_above": 1024, "type": "keyword" }, "Status": { "ignore_above": 1024, "type": "keyword" }, "StopTime": { "ignore_above": 1024, "type": "keyword" }, "SubjectDomainName": { "ignore_above": 1024, "type": "keyword" }, "SubjectLogonId": { "ignore_above": 1024, "type": "keyword" }, "SubjectUserName": { "ignore_above": 1024, "type": "keyword" }, "SubjectUserSid": { "ignore_above": 1024, "type": "keyword" }, "TSId": { "ignore_above": 1024, "type": "keyword" }, "TargetDomainName": { "ignore_above": 1024, "type": "keyword" }, "TargetInfo": { "ignore_above": 1024, "type": "keyword" }, "TargetLogonGuid": { "ignore_above": 1024, "type": "keyword" }, "TargetLogonId": { "ignore_above": 1024, "type": "keyword" }, "TargetServerName": { "ignore_above": 1024, "type": "keyword" }, "TargetUserName": { "ignore_above": 1024, "type": "keyword" }, "TargetUserSid": { "ignore_above": 1024, "type": "keyword" }, "TerminalSessionId": { "ignore_above": 1024, "type": "keyword" }, "TokenElevationType": { "ignore_above": 1024, "type": "keyword" }, "TransmittedServices": { "ignore_above": 1024, "type": "keyword" }, "UserSid": { "ignore_above": 1024, "type": "keyword" }, "Version": { "ignore_above": 1024, "type": "keyword" }, "Workstation": { "ignore_above": 1024, "type": "keyword" }, "param1": { "ignore_above": 1024, "type": "keyword" }, "param2": { "ignore_above": 1024, "type": "keyword" }, "param3": { "ignore_above": 1024, "type": "keyword" }, "param4": { "ignore_above": 1024, "type": "keyword" }, "param5": { "ignore_above": 1024, "type": "keyword" }, "param6": { "ignore_above": 1024, "type": "keyword" }, "param7": { "ignore_above": 1024, "type": "keyword" }, "param8": { "ignore_above": 1024, "type": "keyword" } } }, "event_id": { "ignore_above": 1024, "type": "keyword" }, "keywords": { "ignore_above": 1024, "type": "keyword" }, "logon": { "properties": { "failure": { "properties": { "reason": { "ignore_above": 1024, "type": "keyword" }, "status": { "ignore_above": 1024, "type": "keyword" }, "sub_status": { "ignore_above": 1024, "type": "keyword" } } }, "id": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } } }, "opcode": { "ignore_above": 1024, "type": "keyword" }, "process": { "properties": { "pid": { "type": "long" }, "thread": { "properties": { "id": { "type": "long" } } } } }, "provider_guid": { "ignore_above": 1024, "type": "keyword" }, "provider_name": { "ignore_above": 1024, "type": "keyword" }, "record_id": { "ignore_above": 1024, "type": "keyword" }, "related_activity_id": { "ignore_above": 1024, "type": "keyword" }, "task": { "ignore_above": 1024, "type": "keyword" }, "time_created": { "type": "date" }, "user": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "identifier": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } } }, "user_data": { "type": "object" }, "version": { "type": "long" } } } } } } }