{ "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", "ecs_version": "1.12.2" }, "template": { "settings": { "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", "char_filter": [ "whitespace_no_way" ], "filter": [ "lowercase", "trim" ], "tokenizer": "keyword" } }, "char_filter": { "whitespace_no_way": { "type": "pattern_replace", "pattern": "(\\s)+", "replacement": "$1" } }, "filter": { "path_hierarchy_pattern_filter": { "type": "pattern_capture", "preserve_original": true, "patterns": [ "((?:[^\\\\]*\\\\)*)(.*)", "((?:[^/]*/)*)(.*)" ] } }, "tokenizer": { "path_tokenizer": { "type": "path_hierarchy", "delimiter": "\\" } } } }, "mappings": { "properties": { "google_workspace": { "properties": { "actor": { "properties": { "key": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "admin": { "properties": { "alert": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "api": { "properties": { "client": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "scopes": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "application": { "properties": { "asp_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "edition": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "enabled": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "licences_order_number": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "licences_purchased": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "package_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "bulk_upload": { "properties": { "failed": { "type": "long" }, "total": { "type": "long" } } }, "chrome_licenses": { "properties": { "allowed": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "enabled": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "chrome_os": { "properties": { "session_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "device": { "properties": { "command_details": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "serial_number": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "distribution": { "properties": { "entity": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "domain": { "properties": { "alias": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "secondary_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "email": { "properties": { "log_search_filter": { "properties": { "end_date": { "type": "date" }, "message_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "recipient": { "properties": { "ip": { "type": "ip" }, "value": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "sender": { "properties": { "ip": { "type": "ip" }, "value": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "start_date": { "type": "date" } } }, "quarantine_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "email_dump": { "properties": { "include_deleted": { "type": "boolean" }, "package_content": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "query": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "email_monitor": { "properties": { "dest_email": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "level": { "properties": { "chat": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "draft": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "incoming": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "outgoing": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "field": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "gateway": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "group": { "properties": { "allowed_list": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "email": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "priorities": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "info_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "managed_configuration": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "mdm": { "properties": { "token": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "vendor": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "mobile": { "properties": { "action": { "properties": { "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "certificate": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "company_owned_devices": { "type": "long" } } }, "new_value": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "non_featured_services_selection": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "oauth2": { "properties": { "application": { "properties": { "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "service": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "old_value": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "org_unit": { "properties": { "full": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "print_server": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "printer": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "privilege": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "product": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "sku": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "request": { "properties": { "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "resource": { "properties": { "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "role": { "properties": { "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "rule": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "service": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "setting": { "properties": { "description": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "url": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "user": { "properties": { "birthdate": { "type": "date" }, "email": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "nickname": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "user_defined_setting": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "verification_method": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "drive": { "properties": { "added_role": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "billable": { "type": "boolean" }, "destination_folder_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "destination_folder_title": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "file": { "properties": { "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "owner": { "properties": { "email": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "is_shared_drive": { "type": "boolean" } } }, "type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "membership_change_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "new_value": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "old_value": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "old_visibility": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "originating_app_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "primary_event": { "type": "boolean" }, "removed_role": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "shared_drive_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "shared_drive_settings_change_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "sheets_import_range_recipient_doc": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "source_folder_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "source_folder_title": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "target": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "target_domain": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "visibility": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "visibility_change": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "event": { "properties": { "type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "groups": { "properties": { "acl_permission": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "email": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "member": { "properties": { "email": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "role": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "message": { "properties": { "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "moderation_action": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "new_value": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "old_value": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "setting": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "status": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "value": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "kind": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "login": { "properties": { "affected_email_address": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "challenge_method": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "failure_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "is_second_factor": { "type": "boolean" }, "is_suspicious": { "type": "boolean" }, "type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "organization": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "saml": { "properties": { "application_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "failure_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "initiated_by": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "orgunit_path": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "second_level_status_code": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "status_code": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } } } } } }