{ "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", "ecs_version": "1.12.2" }, "template": { "mappings": { "properties": { "zeek": { "properties": { "capture_loss": { "properties": { "acks": { "type": "long" }, "gaps": { "type": "long" }, "peer": { "ignore_above": 1024, "type": "keyword" }, "percent_lost": { "type": "double" }, "ts_delta": { "type": "long" } } }, "connection": { "properties": { "history": { "ignore_above": 1024, "type": "keyword" }, "icmp": { "properties": { "code": { "type": "long" }, "type": { "type": "long" } } }, "inner_vlan": { "type": "long" }, "local_orig": { "type": "boolean" }, "local_resp": { "type": "boolean" }, "missed_bytes": { "type": "long" }, "state": { "ignore_above": 1024, "type": "keyword" }, "state_message": { "ignore_above": 1024, "type": "keyword" }, "vlan": { "type": "long" } } }, "dce_rpc": { "properties": { "endpoint": { "ignore_above": 1024, "type": "keyword" }, "named_pipe": { "ignore_above": 1024, "type": "keyword" }, "operation": { "ignore_above": 1024, "type": "keyword" }, "rtt": { "type": "long" } } }, "dhcp": { "properties": { "address": { "properties": { "assigned": { "type": "ip" }, "client": { "type": "ip" }, "mac": { "ignore_above": 1024, "type": "keyword" }, "requested": { "type": "ip" }, "server": { "type": "ip" } } }, "client_fqdn": { "ignore_above": 1024, "type": "keyword" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "duration": { "type": "double" }, "hostname": { "ignore_above": 1024, "type": "keyword" }, "id": { "properties": { "circuit": { "ignore_above": 1024, "type": "keyword" }, "remote_agent": { "ignore_above": 1024, "type": "keyword" }, "subscriber": { "ignore_above": 1024, "type": "keyword" } } }, "lease_time": { "type": "long" }, "msg": { "properties": { "client": { "ignore_above": 1024, "type": "keyword" }, "origin": { "type": "ip" }, "server": { "ignore_above": 1024, "type": "keyword" }, "types": { "ignore_above": 1024, "type": "keyword" } } }, "software": { "properties": { "client": { "ignore_above": 1024, "type": "keyword" }, "server": { "ignore_above": 1024, "type": "keyword" } } } } }, "dnp3": { "properties": { "function": { "properties": { "reply": { "ignore_above": 1024, "type": "keyword" }, "request": { "ignore_above": 1024, "type": "keyword" } } }, "id": { "type": "long" } } }, "dns": { "properties": { "AA": { "type": "boolean" }, "RA": { "type": "boolean" }, "RD": { "type": "boolean" }, "TC": { "type": "boolean" }, "TTLs": { "type": "double" }, "answers": { "ignore_above": 1024, "type": "keyword" }, "qclass": { "type": "long" }, "qclass_name": { "ignore_above": 1024, "type": "keyword" }, "qtype": { "type": "long" }, "qtype_name": { "ignore_above": 1024, "type": "keyword" }, "query": { "ignore_above": 1024, "type": "keyword" }, "rcode": { "type": "long" }, "rcode_name": { "ignore_above": 1024, "type": "keyword" }, "rejected": { "type": "boolean" }, "rtt": { "type": "double" }, "saw_query": { "type": "boolean" }, "saw_reply": { "type": "boolean" }, "total_answers": { "type": "long" }, "total_replies": { "type": "long" }, "trans_id": { "ignore_above": 1024, "type": "keyword" } } }, "dpd": { "properties": { "analyzer": { "ignore_above": 1024, "type": "keyword" }, "failure_reason": { "ignore_above": 1024, "type": "keyword" }, "packet_segment": { "ignore_above": 1024, "type": "keyword" } } }, "files": { "properties": { "analyzers": { "ignore_above": 1024, "type": "keyword" }, "depth": { "type": "long" }, "duration": { "type": "double" }, "entropy": { "type": "double" }, "extracted": { "ignore_above": 1024, "type": "keyword" }, "extracted_cutoff": { "type": "boolean" }, "extracted_size": { "type": "long" }, "filename": { "ignore_above": 1024, "type": "keyword" }, "fuid": { "ignore_above": 1024, "type": "keyword" }, "is_orig": { "type": "boolean" }, "local_orig": { "type": "boolean" }, "md5": { "ignore_above": 1024, "type": "keyword" }, "mime_type": { "ignore_above": 1024, "type": "keyword" }, "missing_bytes": { "type": "long" }, "overflow_bytes": { "type": "long" }, "parent_fuid": { "ignore_above": 1024, "type": "keyword" }, "rx_host": { "type": "ip" }, "seen_bytes": { "type": "long" }, "session_ids": { "ignore_above": 1024, "type": "keyword" }, "sha1": { "ignore_above": 1024, "type": "keyword" }, "sha256": { "ignore_above": 1024, "type": "keyword" }, "source": { "ignore_above": 1024, "type": "keyword" }, "timedout": { "type": "boolean" }, "total_bytes": { "type": "long" }, "tx_host": { "type": "ip" } } }, "ftp": { "properties": { "arg": { "ignore_above": 1024, "type": "keyword" }, "capture_password": { "type": "boolean" }, "cmdarg": { "properties": { "arg": { "ignore_above": 1024, "type": "keyword" }, "cmd": { "ignore_above": 1024, "type": "keyword" }, "seq": { "type": "long" } } }, "command": { "ignore_above": 1024, "type": "keyword" }, "cwd": { "ignore_above": 1024, "type": "keyword" }, "data_channel": { "properties": { "originating_host": { "type": "ip" }, "passive": { "type": "boolean" }, "response_host": { "type": "ip" }, "response_port": { "type": "long" } } }, "file": { "properties": { "fuid": { "ignore_above": 1024, "type": "keyword" }, "mime_type": { "ignore_above": 1024, "type": "keyword" }, "size": { "type": "long" } } }, "last_auth_requested": { "ignore_above": 1024, "type": "keyword" }, "passive": { "type": "boolean" }, "password": { "ignore_above": 1024, "type": "keyword" }, "pending_commands": { "type": "long" }, "reply": { "properties": { "code": { "type": "long" }, "msg": { "ignore_above": 1024, "type": "keyword" } } }, "user": { "ignore_above": 1024, "type": "keyword" } } }, "http": { "properties": { "captured_password": { "type": "boolean" }, "client_header_names": { "ignore_above": 1024, "type": "keyword" }, "info_code": { "type": "long" }, "info_msg": { "ignore_above": 1024, "type": "keyword" }, "orig_filenames": { "ignore_above": 1024, "type": "keyword" }, "orig_fuids": { "ignore_above": 1024, "type": "keyword" }, "orig_mime_depth": { "type": "long" }, "orig_mime_types": { "ignore_above": 1024, "type": "keyword" }, "password": { "ignore_above": 1024, "type": "keyword" }, "proxied": { "ignore_above": 1024, "type": "keyword" }, "range_request": { "type": "boolean" }, "resp_filenames": { "ignore_above": 1024, "type": "keyword" }, "resp_fuids": { "ignore_above": 1024, "type": "keyword" }, "resp_mime_depth": { "type": "long" }, "resp_mime_types": { "ignore_above": 1024, "type": "keyword" }, "server_header_names": { "ignore_above": 1024, "type": "keyword" }, "status_msg": { "ignore_above": 1024, "type": "keyword" }, "tags": { "ignore_above": 1024, "type": "keyword" }, "trans_depth": { "type": "long" } } }, "intel": { "properties": { "file_desc": { "ignore_above": 1024, "type": "keyword" }, "file_mime_type": { "ignore_above": 1024, "type": "keyword" }, "fuid": { "ignore_above": 1024, "type": "keyword" }, "matched": { "ignore_above": 1024, "type": "keyword" }, "seen": { "properties": { "conn": { "ignore_above": 1024, "type": "keyword" }, "f": { "type": "object" }, "fuid": { "ignore_above": 1024, "type": "keyword" }, "host": { "ignore_above": 1024, "type": "keyword" }, "indicator": { "ignore_above": 1024, "type": "keyword" }, "indicator_type": { "ignore_above": 1024, "type": "keyword" }, "node": { "ignore_above": 1024, "type": "keyword" }, "uid": { "ignore_above": 1024, "type": "keyword" }, "where": { "ignore_above": 1024, "type": "keyword" } } }, "sources": { "ignore_above": 1024, "type": "keyword" } } }, "irc": { "properties": { "addl": { "ignore_above": 1024, "type": "keyword" }, "command": { "ignore_above": 1024, "type": "keyword" }, "dcc": { "properties": { "file": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "size": { "type": "long" } } }, "mime_type": { "ignore_above": 1024, "type": "keyword" } } }, "fuid": { "ignore_above": 1024, "type": "keyword" }, "nick": { "ignore_above": 1024, "type": "keyword" }, "user": { "ignore_above": 1024, "type": "keyword" }, "value": { "ignore_above": 1024, "type": "keyword" } } }, "kerberos": { "properties": { "cert": { "properties": { "client": { "properties": { "fuid": { "ignore_above": 1024, "type": "keyword" }, "subject": { "ignore_above": 1024, "type": "keyword" }, "value": { "ignore_above": 1024, "type": "keyword" } } }, "server": { "properties": { "fuid": { "ignore_above": 1024, "type": "keyword" }, "subject": { "ignore_above": 1024, "type": "keyword" }, "value": { "ignore_above": 1024, "type": "keyword" } } } } }, "cipher": { "ignore_above": 1024, "type": "keyword" }, "client": { "ignore_above": 1024, "type": "keyword" }, "error": { "properties": { "code": { "type": "long" }, "msg": { "ignore_above": 1024, "type": "keyword" } } }, "forwardable": { "type": "boolean" }, "renewable": { "type": "boolean" }, "request_type": { "ignore_above": 1024, "type": "keyword" }, "service": { "ignore_above": 1024, "type": "keyword" }, "success": { "type": "boolean" }, "ticket": { "properties": { "auth": { "ignore_above": 1024, "type": "keyword" }, "new": { "ignore_above": 1024, "type": "keyword" } } }, "valid": { "properties": { "days": { "type": "long" }, "from": { "type": "date" }, "until": { "type": "date" } } } } }, "modbus": { "properties": { "exception": { "ignore_above": 1024, "type": "keyword" }, "function": { "ignore_above": 1024, "type": "keyword" }, "track_address": { "type": "long" } } }, "mysql": { "properties": { "arg": { "ignore_above": 1024, "type": "keyword" }, "cmd": { "ignore_above": 1024, "type": "keyword" }, "response": { "ignore_above": 1024, "type": "keyword" }, "rows": { "type": "long" }, "success": { "type": "boolean" } } }, "notice": { "properties": { "actions": { "ignore_above": 1024, "type": "keyword" }, "connection_id": { "ignore_above": 1024, "type": "keyword" }, "dropped": { "type": "boolean" }, "email_body_sections": { "norms": false, "type": "text" }, "email_delay_tokens": { "ignore_above": 1024, "type": "keyword" }, "false": { "type": "long" }, "ffile": { "properties": { "total_bytes": { "type": "long" } } }, "file": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "is_orig": { "type": "boolean" }, "mime_type": { "ignore_above": 1024, "type": "keyword" }, "missing_bytes": { "type": "long" }, "overflow_bytes": { "type": "long" }, "parent_id": { "ignore_above": 1024, "type": "keyword" }, "seen_bytes": { "type": "long" }, "source": { "ignore_above": 1024, "type": "keyword" } } }, "fuid": { "ignore_above": 1024, "type": "keyword" }, "icmp_id": { "ignore_above": 1024, "type": "keyword" }, "identifier": { "ignore_above": 1024, "type": "keyword" }, "msg": { "ignore_above": 1024, "type": "keyword" }, "note": { "ignore_above": 1024, "type": "keyword" }, "peer_descr": { "norms": false, "type": "text" }, "peer_name": { "ignore_above": 1024, "type": "keyword" }, "sub": { "ignore_above": 1024, "type": "keyword" }, "suppress_for": { "type": "double" } } }, "ntlm": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "hostname": { "ignore_above": 1024, "type": "keyword" }, "server": { "properties": { "name": { "properties": { "dns": { "ignore_above": 1024, "type": "keyword" }, "netbios": { "ignore_above": 1024, "type": "keyword" }, "tree": { "ignore_above": 1024, "type": "keyword" } } } } }, "success": { "type": "boolean" }, "username": { "ignore_above": 1024, "type": "keyword" } } }, "ntp": { "properties": { "mode": { "type": "long" }, "num_exts": { "type": "long" }, "org_time": { "type": "date" }, "poll": { "type": "double" }, "precision": { "type": "double" }, "rec_time": { "type": "date" }, "ref_id": { "ignore_above": 1024, "type": "keyword" }, "ref_time": { "type": "date" }, "root_delay": { "type": "double" }, "root_disp": { "type": "double" }, "stratum": { "type": "long" }, "version": { "type": "long" }, "xmt_time": { "type": "date" } } }, "ocsp": { "properties": { "file_id": { "ignore_above": 1024, "type": "keyword" }, "hash": { "properties": { "algorithm": { "ignore_above": 1024, "type": "keyword" }, "issuer": { "properties": { "key": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" } } } } }, "revoke": { "properties": { "reason": { "ignore_above": 1024, "type": "keyword" }, "time": { "type": "date" } } }, "serial_number": { "ignore_above": 1024, "type": "keyword" }, "status": { "ignore_above": 1024, "type": "keyword" }, "update": { "properties": { "next": { "type": "date" }, "this": { "type": "date" } } } } }, "pe": { "properties": { "client": { "ignore_above": 1024, "type": "keyword" }, "compile_time": { "type": "date" }, "has_cert_table": { "type": "boolean" }, "has_debug_data": { "type": "boolean" }, "has_export_table": { "type": "boolean" }, "has_import_table": { "type": "boolean" }, "id": { "ignore_above": 1024, "type": "keyword" }, "is_64bit": { "type": "boolean" }, "is_exe": { "type": "boolean" }, "machine": { "ignore_above": 1024, "type": "keyword" }, "os": { "ignore_above": 1024, "type": "keyword" }, "section_names": { "ignore_above": 1024, "type": "keyword" }, "subsystem": { "ignore_above": 1024, "type": "keyword" }, "uses_aslr": { "type": "boolean" }, "uses_code_integrity": { "type": "boolean" }, "uses_dep": { "type": "boolean" }, "uses_seh": { "type": "boolean" } } }, "radius": { "properties": { "connect_info": { "ignore_above": 1024, "type": "keyword" }, "framed_addr": { "type": "ip" }, "logged": { "type": "boolean" }, "mac": { "ignore_above": 1024, "type": "keyword" }, "remote_ip": { "type": "ip" }, "reply_msg": { "ignore_above": 1024, "type": "keyword" }, "result": { "ignore_above": 1024, "type": "keyword" }, "ttl": { "type": "long" }, "username": { "ignore_above": 1024, "type": "keyword" } } }, "rdp": { "properties": { "cert": { "properties": { "count": { "type": "long" }, "permanent": { "type": "boolean" }, "type": { "ignore_above": 1024, "type": "keyword" } } }, "client": { "properties": { "build": { "ignore_above": 1024, "type": "keyword" }, "client_name": { "ignore_above": 1024, "type": "keyword" }, "product_id": { "ignore_above": 1024, "type": "keyword" } } }, "cookie": { "ignore_above": 1024, "type": "keyword" }, "desktop": { "properties": { "color_depth": { "ignore_above": 1024, "type": "keyword" }, "height": { "type": "long" }, "width": { "type": "long" } } }, "done": { "type": "boolean" }, "encryption": { "properties": { "level": { "ignore_above": 1024, "type": "keyword" }, "method": { "ignore_above": 1024, "type": "keyword" } } }, "keyboard_layout": { "ignore_above": 1024, "type": "keyword" }, "result": { "ignore_above": 1024, "type": "keyword" }, "security_protocol": { "ignore_above": 1024, "type": "keyword" }, "ssl": { "type": "boolean" } } }, "rfb": { "properties": { "auth": { "properties": { "method": { "ignore_above": 1024, "type": "keyword" }, "success": { "type": "boolean" } } }, "desktop_name": { "ignore_above": 1024, "type": "keyword" }, "height": { "type": "long" }, "share_flag": { "type": "boolean" }, "version": { "properties": { "client": { "properties": { "major": { "ignore_above": 1024, "type": "keyword" }, "minor": { "ignore_above": 1024, "type": "keyword" } } }, "server": { "properties": { "major": { "ignore_above": 1024, "type": "keyword" }, "minor": { "ignore_above": 1024, "type": "keyword" } } } } }, "width": { "type": "long" } } }, "session_id": { "ignore_above": 1024, "type": "keyword" }, "signature": { "properties": { "event_msg": { "ignore_above": 1024, "type": "keyword" }, "host_count": { "type": "long" }, "note": { "ignore_above": 1024, "type": "keyword" }, "sig_count": { "type": "long" }, "sig_id": { "ignore_above": 1024, "type": "keyword" }, "sub_msg": { "ignore_above": 1024, "type": "keyword" } } }, "sip": { "properties": { "call_id": { "ignore_above": 1024, "type": "keyword" }, "content_type": { "ignore_above": 1024, "type": "keyword" }, "date": { "ignore_above": 1024, "type": "keyword" }, "reply_to": { "ignore_above": 1024, "type": "keyword" }, "request": { "properties": { "body_length": { "type": "long" }, "from": { "ignore_above": 1024, "type": "keyword" }, "path": { "ignore_above": 1024, "type": "keyword" }, "to": { "ignore_above": 1024, "type": "keyword" } } }, "response": { "properties": { "body_length": { "type": "long" }, "from": { "ignore_above": 1024, "type": "keyword" }, "path": { "ignore_above": 1024, "type": "keyword" }, "to": { "ignore_above": 1024, "type": "keyword" } } }, "sequence": { "properties": { "method": { "ignore_above": 1024, "type": "keyword" }, "number": { "ignore_above": 1024, "type": "keyword" } } }, "status": { "properties": { "code": { "type": "long" }, "msg": { "ignore_above": 1024, "type": "keyword" } } }, "subject": { "ignore_above": 1024, "type": "keyword" }, "transaction_depth": { "type": "long" }, "uri": { "ignore_above": 1024, "type": "keyword" }, "user_agent": { "ignore_above": 1024, "type": "keyword" }, "warning": { "ignore_above": 1024, "type": "keyword" } } }, "smb_cmd": { "properties": { "argument": { "ignore_above": 1024, "type": "keyword" }, "command": { "ignore_above": 1024, "type": "keyword" }, "file": { "properties": { "action": { "ignore_above": 1024, "type": "keyword" }, "host": { "properties": { "rx": { "type": "ip" }, "tx": { "type": "ip" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "uid": { "ignore_above": 1024, "type": "keyword" } } }, "rtt": { "type": "double" }, "smb1_offered_dialects": { "ignore_above": 1024, "type": "keyword" }, "smb2_offered_dialects": { "type": "long" }, "status": { "ignore_above": 1024, "type": "keyword" }, "sub_command": { "ignore_above": 1024, "type": "keyword" }, "tree": { "ignore_above": 1024, "type": "keyword" }, "tree_service": { "ignore_above": 1024, "type": "keyword" }, "username": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "smb_files": { "properties": { "action": { "ignore_above": 1024, "type": "keyword" }, "fid": { "type": "long" }, "name": { "ignore_above": 1024, "type": "keyword" }, "path": { "ignore_above": 1024, "type": "keyword" }, "previous_name": { "ignore_above": 1024, "type": "keyword" }, "size": { "type": "long" }, "times": { "properties": { "accessed": { "type": "date" }, "changed": { "type": "date" }, "created": { "type": "date" }, "modified": { "type": "date" } } }, "uuid": { "ignore_above": 1024, "type": "keyword" } } }, "smb_mapping": { "properties": { "native_file_system": { "ignore_above": 1024, "type": "keyword" }, "path": { "ignore_above": 1024, "type": "keyword" }, "service": { "ignore_above": 1024, "type": "keyword" }, "share_type": { "ignore_above": 1024, "type": "keyword" } } }, "smtp": { "properties": { "cc": { "ignore_above": 1024, "type": "keyword" }, "date": { "type": "date" }, "first_received": { "ignore_above": 1024, "type": "keyword" }, "from": { "ignore_above": 1024, "type": "keyword" }, "fuids": { "ignore_above": 1024, "type": "keyword" }, "has_client_activity": { "type": "boolean" }, "helo": { "ignore_above": 1024, "type": "keyword" }, "in_reply_to": { "ignore_above": 1024, "type": "keyword" }, "is_webmail": { "type": "boolean" }, "last_reply": { "ignore_above": 1024, "type": "keyword" }, "mail_from": { "ignore_above": 1024, "type": "keyword" }, "msg_id": { "ignore_above": 1024, "type": "keyword" }, "path": { "type": "ip" }, "process_received_from": { "type": "boolean" }, "rcpt_to": { "ignore_above": 1024, "type": "keyword" }, "reply_to": { "ignore_above": 1024, "type": "keyword" }, "second_received": { "ignore_above": 1024, "type": "keyword" }, "subject": { "ignore_above": 1024, "type": "keyword" }, "tls": { "type": "boolean" }, "to": { "ignore_above": 1024, "type": "keyword" }, "transaction_depth": { "type": "long" }, "user_agent": { "ignore_above": 1024, "type": "keyword" }, "x_originating_ip": { "ignore_above": 1024, "type": "keyword" } } }, "snmp": { "properties": { "community": { "ignore_above": 1024, "type": "keyword" }, "display_string": { "ignore_above": 1024, "type": "keyword" }, "duration": { "type": "double" }, "get": { "properties": { "bulk_requests": { "type": "long" }, "requests": { "type": "long" }, "responses": { "type": "long" } } }, "set": { "properties": { "requests": { "type": "long" } } }, "up_since": { "type": "date" }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "socks": { "properties": { "bound": { "properties": { "host": { "ignore_above": 1024, "type": "keyword" }, "port": { "type": "long" } } }, "capture_password": { "type": "boolean" }, "password": { "ignore_above": 1024, "type": "keyword" }, "request": { "properties": { "host": { "ignore_above": 1024, "type": "keyword" }, "port": { "type": "long" } } }, "status": { "ignore_above": 1024, "type": "keyword" }, "user": { "ignore_above": 1024, "type": "keyword" }, "version": { "type": "long" } } }, "ssh": { "properties": { "algorithm": { "properties": { "cipher": { "ignore_above": 1024, "type": "keyword" }, "compression": { "ignore_above": 1024, "type": "keyword" }, "host_key": { "ignore_above": 1024, "type": "keyword" }, "key_exchange": { "ignore_above": 1024, "type": "keyword" }, "mac": { "ignore_above": 1024, "type": "keyword" } } }, "auth": { "properties": { "attempts": { "type": "long" }, "success": { "type": "boolean" } } }, "client": { "ignore_above": 1024, "type": "keyword" }, "direction": { "ignore_above": 1024, "type": "keyword" }, "host_key": { "ignore_above": 1024, "type": "keyword" }, "server": { "ignore_above": 1024, "type": "keyword" }, "version": { "type": "long" } } }, "ssl": { "properties": { "cipher": { "ignore_above": 1024, "type": "keyword" }, "client": { "properties": { "cert_chain": { "ignore_above": 1024, "type": "keyword" }, "cert_chain_fuids": { "ignore_above": 1024, "type": "keyword" }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, "type": "keyword" }, "country": { "ignore_above": 1024, "type": "keyword" }, "locality": { "ignore_above": 1024, "type": "keyword" }, "organization": { "ignore_above": 1024, "type": "keyword" }, "organizational_unit": { "ignore_above": 1024, "type": "keyword" }, "state": { "ignore_above": 1024, "type": "keyword" } } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, "type": "keyword" }, "country": { "ignore_above": 1024, "type": "keyword" }, "locality": { "ignore_above": 1024, "type": "keyword" }, "organization": { "ignore_above": 1024, "type": "keyword" }, "organizational_unit": { "ignore_above": 1024, "type": "keyword" }, "state": { "ignore_above": 1024, "type": "keyword" } } } } }, "curve": { "ignore_above": 1024, "type": "keyword" }, "established": { "type": "boolean" }, "last_alert": { "ignore_above": 1024, "type": "keyword" }, "next_protocol": { "ignore_above": 1024, "type": "keyword" }, "resumed": { "type": "boolean" }, "server": { "properties": { "cert_chain": { "ignore_above": 1024, "type": "keyword" }, "cert_chain_fuids": { "ignore_above": 1024, "type": "keyword" }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, "type": "keyword" }, "country": { "ignore_above": 1024, "type": "keyword" }, "locality": { "ignore_above": 1024, "type": "keyword" }, "organization": { "ignore_above": 1024, "type": "keyword" }, "organizational_unit": { "ignore_above": 1024, "type": "keyword" }, "state": { "ignore_above": 1024, "type": "keyword" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "subject": { "properties": { "common_name": { "ignore_above": 1024, "type": "keyword" }, "country": { "ignore_above": 1024, "type": "keyword" }, "locality": { "ignore_above": 1024, "type": "keyword" }, "organization": { "ignore_above": 1024, "type": "keyword" }, "organizational_unit": { "ignore_above": 1024, "type": "keyword" }, "state": { "ignore_above": 1024, "type": "keyword" } } } } }, "validation": { "properties": { "code": { "ignore_above": 1024, "type": "keyword" }, "status": { "ignore_above": 1024, "type": "keyword" } } }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "stats": { "properties": { "bytes": { "properties": { "received": { "type": "long" } } }, "connections": { "properties": { "icmp": { "properties": { "active": { "type": "long" }, "count": { "type": "long" } } }, "tcp": { "properties": { "active": { "type": "long" }, "count": { "type": "long" } } }, "udp": { "properties": { "active": { "type": "long" }, "count": { "type": "long" } } } } }, "dns_requests": { "properties": { "active": { "type": "long" }, "count": { "type": "long" } } }, "events": { "properties": { "processed": { "type": "long" }, "queued": { "type": "long" } } }, "files": { "properties": { "active": { "type": "long" }, "count": { "type": "long" } } }, "memory": { "type": "long" }, "packets": { "properties": { "dropped": { "type": "long" }, "processed": { "type": "long" }, "received": { "type": "long" } } }, "peer": { "ignore_above": 1024, "type": "keyword" }, "reassembly_size": { "properties": { "file": { "type": "long" }, "frag": { "type": "long" }, "tcp": { "type": "long" }, "unknown": { "type": "long" } } }, "timers": { "properties": { "active": { "type": "long" }, "count": { "type": "long" } } }, "timestamp_lag": { "type": "long" } } }, "syslog": { "properties": { "facility": { "ignore_above": 1024, "type": "keyword" }, "message": { "ignore_above": 1024, "type": "keyword" }, "severity": { "ignore_above": 1024, "type": "keyword" } } }, "tunnel": { "properties": { "action": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } } }, "weird": { "properties": { "additional_info": { "ignore_above": 1024, "type": "keyword" }, "identifier": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "notice": { "type": "boolean" }, "peer": { "ignore_above": 1024, "type": "keyword" } } }, "x509": { "properties": { "basic_constraints": { "properties": { "certificate_authority": { "type": "boolean" }, "path_length": { "type": "long" } } }, "certificate": { "properties": { "common_name": { "ignore_above": 1024, "type": "keyword" }, "curve": { "ignore_above": 1024, "type": "keyword" }, "exponent": { "ignore_above": 1024, "type": "keyword" }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, "type": "keyword" }, "country": { "ignore_above": 1024, "type": "keyword" }, "locality": { "ignore_above": 1024, "type": "keyword" }, "organization": { "ignore_above": 1024, "type": "keyword" }, "organizational_unit": { "ignore_above": 1024, "type": "keyword" }, "state": { "ignore_above": 1024, "type": "keyword" } } }, "key": { "properties": { "algorithm": { "ignore_above": 1024, "type": "keyword" }, "length": { "type": "long" }, "type": { "ignore_above": 1024, "type": "keyword" } } }, "serial": { "ignore_above": 1024, "type": "keyword" }, "signature_algorithm": { "ignore_above": 1024, "type": "keyword" }, "subject": { "properties": { "common_name": { "ignore_above": 1024, "type": "keyword" }, "country": { "ignore_above": 1024, "type": "keyword" }, "locality": { "ignore_above": 1024, "type": "keyword" }, "organization": { "ignore_above": 1024, "type": "keyword" }, "organizational_unit": { "ignore_above": 1024, "type": "keyword" }, "state": { "ignore_above": 1024, "type": "keyword" } } }, "valid": { "properties": { "from": { "type": "date" }, "until": { "type": "date" } } }, "version": { "type": "long" } } }, "id": { "ignore_above": 1024, "type": "keyword" }, "log_cert": { "type": "boolean" }, "san": { "properties": { "dns": { "ignore_above": 1024, "type": "keyword" }, "email": { "ignore_above": 1024, "type": "keyword" }, "ip": { "type": "ip" }, "other_fields": { "type": "boolean" }, "uri": { "ignore_above": 1024, "type": "keyword" } } } } } } } } } } }