{ "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", "ecs_version": "1.12.2" }, "template": { "settings": { "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", "char_filter": [ "whitespace_no_way" ], "filter": [ "lowercase", "trim" ], "tokenizer": "keyword" } }, "char_filter": { "whitespace_no_way": { "type": "pattern_replace", "pattern": "(\\s)+", "replacement": "$1" } }, "filter": { "path_hierarchy_pattern_filter": { "type": "pattern_capture", "preserve_original": true, "patterns": [ "((?:[^\\\\]*\\\\)*)(.*)", "((?:[^/]*/)*)(.*)" ] } }, "tokenizer": { "path_tokenizer": { "type": "path_hierarchy", "delimiter": "\\" } } } }, "mappings": { "properties": { "cisco": { "properties": { "amp": { "properties": { "bp_data": { "type": "flattened" }, "cloud_ioc": { "properties": { "description": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "short_description": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "command_line": { "properties": { "arguments": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "computer": { "properties": { "active": { "type": "boolean" }, "connector_guid": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "external_ip": { "type": "ip" }, "network_addresses": { "type": "flattened" } } }, "connector_guid": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "detection": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "detection_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "error": { "properties": { "description": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "error_code": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "event_type_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "file": { "properties": { "archived_file": { "properties": { "disposition": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "identity": { "properties": { "md5": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "sha1": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "sha256": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "attack_details": { "properties": { "application": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "attacked_module": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "base_address": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "indicators": { "type": "flattened" }, "suspicious_files": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "disposition": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "parent": { "properties": { "disposition": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "group_guids": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "mitre_tactics": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "mitre_techniques": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "network_info": { "properties": { "disposition": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "nfm": { "properties": { "direction": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "parent": { "properties": { "disposition": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "identify": { "properties": { "sha256": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "identity": { "properties": { "md5": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "sha1": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } } } }, "related": { "properties": { "cve": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "mac": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "scan": { "properties": { "clean": { "type": "boolean" }, "description": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "malicious_detections": { "type": "long" }, "scanned_files": { "type": "long" }, "scanned_paths": { "type": "long" }, "scanned_processes": { "type": "long" } } }, "tactics": { "type": "flattened" }, "techniques": { "type": "flattened" }, "threat_hunting": { "properties": { "incident_end_time": { "type": "date" }, "incident_hunt_guid": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "incident_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "incident_remediation": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "incident_report_guid": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "incident_start_time": { "type": "date" }, "incident_summary": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "incident_title": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "severity": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "tactics": { "type": "flattened" }, "techniques": { "type": "flattened" } } }, "timestamp_nanoseconds": { "type": "date" }, "vulnerabilities": { "type": "flattened" } } }, "asa": { "properties": { "assigned_ip": { "type": "ip" }, "burst": { "properties": { "avg_rate": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "configured_avg_rate": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "configured_rate": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "cumulative_count": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "current_rate": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "object": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "command_line_arguments": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "connection_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "connection_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "dap_records": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "destination_interface": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "destination_username": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "icmp_code": { "type": "short" }, "icmp_type": { "type": "short" }, "mapped_destination_host": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "mapped_destination_ip": { "type": "ip" }, "mapped_destination_port": { "type": "long" }, "mapped_source_host": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "mapped_source_ip": { "type": "ip" }, "mapped_source_port": { "type": "long" }, "message_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "privilege": { "properties": { "new": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "old": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "rule_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "session_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "source_interface": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "source_username": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "suffix": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "termination_initiator": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "termination_user": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "threat_category": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "threat_level": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "tunnel_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "webvpn": { "properties": { "group_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "ftd": { "properties": { "connection_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "connection_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "dap_records": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "destination_interface": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "destination_username": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "icmp_code": { "type": "short" }, "icmp_type": { "type": "short" }, "mapped_destination_host": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "mapped_destination_ip": { "type": "ip" }, "mapped_destination_port": { "type": "long" }, "mapped_source_host": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "mapped_source_ip": { "type": "ip" }, "mapped_source_port": { "type": "long" }, "message_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "rule_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "security": { "type": "object" }, "source_interface": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "source_username": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "suffix": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "termination_initiator": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "termination_user": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "threat_category": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "threat_level": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "webvpn": { "properties": { "group_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "ios": { "properties": { "access_list": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "facility": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "umbrella": { "properties": { "amp_disposition": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "amp_malware_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "amp_score": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "av_detections": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "blocked_categories": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "categories": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "content_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "datacenter": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "identities": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "identity_types": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "origin_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "policy_identity_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "puas": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "sha_sha256": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } } } } } }