{"template": {
|
|
"settings": {
|
|
"index": {
|
|
"lifecycle": {
|
|
"name": "logs"
|
|
},
|
|
"codec": "best_compression",
|
|
"default_pipeline": "logs-system.security-1.6.4",
|
|
"mapping": {
|
|
"total_fields": {
|
|
"limit": "10000"
|
|
}
|
|
},
|
|
"query": {
|
|
"default_field": [
|
|
"cloud.account.id",
|
|
"cloud.availability_zone",
|
|
"cloud.instance.id",
|
|
"cloud.instance.name",
|
|
"cloud.machine.type",
|
|
"cloud.provider",
|
|
"cloud.region",
|
|
"cloud.project.id",
|
|
"cloud.image.id",
|
|
"container.id",
|
|
"container.image.name",
|
|
"container.name",
|
|
"host.architecture",
|
|
"host.hostname",
|
|
"host.id",
|
|
"host.mac",
|
|
"host.name",
|
|
"host.os.family",
|
|
"host.os.kernel",
|
|
"host.os.name",
|
|
"host.os.platform",
|
|
"host.os.version",
|
|
"host.os.build",
|
|
"host.os.codename",
|
|
"host.type",
|
|
"event.action",
|
|
"event.category",
|
|
"event.code",
|
|
"event.kind",
|
|
"event.outcome",
|
|
"event.provider",
|
|
"event.type",
|
|
"tags",
|
|
"input.type",
|
|
"ecs.version",
|
|
"group.domain",
|
|
"group.id",
|
|
"group.name",
|
|
"log.file.path",
|
|
"log.level",
|
|
"message",
|
|
"process.args",
|
|
"process.command_line",
|
|
"process.entity_id",
|
|
"process.executable",
|
|
"process.name",
|
|
"process.parent.executable",
|
|
"process.parent.name",
|
|
"process.title",
|
|
"related.hash",
|
|
"related.hosts",
|
|
"related.user",
|
|
"service.name",
|
|
"service.type",
|
|
"source.domain",
|
|
"user.domain",
|
|
"user.id",
|
|
"user.name",
|
|
"user.effective.domain",
|
|
"user.effective.id",
|
|
"user.effective.name",
|
|
"user.target.group.domain",
|
|
"user.target.group.id",
|
|
"user.target.group.name",
|
|
"user.target.name",
|
|
"user.target.domain",
|
|
"user.target.id",
|
|
"user.changes.name",
|
|
"winlog.logon.type",
|
|
"winlog.logon.id",
|
|
"winlog.logon.failure.reason",
|
|
"winlog.logon.failure.status",
|
|
"winlog.logon.failure.sub_status",
|
|
"winlog.api",
|
|
"winlog.activity_id",
|
|
"winlog.channel",
|
|
"winlog.computer_name",
|
|
"winlog.computerObject.domain",
|
|
"winlog.computerObject.id",
|
|
"winlog.computerObject.name",
|
|
"winlog.event_data.AccessGranted",
|
|
"winlog.event_data.AccessList",
|
|
"winlog.event_data.AccessListDescription",
|
|
"winlog.event_data.AccessMask",
|
|
"winlog.event_data.AccessMaskDescription",
|
|
"winlog.event_data.AccessRemoved",
|
|
"winlog.event_data.AccountDomain",
|
|
"winlog.event_data.AccountExpires",
|
|
"winlog.event_data.AccountName",
|
|
"winlog.event_data.AllowedToDelegateTo",
|
|
"winlog.event_data.AuditPolicyChanges",
|
|
"winlog.event_data.AuditPolicyChangesDescription",
|
|
"winlog.event_data.AuditSourceName",
|
|
"winlog.event_data.AuthenticationPackageName",
|
|
"winlog.event_data.Binary",
|
|
"winlog.event_data.BitlockerUserInputTime",
|
|
"winlog.event_data.BootMode",
|
|
"winlog.event_data.BootType",
|
|
"winlog.event_data.BuildVersion",
|
|
"winlog.event_data.CallerProcessId",
|
|
"winlog.event_data.CallerProcessName",
|
|
"winlog.event_data.Category",
|
|
"winlog.event_data.CategoryId",
|
|
"winlog.event_data.ClientAddress",
|
|
"winlog.event_data.ClientName",
|
|
"winlog.event_data.CommandLine",
|
|
"winlog.event_data.Company",
|
|
"winlog.event_data.CorruptionActionState",
|
|
"winlog.event_data.CrashOnAuditFailValue",
|
|
"winlog.event_data.CreationUtcTime",
|
|
"winlog.event_data.Description",
|
|
"winlog.event_data.Detail",
|
|
"winlog.event_data.DeviceName",
|
|
"winlog.event_data.DeviceNameLength",
|
|
"winlog.event_data.DeviceTime",
|
|
"winlog.event_data.DeviceVersionMajor",
|
|
"winlog.event_data.DeviceVersionMinor",
|
|
"winlog.event_data.DisplayName",
|
|
"winlog.event_data.DomainBehaviorVersion",
|
|
"winlog.event_data.DomainName",
|
|
"winlog.event_data.DomainPolicyChanged",
|
|
"winlog.event_data.DomainSid",
|
|
"winlog.event_data.DriveName",
|
|
"winlog.event_data.DriverName",
|
|
"winlog.event_data.DriverNameLength",
|
|
"winlog.event_data.Dummy",
|
|
"winlog.event_data.DwordVal",
|
|
"winlog.event_data.EntryCount",
|
|
"winlog.event_data.EventSourceId",
|
|
"winlog.event_data.ExtraInfo",
|
|
"winlog.event_data.FailureName",
|
|
"winlog.event_data.FailureNameLength",
|
|
"winlog.event_data.FailureReason",
|
|
"winlog.event_data.FileVersion",
|
|
"winlog.event_data.FinalStatus",
|
|
"winlog.event_data.Group",
|
|
"winlog.event_data.GroupTypeChange",
|
|
"winlog.event_data.HandleId",
|
|
"winlog.event_data.HomeDirectory",
|
|
"winlog.event_data.HomePath",
|
|
"winlog.event_data.IdleImplementation",
|
|
"winlog.event_data.IdleStateCount",
|
|
"winlog.event_data.ImpersonationLevel",
|
|
"winlog.event_data.IntegrityLevel",
|
|
"winlog.event_data.IpAddress",
|
|
"winlog.event_data.IpPort",
|
|
"winlog.event_data.KerberosPolicyChange",
|
|
"winlog.event_data.KeyLength",
|
|
"winlog.event_data.LastBootGood",
|
|
"winlog.event_data.LastShutdownGood",
|
|
"winlog.event_data.LmPackageName",
|
|
"winlog.event_data.LogonGuid",
|
|
"winlog.event_data.LogonHours",
|
|
"winlog.event_data.LogonId",
|
|
"winlog.event_data.LogonID",
|
|
"winlog.event_data.LogonProcessName",
|
|
"winlog.event_data.LogonType",
|
|
"winlog.event_data.MachineAccountQuota",
|
|
"winlog.event_data.MajorVersion",
|
|
"winlog.event_data.MandatoryLabel",
|
|
"winlog.event_data.MaximumPerformancePercent",
|
|
"winlog.event_data.MemberName",
|
|
"winlog.event_data.MemberSid",
|
|
"winlog.event_data.MinimumPerformancePercent",
|
|
"winlog.event_data.MinimumThrottlePercent",
|
|
"winlog.event_data.MinorVersion",
|
|
"winlog.event_data.MixedDomainMode",
|
|
"winlog.event_data.NewProcessId",
|
|
"winlog.event_data.NewProcessName",
|
|
"winlog.event_data.NewSchemeGuid",
|
|
"winlog.event_data.NewSd",
|
|
"winlog.event_data.NewSdDacl0",
|
|
"winlog.event_data.NewSdDacl1",
|
|
"winlog.event_data.NewSdDacl2",
|
|
"winlog.event_data.NewSdSacl0",
|
|
"winlog.event_data.NewSdSacl1",
|
|
"winlog.event_data.NewSdSacl2",
|
|
"winlog.event_data.NewTargetUserName",
|
|
"winlog.event_data.NewTime",
|
|
"winlog.event_data.NewUACList",
|
|
"winlog.event_data.NewUacValue",
|
|
"winlog.event_data.NominalFrequency",
|
|
"winlog.event_data.Number",
|
|
"winlog.event_data.ObjectName",
|
|
"winlog.event_data.ObjectServer",
|
|
"winlog.event_data.ObjectType",
|
|
"winlog.event_data.OemInformation",
|
|
"winlog.event_data.OldSchemeGuid",
|
|
"winlog.event_data.OldSd",
|
|
"winlog.event_data.OldSdDacl0",
|
|
"winlog.event_data.OldSdDacl1",
|
|
"winlog.event_data.OldSdDacl2",
|
|
"winlog.event_data.OldSdSacl0",
|
|
"winlog.event_data.OldSdSacl1",
|
|
"winlog.event_data.OldSdSacl2",
|
|
"winlog.event_data.OldTargetUserName",
|
|
"winlog.event_data.OldTime",
|
|
"winlog.event_data.OldUacValue",
|
|
"winlog.event_data.OriginalFileName",
|
|
"winlog.event_data.PackageName",
|
|
"winlog.event_data.PasswordLastSet",
|
|
"winlog.event_data.PasswordHistoryLength",
|
|
"winlog.event_data.Path",
|
|
"winlog.event_data.ParentProcessName",
|
|
"winlog.event_data.PerformanceImplementation",
|
|
"winlog.event_data.PreviousCreationUtcTime",
|
|
"winlog.event_data.PreAuthType",
|
|
"winlog.event_data.PreviousTime",
|
|
"winlog.event_data.PrimaryGroupId",
|
|
"winlog.event_data.PrivilegeList",
|
|
"winlog.event_data.ProcessId",
|
|
"winlog.event_data.ProcessName",
|
|
"winlog.event_data.ProcessPath",
|
|
"winlog.event_data.ProcessPid",
|
|
"winlog.event_data.Product",
|
|
"winlog.event_data.ProfilePath",
|
|
"winlog.event_data.PuaCount",
|
|
"winlog.event_data.PuaPolicyId",
|
|
"winlog.event_data.QfeVersion",
|
|
"winlog.event_data.Reason",
|
|
"winlog.event_data.ResourceAttributes",
|
|
"winlog.event_data.SamAccountName",
|
|
"winlog.event_data.SchemaVersion",
|
|
"winlog.event_data.ScriptPath",
|
|
"winlog.event_data.SidHistory",
|
|
"winlog.event_data.ScriptBlockText",
|
|
"winlog.event_data.Service",
|
|
"winlog.event_data.ServiceAccount",
|
|
"winlog.event_data.ServiceFileName",
|
|
"winlog.event_data.ServiceName",
|
|
"winlog.event_data.ServiceSid",
|
|
"winlog.event_data.ServiceStartType",
|
|
"winlog.event_data.ServiceType",
|
|
"winlog.event_data.ServiceVersion",
|
|
"winlog.event_data.SessionName",
|
|
"winlog.event_data.ShutdownActionType",
|
|
"winlog.event_data.ShutdownEventCode",
|
|
"winlog.event_data.ShutdownReason",
|
|
"winlog.event_data.SidFilteringEnabled",
|
|
"winlog.event_data.Signature",
|
|
"winlog.event_data.SignatureStatus",
|
|
"winlog.event_data.Signed",
|
|
"winlog.event_data.StartTime",
|
|
"winlog.event_data.State",
|
|
"winlog.event_data.Status",
|
|
"winlog.event_data.StatusDescription",
|
|
"winlog.event_data.StopTime",
|
|
"winlog.event_data.SubCategory",
|
|
"winlog.event_data.SubCategoryGuid",
|
|
"winlog.event_data.SubcategoryGuid",
|
|
"winlog.event_data.SubCategoryId",
|
|
"winlog.event_data.SubcategoryId",
|
|
"winlog.event_data.SubjectDomainName",
|
|
"winlog.event_data.SubjectLogonId",
|
|
"winlog.event_data.SubjectUserName",
|
|
"winlog.event_data.SubjectUserSid",
|
|
"winlog.event_data.SubStatus",
|
|
"winlog.event_data.TSId",
|
|
"winlog.event_data.TargetDomainName",
|
|
"winlog.event_data.TargetInfo",
|
|
"winlog.event_data.TargetLogonGuid",
|
|
"winlog.event_data.TargetLogonId",
|
|
"winlog.event_data.TargetServerName",
|
|
"winlog.event_data.TargetSid",
|
|
"winlog.event_data.TargetUserName",
|
|
"winlog.event_data.TargetUserSid",
|
|
"winlog.event_data.TdoAttributes",
|
|
"winlog.event_data.TdoDirection",
|
|
"winlog.event_data.TdoType",
|
|
"winlog.event_data.TerminalSessionId",
|
|
"winlog.event_data.TicketEncryptionType",
|
|
"winlog.event_data.TicketEncryptionTypeDescription",
|
|
"winlog.event_data.TicketOptions",
|
|
"winlog.event_data.TicketOptionsDescription",
|
|
"winlog.event_data.TokenElevationType",
|
|
"winlog.event_data.TransmittedServices",
|
|
"winlog.event_data.UserAccountControl",
|
|
"winlog.event_data.UserParameters",
|
|
"winlog.event_data.UserPrincipalName",
|
|
"winlog.event_data.UserSid",
|
|
"winlog.event_data.UserWorkstations",
|
|
"winlog.event_data.Version",
|
|
"winlog.event_data.Workstation",
|
|
"winlog.event_data.WorkstationName",
|
|
"winlog.event_data.param1",
|
|
"winlog.event_data.param2",
|
|
"winlog.event_data.param3",
|
|
"winlog.event_data.param4",
|
|
"winlog.event_data.param5",
|
|
"winlog.event_data.param6",
|
|
"winlog.event_data.param7",
|
|
"winlog.event_data.param8",
|
|
"winlog.event_id",
|
|
"winlog.keywords",
|
|
"winlog.level",
|
|
"winlog.outcome",
|
|
"winlog.record_id",
|
|
"winlog.related_activity_id",
|
|
"winlog.opcode",
|
|
"winlog.provider_guid",
|
|
"winlog.provider_name",
|
|
"winlog.task",
|
|
"winlog.time_created",
|
|
"winlog.trustAttribute",
|
|
"winlog.trustDirection",
|
|
"winlog.trustType",
|
|
"winlog.user_data.BackupPath",
|
|
"winlog.user_data.Channel",
|
|
"winlog.user_data.SubjectDomainName",
|
|
"winlog.user_data.SubjectLogonId",
|
|
"winlog.user_data.SubjectUserName",
|
|
"winlog.user_data.SubjectUserSid",
|
|
"winlog.user_data.xml_name",
|
|
"winlog.user.identifier",
|
|
"winlog.user.name",
|
|
"winlog.user.domain",
|
|
"winlog.user.type"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"mappings": {
|
|
"dynamic_templates": [
|
|
{
|
|
"container.labels": {
|
|
"path_match": "container.labels.*",
|
|
"mapping": {
|
|
"type": "keyword"
|
|
},
|
|
"match_mapping_type": "string"
|
|
}
|
|
}
|
|
],
|
|
"properties": {
|
|
"container": {
|
|
"properties": {
|
|
"image": {
|
|
"properties": {
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"process": {
|
|
"properties": {
|
|
"args": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"parent": {
|
|
"properties": {
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"executable": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"pid": {
|
|
"type": "long"
|
|
},
|
|
"args_count": {
|
|
"type": "long"
|
|
},
|
|
"entity_id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"title": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"command_line": {
|
|
"ignore_above": 1024,
|
|
"type": "wildcard"
|
|
},
|
|
"executable": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"winlog": {
|
|
"properties": {
|
|
"related_activity_id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"keywords": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"logon": {
|
|
"properties": {
|
|
"failure": {
|
|
"properties": {
|
|
"reason": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"sub_status": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"status": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"channel": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"event_data": {
|
|
"properties": {
|
|
"ProcessName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"LogonGuid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OriginalFileName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"BootMode": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Product": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"LogonHours": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TargetLogonGuid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"FileVersion": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TicketOptions": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AllowedToDelegateTo": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TdoAttributes": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"StopTime": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Status": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AccessMask": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"KeyLength": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ResourceAttributes": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SessionName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"PasswordHistoryLength": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TargetInfo": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OldSd": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TargetUserSid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Group": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"PackageName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ShutdownActionType": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DwordVal": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DeviceVersionMajor": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SidHistory": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TransmittedServices": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"WorkstationName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubStatus": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"IdleStateCount": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Path": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SchemaVersion": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"MinorVersion": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"CrashOnAuditFailValue": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ProcessPath": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DeviceVersionMinor": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OldTime": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"HandleId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"IpAddress": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"LastShutdownGood": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"IpPort": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DriverNameLength": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"LmPackageName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"UserSid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"LastBootGood": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AccessListDescription": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"PuaCount": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Version": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"MachineAccountQuota": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OldUacValue": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"UserParameters": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Signed": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"StartTime": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubCategoryId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OldTargetUserName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewUacValue": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"CallerProcessId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ProfilePath": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ServiceName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"State": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"FailureReason": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"BootType": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Binary": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ImpersonationLevel": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"MemberName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TargetUserName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DomainPolicyChanged": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"CategoryId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"PreAuthType": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AccountDomain": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"MemberSid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DriverName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewUACList": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubcategoryGuid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ShutdownReason": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SidFilteringEnabled": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TargetServerName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AuditPolicyChanges": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Number": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TargetDomainName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"EventSourceId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DriveName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewProcessId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"LogonType": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ExtraInfo": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"PrimaryGroupId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ObjectName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TargetLogonId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Workstation": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"PasswordLastSet": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewSchemeGuid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"MinimumThrottlePercent": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"GroupTypeChange": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AccessList": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AuthenticationPackageName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NominalFrequency": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SignatureStatus": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DeviceTime": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DomainSid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ScriptPath": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TicketEncryptionType": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TicketOptionsDescription": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ServiceType": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ObjectServer": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"HomePath": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"UserWorkstations": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SamAccountName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DomainName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"CorruptionActionState": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AuditSourceName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubCategoryGuid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"PreviousCreationUtcTime": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ServiceVersion": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AuditPolicyChangesDescription": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AccessMaskDescription": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubjectUserSid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AccountName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"PerformanceImplementation": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TicketEncryptionTypeDescription": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ServiceAccount": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Description": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ProcessPid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ScriptBlockText": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ObjectType": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"MaximumPerformancePercent": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"KerberosPolicyChange": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewTime": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"FinalStatus": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"MajorVersion": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"MandatoryLabel": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"HomeDirectory": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TokenElevationType": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubjectLogonId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"IdleImplementation": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"QfeVersion": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AccountExpires": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ServiceStartType": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"UserPrincipalName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewSdSacl1": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Dummy": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewSdSacl0": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DeviceName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewSdSacl2": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Company": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"PuaPolicyId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OldSdSacl2": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"IntegrityLevel": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OldSdSacl1": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OldSdSacl0": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TargetSid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewSd": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewTargetUserName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ClientName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"StatusDescription": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewSdDacl0": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewSdDacl2": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewSdDacl1": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DomainBehaviorVersion": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AccessGranted": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ParentProcessName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubcategoryId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"AccessRemoved": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ShutdownEventCode": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"NewProcessName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"FailureNameLength": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"PreviousTime": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"MixedDomainMode": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Detail": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OldSdDacl1": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OldSdDacl0": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Category": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TerminalSessionId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OldSdDacl2": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ClientAddress": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DeviceNameLength": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OldSchemeGuid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"CreationUtcTime": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"CallerProcessName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TdoType": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Reason": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ServiceFileName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"DisplayName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"BuildVersion": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubjectDomainName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"MinimumPerformancePercent": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"LogonId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"LogonProcessName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TSId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"PrivilegeList": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"param7": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"param8": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"param5": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"param6": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Service": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"TdoDirection": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"param3": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"param4": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"param1": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"param2": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"CommandLine": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubjectUserName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"UserAccountControl": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"OemInformation": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"FailureName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Signature": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubCategory": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ServiceSid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ProcessId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"EntryCount": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"LogonID": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"BitlockerUserInputTime": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"opcode": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"provider_guid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"activity_id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"time_created": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"trustDirection": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"api": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"provider_name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"outcome": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"computer_name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"process": {
|
|
"properties": {
|
|
"pid": {
|
|
"type": "long"
|
|
},
|
|
"thread": {
|
|
"properties": {
|
|
"id": {
|
|
"type": "long"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"trustAttribute": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"level": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"computerObject": {
|
|
"properties": {
|
|
"domain": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"user_data": {
|
|
"properties": {
|
|
"SubjectUserName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"BackupPath": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"Channel": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubjectDomainName": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubjectLogonId": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"SubjectUserSid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"xml_name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"version": {
|
|
"type": "long"
|
|
},
|
|
"record_id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"event_id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"task": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"trustType": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"user": {
|
|
"properties": {
|
|
"identifier": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"domain": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"log": {
|
|
"properties": {
|
|
"file": {
|
|
"properties": {
|
|
"path": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"level": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"source": {
|
|
"properties": {
|
|
"port": {
|
|
"type": "long"
|
|
},
|
|
"domain": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ip": {
|
|
"type": "ip"
|
|
}
|
|
}
|
|
},
|
|
"message": {
|
|
"type": "match_only_text"
|
|
},
|
|
"tags": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"cloud": {
|
|
"properties": {
|
|
"availability_zone": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"image": {
|
|
"properties": {
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"instance": {
|
|
"properties": {
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"provider": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"machine": {
|
|
"properties": {
|
|
"type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"project": {
|
|
"properties": {
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"region": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"account": {
|
|
"properties": {
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"input": {
|
|
"properties": {
|
|
"type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"@timestamp": {
|
|
"type": "date"
|
|
},
|
|
"ecs": {
|
|
"properties": {
|
|
"version": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"related": {
|
|
"properties": {
|
|
"hosts": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ip": {
|
|
"type": "ip"
|
|
},
|
|
"user": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"hash": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"data_stream": {
|
|
"properties": {
|
|
"namespace": {
|
|
"type": "constant_keyword"
|
|
},
|
|
"type": {
|
|
"type": "constant_keyword",
|
|
"value": "logs"
|
|
},
|
|
"dataset": {
|
|
"type": "constant_keyword"
|
|
}
|
|
}
|
|
},
|
|
"service": {
|
|
"properties": {
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"host": {
|
|
"properties": {
|
|
"hostname": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"os": {
|
|
"properties": {
|
|
"build": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"kernel": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"codename": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword",
|
|
"fields": {
|
|
"text": {
|
|
"type": "text"
|
|
}
|
|
}
|
|
},
|
|
"family": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"version": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"platform": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"domain": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ip": {
|
|
"type": "ip"
|
|
},
|
|
"containerized": {
|
|
"type": "boolean"
|
|
},
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"mac": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"architecture": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"event": {
|
|
"properties": {
|
|
"sequence": {
|
|
"type": "long"
|
|
},
|
|
"ingested": {
|
|
"type": "date"
|
|
},
|
|
"code": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"provider": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"created": {
|
|
"type": "date"
|
|
},
|
|
"kind": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"module": {
|
|
"type": "constant_keyword",
|
|
"value": "system"
|
|
},
|
|
"action": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"category": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"dataset": {
|
|
"type": "constant_keyword",
|
|
"value": "system.security"
|
|
},
|
|
"outcome": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"user": {
|
|
"properties": {
|
|
"effective": {
|
|
"properties": {
|
|
"domain": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"domain": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"changes": {
|
|
"properties": {
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"target": {
|
|
"properties": {
|
|
"domain": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"group": {
|
|
"properties": {
|
|
"domain": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"group": {
|
|
"properties": {
|
|
"domain": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"_meta": {
|
|
"package": {
|
|
"name": "system"
|
|
},
|
|
"managed_by": "fleet",
|
|
"managed": true
|
|
}
|
|
}
|