securityonion/salt/elasticsearch/templates/component/ecs/zeek.json

{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"zeek": {
"properties": {
"capture_loss": {
"properties": {
"acks": {
"type": "long"
},
"gaps": {
"type": "long"
},
"peer": {
"ignore_above": 1024,
"type": "keyword"
},
"percent_lost": {
"type": "double"
},
"ts_delta": {
"type": "long"
}
}
},
"connection": {
"properties": {
"history": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp": {
"properties": {
"code": {
"type": "long"
},
"type": {
"type": "long"
}
}
},
"inner_vlan": {
"type": "long"
},
"local_orig": {
"type": "boolean"
},
"local_resp": {
"type": "boolean"
},
"missed_bytes": {
"type": "long"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"state_message": {
"ignore_above": 1024,
"type": "keyword"
},
"vlan": {
"type": "long"
}
}
},
"dce_rpc": {
"properties": {
"endpoint": {
"ignore_above": 1024,
"type": "keyword"
},
"named_pipe": {
"ignore_above": 1024,
"type": "keyword"
},
"operation": {
"ignore_above": 1024,
"type": "keyword"
},
"rtt": {
"type": "long"
}
}
},
"dhcp": {
"properties": {
"address": {
"properties": {
"assigned": {
"type": "ip"
},
"client": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"requested": {
"type": "ip"
},
"server": {
"type": "ip"
}
}
},
"client_fqdn": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "double"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"properties": {
"circuit": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"subscriber": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"lease_time": {
"type": "long"
},
"msg": {
"properties": {
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"origin": {
"type": "ip"
},
"server": {
"ignore_above": 1024,
"type": "keyword"
},
"types": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"software": {
"properties": {
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"server": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"dnp3": {
"properties": {
"function": {
"properties": {
"reply": {
"ignore_above": 1024,
"type": "keyword"
},
"request": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"id": {
"type": "long"
}
}
},
"dns": {
"properties": {
"AA": {
"type": "boolean"
},
"RA": {
"type": "boolean"
},
"RD": {
"type": "boolean"
},
"TC": {
"type": "boolean"
},
"TTLs": {
"type": "double"
},
"answers": {
"ignore_above": 1024,
"type": "keyword"
},
"qclass": {
"type": "long"
},
"qclass_name": {
"ignore_above": 1024,
"type": "keyword"
},
"qtype": {
"type": "long"
},
"qtype_name": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"rcode": {
"type": "long"
},
"rcode_name": {
"ignore_above": 1024,
"type": "keyword"
},
"rejected": {
"type": "boolean"
},
"rtt": {
"type": "double"
},
"saw_query": {
"type": "boolean"
},
"saw_reply": {
"type": "boolean"
},
"total_answers": {
"type": "long"
},
"total_replies": {
"type": "long"
},
"trans_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"dpd": {
"properties": {
"analyzer": {
"ignore_above": 1024,
"type": "keyword"
},
"failure_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"packet_segment": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"files": {
"properties": {
"analyzers": {
"ignore_above": 1024,
"type": "keyword"
},
"depth": {
"type": "long"
},
"duration": {
"type": "double"
},
"entropy": {
"type": "double"
},
"extracted": {
"ignore_above": 1024,
"type": "keyword"
},
"extracted_cutoff": {
"type": "boolean"
},
"extracted_size": {
"type": "long"
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
},
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"is_orig": {
"type": "boolean"
},
"local_orig": {
"type": "boolean"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"missing_bytes": {
"type": "long"
},
"overflow_bytes": {
"type": "long"
},
"parent_fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"rx_host": {
"type": "ip"
},
"seen_bytes": {
"type": "long"
},
"session_ids": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
},
"timedout": {
"type": "boolean"
},
"total_bytes": {
"type": "long"
},
"tx_host": {
"type": "ip"
}
}
},
"ftp": {
"properties": {
"arg": {
"ignore_above": 1024,
"type": "keyword"
},
"capture_password": {
"type": "boolean"
},
"cmdarg": {
"properties": {
"arg": {
"ignore_above": 1024,
"type": "keyword"
},
"cmd": {
"ignore_above": 1024,
"type": "keyword"
},
"seq": {
"type": "long"
}
}
},
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"cwd": {
"ignore_above": 1024,
"type": "keyword"
},
"data_channel": {
"properties": {
"originating_host": {
"type": "ip"
},
"passive": {
"type": "boolean"
},
"response_host": {
"type": "ip"
},
"response_port": {
"type": "long"
}
}
},
"file": {
"properties": {
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
}
}
},
"last_auth_requested": {
"ignore_above": 1024,
"type": "keyword"
},
"passive": {
"type": "boolean"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"pending_commands": {
"type": "long"
},
"reply": {
"properties": {
"code": {
"type": "long"
},
"msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"http": {
"properties": {
"captured_password": {
"type": "boolean"
},
"client_header_names": {
"ignore_above": 1024,
"type": "keyword"
},
"info_code": {
"type": "long"
},
"info_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"orig_filenames": {
"ignore_above": 1024,
"type": "keyword"
},
"orig_fuids": {
"ignore_above": 1024,
"type": "keyword"
},
"orig_mime_depth": {
"type": "long"
},
"orig_mime_types": {
"ignore_above": 1024,
"type": "keyword"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"proxied": {
"ignore_above": 1024,
"type": "keyword"
},
"range_request": {
"type": "boolean"
},
"resp_filenames": {
"ignore_above": 1024,
"type": "keyword"
},
"resp_fuids": {
"ignore_above": 1024,
"type": "keyword"
},
"resp_mime_depth": {
"type": "long"
},
"resp_mime_types": {
"ignore_above": 1024,
"type": "keyword"
},
"server_header_names": {
"ignore_above": 1024,
"type": "keyword"
},
"status_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"trans_depth": {
"type": "long"
}
}
},
"intel": {
"properties": {
"file_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"file_mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"matched": {
"ignore_above": 1024,
"type": "keyword"
},
"seen": {
"properties": {
"conn": {
"ignore_above": 1024,
"type": "keyword"
},
"f": {
"type": "object"
},
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"indicator": {
"ignore_above": 1024,
"type": "keyword"
},
"indicator_type": {
"ignore_above": 1024,
"type": "keyword"
},
"node": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"where": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sources": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ipsec": {
"properties": {
"certificates": {
"ignore_above": 1024,
"type": "keyword"
},
"exchange_type": {
"type": "short"
},
"flag_a": {
"type": "boolean"
},
"flag_c": {
"type": "boolean"
},
"flag_e": {
"type": "boolean"
},
"flag_i": {
"type": "boolean"
},
"flag_r": {
"type": "boolean"
},
"flag_v": {
"type": "boolean"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"initiator_spi": {
"ignore_above": 1024,
"type": "keyword"
},
"ke_dh_groups": {
"type": "short"
},
"length": {
"type": "long"
},
"maj_version": {
"type": "short"
},
"message_id": {
"type": "long"
},
"min_version": {
"type": "short"
},
"notify_messages": {
"ignore_above": 1024,
"type": "keyword"
},
"proposals": {
"type": "long"
},
"responder_spi": {
"ignore_above": 1024,
"type": "keyword"
},
"situation": {
"ignore_above": 1024,
"type": "keyword"
},
"transform_attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"transforms": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor_ids": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"irc": {
"properties": {
"addl": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"dcc": {
"properties": {
"file": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
}
}
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"nick": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"kerberos": {
"properties": {
"cert": {
"properties": {
"client": {
"properties": {
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"server": {
"properties": {
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"properties": {
"code": {
"type": "long"
},
"msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"forwardable": {
"type": "boolean"
},
"renewable": {
"type": "boolean"
},
"request_type": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"ignore_above": 1024,
"type": "keyword"
},
"success": {
"type": "boolean"
},
"ticket": {
"properties": {
"auth": {
"ignore_above": 1024,
"type": "keyword"
},
"new": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"valid": {
"properties": {
"days": {
"type": "long"
},
"from": {
"type": "date"
},
"until": {
"type": "date"
}
}
}
}
},
"ldap": {
"type": "object",
"properties": {
"message_id": {
"type": "short"
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"diagnostic_message": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "short"
},
"object": {
"ignore_above": 1024,
"type": "keyword"
},
"argument": {
"ignore_above": 1024,
"type": "keyword"
},
"user_email": {
"ignore_above": 1024,
"type": "keyword"
},
"property": {
"ignore_above": 1024,
"type": "keyword"
},
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ldap_search": {
"type": "object",
"properties": {
"scope": {
"ignore_above": 1024,
"type": "keyword"
},
"deref_aliases": {
"ignore_above": 1024,
"type": "keyword"
},
"result_count": {
"type": "long"
},
"filter": {
"ignore_above": 1024,
"type": "keyword"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"modbus": {
"properties": {
"exception": {
"ignore_above": 1024,
"type": "keyword"
},
"function": {
"ignore_above": 1024,
"type": "keyword"
},
"track_address": {
"type": "long"
}
}
},
"mysql": {
"properties": {
"arg": {
"ignore_above": 1024,
"type": "keyword"
},
"cmd": {
"ignore_above": 1024,
"type": "keyword"
},
"response": {
"ignore_above": 1024,
"type": "keyword"
},
"rows": {
"type": "long"
},
"success": {
"type": "boolean"
}
}
},
"notice": {
"properties": {
"actions": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"dropped": {
"type": "boolean"
},
"email_body_sections": {
"norms": false,
"type": "text"
},
"email_delay_tokens": {
"ignore_above": 1024,
"type": "keyword"
},
"false": {
"type": "long"
},
"ffile": {
"properties": {
"total_bytes": {
"type": "long"
}
}
},
"file": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"is_orig": {
"type": "boolean"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"missing_bytes": {
"type": "long"
},
"overflow_bytes": {
"type": "long"
},
"parent_id": {
"ignore_above": 1024,
"type": "keyword"
},
"seen_bytes": {
"type": "long"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_id": {
"ignore_above": 1024,
"type": "keyword"
},
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"msg": {
"ignore_above": 1024,
"type": "keyword"
},
"note": {
"ignore_above": 1024,
"type": "keyword"
},
"peer_descr": {
"norms": false,
"type": "text"
},
"peer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sub": {
"ignore_above": 1024,
"type": "keyword"
},
"suppress_for": {
"type": "double"
}
}
},
"ntlm": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"server": {
"properties": {
"name": {
"properties": {
"dns": {
"ignore_above": 1024,
"type": "keyword"
},
"netbios": {
"ignore_above": 1024,
"type": "keyword"
},
"tree": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"success": {
"type": "boolean"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ntp": {
"properties": {
"mode": {
"type": "long"
},
"num_exts": {
"type": "long"
},
"org_time": {
"type": "date"
},
"poll": {
"type": "double"
},
"precision": {
"type": "double"
},
"rec_time": {
"type": "date"
},
"ref_id": {
"ignore_above": 1024,
"type": "keyword"
},
"ref_time": {
"type": "date"
},
"root_delay": {
"type": "double"
},
"root_disp": {
"type": "double"
},
"stratum": {
"type": "long"
},
"version": {
"type": "long"
},
"xmt_time": {
"type": "date"
}
}
},
"ocsp": {
"properties": {
"file_id": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"revoke": {
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"time": {
"type": "date"
}
}
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"update": {
"properties": {
"next": {
"type": "date"
},
"this": {
"type": "date"
}
}
}
}
},
"pe": {
"properties": {
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"compile_time": {
"type": "date"
},
"has_cert_table": {
"type": "boolean"
},
"has_debug_data": {
"type": "boolean"
},
"has_export_table": {
"type": "boolean"
},
"has_import_table": {
"type": "boolean"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"is_64bit": {
"type": "boolean"
},
"is_exe": {
"type": "boolean"
},
"machine": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"section_names": {
"ignore_above": 1024,
"type": "keyword"
},
"subsystem": {
"ignore_above": 1024,
"type": "keyword"
},
"uses_aslr": {
"type": "boolean"
},
"uses_code_integrity": {
"type": "boolean"
},
"uses_dep": {
"type": "boolean"
},
"uses_seh": {
"type": "boolean"
}
}
},
"quic": {
"type": "object",
"properties": {
"server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "short"
},
"client_initial_dcid": {
"ignore_above": 1024,
"type": "keyword"
},
"client_scid": {
"ignore_above": 1024,
"type": "keyword"
},
"server_scid": {
"ignore_above": 1024,
"type": "keyword"
},
"client_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"history": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"radius": {
"properties": {
"connect_info": {
"ignore_above": 1024,
"type": "keyword"
},
"framed_addr": {
"type": "ip"
},
"logged": {
"type": "boolean"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_ip": {
"type": "ip"
},
"reply_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"ttl": {
"type": "long"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rdp": {
"properties": {
"cert": {
"properties": {
"count": {
"type": "long"
},
"permanent": {
"type": "boolean"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"client": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"client_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"desktop": {
"properties": {
"color_depth": {
"ignore_above": 1024,
"type": "keyword"
},
"height": {
"type": "long"
},
"width": {
"type": "long"
}
}
},
"done": {
"type": "boolean"
},
"encryption": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"keyboard_layout": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"security_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl": {
"type": "boolean"
}
}
},
"rfb": {
"properties": {
"auth": {
"properties": {
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"success": {
"type": "boolean"
}
}
},
"desktop_name": {
"ignore_above": 1024,
"type": "keyword"
},
"height": {
"type": "long"
},
"share_flag": {
"type": "boolean"
},
"version": {
"properties": {
"client": {
"properties": {
"major": {
"ignore_above": 1024,
"type": "keyword"
},
"minor": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"server": {
"properties": {
"major": {
"ignore_above": 1024,
"type": "keyword"
},
"minor": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"width": {
"type": "long"
}
}
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"signature": {
"properties": {
"event_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"host_count": {
"type": "long"
},
"note": {
"ignore_above": 1024,
"type": "keyword"
},
"sig_count": {
"type": "long"
},
"sig_id": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sip": {
"properties": {
"call_id": {
"ignore_above": 1024,
"type": "keyword"
},
"content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"date": {
"ignore_above": 1024,
"type": "keyword"
},
"reply_to": {
"ignore_above": 1024,
"type": "keyword"
},
"request": {
"properties": {
"body_length": {
"type": "long"
},
"from": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"to": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"response": {
"properties": {
"body_length": {
"type": "long"
},
"from": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"to": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sequence": {
"properties": {
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"number": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"status": {
"properties": {
"code": {
"type": "long"
},
"msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"transaction_depth": {
"type": "long"
},
"uri": {
"ignore_above": 1024,
"type": "keyword"
},
"user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"warning": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"smb_cmd": {
"properties": {
"argument": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"file": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"host": {
"properties": {
"rx": {
"type": "ip"
},
"tx": {
"type": "ip"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rtt": {
"type": "double"
},
"smb1_offered_dialects": {
"ignore_above": 1024,
"type": "keyword"
},
"smb2_offered_dialects": {
"type": "long"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_command": {
"ignore_above": 1024,
"type": "keyword"
},
"tree": {
"ignore_above": 1024,
"type": "keyword"
},
"tree_service": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"smb_files": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"fid": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"previous_name": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"times": {
"properties": {
"accessed": {
"type": "date"
},
"changed": {
"type": "date"
},
"created": {
"type": "date"
},
"modified": {
"type": "date"
}
}
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"smb_mapping": {
"properties": {
"native_file_system": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"ignore_above": 1024,
"type": "keyword"
},
"share_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"smtp": {
"properties": {
"cc": {
"ignore_above": 1024,
"type": "keyword"
},
"date": {
"type": "date"
},
"first_received": {
"ignore_above": 1024,
"type": "keyword"
},
"from": {
"ignore_above": 1024,
"type": "keyword"
},
"fuids": {
"ignore_above": 1024,
"type": "keyword"
},
"has_client_activity": {
"type": "boolean"
},
"helo": {
"ignore_above": 1024,
"type": "keyword"
},
"in_reply_to": {
"ignore_above": 1024,
"type": "keyword"
},
"is_webmail": {
"type": "boolean"
},
"last_reply": {
"ignore_above": 1024,
"type": "keyword"
},
"mail_from": {
"ignore_above": 1024,
"type": "keyword"
},
"msg_id": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"type": "ip"
},
"process_received_from": {
"type": "boolean"
},
"rcpt_to": {
"ignore_above": 1024,
"type": "keyword"
},
"reply_to": {
"ignore_above": 1024,
"type": "keyword"
},
"second_received": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"tls": {
"type": "boolean"
},
"to": {
"ignore_above": 1024,
"type": "keyword"
},
"transaction_depth": {
"type": "long"
},
"user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"x_originating_ip": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"snmp": {
"properties": {
"community": {
"ignore_above": 1024,
"type": "keyword"
},
"display_string": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "double"
},
"get": {
"properties": {
"bulk_requests": {
"type": "long"
},
"requests": {
"type": "long"
},
"responses": {
"type": "long"
}
}
},
"set": {
"properties": {
"requests": {
"type": "long"
}
}
},
"up_since": {
"type": "date"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"socks": {
"properties": {
"bound": {
"properties": {
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
}
}
},
"capture_password": {
"type": "boolean"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"request": {
"properties": {
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
}
}
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
}
}
},
"ssh": {
"properties": {
"algorithm": {
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"compression": {
"ignore_above": 1024,
"type": "keyword"
},
"host_key": {
"ignore_above": 1024,
"type": "keyword"
},
"key_exchange": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"auth": {
"properties": {
"attempts": {
"type": "long"
},
"success": {
"type": "boolean"
}
}
},
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"host_key": {
"ignore_above": 1024,
"type": "keyword"
},
"server": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
}
}
},
"ssl": {
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"client": {
"properties": {
"cert_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_chain_fuids": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"curve": {
"ignore_above": 1024,
"type": "keyword"
},
"established": {
"type": "boolean"
},
"last_alert": {
"ignore_above": 1024,
"type": "keyword"
},
"next_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"resumed": {
"type": "boolean"
},
"server": {
"properties": {
"cert_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_chain_fuids": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"validation": {
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"stats": {
"properties": {
"bytes": {
"properties": {
"received": {
"type": "long"
}
}
},
"connections": {
"properties": {
"icmp": {
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
},
"tcp": {
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
},
"udp": {
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
}
}
},
"dns_requests": {
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
},
"events": {
"properties": {
"processed": {
"type": "long"
},
"queued": {
"type": "long"
}
}
},
"files": {
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
},
"memory": {
"type": "long"
},
"packets": {
"properties": {
"dropped": {
"type": "long"
},
"processed": {
"type": "long"
},
"received": {
"type": "long"
}
}
},
"peer": {
"ignore_above": 1024,
"type": "keyword"
},
"reassembly_size": {
"properties": {
"file": {
"type": "long"
},
"frag": {
"type": "long"
},
"tcp": {
"type": "long"
},
"unknown": {
"type": "long"
}
}
},
"timers": {
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
},
"timestamp_lag": {
"type": "long"
}
}
},
"syslog": {
"properties": {
"facility": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tunnel": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"weird": {
"properties": {
"additional_info": {
"ignore_above": 1024,
"type": "keyword"
},
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"notice": {
"type": "boolean"
},
"peer": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"x509": {
"properties": {
"basic_constraints": {
"properties": {
"certificate_authority": {
"type": "boolean"
},
"path_length": {
"type": "long"
}
}
},
"certificate": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"curve": {
"ignore_above": 1024,
"type": "keyword"
},
"exponent": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"key": {
"properties": {
"algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"length": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"valid": {
"properties": {
"from": {
"type": "date"
},
"until": {
"type": "date"
}
}
},
"version": {
"type": "long"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"log_cert": {
"type": "boolean"
},
"san": {
"properties": {
"dns": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"other_fields": {
"type": "boolean"
},
"uri": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
}
}