mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-01-01 22:03:37 +01:00
293 lines
8.9 KiB
JSON
293 lines
8.9 KiB
JSON
{
|
|
"_meta": {
|
|
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
|
|
"ecs_version": "1.12.2"
|
|
},
|
|
"template": {
|
|
"mappings": {
|
|
"properties": {
|
|
"okta": {
|
|
"properties": {
|
|
"actor": {
|
|
"properties": {
|
|
"alternate_id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"display_name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"authentication_context": {
|
|
"properties": {
|
|
"authentication_provider": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"authentication_step": {
|
|
"type": "long"
|
|
},
|
|
"credential_provider": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"credential_type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"external_session_id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"interface": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"client": {
|
|
"properties": {
|
|
"device": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"ip": {
|
|
"type": "ip"
|
|
},
|
|
"user_agent": {
|
|
"properties": {
|
|
"browser": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"os": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"raw_user_agent": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"zone": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"debug_context": {
|
|
"properties": {
|
|
"debug_data": {
|
|
"properties": {
|
|
"device_fingerprint": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"request_id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"request_uri": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"suspicious_activity": {
|
|
"properties": {
|
|
"browser": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"event_city": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"event_country": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"event_id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"event_ip": {
|
|
"type": "ip"
|
|
},
|
|
"event_latitude": {
|
|
"type": "float"
|
|
},
|
|
"event_longitude": {
|
|
"type": "float"
|
|
},
|
|
"event_state": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"event_transaction_id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"event_type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"os": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"timestamp": {
|
|
"type": "date"
|
|
}
|
|
}
|
|
},
|
|
"threat_suspected": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"url": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"display_message": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"event_type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"outcome": {
|
|
"properties": {
|
|
"reason": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"result": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"request": {
|
|
"properties": {
|
|
"ip_chain": {
|
|
"properties": {
|
|
"geographical_context": {
|
|
"properties": {
|
|
"city": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"country": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"geolocation": {
|
|
"type": "geo_point"
|
|
},
|
|
"postal_code": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"state": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"ip": {
|
|
"type": "ip"
|
|
},
|
|
"source": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"version": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"security_context": {
|
|
"properties": {
|
|
"as": {
|
|
"properties": {
|
|
"number": {
|
|
"type": "long"
|
|
},
|
|
"organization": {
|
|
"properties": {
|
|
"name": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"domain": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"is_proxy": {
|
|
"type": "boolean"
|
|
},
|
|
"isp": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"severity": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"target": {
|
|
"type": "flattened"
|
|
},
|
|
"transaction": {
|
|
"properties": {
|
|
"id": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"type": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
},
|
|
"uuid": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
},
|
|
"version": {
|
|
"ignore_above": 1024,
|
|
"type": "keyword"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
} |