{ "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", "ecs_version": "1.12.2" }, "template": { "settings": { "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", "char_filter": [ "whitespace_no_way" ], "filter": [ "lowercase", "trim" ], "tokenizer": "keyword" } }, "char_filter": { "whitespace_no_way": { "type": "pattern_replace", "pattern": "(\\s)+", "replacement": "$1" } }, "filter": { "path_hierarchy_pattern_filter": { "type": "pattern_capture", "preserve_original": true, "patterns": [ "((?:[^\\\\]*\\\\)*)(.*)", "((?:[^/]*/)*)(.*)" ] } }, "tokenizer": { "path_tokenizer": { "type": "path_hierarchy", "delimiter": "\\" } } } }, "mappings": { "properties": { "microsoft": { "properties": { "defender_atp": { "properties": { "assignedTo": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "classification": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "determination": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "evidence": { "properties": { "aadUserId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "accountName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "domainName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "entityType": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "ipAddress": { "type": "ip" }, "userPrincipalName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "incidentId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "investigationId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "investigationState": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "lastUpdateTime": { "type": "date" }, "rbacGroupName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "resolvedTime": { "type": "date" }, "status": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "threatFamilyName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "m365_defender": { "properties": { "alerts": { "properties": { "actorName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "assignedTo": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "classification": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "creationTime": { "type": "date" }, "detectionSource": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "determination": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "devices": { "type": "flattened" }, "entities": { "properties": { "accountName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "clusterBy": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "deliveryAction": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "deviceId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "entityType": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "ipAddress": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "mailboxAddress": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "mailboxDisplayName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "recipient": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "registryHive": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "registryKey": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "registryValueType": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "securityGroupId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "securityGroupName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "sender": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "subject": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "incidentId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "investigationId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "investigationState": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "lastUpdatedTime": { "type": "date" }, "mitreTechniques": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "resolvedTime": { "type": "date" }, "severity": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "status": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "threatFamilyName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "userSid": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "assignedTo": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "classification": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "determination": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "incidentId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "incidentName": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "investigationState": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "redirectIncidentId": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "status": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "tags": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } } } } } }