{ "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", "ecs_version": "1.12.2" }, "template": { "mappings": { "properties": { "process": { "properties": { "args": { "ignore_above": 1024, "type": "keyword" }, "args_count": { "type": "long" }, "code_signature": { "properties": { "digest_algorithm": { "ignore_above": 1024, "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, "type": "keyword" }, "status": { "ignore_above": 1024, "type": "keyword" }, "subject_name": { "ignore_above": 1024, "type": "keyword" }, "team_id": { "ignore_above": 1024, "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "command_line": { "fields": { "text": { "type": "match_only_text" } }, "type": "wildcard" }, "elf": { "properties": { "architecture": { "ignore_above": 1024, "type": "keyword" }, "byte_order": { "ignore_above": 1024, "type": "keyword" }, "cpu_type": { "ignore_above": 1024, "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "ignore_above": 1024, "type": "keyword" }, "class": { "ignore_above": 1024, "type": "keyword" }, "data": { "ignore_above": 1024, "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, "type": "keyword" }, "os_abi": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "physical_offset": { "ignore_above": 1024, "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, "type": "keyword" }, "virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } }, "type": "nested" }, "segments": { "properties": { "sections": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, "type": "keyword" }, "telfhash": { "ignore_above": 1024, "type": "keyword" } } }, "end": { "type": "date" }, "entity_id": { "ignore_above": 1024, "type": "keyword" }, "executable": { "ignore_above": 1024, "type": "keyword" }, "exit_code": { "type": "long" }, "hash": { "properties": { "md5": { "ignore_above": 1024, "type": "keyword" }, "sha1": { "ignore_above": 1024, "type": "keyword" }, "sha256": { "ignore_above": 1024, "type": "keyword" }, "sha512": { "ignore_above": 1024, "type": "keyword" }, "ssdeep": { "ignore_above": 1024, "type": "keyword" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "parent": { "properties": { "args": { "ignore_above": 1024, "type": "keyword" }, "args_count": { "type": "long" }, "code_signature": { "properties": { "digest_algorithm": { "ignore_above": 1024, "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, "type": "keyword" }, "status": { "ignore_above": 1024, "type": "keyword" }, "subject_name": { "ignore_above": 1024, "type": "keyword" }, "team_id": { "ignore_above": 1024, "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "command_line": { "fields": { "text": { "type": "match_only_text" } }, "type": "wildcard" }, "elf": { "properties": { "architecture": { "ignore_above": 1024, "type": "keyword" }, "byte_order": { "ignore_above": 1024, "type": "keyword" }, "cpu_type": { "ignore_above": 1024, "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "ignore_above": 1024, "type": "keyword" }, "class": { "ignore_above": 1024, "type": "keyword" }, "data": { "ignore_above": 1024, "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, "type": "keyword" }, "os_abi": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "physical_offset": { "ignore_above": 1024, "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, "type": "keyword" }, "virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } }, "type": "nested" }, "segments": { "properties": { "sections": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, "type": "keyword" }, "telfhash": { "ignore_above": 1024, "type": "keyword" } } }, "end": { "type": "date" }, "entity_id": { "ignore_above": 1024, "type": "keyword" }, "executable": { "ignore_above": 1024, "type": "keyword" }, "exit_code": { "type": "long" }, "hash": { "properties": { "md5": { "ignore_above": 1024, "type": "keyword" }, "sha1": { "ignore_above": 1024, "type": "keyword" }, "sha256": { "ignore_above": 1024, "type": "keyword" }, "sha512": { "ignore_above": 1024, "type": "keyword" }, "ssdeep": { "ignore_above": 1024, "type": "keyword" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "pe": { "properties": { "architecture": { "ignore_above": 1024, "type": "keyword" }, "company": { "ignore_above": 1024, "type": "keyword" }, "description": { "ignore_above": 1024, "type": "keyword" }, "file_version": { "ignore_above": 1024, "type": "keyword" }, "imphash": { "ignore_above": 1024, "type": "keyword" }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, "product": { "ignore_above": 1024, "type": "keyword" } } }, "pgid": { "type": "long" }, "pid": { "type": "long" }, "ppid": { "type": "long" }, "start": { "type": "date" }, "thread": { "properties": { "id": { "type": "long" }, "name": { "ignore_above": 1024, "type": "keyword" } } }, "title": { "ignore_above": 1024, "type": "keyword" }, "uptime": { "type": "long" }, "working_directory": { "ignore_above": 1024, "type": "keyword" } } }, "pe": { "properties": { "architecture": { "ignore_above": 1024, "type": "keyword" }, "company": { "ignore_above": 1024, "type": "keyword" }, "description": { "ignore_above": 1024, "type": "keyword" }, "file_version": { "ignore_above": 1024, "type": "keyword" }, "imphash": { "ignore_above": 1024, "type": "keyword" }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, "product": { "ignore_above": 1024, "type": "keyword" } } }, "pgid": { "type": "long" }, "pid": { "type": "long" }, "ppid": { "type": "long" }, "start": { "type": "date" }, "thread": { "properties": { "id": { "type": "long" }, "name": { "ignore_above": 1024, "type": "keyword" } } }, "title": { "ignore_above": 1024, "type": "keyword" }, "uptime": { "type": "long" }, "working_directory": { "ignore_above": 1024, "type": "keyword" } } } } } } }