{ "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", "ecs_version": "1.12.2" }, "template": { "settings": { "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", "char_filter": [ "whitespace_no_way" ], "filter": [ "lowercase", "trim" ], "tokenizer": "keyword" } }, "char_filter": { "whitespace_no_way": { "type": "pattern_replace", "pattern": "(\\s)+", "replacement": "$1" } }, "filter": { "path_hierarchy_pattern_filter": { "type": "pattern_capture", "preserve_original": true, "patterns": [ "((?:[^\\\\]*\\\\)*)(.*)", "((?:[^/]*/)*)(.*)" ] } }, "tokenizer": { "path_tokenizer": { "type": "path_hierarchy", "delimiter": "\\" } } } }, "mappings": { "properties": { "okta": { "properties": { "actor": { "properties": { "alternate_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "display_name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "authentication_context": { "properties": { "authentication_provider": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "authentication_step": { "type": "long" }, "credential_provider": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "credential_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "external_session_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "interface": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "client": { "properties": { "device": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "ip": { "type": "ip" }, "user_agent": { "properties": { "browser": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "os": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "raw_user_agent": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "zone": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "debug_context": { "properties": { "debug_data": { "properties": { "device_fingerprint": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "request_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "request_uri": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "suspicious_activity": { "properties": { "browser": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "event_city": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "event_country": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "event_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "event_ip": { "type": "ip" }, "event_latitude": { "type": "float" }, "event_longitude": { "type": "float" }, "event_state": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "event_transaction_id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "event_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "os": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "timestamp": { "type": "date" } } }, "threat_suspected": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "url": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "display_message": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "event_type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "outcome": { "properties": { "reason": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "result": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "request": { "properties": { "ip_chain": { "properties": { "geographical_context": { "properties": { "city": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "country": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "geolocation": { "type": "geo_point" }, "postal_code": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "state": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "ip": { "type": "ip" }, "source": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "version": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "security_context": { "properties": { "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } }, "domain": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "is_proxy": { "type": "boolean" }, "isp": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "severity": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "target": { "type": "flattened" }, "transaction": { "properties": { "id": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "type": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } }, "uuid": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } }, "version": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } } } } } } } } }