{ "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", "ecs_version": "1.12.2" }, "template": { "settings": { "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", "char_filter": [ "whitespace_no_way" ], "filter": [ "lowercase", "trim" ], "tokenizer": "keyword" } }, "char_filter": { "whitespace_no_way": { "type": "pattern_replace", "pattern": "(\\s)+", "replacement": "$1" } }, "filter": { "path_hierarchy_pattern_filter": { "type": "pattern_capture", "preserve_original": true, "patterns": [ "((?:[^\\\\]*\\\\)*)(.*)", "((?:[^/]*/)*)(.*)" ] } }, "tokenizer": { "path_tokenizer": { "type": "path_hierarchy", "delimiter": "\\" } } } }, "mappings": { "properties": { "azure": { "properties": { "activitylogs": { "properties": { "category": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "event_category": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "identity": { "properties": { "authorization": { "properties": { "action": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "evidence": { "properties": { "principal_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "principal_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "role": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "role_assignment_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "role_assignment_scope": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "role_definition_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "scope": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "claims": { "properties": { "*": { "type": "object" } } }, "claims_initiated_by_user": { "properties": { "fullname": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "givenname": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "schema": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "surname": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "operation_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "properties": { "type": "flattened" }, "result_signature": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "result_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "auditlogs": { "properties": { "category": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "identity": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "operation_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "operation_version": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "properties": { "properties": { "activity_datetime": { "type": "date" }, "activity_display_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "category": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "correlation_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "initiated_by": { "properties": { "app": { "properties": { "appId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "displayName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "servicePrincipalId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "servicePrincipalName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "user": { "properties": { "displayName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "ipAddress": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "userPrincipalName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "logged_by_service": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "operation_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "result": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "result_reason": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "target_resources": { "properties": { "*": { "properties": { "display_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "ip_address": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "modified_properties": { "properties": { "*": { "properties": { "display_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "new_value": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "old_value": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "user_principal_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } } } }, "result_signature": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "tenant_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "consumer_group": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "correlation_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "enqueued_time": { "type": "date" }, "eventhub": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "offset": { "type": "long" }, "partition_id": { "type": "long" }, "platformlogs": { "properties": { "ActivityId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "Caller": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "Cloud": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "Environment": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "EventTimeString": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "ScaleUnit": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "category": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "ccpNamespace": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "event_category": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "operation_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "properties": { "type": "flattened" }, "result_signature": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "result_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "status": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "resource": { "properties": { "authorization_rule": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "group": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "namespace": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "provider": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "sequence_number": { "type": "long" }, "signinlogs": { "properties": { "category": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "identity": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "operation_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "operation_version": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "properties": { "properties": { "app_display_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "app_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "authentication_processing_details": { "type": "flattened" }, "authentication_requirement": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "authentication_requirement_policies": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "autonomous_system_number": { "type": "long" }, "client_app_used": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "conditional_access_status": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "correlation_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "created_at": { "type": "date" }, "cross_tenant_access_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "device_detail": { "properties": { "browser": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "device_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "display_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "operating_system": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "trust_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "flagged_for_review": { "type": "boolean" }, "home_tenant_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "is_interactive": { "type": "boolean" }, "is_tenant_restricted": { "type": "boolean" }, "original_request_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "processing_time_ms": { "type": "float" }, "resource_display_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "resource_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "resource_tenant_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "risk_detail": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "risk_event_types": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "risk_event_types_v2": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "risk_level_aggregated": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "risk_level_during_signin": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "risk_state": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "service_principal_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "service_principal_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "sso_extension_version": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "status": { "properties": { "error_code": { "type": "long" } } }, "token_issuer_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "token_issuer_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "user_display_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "user_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "user_principal_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "user_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "result_description": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "result_signature": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "result_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "tenant_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "subscription_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "tenant_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } } } }