This guide will take you through how to configure Filebeat 8 to write logs to a specific index. Are you collecting logs using Filebeat 8 and want to write them to a specific index on Elasticsearch 8 instead of the default data stream? This guide will help you with that.
Default Filebeat Data Streams
By default, Filebeat 8 uses a feature of Elasticsearch 8 called data streams. A data stream is a logical grouping of indices that are created from index templates. Data streams are used to store append-only time series data across multiple backing indices, and those backing indices are hidden by default.
Data streams are designed for use cases where existing data is rarely, if ever, updated. You cannot send update or deletion requests for existing documents directly to a data stream. Instead, use the update by query and delete by query APIs.
If needed, you can update or delete documents by submitting requests directly to the document’s backing index.
If you frequently update or delete existing time series data, use an index alias with a write index instead of a data stream.
Elasticsearch Data Streams
Consider the Filebeat we installed on Debian 12 in our previous guide:
Install Filebeat 8 on Debian 12
By default, unless configured otherwise, Filebeat writes any event data it collects to the default data stream, filebeat-X.X.X, on Elasticsearch.
To confirm, see Stack Management > Data > Index Management > Data Streams:
If you want to see the data stream's backing indices, click Indices under Index Management and toggle the Include hidden indices option.
As already mentioned, data streams are created from index templates. An index template defines how Elasticsearch configures an index when it is created. For example, the filebeat-8.8.1 index is created from the index template named filebeat-8.8.1. You can find index templates under the Index Templates section.
You can get the details of the index template with the command below. Update it to match your ELK setup. Because the cluster's CA certificate is passed with --cacert, the -k (insecure) flag is not needed; it would disable certificate verification entirely and should not be combined with --cacert:
curl -XGET https://elk.kifarunix-demo.com:9200/_index_template/filebeat-8.8.1?pretty \
  -u elastic --cacert /etc/elasticsearch/certs/http_ca.crt
Or log in to Kibana, open Management > DevTools > Console and execute the command below:
GET _index_template/filebeat-8.8.1
You can also learn how to write data to a custom data stream:
Configure Filebeat 8 to Write Logs to Specific Data Stream
Configuring Filebeat 8 to Write Logs to Specific Index
Now, as already mentioned, if you frequently update or delete existing time series data, use an index alias with a write index instead of a data stream.
[Optional] Create Index Lifecycle Management Policy
This step is optional, but if you want to control the lifecycle of your indices, such as rolling them over, moving them through phases and eventually deleting them, ILM policies come in very handy. You can manage ILM policies in Kibana under Stack Management > Data > Index Lifecycle Policies.
So, for the purposes of demonstration, let's create a custom ILM policy to apply to our custom index:
- Navigate to Kibana > Stack Management > Data > Index Lifecycle Policies > Create Policy.
- Enter the name of the policy, for example, demo in our case.
- Configure the policy phases:
- Hot phase: stores the most recent and most frequently searched data. This phase is required.
- Warm phase: stores data that you are still likely to search but rarely need to update.
- Cold phase: stores data that you search less often and no longer need to update.
- Delete phase: deletes data you no longer need.
- Note that you can jump straight to the delete phase from any phase by clicking the trash icon.
Here is a screenshot of our ILM policy configuration. Note that the values used here are for demonstration purposes only.
Hot phase:
- Ensure Rollover is enabled
Warm and cold phases:
Create a policy that suits your needs!
You can always verify which policy is applied to your indices, and which phase they are in, with the ILM explain API. Replace the index pattern accordingly:
GET <INDEX>-*/_ilm/explain
Create Component Index Template
A component template defines mappings, settings, and aliases that can be reused by one or more index templates.
We will use the default component index templates in this guide.
Create/Bootstrap Index Template
An index template, on the other hand, defines the settings applied to the specific indices whose names match its index patterns. Index templates can include settings and mappings defined in component templates, as well as settings and mappings that are specific to the index.
So, let's create our own custom index template.
Navigate to Kibana > Stack Management > Data > Index Management > Index Templates.
Note that the default Filebeat index template already exists in my setup; it was created automatically by other Filebeat instances sending data to my Elasticsearch. So, to make life easier, let's clone the existing Filebeat index template and modify it to suit our needs.
If you want, here is the JSON config of the index template used in this demo:
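Before creating the template, it is worth checking that the three pieces the alias-with-write-index approach depends on agree with each other: the ILM policy from the previous section, the template's index.lifecycle.name and index.lifecycle.rollover_alias settings, and the bootstrap index that carries the write alias. The Python below is an added example, not code from the guide or from Elastic: it builds those three request bodies (policy and alias both named demo as in the guide; the phase timings and the bootstrap index name demo-000001 are constructed, assumed values) and flags the common wiring mistakes that ILM otherwise only reports after the first rollover fails.

```python
"""Added example (not from the original guide): build the ILM policy, the
lifecycle part of the index template and the bootstrap write index described
in the guide, and check that they are wired together consistently.

Assumptions (constructed, not from the guide): phase timings, template
priority, and the bootstrap index name <alias>-000001.
"""
import fnmatch
import json
import re
from typing import Dict, List, Tuple

POLICY_NAME = "demo"                          # index.lifecycle.name in the guide
ROLLOVER_ALIAS = "demo"                       # index.lifecycle.rollover_alias in the guide
BOOTSTRAP_INDEX = f"{ROLLOVER_ALIAS}-000001"  # assumed first backing index


def build_ilm_policy(max_size: str = "10gb", max_age: str = "1d",
                     warm_after: str = "2d", cold_after: str = "7d",
                     delete_after: str = "30d") -> Dict:
    """Hot (rollover enabled, required), warm, cold and delete phases.
    All timings are constructed demo values."""
    return {"policy": {"phases": {
        "hot": {"min_age": "0ms", "actions": {
            "rollover": {"max_primary_shard_size": max_size, "max_age": max_age}}},
        "warm": {"min_age": warm_after, "actions": {"set_priority": {"priority": 50}}},
        "cold": {"min_age": cold_after, "actions": {"set_priority": {"priority": 0}}},
        "delete": {"min_age": delete_after, "actions": {"delete": {}}},
    }}}


def build_index_template(policy_name: str = POLICY_NAME,
                         rollover_alias: str = ROLLOVER_ALIAS) -> Dict:
    """Only the lifecycle-related settings; the full mappings are in the
    guide's PUT _index_template/demo body. Priority is a constructed value."""
    return {
        "index_patterns": [f"{rollover_alias}-*"],
        "priority": 500,
        "template": {"settings": {"index": {
            "lifecycle": {"name": policy_name, "rollover_alias": rollover_alias},
            "number_of_shards": "1"}}},
    }


def build_bootstrap_index(rollover_alias: str = ROLLOVER_ALIAS) -> Dict:
    """Body for PUT <alias>-000001. The alias must mark this index as the
    write index so that Filebeat's writes, and later rollovers, target it."""
    return {"aliases": {rollover_alias: {"is_write_index": True}}}


def check_wiring(policy_name: str, policy: Dict, template: Dict,
                 bootstrap_index: str, bootstrap_body: Dict) -> List[str]:
    """Return a list of wiring problems; an empty list means consistent."""
    problems: List[str] = []
    lifecycle = template["template"]["settings"]["index"].get("lifecycle", {})
    alias = lifecycle.get("rollover_alias")
    if lifecycle.get("name") != policy_name:
        problems.append("template lifecycle.name does not match the policy name")
    hot_actions = policy["policy"]["phases"].get("hot", {}).get("actions", {})
    if "rollover" not in hot_actions:
        problems.append("hot phase has no rollover action")
    if not alias:
        problems.append("template has no rollover_alias")
        return problems
    # Rollover derives the next index name from a trailing number.
    if not re.fullmatch(rf"{re.escape(alias)}-\d+", bootstrap_index):
        problems.append("bootstrap index is not named <alias>-<number>")
    if not bootstrap_body.get("aliases", {}).get(alias, {}).get("is_write_index"):
        problems.append("bootstrap index does not mark the alias as its write index")
    if not any(fnmatch.fnmatch(bootstrap_index, p) for p in template["index_patterns"]):
        problems.append("bootstrap index is not covered by the template's index_patterns")
    return problems


def console_requests() -> List[Tuple[str, str, str]]:
    """The three calls in the order they must be issued (Kibana Dev Tools
    format: METHOD path followed by the JSON body). Policy first, then the
    template, then the bootstrap index so the template applies to it."""
    return [
        ("PUT", f"_ilm/policy/{POLICY_NAME}", json.dumps(build_ilm_policy(), indent=2)),
        ("PUT", f"_index_template/{POLICY_NAME}", json.dumps(build_index_template(), indent=2)),
        ("PUT", BOOTSTRAP_INDEX, json.dumps(build_bootstrap_index(), indent=2)),
    ]


if __name__ == "__main__":
    issues = check_wiring(POLICY_NAME, build_ilm_policy(), build_index_template(),
                          BOOTSTRAP_INDEX, build_bootstrap_index())
    if issues:
        raise SystemExit("wiring problems:\n  " + "\n  ".join(issues))
    for method, path, body in console_requests():
        print(f"{method} {path}\n{body}\n")
```

Paste the printed requests into Kibana Dev Tools in order; afterwards `GET demo-*/_ilm/explain` from the previous section should show demo-000001 managed by the demo policy.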
PUT _index_template/demo
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "demo",
"rollover_alias": "demo"
},
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"refresh_interval": "5s",
"number_of_shards": "1",
"max_docvalue_fields_search": "200",
"query": {
"default_field": [
"message",
"tags",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"as.organization.name",
"client.address",
"client.as.organization.name",
"client.domain",
"client.geo.city_name",
"client.geo.continent_name",
"client.geo.country_iso_code",
"client.geo.country_name",
"client.geo.name",
"client.geo.region_iso_code",
"client.geo.region_name",
"client.mac",
"client.registered_domain",
"client.top_level_domain",
"client.user.domain",
"client.user.email",
"client.user.full_name",
"client.user.group.domain",
"client.user.group.id",
"client.user.group.name",
"client.user.hash",
"client.user.id",
"client.user.name",
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"container.id",
"container.image.name",
"container.image.tag",
"container.name",
"container.runtime",
"destination.address",
"destination.as.organization.name",
"destination.domain",
"destination.geo.city_name",
"destination.geo.continent_name",
"destination.geo.country_iso_code",
"destination.geo.country_name",
"destination.geo.name",
"destination.geo.region_iso_code",
"destination.geo.region_name",
"destination.mac",
"destination.registered_domain",
"destination.top_level_domain",
"destination.user.domain",
"destination.user.email",
"destination.user.full_name",
"destination.user.group.domain",
"destination.user.group.id",
"destination.user.group.name",
"destination.user.hash",
"destination.user.id",
"destination.user.name",
"dns.answers.class",
"dns.answers.data",
"dns.answers.name",
"dns.answers.type",
"dns.header_flags",
"dns.id",
"dns.op_code",
"dns.question.class",
"dns.question.name",
"dns.question.registered_domain",
"dns.question.subdomain",
"dns.question.top_level_domain",
"dns.question.type",
"dns.response_code",
"dns.type",
"ecs.version",
"error.code",
"error.id",
"error.message",
"error.stack_trace",
"error.type",
"event.action",
"event.category",
"event.code",
"event.dataset",
"event.hash",
"event.id",
"event.kind",
"event.module",
"event.outcome",
"event.provider",
"event.timezone",
"event.type",
"file.device",
"file.directory",
"file.extension",
"file.gid",
"file.group",
"file.hash.md5",
"file.hash.sha1",
"file.hash.sha256",
"file.hash.sha512",
"file.inode",
"file.mode",
"file.name",
"file.owner",
"file.path",
"file.target_path",
"file.type",
"file.uid",
"geo.city_name",
"geo.continent_name",
"geo.country_iso_code",
"geo.country_name",
"geo.name",
"geo.region_iso_code",
"geo.region_name",
"group.domain",
"group.id",
"group.name",
"hash.md5",
"hash.sha1",
"hash.sha256",
"hash.sha512",
"host.architecture",
"host.geo.city_name",
"host.geo.continent_name",
"host.geo.country_iso_code",
"host.geo.country_name",
"host.geo.name",
"host.geo.region_iso_code",
"host.geo.region_name",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.full",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.type",
"http.request.body.content",
"http.request.method",
"http.request.referrer",
"http.response.body.content",
"http.version",
"log.level",
"log.logger",
"log.origin.file.name",
"log.origin.function",
"log.syslog.facility.name",
"log.syslog.severity.name",
"network.application",
"network.community_id",
"network.direction",
"network.iana_number",
"network.name",
"network.protocol",
"network.transport",
"network.type",
"observer.geo.city_name",
"observer.geo.continent_name",
"observer.geo.country_iso_code",
"observer.geo.country_name",
"observer.geo.name",
"observer.geo.region_iso_code",
"observer.geo.region_name",
"observer.hostname",
"observer.mac",
"observer.name",
"observer.os.family",
"observer.os.full",
"observer.os.kernel",
"observer.os.name",
"observer.os.platform",
"observer.os.version",
"observer.product",
"observer.serial_number",
"observer.type",
"observer.vendor",
"observer.version",
"organization.id",
"organization.name",
"os.family",
"os.full",
"os.kernel",
"os.name",
"os.platform",
"os.version",
"package.architecture",
"package.checksum",
"package.description",
"package.install_scope",
"package.license",
"package.name",
"package.path",
"package.version",
"process.args",
"process.executable",
"process.hash.md5",
"process.hash.sha1",
"process.hash.sha256",
"process.hash.sha512",
"process.name",
"process.thread.name",
"process.title",
"process.working_directory",
"server.address",
"server.as.organization.name",
"server.domain",
"server.geo.city_name",
"server.geo.continent_name",
"server.geo.country_iso_code",
"server.geo.country_name",
"server.geo.name",
"server.geo.region_iso_code",
"server.geo.region_name",
"server.mac",
"server.registered_domain",
"server.top_level_domain",
"server.user.domain",
"server.user.email",
"server.user.full_name",
"server.user.group.domain",
"server.user.group.id",
"server.user.group.name",
"server.user.hash",
"server.user.id",
"server.user.name",
"service.ephemeral_id",
"service.id",
"service.name",
"service.node.name",
"service.state",
"service.type",
"service.version",
"source.address",
"source.as.organization.name",
"source.domain",
"source.geo.city_name",
"source.geo.continent_name",
"source.geo.country_iso_code",
"source.geo.country_name",
"source.geo.name",
"source.geo.region_iso_code",
"source.geo.region_name",
"source.mac",
"source.registered_domain",
"source.top_level_domain",
"source.user.domain",
"source.user.email",
"source.user.full_name",
"source.user.group.domain",
"source.user.group.id",
"source.user.group.name",
"source.user.hash",
"source.user.id",
"source.user.name",
"threat.framework",
"threat.tactic.id",
"threat.tactic.name",
"threat.tactic.reference",
"threat.technique.id",
"threat.technique.name",
"threat.technique.reference",
"trace.id",
"transaction.id",
"url.domain",
"url.extension",
"url.fragment",
"url.full",
"url.original",
"url.password",
"url.path",
"url.query",
"url.registered_domain",
"url.scheme",
"url.top_level_domain",
"url.username",
"user.domain",
"user.email",
"user.full_name",
"user.group.domain",
"user.group.id",
"user.group.name",
"user.hash",
"user.id",
"user.name",
"user_agent.device.name",
"user_agent.name",
"user_agent.original.text",
"user_agent.original",
"user_agent.os.family",
"user_agent.os.full",
"user_agent.os.kernel",
"user_agent.os.name",
"user_agent.os.platform",
"user_agent.os.version",
"user_agent.version",
"cloud.image.id",
"host.os.build",
"host.os.codename",
"kubernetes.pod.name",
"kubernetes.pod.uid",
"kubernetes.namespace",
"kubernetes.node.name",
"kubernetes.node.hostname",
"kubernetes.replicaset.name",
"kubernetes.deployment.name",
"kubernetes.statefulset.name",
"kubernetes.container.name",
"process.owner.id",
"process.owner.name.text",
"process.owner.name",
"jolokia.agent.version",
"jolokia.agent.id",
"jolokia.server.product",
"jolokia.server.version",
"jolokia.server.vendor",
"jolokia.url",
"awscloudwatch.log_group",
"awscloudwatch.log_stream",
"awscloudwatch.ingestion_time",
"aws.cloudwatch.log_group",
"aws.cloudwatch.log_stream",
"aws.cloudwatch.ingestion_time",
"bucket.name",
"bucket.arn",
"object.key",
"fields.*"
]
}
}
},
"mappings": {
"_meta": {
"beat": "filebeat",
"version": "8.8.1"
},
"date_detection": false,
"dynamic_templates": [
{
"labels": {
"path_match": "labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"fields": {
"path_match": "fields.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"docker.container.labels": {
"path_match": "docker.container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"kubernetes.labels.*": {
"path_match": "kubernetes.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "*"
}
},
{
"kubernetes.annotations.*": {
"path_match": "kubernetes.annotations.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "*"
}
},
{
"kubernetes.selectors.*": {
"path_match": "kubernetes.selectors.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "*"
}
},
{
"docker.attrs": {
"path_match": "docker.attrs.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"azure.activitylogs.identity.claims.*": {
"path_match": "azure.activitylogs.identity.claims.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "*"
}
},
{
"kibana.log.meta": {
"path_match": "kibana.log.meta.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"activemq": {
"type": "object",
"properties": {
"caller": {
"ignore_above": 1024,
"type": "keyword"
},
"log": {
"type": "object",
"properties": {
"stack_trace": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"thread": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"type": "object",
"properties": {
"build": {
"type": "object",
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"hostname": {
"path": "agent.name",
"type": "alias"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"apache": {
"type": "object",
"properties": {
"access": {
"type": "object",
"properties": {
"ssl": {
"type": "object",
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"error": {
"type": "object",
"properties": {
"module": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"as": {
"type": "object",
"properties": {
"number": {
"type": "long"
},
"organization": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
}
},
"auditd": {
"type": "object",
"properties": {
"log": {
"type": "object",
"properties": {
"a0": {
"ignore_above": 1024,
"type": "keyword"
},
"addr": {
"type": "ip"
},
"item": {
"ignore_above": 1024,
"type": "keyword"
},
"items": {
"ignore_above": 1024,
"type": "keyword"
},
"laddr": {
"type": "ip"
},
"lport": {
"type": "long"
},
"new_auid": {
"ignore_above": 1024,
"type": "keyword"
},
"new_ses": {
"ignore_above": 1024,
"type": "keyword"
},
"old_auid": {
"ignore_above": 1024,
"type": "keyword"
},
"old_ses": {
"ignore_above": 1024,
"type": "keyword"
},
"rport": {
"type": "long"
},
"sequence": {
"type": "long"
},
"tty": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"aws": {
"type": "object",
"properties": {
"cloudtrail": {
"type": "object",
"properties": {
"additional_eventdata": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
},
"api_version": {
"ignore_above": 1024,
"type": "keyword"
},
"console_login": {
"type": "object",
"properties": {
"additional_eventdata": {
"type": "object",
"properties": {
"login_to": {
"ignore_above": 1024,
"type": "keyword"
},
"mfa_used": {
"type": "boolean"
},
"mobile_version": {
"type": "boolean"
}
}
}
}
},
"digest": {
"type": "object",
"properties": {
"end_time": {
"type": "date"
},
"log_files": {
"type": "nested"
},
"newest_event_time": {
"type": "date"
},
"oldest_event_time": {
"type": "date"
},
"previous_hash_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"previous_s3_bucket": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_fingerprint": {
"ignore_above": 1024,
"type": "keyword"
},
"s3_bucket": {
"ignore_above": 1024,
"type": "keyword"
},
"s3_object": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"start_time": {
"type": "date"
}
}
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
},
"error_message": {
"ignore_above": 1024,
"type": "keyword"
},
"event_category": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"event_version": {
"ignore_above": 1024,
"type": "keyword"
},
"flattened": {
"type": "object",
"properties": {
"additional_eventdata": {
"type": "flattened"
},
"request_parameters": {
"type": "flattened"
},
"response_elements": {
"type": "flattened"
},
"service_event_details": {
"type": "flattened"
}
}
},
"insight_details": {
"type": "flattened"
},
"management_event": {
"ignore_above": 1024,
"type": "keyword"
},
"read_only": {
"ignore_above": 1024,
"type": "keyword"
},
"recipient_account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_parameters": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
},
"resources": {
"type": "object",
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"response_elements": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
},
"service_event_details": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
},
"shared_event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"user_identity": {
"type": "object",
"properties": {
"access_key_id": {
"ignore_above": 1024,
"type": "keyword"
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"invoked_by": {
"ignore_above": 1024,
"type": "keyword"
},
"session_context": {
"type": "object",
"properties": {
"creation_date": {
"type": "date"
},
"mfa_authenticated": {
"ignore_above": 1024,
"type": "keyword"
},
"session_issuer": {
"type": "object",
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"principal_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpc_endpoint_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"cloudwatch": {
"type": "object",
"properties": {
"ingestion_time": {
"ignore_above": 1024,
"type": "keyword"
},
"log_group": {
"ignore_above": 1024,
"type": "keyword"
},
"log_stream": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
}
}
},
"ec2": {
"type": "object",
"properties": {
"ip_address": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elb": {
"type": "object",
"properties": {
"action_executed": {
"ignore_above": 1024,
"type": "keyword"
},
"backend": {
"type": "object",
"properties": {
"http": {
"type": "object",
"properties": {
"response": {
"type": "object",
"properties": {
"status_code": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"ip": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"backend_processing_time": {
"type": "object",
"properties": {
"sec": {
"type": "float"
}
}
},
"chosen_cert": {
"type": "object",
"properties": {
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"classification_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_time": {
"type": "object",
"properties": {
"ms": {
"type": "long"
}
}
},
"error": {
"type": "object",
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"incoming_tls_alert": {
"ignore_above": 1024,
"type": "keyword"
},
"listener": {
"ignore_above": 1024,
"type": "keyword"
},
"matched_rule_priority": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"redirect_url": {
"ignore_above": 1024,
"type": "keyword"
},
"request_processing_time": {
"type": "object",
"properties": {
"sec": {
"type": "float"
}
}
},
"response_processing_time": {
"type": "object",
"properties": {
"sec": {
"type": "float"
}
}
},
"ssl_cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"target_group": {
"type": "object",
"properties": {
"arn": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"target_port": {
"ignore_above": 1024,
"type": "keyword"
},
"target_status_code": {
"ignore_above": 1024,
"type": "keyword"
},
"tls_handshake_time": {
"type": "object",
"properties": {
"ms": {
"type": "long"
}
}
},
"tls_named_group": {
"ignore_above": 1024,
"type": "keyword"
},
"trace_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"s3access": {
"type": "object",
"properties": {
"authentication_type": {
"ignore_above": 1024,
"type": "keyword"
},
"bucket": {
"ignore_above": 1024,
"type": "keyword"
},
"bucket_owner": {
"ignore_above": 1024,
"type": "keyword"
},
"bytes_sent": {
"type": "long"
},
"cipher_suite": {
"ignore_above": 1024,
"type": "keyword"
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
},
"host_header": {
"ignore_above": 1024,
"type": "keyword"
},
"host_id": {
"ignore_above": 1024,
"type": "keyword"
},
"http_status": {
"type": "long"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"object_size": {
"type": "long"
},
"operation": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_ip": {
"type": "ip"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_uri": {
"ignore_above": 1024,
"type": "keyword"
},
"requester": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_version": {
"ignore_above": 1024,
"type": "keyword"
},
"tls_version": {
"ignore_above": 1024,
"type": "keyword"
},
"total_time": {
"type": "long"
},
"turn_around_time": {
"type": "long"
},
"user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"version_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpcflow": {
"type": "object",
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"instance_id": {
"ignore_above": 1024,
"type": "keyword"
},
"interface_id": {
"ignore_above": 1024,
"type": "keyword"
},
"log_status": {
"ignore_above": 1024,
"type": "keyword"
},
"pkt_dstaddr": {
"type": "ip"
},
"pkt_srcaddr": {
"type": "ip"
},
"subnet_id": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags_array": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"vpc_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"awscloudwatch": {
"type": "object",
"properties": {
"ingestion_time": {
"ignore_above": 1024,
"type": "keyword"
},
"log_group": {
"ignore_above": 1024,
"type": "keyword"
},
"log_stream": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"azure": {
"type": "object",
"properties": {
"activitylogs": {
"type": "object",
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"event_category": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"type": "object",
"properties": {
"authorization": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"evidence": {
"type": "object",
"properties": {
"principal_id": {
"ignore_above": 1024,
"type": "keyword"
},
"principal_type": {
"ignore_above": 1024,
"type": "keyword"
},
"role": {
"ignore_above": 1024,
"type": "keyword"
},
"role_assignment_id": {
"ignore_above": 1024,
"type": "keyword"
},
"role_assignment_scope": {
"ignore_above": 1024,
"type": "keyword"
},
"role_definition_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scope": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"claims": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
},
"claims_initiated_by_user": {
"type": "object",
"properties": {
"fullname": {
"ignore_above": 1024,
"type": "keyword"
},
"givenname": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"schema": {
"ignore_above": 1024,
"type": "keyword"
},
"surname": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"identity_name": {
"ignore_above": 1024,
"type": "keyword"
},
"level": {
"type": "long"
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_version": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"type": "flattened"
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"result_type": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"auditlogs": {
"type": "object",
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_version": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"type": "object",
"properties": {
"activity_datetime": {
"type": "date"
},
"activity_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"correlation_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"initiated_by": {
"type": "object",
"properties": {
"app": {
"type": "object",
"properties": {
"appId": {
"ignore_above": 1024,
"type": "keyword"
},
"displayName": {
"ignore_above": 1024,
"type": "keyword"
},
"servicePrincipalId": {
"ignore_above": 1024,
"type": "keyword"
},
"servicePrincipalName": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"type": "object",
"properties": {
"displayName": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ipAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"userPrincipalName": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"logged_by_service": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_type": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"result_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"target_resources": {
"type": "object",
"properties": {
"*": {
"type": "object",
"properties": {
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip_address": {
"ignore_above": 1024,
"type": "keyword"
},
"modified_properties": {
"type": "object",
"properties": {
"*": {
"type": "object",
"properties": {
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"user_principal_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"consumer_group": {
"ignore_above": 1024,
"type": "keyword"
},
"correlation_id": {
"ignore_above": 1024,
"type": "keyword"
},
"enqueued_time": {
"type": "date"
},
"eventhub": {
"ignore_above": 1024,
"type": "keyword"
},
"offset": {
"type": "long"
},
"partition_id": {
"type": "long"
},
"platformlogs": {
"type": "object",
"properties": {
"ActivityId": {
"ignore_above": 1024,
"type": "keyword"
},
"Caller": {
"ignore_above": 1024,
"type": "keyword"
},
"Cloud": {
"ignore_above": 1024,
"type": "keyword"
},
"Environment": {
"ignore_above": 1024,
"type": "keyword"
},
"EventTimeString": {
"ignore_above": 1024,
"type": "keyword"
},
"ScaleUnit": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"ccpNamespace": {
"ignore_above": 1024,
"type": "keyword"
},
"event_category": {
"ignore_above": 1024,
"type": "keyword"
},
"identity_name": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"type": "flattened"
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"result_type": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource": {
"type": "object",
"properties": {
"authorization_rule": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"namespace": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sequence_number": {
"type": "long"
},
"signinlogs": {
"type": "object",
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_version": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"type": "object",
"properties": {
"app_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"app_id": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_processing_details": {
"type": "flattened"
},
"authentication_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_requirement": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_requirement_policies": {
"type": "flattened"
},
"autonomous_system_number": {
"type": "long"
},
"client_app_used": {
"ignore_above": 1024,
"type": "keyword"
},
"conditional_access_status": {
"ignore_above": 1024,
"type": "keyword"
},
"correlation_id": {
"ignore_above": 1024,
"type": "keyword"
},
"created_at": {
"type": "date"
},
"cross_tenant_access_type": {
"ignore_above": 1024,
"type": "keyword"
},
"device_detail": {
"type": "object",
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword"
},
"device_id": {
"ignore_above": 1024,
"type": "keyword"
},
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"is_compliant": {
"type": "boolean"
},
"is_managed": {
"type": "boolean"
},
"operating_system": {
"ignore_above": 1024,
"type": "keyword"
},
"trust_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"flagged_for_review": {
"type": "boolean"
},
"home_tenant_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"incoming_token_type": {
"ignore_above": 1024,
"type": "keyword"
},
"is_interactive": {
"type": "boolean"
},
"is_tenant_restricted": {
"type": "boolean"
},
"original_request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"processing_time_ms": {
"type": "float"
},
"resource_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"resource_id": {
"ignore_above": 1024,
"type": "keyword"
},
"resource_tenant_id": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_detail": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_event_types": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_event_types_v2": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_level_aggregated": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_level_during_signin": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_state": {
"ignore_above": 1024,
"type": "keyword"
},
"service_principal_id": {
"ignore_above": 1024,
"type": "keyword"
},
"service_principal_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sso_extension_version": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"type": "object",
"properties": {
"error_code": {
"type": "long"
}
}
},
"token_issuer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"token_issuer_type": {
"ignore_above": 1024,
"type": "keyword"
},
"unique_token_identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"user_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user_id": {
"ignore_above": 1024,
"type": "keyword"
},
"user_principal_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"result_description": {
"ignore_above": 1024,
"type": "keyword"
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"result_type": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"subscription_id": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"bucket": {
"type": "object",
"properties": {
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"cef": {
"type": "object",
"properties": {
"device": {
"type": "object",
"properties": {
"event_class_id": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"extensions": {
"type": "object",
"properties": {
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"agentAddress": {
"type": "ip"
},
"agentDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"agentHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"agentId": {
"ignore_above": 1024,
"type": "keyword"
},
"agentMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"agentNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"agentReceiptTime": {
"type": "date"
},
"agentTimeZone": {
"ignore_above": 1024,
"type": "keyword"
},
"agentTranslatedAddress": {
"type": "ip"
},
"agentTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"agentTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"agentType": {
"ignore_above": 1024,
"type": "keyword"
},
"agentVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"agentZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"agentZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"applicationProtocol": {
"ignore_above": 1024,
"type": "keyword"
},
"baseEventCount": {
"type": "long"
},
"bytesIn": {
"type": "long"
},
"bytesOut": {
"type": "long"
},
"categoryBehavior": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryDeviceGroup": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryDeviceType": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryObject": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryOutcome": {
"ignore_above": 1024,
"type": "keyword"
},
"categorySignificance": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryTechnique": {
"ignore_above": 1024,
"type": "keyword"
},
"cp_app_risk": {
"ignore_above": 1024,
"type": "keyword"
},
"cp_severity": {
"ignore_above": 1024,
"type": "keyword"
},
"customerExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"customerURI": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationAddress": {
"type": "ip"
},
"destinationDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationGeoLatitude": {
"type": "double"
},
"destinationGeoLongitude": {
"type": "double"
},
"destinationHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationPort": {
"type": "long"
},
"destinationProcessId": {
"type": "long"
},
"destinationProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationTranslatedAddress": {
"type": "ip"
},
"destinationTranslatedPort": {
"type": "long"
},
"destinationTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationUserPrivileges": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceAction": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceAddress": {
"type": "ip"
},
"deviceCustomDate1": {
"type": "date"
},
"deviceCustomDate1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomDate2": {
"type": "date"
},
"deviceCustomDate2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint1": {
"type": "double"
},
"deviceCustomFloatingPoint1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint2": {
"type": "double"
},
"deviceCustomFloatingPoint2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint3": {
"type": "double"
},
"deviceCustomFloatingPoint3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint4": {
"type": "double"
},
"deviceCustomFloatingPoint4Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address1": {
"type": "ip"
},
"deviceCustomIPv6Address1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address2": {
"type": "ip"
},
"deviceCustomIPv6Address2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address3": {
"type": "ip"
},
"deviceCustomIPv6Address3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address4": {
"type": "ip"
},
"deviceCustomIPv6Address4Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomNumber1": {
"type": "long"
},
"deviceCustomNumber1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomNumber2": {
"type": "long"
},
"deviceCustomNumber2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomNumber3": {
"type": "long"
},
"deviceCustomNumber3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString1": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString2": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString3": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString4": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString4Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString5": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString5Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString6": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString6Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceDirection": {
"type": "long"
},
"deviceDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceEventCategory": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceExternalId": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceFacility": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceFlexNumber1": {
"type": "long"
},
"deviceFlexNumber1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceFlexNumber2": {
"type": "long"
},
"deviceFlexNumber2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceInboundInterface": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceOutboundInterface": {
"ignore_above": 1024,
"type": "keyword"
},
"devicePayloadId": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceProcessId": {
"type": "long"
},
"deviceProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceReceiptTime": {
"type": "date"
},
"deviceTimeZone": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceTranslatedAddress": {
"type": "ip"
},
"deviceTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"endTime": {
"type": "date"
},
"eventId": {
"type": "long"
},
"eventOutcome": {
"ignore_above": 1024,
"type": "keyword"
},
"externalId": {
"ignore_above": 1024,
"type": "keyword"
},
"fileCreateTime": {
"type": "date"
},
"fileHash": {
"ignore_above": 1024,
"type": "keyword"
},
"fileId": {
"ignore_above": 1024,
"type": "keyword"
},
"fileModificationTime": {
"type": "date"
},
"filePath": {
"ignore_above": 1024,
"type": "keyword"
},
"filePermission": {
"ignore_above": 1024,
"type": "keyword"
},
"fileSize": {
"type": "long"
},
"fileType": {
"ignore_above": 1024,
"type": "keyword"
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
},
"flexDate1": {
"type": "date"
},
"flexDate1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString1": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString2": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"ifname": {
"ignore_above": 1024,
"type": "keyword"
},
"inzone": {
"ignore_above": 1024,
"type": "keyword"
},
"layer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"layer_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"logid": {
"ignore_above": 1024,
"type": "keyword"
},
"loguid": {
"ignore_above": 1024,
"type": "keyword"
},
"managerReceiptTime": {
"type": "date"
},
"match_id": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_addtnl_rulenum": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_rulenum": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileCreateTime": {
"type": "date"
},
"oldFileHash": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileId": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileModificationTime": {
"type": "date"
},
"oldFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFilePath": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFilePermission": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileSize": {
"type": "long"
},
"oldFileType": {
"ignore_above": 1024,
"type": "keyword"
},
"origin": {
"ignore_above": 1024,
"type": "keyword"
},
"originsicname": {
"ignore_above": 1024,
"type": "keyword"
},
"outzone": {
"ignore_above": 1024,
"type": "keyword"
},
"parent_rule": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"rawEvent": {
"ignore_above": 1024,
"type": "keyword"
},
"requestClientApplication": {
"ignore_above": 1024,
"type": "keyword"
},
"requestContext": {
"ignore_above": 1024,
"type": "keyword"
},
"requestCookies": {
"ignore_above": 1024,
"type": "keyword"
},
"requestMethod": {
"ignore_above": 1024,
"type": "keyword"
},
"requestUrl": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_action": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"sequencenum": {
"ignore_above": 1024,
"type": "keyword"
},
"service_id": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceAddress": {
"type": "ip"
},
"sourceDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceGeoLatitude": {
"type": "double"
},
"sourceGeoLongitude": {
"type": "double"
},
"sourceHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"sourcePort": {
"type": "long"
},
"sourceProcessId": {
"type": "long"
},
"sourceProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceTranslatedAddress": {
"type": "ip"
},
"sourceTranslatedPort": {
"type": "long"
},
"sourceTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceUserPrivileges": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"transportProtocol": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"type": "long"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"checkpoint": {
"type": "object",
"properties": {
"action_reason": {
"type": "long"
},
"action_reason_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"additional_info": {
"ignore_above": 1024,
"type": "keyword"
},
"additional_ip": {
"ignore_above": 1024,
"type": "keyword"
},
"additional_rdata": {
"ignore_above": 1024,
"type": "keyword"
},
"alert": {
"ignore_above": 1024,
"type": "keyword"
},
"allocated_ports": {
"type": "long"
},
"analyzed_on": {
"ignore_above": 1024,
"type": "keyword"
},
"answer_rdata": {
"ignore_above": 1024,
"type": "keyword"
},
"anti_virus_type": {
"ignore_above": 1024,
"type": "keyword"
},
"app_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"app_id": {
"type": "long"
},
"app_package": {
"ignore_above": 1024,
"type": "keyword"
},
"app_properties": {
"ignore_above": 1024,
"type": "keyword"
},
"app_repackaged": {
"ignore_above": 1024,
"type": "keyword"
},
"app_risk": {
"ignore_above": 1024,
"type": "keyword"
},
"app_severity": {
"ignore_above": 1024,
"type": "keyword"
},
"app_sid_id": {
"ignore_above": 1024,
"type": "keyword"
},
"app_sig_id": {
"ignore_above": 1024,
"type": "keyword"
},
"app_version": {
"ignore_above": 1024,
"type": "keyword"
},
"appi_name": {
"ignore_above": 1024,
"type": "keyword"
},
"arrival_time": {
"ignore_above": 1024,
"type": "keyword"
},
"attachments_num": {
"type": "long"
},
"attack_status": {
"ignore_above": 1024,
"type": "keyword"
},
"audit_status": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_method": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_status": {
"ignore_above": 1024,
"type": "keyword"
},
"authority_rdata": {
"ignore_above": 1024,
"type": "keyword"
},
"authorization": {
"ignore_above": 1024,
"type": "keyword"
},
"bcc": {
"ignore_above": 1024,
"type": "keyword"
},
"blade_name": {
"ignore_above": 1024,
"type": "keyword"
},
"broker_publisher": {
"type": "ip"
},
"browse_time": {
"ignore_above": 1024,
"type": "keyword"
},
"c_bytes": {
"type": "long"
},
"calc_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"capacity": {
"type": "long"
},
"capture_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"cc": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_resource": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_validation": {
"ignore_above": 1024,
"type": "keyword"
},
"cgnet": {
"ignore_above": 1024,
"type": "keyword"
},
"chunk_type": {
"ignore_above": 1024,
"type": "keyword"
},
"client_name": {
"ignore_above": 1024,
"type": "keyword"
},
"client_type": {
"ignore_above": 1024,
"type": "keyword"
},
"client_type_os": {
"ignore_above": 1024,
"type": "keyword"
},
"client_version": {
"ignore_above": 1024,
"type": "keyword"
},
"cluster_info": {
"ignore_above": 1024,
"type": "keyword"
},
"comment": {
"ignore_above": 1024,
"type": "keyword"
},
"community": {
"ignore_above": 1024,
"type": "keyword"
},
"confidence_level": {
"type": "long"
},
"conn_direction": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"connectivity_level": {
"ignore_above": 1024,
"type": "keyword"
},
"connectivity_state": {
"ignore_above": 1024,
"type": "keyword"
},
"conns_amount": {
"type": "long"
},
"content_disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"content_length": {
"ignore_above": 1024,
"type": "keyword"
},
"content_risk": {
"type": "long"
},
"content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"context_num": {
"type": "long"
},
"cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"cookieI": {
"ignore_above": 1024,
"type": "keyword"
},
"cookieR": {
"ignore_above": 1024,
"type": "keyword"
},
"cp_message": {
"type": "long"
},
"cvpn_category": {
"ignore_above": 1024,
"type": "keyword"
},
"cvpn_resource": {
"ignore_above": 1024,
"type": "keyword"
},
"data_type_name": {
"ignore_above": 1024,
"type": "keyword"
},
"db_ver": {
"ignore_above": 1024,
"type": "keyword"
},
"dce-rpc_interface_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"delivery_time": {
"ignore_above": 1024,
"type": "keyword"
},
"desc": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_object": {
"ignore_above": 1024,
"type": "keyword"
},
"detected_on": {
"ignore_above": 1024,
"type": "keyword"
},
"developer_certificate_name": {
"ignore_above": 1024,
"type": "keyword"
},
"diameter_app_ID": {
"type": "long"
},
"diameter_cmd_code": {
"type": "long"
},
"diameter_msg_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_action_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_additional_action": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_categories": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_data_type_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_data_type_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_fingerprint_files_number": {
"type": "long"
},
"dlp_fingerprint_long_status": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_fingerprint_short_status": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_incident_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_recipients": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_related_incident_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_relevant_data_types": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_repository_directories_number": {
"type": "long"
},
"dlp_repository_files_number": {
"type": "long"
},
"dlp_repository_id": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_repository_not_scanned_directories_percentage": {
"type": "long"
},
"dlp_repository_reached_directories_number": {
"type": "long"
},
"dlp_repository_root_path": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_repository_scan_progress": {
"type": "long"
},
"dlp_repository_scanned_directories_number": {
"type": "long"
},
"dlp_repository_scanned_files_number": {
"type": "long"
},
"dlp_repository_scanned_total_size": {
"type": "long"
},
"dlp_repository_skipped_files_number": {
"type": "long"
},
"dlp_repository_total_size": {
"type": "long"
},
"dlp_repository_unreachable_directories_number": {
"type": "long"
},
"dlp_rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_subject": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_template_score": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_transint": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_violation_description": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_watermark_profile": {
"ignore_above": 1024,
"type": "keyword"
},
"dlp_word_list": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_query": {
"ignore_above": 1024,
"type": "keyword"
},
"drop_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"dropped_file_hash": {
"ignore_above": 1024,
"type": "keyword"
},
"dropped_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dropped_file_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dropped_file_verdict": {
"ignore_above": 1024,
"type": "keyword"
},
"dropped_incoming": {
"type": "long"
},
"dropped_outgoing": {
"type": "long"
},
"dropped_total": {
"type": "long"
},
"drops_amount": {
"type": "long"
},
"dst_country": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_phone_number": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dstkeyid": {
"ignore_above": 1024,
"type": "keyword"
},
"duplicate": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"ignore_above": 1024,
"type": "keyword"
},
"elapsed": {
"ignore_above": 1024,
"type": "keyword"
},
"email_content": {
"ignore_above": 1024,
"type": "keyword"
},
"email_control": {
"ignore_above": 1024,
"type": "keyword"
},
"email_control_analysis": {
"ignore_above": 1024,
"type": "keyword"
},
"email_headers": {
"ignore_above": 1024,
"type": "keyword"
},
"email_id": {
"ignore_above": 1024,
"type": "keyword"
},
"email_message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"email_queue_id": {
"ignore_above": 1024,
"type": "keyword"
},
"email_queue_name": {
"ignore_above": 1024,
"type": "keyword"
},
"email_recipients_num": {
"type": "long"
},
"email_session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"email_spam_category": {
"ignore_above": 1024,
"type": "keyword"
},
"email_spool_id": {
"ignore_above": 1024,
"type": "keyword"
},
"email_status": {
"ignore_above": 1024,
"type": "keyword"
},
"email_subject": {
"ignore_above": 1024,
"type": "keyword"
},
"emulated_on": {
"ignore_above": 1024,
"type": "keyword"
},
"encryption_failure": {
"ignore_above": 1024,
"type": "keyword"
},
"end_time": {
"ignore_above": 1024,
"type": "keyword"
},
"end_user_firewall_type": {
"ignore_above": 1024,
"type": "keyword"
},
"esod_access_status": {
"ignore_above": 1024,
"type": "keyword"
},
"esod_associated_policies": {
"ignore_above": 1024,
"type": "keyword"
},
"esod_noncompliance_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"esod_rule_action": {
"ignore_above": 1024,
"type": "keyword"
},
"esod_rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"esod_rule_type": {
"ignore_above": 1024,
"type": "keyword"
},
"esod_scan_status": {
"ignore_above": 1024,
"type": "keyword"
},
"event_count": {
"type": "long"
},
"expire_time": {
"ignore_above": 1024,
"type": "keyword"
},
"extension_version": {
"ignore_above": 1024,
"type": "keyword"
},
"extracted_file_hash": {
"ignore_above": 1024,
"type": "keyword"
},
"extracted_file_names": {
"ignore_above": 1024,
"type": "keyword"
},
"extracted_file_type": {
"ignore_above": 1024,
"type": "keyword"
},
"extracted_file_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"extracted_file_verdict": {
"ignore_above": 1024,
"type": "keyword"
},
"failure_impact": {
"ignore_above": 1024,
"type": "keyword"
},
"failure_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"file_direction": {
"ignore_above": 1024,
"type": "keyword"
},
"file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"files_names": {
"ignore_above": 1024,
"type": "keyword"
},
"first_hit_time": {
"type": "long"
},
"frequency": {
"ignore_above": 1024,
"type": "keyword"
},
"fs-proto": {
"ignore_above": 1024,
"type": "keyword"
},
"ftp_user": {
"ignore_above": 1024,
"type": "keyword"
},
"fw_message": {
"ignore_above": 1024,
"type": "keyword"
},
"fw_subproduct": {
"ignore_above": 1024,
"type": "keyword"
},
"hide_ip": {
"type": "ip"
},
"hit": {
"type": "long"
},
"host_time": {
"ignore_above": 1024,
"type": "keyword"
},
"http_host": {
"ignore_above": 1024,
"type": "keyword"
},
"http_location": {
"ignore_above": 1024,
"type": "keyword"
},
"http_server": {
"ignore_above": 1024,
"type": "keyword"
},
"https_inspection_action": {
"ignore_above": 1024,
"type": "keyword"
},
"https_inspection_rule_id": {
"ignore_above": 1024,
"type": "keyword"
},
"https_inspection_rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"https_validation": {
"ignore_above": 1024,
"type": "keyword"
},
"icap_more_info": {
"type": "long"
},
"icap_server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"icap_server_service": {
"ignore_above": 1024,
"type": "keyword"
},
"icap_service_id": {
"type": "long"
},
"icmp": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code": {
"type": "long"
},
"icmp_type": {
"type": "long"
},
"id": {
"type": "long"
},
"identity_src": {
"ignore_above": 1024,
"type": "keyword"
},
"identity_type": {
"ignore_above": 1024,
"type": "keyword"
},
"ike": {
"ignore_above": 1024,
"type": "keyword"
},
"ike_ids": {
"ignore_above": 1024,
"type": "keyword"
},
"impacted_files": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_extension": {
"ignore_above": 1024,
"type": "keyword"
},
"indicator_description": {
"ignore_above": 1024,
"type": "keyword"
},
"indicator_name": {
"ignore_above": 1024,
"type": "keyword"
},
"indicator_reference": {
"ignore_above": 1024,
"type": "keyword"
},
"indicator_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"info": {
"ignore_above": 1024,
"type": "keyword"
},
"information": {
"ignore_above": 1024,
"type": "keyword"
},
"inspection_category": {
"ignore_above": 1024,
"type": "keyword"
},
"inspection_item": {
"ignore_above": 1024,
"type": "keyword"
},
"inspection_profile": {
"ignore_above": 1024,
"type": "keyword"
},
"inspection_settings_log": {
"ignore_above": 1024,
"type": "keyword"
},
"installed_products": {
"ignore_above": 1024,
"type": "keyword"
},
"int_end": {
"type": "long"
},
"int_start": {
"type": "long"
},
"integrity_av_invoke_type": {
"ignore_above": 1024,
"type": "keyword"
},
"interface_name": {
"ignore_above": 1024,
"type": "keyword"
},
"internal_error": {
"ignore_above": 1024,
"type": "keyword"
},
"invalid_file_size": {
"type": "long"
},
"ip_option": {
"type": "long"
},
"isp_link": {
"ignore_above": 1024,
"type": "keyword"
},
"last_hit_time": {
"type": "long"
},
"last_rematch_time": {
"ignore_above": 1024,
"type": "keyword"
},
"layer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"layer_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"limit_applied": {
"type": "long"
},
"limit_requested": {
"type": "long"
},
"link_probing_status_update": {
"ignore_above": 1024,
"type": "keyword"
},
"links_num": {
"type": "long"
},
"log_delay": {
"type": "long"
},
"log_id": {
"type": "long"
},
"logid": {
"ignore_above": 1024,
"type": "keyword"
},
"long_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"ignore_above": 1024,
"type": "keyword"
},
"malware_family": {
"ignore_above": 1024,
"type": "keyword"
},
"match_fk": {
"type": "long"
},
"match_id": {
"type": "long"
},
"matched_file": {
"ignore_above": 1024,
"type": "keyword"
},
"matched_file_percentage": {
"type": "long"
},
"matched_file_text_segments": {
"type": "long"
},
"media_type": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"message_info": {
"ignore_above": 1024,
"type": "keyword"
},
"message_size": {
"type": "long"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"methods": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_from": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_to": {
"ignore_above": 1024,
"type": "keyword"
},
"mirror_and_decrypt_type": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_collection": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_command_and_control": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_credential_access": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_defense_evasion": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_discovery": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_execution": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_exfiltration": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_impact": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_initial_access": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_lateral_movement": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_persistence": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_privilege_escalation": {
"ignore_above": 1024,
"type": "keyword"
},
"monitor_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"msgid": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"nat46": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_addtnl_rulenum": {
"type": "long"
},
"nat_exhausted_pool": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_rulenum": {
"type": "long"
},
"needs_browse_time": {
"type": "long"
},
"next_hop_ip": {
"ignore_above": 1024,
"type": "keyword"
},
"next_scheduled_scan_date": {
"ignore_above": 1024,
"type": "keyword"
},
"number_of_errors": {
"type": "long"
},
"objecttable": {
"ignore_above": 1024,
"type": "keyword"
},
"objecttype": {
"ignore_above": 1024,
"type": "keyword"
},
"observable_comment": {
"ignore_above": 1024,
"type": "keyword"
},
"observable_id": {
"ignore_above": 1024,
"type": "keyword"
},
"observable_name": {
"ignore_above": 1024,
"type": "keyword"
},
"operation": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_number": {
"ignore_above": 1024,
"type": "keyword"
},
"origin_sic_name": {
"ignore_above": 1024,
"type": "keyword"
},
"original_queue_id": {
"ignore_above": 1024,
"type": "keyword"
},
"outgoing_url": {
"ignore_above": 1024,
"type": "keyword"
},
"packet_amount": {
"type": "long"
},
"packet_capture_unique_id": {
"ignore_above": 1024,
"type": "keyword"
},
"parent_file_hash": {
"ignore_above": 1024,
"type": "keyword"
},
"parent_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"parent_file_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"parent_process_username": {
"ignore_above": 1024,
"type": "keyword"
},
"parent_rule": {
"type": "long"
},
"peer_gateway": {
"type": "ip"
},
"peer_ip": {
"ignore_above": 1024,
"type": "keyword"
},
"peer_ip_probing_status_update": {
"ignore_above": 1024,
"type": "keyword"
},
"performance_impact": {
"type": "long"
},
"policy_mgmt": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ports_usage": {
"type": "long"
},
"ppp": {
"ignore_above": 1024,
"type": "keyword"
},
"precise_error": {
"ignore_above": 1024,
"type": "keyword"
},
"process_username": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"ignore_above": 1024,
"type": "keyword"
},
"protection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"protection_name": {
"ignore_above": 1024,
"type": "keyword"
},
"protection_type": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"proxy_machine_name": {
"type": "long"
},
"proxy_src_ip": {
"type": "ip"
},
"proxy_user_dn": {
"ignore_above": 1024,
"type": "keyword"
},
"proxy_user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"question_rdata": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer_parent_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer_self_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_ip-phones": {
"ignore_above": 1024,
"type": "keyword"
},
"reject_category": {
"ignore_above": 1024,
"type": "keyword"
},
"reject_id": {
"ignore_above": 1024,
"type": "keyword"
},
"rematch_info": {
"ignore_above": 1024,
"type": "keyword"
},
"remediated_files": {
"ignore_above": 1024,
"type": "keyword"
},
"reply_status": {
"type": "long"
},
"risk": {
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
},
"rpc_prog": {
"type": "long"
},
"rule": {
"type": "long"
},
"rule_action": {
"ignore_above": 1024,
"type": "keyword"
},
"rulebase_id": {
"type": "long"
},
"scan_direction": {
"ignore_above": 1024,
"type": "keyword"
},
"scan_hosts_day": {
"type": "long"
},
"scan_hosts_hour": {
"type": "long"
},
"scan_hosts_week": {
"type": "long"
},
"scan_id": {
"ignore_above": 1024,
"type": "keyword"
},
"scan_mail": {
"type": "long"
},
"scan_result": {
"ignore_above": 1024,
"type": "keyword"
},
"scan_results": {
"ignore_above": 1024,
"type": "keyword"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"scope": {
"ignore_above": 1024,
"type": "keyword"
},
"scrub_activity": {
"ignore_above": 1024,
"type": "keyword"
},
"scrub_download_time": {
"ignore_above": 1024,
"type": "keyword"
},
"scrub_time": {
"ignore_above": 1024,
"type": "keyword"
},
"scrub_total_time": {
"ignore_above": 1024,
"type": "keyword"
},
"scrubbed_content": {
"ignore_above": 1024,
"type": "keyword"
},
"sctp_association_state": {
"ignore_above": 1024,
"type": "keyword"
},
"sctp_error": {
"ignore_above": 1024,
"type": "keyword"
},
"scv_message_info": {
"ignore_above": 1024,
"type": "keyword"
},
"scv_user": {
"ignore_above": 1024,
"type": "keyword"
},
"securexl_message": {
"ignore_above": 1024,
"type": "keyword"
},
"sensor_mode": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"session_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"short_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"sig_id": {
"ignore_above": 1024,
"type": "keyword"
},
"similar_communication": {
"ignore_above": 1024,
"type": "keyword"
},
"similar_hashes": {
"ignore_above": 1024,
"type": "keyword"
},
"similar_strings": {
"ignore_above": 1024,
"type": "keyword"
},
"similiar_iocs": {
"ignore_above": 1024,
"type": "keyword"
},
"sip_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"site_name": {
"ignore_above": 1024,
"type": "keyword"
},
"snid": {
"ignore_above": 1024,
"type": "keyword"
},
"source_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"source_object": {
"ignore_above": 1024,
"type": "keyword"
},
"source_os": {
"ignore_above": 1024,
"type": "keyword"
},
"special_properties": {
"type": "long"
},
"specific_data_type_name": {
"ignore_above": 1024,
"type": "keyword"
},
"speed": {
"type": "long"
},
"spyware_name": {
"ignore_above": 1024,
"type": "keyword"
},
"spyware_status": {
"ignore_above": 1024,
"type": "keyword"
},
"spyware_type": {
"ignore_above": 1024,
"type": "keyword"
},
"src_country": {
"ignore_above": 1024,
"type": "keyword"
},
"src_phone_number": {
"ignore_above": 1024,
"type": "keyword"
},
"src_user_dn": {
"ignore_above": 1024,
"type": "keyword"
},
"src_user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"srckeyid": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"status_update": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_policy_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"subs_exp": {
"type": "date"
},
"subscriber": {
"type": "ip"
},
"summary": {
"ignore_above": 1024,
"type": "keyword"
},
"suppressed_logs": {
"type": "long"
},
"sync": {
"ignore_above": 1024,
"type": "keyword"
},
"sys_message": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_end_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_packet_out_of_state": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_state": {
"ignore_above": 1024,
"type": "keyword"
},
"te_verdict_determined_by": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"ticket_id": {
"ignore_above": 1024,
"type": "keyword"
},
"tls_server_host_name": {
"ignore_above": 1024,
"type": "keyword"
},
"top_archive_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"total_attachments": {
"type": "long"
},
"triggered_by": {
"ignore_above": 1024,
"type": "keyword"
},
"trusted_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"unique_detected_day": {
"type": "long"
},
"unique_detected_hour": {
"type": "long"
},
"unique_detected_week": {
"type": "long"
},
"update_status": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"user_status": {
"ignore_above": 1024,
"type": "keyword"
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor_list": {
"ignore_above": 1024,
"type": "keyword"
},
"verdict": {
"ignore_above": 1024,
"type": "keyword"
},
"via": {
"ignore_above": 1024,
"type": "keyword"
},
"virus_name": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_attach_action_info": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_attach_sz": {
"type": "long"
},
"voip_call_dir": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_call_id": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_call_state": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_call_term_time": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_config": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_duration": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_est_codec": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_exp": {
"type": "long"
},
"voip_from_user_type": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_log_type": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_media_codec": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_media_ipp": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_media_port": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_method": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_reason_info": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_reg_int": {
"type": "long"
},
"voip_reg_ipp": {
"type": "long"
},
"voip_reg_period": {
"type": "long"
},
"voip_reg_server": {
"type": "ip"
},
"voip_reg_user_type": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_reject_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"voip_to_user_type": {
"ignore_above": 1024,
"type": "keyword"
},
"vpn_feature_name": {
"ignore_above": 1024,
"type": "keyword"
},
"watermark": {
"ignore_above": 1024,
"type": "keyword"
},
"web_server_type": {
"ignore_above": 1024,
"type": "keyword"
},
"word_list": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"cisco": {
"type": "object",
"properties": {
"amp": {
"type": "object",
"properties": {
"bp_data": {
"type": "flattened"
},
"cloud_ioc": {
"type": "object",
"properties": {
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"short_description": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"command_line": {
"type": "object",
"properties": {
"arguments": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"computer": {
"type": "object",
"properties": {
"active": {
"type": "boolean"
},
"connector_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"external_ip": {
"type": "ip"
},
"network_addresses": {
"type": "flattened"
}
}
},
"connector_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"detection": {
"ignore_above": 1024,
"type": "keyword"
},
"detection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"type": "object",
"properties": {
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event_type_id": {
"ignore_above": 1024,
"type": "keyword"
},
"file": {
"type": "object",
"properties": {
"archived_file": {
"type": "object",
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"type": "object",
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"attack_details": {
"type": "object",
"properties": {
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"attacked_module": {
"ignore_above": 1024,
"type": "keyword"
},
"base_address": {
"ignore_above": 1024,
"type": "keyword"
},
"indicators": {
"type": "flattened"
},
"suspicious_files": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"parent": {
"type": "object",
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"group_guids": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_tactics": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_techniques": {
"ignore_above": 1024,
"type": "keyword"
},
"network_info": {
"type": "object",
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"nfm": {
"type": "object",
"properties": {
"direction": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"parent": {
"type": "object",
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"identify": {
"type": "object",
"properties": {
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"identity": {
"type": "object",
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"related": {
"type": "object",
"properties": {
"cve": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scan": {
"type": "object",
"properties": {
"clean": {
"type": "boolean"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"malicious_detections": {
"type": "long"
},
"scanned_files": {
"type": "long"
},
"scanned_paths": {
"type": "long"
},
"scanned_processes": {
"type": "long"
}
}
},
"tactics": {
"type": "flattened"
},
"techniques": {
"type": "flattened"
},
"threat_hunting": {
"type": "object",
"properties": {
"incident_end_time": {
"type": "date"
},
"incident_hunt_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_id": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_remediation": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_report_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_start_time": {
"type": "date"
},
"incident_summary": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_title": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"tactics": {
"type": "flattened"
},
"techniques": {
"type": "flattened"
}
}
},
"timestamp_nanoseconds": {
"type": "date"
},
"vulnerabilities": {
"type": "flattened"
}
}
},
"asa": {
"type": "object",
"properties": {
"assigned_ip": {
"type": "ip"
},
"burst": {
"type": "object",
"properties": {
"avg_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"configured_avg_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"configured_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"cumulative_count": {
"ignore_above": 1024,
"type": "keyword"
},
"current_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"object": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"command_line_arguments": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dap_records": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_user_security_group_tag": {
"type": "long"
},
"destination_username": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code": {
"type": "short"
},
"icmp_type": {
"type": "short"
},
"mapped_destination_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_destination_ip": {
"type": "ip"
},
"mapped_destination_port": {
"type": "long"
},
"mapped_source_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_source_ip": {
"type": "ip"
},
"mapped_source_port": {
"type": "long"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"privilege": {
"type": "object",
"properties": {
"new": {
"ignore_above": 1024,
"type": "keyword"
},
"old": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"session_type": {
"ignore_above": 1024,
"type": "keyword"
},
"source_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"source_user_security_group_tag": {
"type": "long"
},
"source_username": {
"ignore_above": 1024,
"type": "keyword"
},
"suffix": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_initiator": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_user": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_category": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_level": {
"ignore_above": 1024,
"type": "keyword"
},
"tunnel_type": {
"ignore_above": 1024,
"type": "keyword"
},
"webvpn": {
"type": "object",
"properties": {
"group_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"ftd": {
"type": "object",
"properties": {
"connection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dap_records": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_username": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code": {
"type": "short"
},
"icmp_type": {
"type": "short"
},
"mapped_destination_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_destination_ip": {
"type": "ip"
},
"mapped_destination_port": {
"type": "long"
},
"mapped_source_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_source_ip": {
"type": "ip"
},
"mapped_source_port": {
"type": "long"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"security": {
"type": "object"
},
"source_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"source_username": {
"ignore_above": 1024,
"type": "keyword"
},
"suffix": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_initiator": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_user": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_category": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_level": {
"ignore_above": 1024,
"type": "keyword"
},
"webvpn": {
"type": "object",
"properties": {
"group_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"ios": {
"type": "object",
"properties": {
"access_list": {
"ignore_above": 1024,
"type": "keyword"
},
"facility": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"umbrella": {
"type": "object",
"properties": {
"amp_disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"amp_malware_name": {
"ignore_above": 1024,
"type": "keyword"
},
"amp_score": {
"ignore_above": 1024,
"type": "keyword"
},
"av_detections": {
"ignore_above": 1024,
"type": "keyword"
},
"blocked_categories": {
"ignore_above": 1024,
"type": "keyword"
},
"categories": {
"ignore_above": 1024,
"type": "keyword"
},
"content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"datacenter": {
"ignore_above": 1024,
"type": "keyword"
},
"identities": {
"ignore_above": 1024,
"type": "keyword"
},
"identity_types": {
"ignore_above": 1024,
"type": "keyword"
},
"origin_id": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_identity_type": {
"ignore_above": 1024,
"type": "keyword"
},
"puas": {
"ignore_above": 1024,
"type": "keyword"
},
"sha_sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"client": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"type": "object",
"properties": {
"number": {
"type": "long"
},
"organization": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"type": "object",
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"group": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"cloud": {
"type": "object",
"properties": {
"account": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"machine": {
"type": "object",
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"origin": {
"type": "object",
"properties": {
"account": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"instance": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"machine": {
"type": "object",
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"project": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"target": {
"type": "object",
"properties": {
"account": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"instance": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"machine": {
"type": "object",
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"code_signature": {
"type": "object",
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"container": {
"type": "object",
"properties": {
"cpu": {
"type": "object",
"properties": {
"usage": {
"scaling_factor": 1000,
"type": "scaled_float"
}
}
},
"disk": {
"type": "object",
"properties": {
"read": {
"type": "object",
"properties": {
"bytes": {
"type": "long"
}
}
},
"write": {
"type": "object",
"properties": {
"bytes": {
"type": "long"
}
}
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"labels": {
"type": "object"
},
"memory": {
"type": "object",
"properties": {
"usage": {
"scaling_factor": 1000,
"type": "scaled_float"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"network": {
"type": "object",
"properties": {
"egress": {
"type": "object",
"properties": {
"bytes": {
"type": "long"
}
}
},
"ingress": {
"type": "object",
"properties": {
"bytes": {
"type": "long"
}
}
}
}
},
"runtime": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"coredns": {
"type": "object",
"properties": {
"query": {
"type": "object",
"properties": {
"size": {
"type": "long"
}
}
},
"response": {
"type": "object",
"properties": {
"size": {
"type": "long"
}
}
}
}
},
"crowdstrike": {
"type": "object",
"properties": {
"event": {
"type": "object",
"properties": {
"AuditKeyValues": {
"type": "nested"
},
"CommandLine": {
"ignore_above": 1024,
"type": "keyword"
},
"Commands": {
"ignore_above": 1024,
"type": "keyword"
},
"ComputerName": {
"ignore_above": 1024,
"type": "keyword"
},
"ConnectionDirection": {
"ignore_above": 1024,
"type": "keyword"
},
"CustomerId": {
"ignore_above": 1024,
"type": "keyword"
},
"DetectDescription": {
"ignore_above": 1024,
"type": "keyword"
},
"DetectId": {
"ignore_above": 1024,
"type": "keyword"
},
"DetectName": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceId": {
"ignore_above": 1024,
"type": "keyword"
},
"EndTimestamp": {
"type": "date"
},
"EventType": {
"ignore_above": 1024,
"type": "keyword"
},
"ExecutablesWritten": {
"type": "nested"
},
"FalconHostLink": {
"ignore_above": 1024,
"type": "keyword"
},
"FileName": {
"ignore_above": 1024,
"type": "keyword"
},
"FilePath": {
"ignore_above": 1024,
"type": "keyword"
},
"FineScore": {
"type": "float"
},
"Flags": {
"type": "object",
"properties": {
"Audit": {
"type": "boolean"
},
"Log": {
"type": "boolean"
},
"Monitor": {
"type": "boolean"
}
}
},
"GrandparentCommandLine": {
"ignore_above": 1024,
"type": "keyword"
},
"GrandparentImageFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"HostName": {
"ignore_above": 1024,
"type": "keyword"
},
"HostnameField": {
"ignore_above": 1024,
"type": "keyword"
},
"ICMPCode": {
"ignore_above": 1024,
"type": "keyword"
},
"ICMPType": {
"ignore_above": 1024,
"type": "keyword"
},
"IOCType": {
"ignore_above": 1024,
"type": "keyword"
},
"IOCValue": {
"ignore_above": 1024,
"type": "keyword"
},
"ImageFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"IncidentEndTime": {
"type": "date"
},
"IncidentStartTime": {
"type": "date"
},
"Ipv": {
"ignore_above": 1024,
"type": "keyword"
},
"LateralMovement": {
"type": "long"
},
"LocalAddress": {
"type": "ip"
},
"LocalIP": {
"ignore_above": 1024,
"type": "keyword"
},
"LocalPort": {
"type": "long"
},
"MACAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"MD5String": {
"ignore_above": 1024,
"type": "keyword"
},
"MachineDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"MatchCount": {
"type": "long"
},
"MatchCountSinceLastReport": {
"type": "long"
},
"NetworkProfile": {
"ignore_above": 1024,
"type": "keyword"
},
"Objective": {
"ignore_above": 1024,
"type": "keyword"
},
"OperationName": {
"ignore_above": 1024,
"type": "keyword"
},
"PID": {
"type": "long"
},
"ParentCommandLine": {
"ignore_above": 1024,
"type": "keyword"
},
"ParentImageFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"ParentProcessId": {
"type": "long"
},
"PatternDispositionDescription": {
"ignore_above": 1024,
"type": "keyword"
},
"PatternDispositionFlags": {
"type": "object"
},
"PatternDispositionValue": {
"type": "long"
},
"PolicyID": {
"ignore_above": 1024,
"type": "keyword"
},
"PolicyName": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessEndTime": {
"type": "date"
},
"ProcessId": {
"type": "long"
},
"ProcessStartTime": {
"type": "date"
},
"Protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"RemoteAddress": {
"type": "ip"
},
"RemotePort": {
"type": "long"
},
"RuleAction": {
"ignore_above": 1024,
"type": "keyword"
},
"RuleDescription": {
"ignore_above": 1024,
"type": "keyword"
},
"RuleFamilyID": {
"ignore_above": 1024,
"type": "keyword"
},
"RuleGroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"RuleId": {
"ignore_above": 1024,
"type": "keyword"
},
"RuleName": {
"ignore_above": 1024,
"type": "keyword"
},
"SHA1String": {
"ignore_above": 1024,
"type": "keyword"
},
"SHA256String": {
"ignore_above": 1024,
"type": "keyword"
},
"SensorId": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"SessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"Severity": {
"type": "long"
},
"SeverityName": {
"ignore_above": 1024,
"type": "keyword"
},
"StartTimestamp": {
"type": "date"
},
"State": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"Success": {
"type": "boolean"
},
"Tactic": {
"ignore_above": 1024,
"type": "keyword"
},
"Technique": {
"ignore_above": 1024,
"type": "keyword"
},
"Timestamp": {
"type": "date"
},
"TreeID": {
"ignore_above": 1024,
"type": "keyword"
},
"UTCTimestamp": {
"type": "date"
},
"UserId": {
"ignore_above": 1024,
"type": "keyword"
},
"UserIp": {
"ignore_above": 1024,
"type": "keyword"
},
"UserName": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"metadata": {
"type": "object",
"properties": {
"customerIDString": {
"ignore_above": 1024,
"type": "keyword"
},
"eventCreationTime": {
"type": "date"
},
"eventType": {
"ignore_above": 1024,
"type": "keyword"
},
"offset": {
"type": "long"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"cyberarkpas": {
"type": "object",
"properties": {
"audit": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"ca_properties": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"cpm_disabled": {
"ignore_above": 1024,
"type": "keyword"
},
"cpm_error_details": {
"ignore_above": 1024,
"type": "keyword"
},
"cpm_status": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_method": {
"ignore_above": 1024,
"type": "keyword"
},
"customer": {
"ignore_above": 1024,
"type": "keyword"
},
"database": {
"ignore_above": 1024,
"type": "keyword"
},
"device_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dual_account_status": {
"ignore_above": 1024,
"type": "keyword"
},
"group_name": {
"ignore_above": 1024,
"type": "keyword"
},
"in_process": {
"ignore_above": 1024,
"type": "keyword"
},
"index": {
"ignore_above": 1024,
"type": "keyword"
},
"last_fail_date": {
"ignore_above": 1024,
"type": "keyword"
},
"last_success_change": {
"ignore_above": 1024,
"type": "keyword"
},
"last_success_reconciliation": {
"ignore_above": 1024,
"type": "keyword"
},
"last_success_verification": {
"ignore_above": 1024,
"type": "keyword"
},
"last_task": {
"ignore_above": 1024,
"type": "keyword"
},
"logon_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"other": {
"type": "flattened"
},
"policy_id": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"ignore_above": 1024,
"type": "keyword"
},
"privcloud": {
"ignore_above": 1024,
"type": "keyword"
},
"reset_immediately": {
"ignore_above": 1024,
"type": "keyword"
},
"retries_count": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence_id": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"user_dn": {
"ignore_above": 1024,
"type": "keyword"
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"desc": {
"ignore_above": 1024,
"type": "keyword"
},
"extra_details": {
"type": "object",
"properties": {
"ad_process_id": {
"ignore_above": 1024,
"type": "keyword"
},
"ad_process_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_type": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_component_id": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_host": {
"ignore_above": 1024,
"type": "keyword"
},
"logon_account": {
"ignore_above": 1024,
"type": "keyword"
},
"managed_account": {
"ignore_above": 1024,
"type": "keyword"
},
"other": {
"type": "flattened"
},
"process_id": {
"ignore_above": 1024,
"type": "keyword"
},
"process_name": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"psmid": {
"ignore_above": 1024,
"type": "keyword"
},
"session_duration": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"src_host": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"file": {
"ignore_above": 1024,
"type": "keyword"
},
"gateway_station": {
"type": "ip"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"iso_timestamp": {
"type": "date"
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"ignore_above": 4096,
"index": false,
"type": "keyword",
"doc_values": false
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"pvwa_details": {
"type": "flattened"
},
"raw": {
"ignore_above": 4096,
"index": false,
"type": "keyword",
"doc_values": false
},
"reason": {
"norms": false,
"type": "text"
},
"rfc5424": {
"type": "boolean"
},
"safe": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"source_user": {
"ignore_above": 1024,
"type": "keyword"
},
"station": {
"type": "ip"
},
"target_user": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"data_stream": {
"type": "object",
"properties": {
"dataset": {
"type": "constant_keyword"
},
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
}
}
},
"destination": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"type": "object",
"properties": {
"number": {
"type": "long"
},
"organization": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"type": "object",
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"group": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"dll": {
"type": "object",
"properties": {
"code_signature": {
"type": "object",
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"hash": {
"type": "object",
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"dns": {
"type": "object",
"properties": {
"answers": {
"type": "object",
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"ttl": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"header_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"op_code": {
"ignore_above": 1024,
"type": "keyword"
},
"question": {
"type": "object",
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resolved_ip": {
"type": "ip"
},
"response_code": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"docker": {
"type": "object",
"properties": {
"attrs": {
"type": "object"
},
"container": {
"type": "object",
"properties": {
"labels": {
"type": "object"
}
}
}
}
},
"ecs": {
"type": "object",
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elasticsearch": {
"type": "object",
"properties": {
"audit": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication": {
"type": "object",
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"component": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"indices": {
"ignore_above": 1024,
"type": "keyword"
},
"invalidate": {
"type": "object",
"properties": {
"apikeys": {
"type": "object",
"properties": {
"owned_by_authenticated_user": {
"type": "boolean"
}
}
}
}
},
"layer": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"opaque_id": {
"norms": false,
"type": "text"
},
"origin": {
"type": "object",
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"realm": {
"ignore_above": 1024,
"type": "keyword"
},
"request": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"url": {
"type": "object",
"properties": {
"params": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"type": "object",
"properties": {
"realm": {
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
},
"run_as": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"realm": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"cluster": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"component": {
"ignore_above": 1024,
"type": "keyword"
},
"elastic_product_origin": {
"ignore_above": 1024,
"type": "keyword"
},
"event": {
"type": "object",
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"gc": {
"type": "object",
"properties": {
"heap": {
"type": "object",
"properties": {
"size_kb": {
"type": "long"
},
"used_kb": {
"type": "long"
}
}
},
"jvm_runtime_sec": {
"type": "float"
},
"old_gen": {
"type": "object",
"properties": {
"size_kb": {
"type": "long"
},
"used_kb": {
"type": "long"
}
}
},
"phase": {
"type": "object",
"properties": {
"class_unload_time_sec": {
"type": "float"
},
"cpu_time": {
"type": "object",
"properties": {
"real_sec": {
"type": "float"
},
"sys_sec": {
"type": "float"
},
"user_sec": {
"type": "float"
}
}
},
"duration_sec": {
"type": "float"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"parallel_rescan_time_sec": {
"type": "float"
},
"scrub_string_table_time_sec": {
"type": "float"
},
"scrub_symbol_table_time_sec": {
"type": "float"
},
"weak_refs_processing_time_sec": {
"type": "float"
}
}
},
"stopping_threads_time_sec": {
"type": "float"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"threads_total_stop_time_sec": {
"type": "float"
},
"young_gen": {
"type": "object",
"properties": {
"size_kb": {
"type": "long"
},
"used_kb": {
"type": "long"
}
}
}
}
},
"http": {
"type": "object",
"properties": {
"request": {
"type": "object",
"properties": {
"x_opaque_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"index": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"node": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"server": {
"type": "object",
"properties": {
"gc": {
"type": "object",
"properties": {
"collection_duration": {
"type": "object",
"properties": {
"ms": {
"type": "float"
}
}
},
"observation_duration": {
"type": "object",
"properties": {
"ms": {
"type": "float"
}
}
},
"overhead_seq": {
"type": "long"
},
"young": {
"type": "object",
"properties": {
"one": {
"type": "long"
},
"two": {
"type": "long"
}
}
}
}
},
"stacktrace": {
"ignore_above": 1024,
"index": false,
"type": "keyword"
}
}
},
"shard": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"slowlog": {
"type": "object",
"properties": {
"extra_source": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"logger": {
"ignore_above": 1024,
"type": "keyword"
},
"routing": {
"ignore_above": 1024,
"type": "keyword"
},
"search_type": {
"ignore_above": 1024,
"type": "keyword"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
},
"source_query": {
"ignore_above": 1024,
"type": "keyword"
},
"stats": {
"ignore_above": 1024,
"type": "keyword"
},
"took": {
"ignore_above": 1024,
"type": "keyword"
},
"total_hits": {
"ignore_above": 1024,
"type": "keyword"
},
"total_shards": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"types": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"elf": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"type": "object",
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"type": "nested",
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
}
},
"segments": {
"type": "nested",
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"envoyproxy": {
"type": "object",
"properties": {
"authority": {
"ignore_above": 1024,
"type": "keyword"
},
"log_type": {
"ignore_above": 1024,
"type": "keyword"
},
"proxy_type": {
"ignore_above": 1024,
"type": "keyword"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"response_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"upstream_service_time": {
"type": "long"
}
}
},
"error": {
"type": "object",
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"type": "match_only_text"
},
"stack_trace": {
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "long"
},
"end": {
"type": "date"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"index": false,
"type": "keyword",
"doc_values": false
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_score": {
"type": "float"
},
"risk_score_norm": {
"type": "float"
},
"sequence": {
"type": "long"
},
"severity": {
"type": "long"
},
"start": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"faas": {
"type": "object",
"properties": {
"coldstart": {
"type": "boolean"
},
"execution": {
"ignore_above": 1024,
"type": "keyword"
},
"trigger": {
"type": "nested",
"properties": {
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"fields": {
"type": "object"
},
"file": {
"type": "object",
"properties": {
"accessed": {
"type": "date"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"code_signature": {
"type": "object",
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"created": {
"type": "date"
},
"ctime": {
"type": "date"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"directory": {
"ignore_above": 1024,
"type": "keyword"
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword"
},
"elf": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"type": "object",
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"type": "nested",
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
}
},
"segments": {
"type": "nested",
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"type": "object",
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"inode": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"mtime": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"pe": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"size": {
"type": "long"
},
"target_path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"type": "object",
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"fileset": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"forcepoint": {
"type": "object",
"properties": {
"virus_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"fortinet": {
"type": "object",
"properties": {
"file": {
"type": "object",
"properties": {
"hash": {
"type": "object",
"properties": {
"crc32": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"firewall": {
"type": "object",
"properties": {
"acct_stat": {
"ignore_above": 1024,
"type": "keyword"
},
"acktime": {
"ignore_above": 1024,
"type": "keyword"
},
"act": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"activity": {
"ignore_above": 1024,
"type": "keyword"
},
"addr": {
"type": "ip"
},
"addr_type": {
"ignore_above": 1024,
"type": "keyword"
},
"addrgrp": {
"ignore_above": 1024,
"type": "keyword"
},
"adgroup": {
"ignore_above": 1024,
"type": "keyword"
},
"admin": {
"ignore_above": 1024,
"type": "keyword"
},
"age": {
"type": "long"
},
"agent": {
"ignore_above": 1024,
"type": "keyword"
},
"alarmid": {
"type": "long"
},
"alert": {
"ignore_above": 1024,
"type": "keyword"
},
"analyticscksum": {
"ignore_above": 1024,
"type": "keyword"
},
"analyticssubmit": {
"ignore_above": 1024,
"type": "keyword"
},
"ap": {
"ignore_above": 1024,
"type": "keyword"
},
"app-type": {
"ignore_above": 1024,
"type": "keyword"
},
"appact": {
"ignore_above": 1024,
"type": "keyword"
},
"appid": {
"type": "long"
},
"applist": {
"ignore_above": 1024,
"type": "keyword"
},
"apprisk": {
"ignore_above": 1024,
"type": "keyword"
},
"apscan": {
"ignore_above": 1024,
"type": "keyword"
},
"apsn": {
"ignore_above": 1024,
"type": "keyword"
},
"apstatus": {
"ignore_above": 1024,
"type": "keyword"
},
"aptype": {
"ignore_above": 1024,
"type": "keyword"
},
"assigned": {
"type": "ip"
},
"assignip": {
"type": "ip"
},
"attachment": {
"ignore_above": 1024,
"type": "keyword"
},
"attack": {
"ignore_above": 1024,
"type": "keyword"
},
"attackcontext": {
"ignore_above": 1024,
"type": "keyword"
},
"attackcontextid": {
"ignore_above": 1024,
"type": "keyword"
},
"attackid": {
"type": "long"
},
"auditid": {
"type": "long"
},
"auditscore": {
"ignore_above": 1024,
"type": "keyword"
},
"audittime": {
"type": "long"
},
"authgrp": {
"ignore_above": 1024,
"type": "keyword"
},
"authid": {
"ignore_above": 1024,
"type": "keyword"
},
"authproto": {
"ignore_above": 1024,
"type": "keyword"
},
"authserver": {
"ignore_above": 1024,
"type": "keyword"
},
"bandwidth": {
"ignore_above": 1024,
"type": "keyword"
},
"banned_rule": {
"ignore_above": 1024,
"type": "keyword"
},
"banned_src": {
"ignore_above": 1024,
"type": "keyword"
},
"banword": {
"ignore_above": 1024,
"type": "keyword"
},
"botnetdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"botnetip": {
"type": "ip"
},
"bssid": {
"ignore_above": 1024,
"type": "keyword"
},
"call_id": {
"ignore_above": 1024,
"type": "keyword"
},
"carrier_ep": {
"ignore_above": 1024,
"type": "keyword"
},
"cat": {
"type": "long"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"cc": {
"ignore_above": 1024,
"type": "keyword"
},
"cdrcontent": {
"ignore_above": 1024,
"type": "keyword"
},
"centralnatid": {
"type": "long"
},
"cert": {
"ignore_above": 1024,
"type": "keyword"
},
"cert-type": {
"ignore_above": 1024,
"type": "keyword"
},
"certhash": {
"ignore_above": 1024,
"type": "keyword"
},
"cfgattr": {
"ignore_above": 1024,
"type": "keyword"
},
"cfgobj": {
"ignore_above": 1024,
"type": "keyword"
},
"cfgpath": {
"ignore_above": 1024,
"type": "keyword"
},
"cfgtid": {
"ignore_above": 1024,
"type": "keyword"
},
"cfgtxpower": {
"type": "long"
},
"channel": {
"type": "long"
},
"channeltype": {
"ignore_above": 1024,
"type": "keyword"
},
"chassisid": {
"type": "long"
},
"checksum": {
"ignore_above": 1024,
"type": "keyword"
},
"chgheaders": {
"ignore_above": 1024,
"type": "keyword"
},
"cldobjid": {
"ignore_above": 1024,
"type": "keyword"
},
"client_addr": {
"ignore_above": 1024,
"type": "keyword"
},
"cloudaction": {
"ignore_above": 1024,
"type": "keyword"
},
"clouduser": {
"ignore_above": 1024,
"type": "keyword"
},
"column": {
"type": "long"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"community": {
"ignore_above": 1024,
"type": "keyword"
},
"configcountry": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_type": {
"ignore_above": 1024,
"type": "keyword"
},
"conserve": {
"ignore_above": 1024,
"type": "keyword"
},
"constraint": {
"ignore_above": 1024,
"type": "keyword"
},
"contentdisarmed": {
"ignore_above": 1024,
"type": "keyword"
},
"contenttype": {
"ignore_above": 1024,
"type": "keyword"
},
"cookies": {
"ignore_above": 1024,
"type": "keyword"
},
"count": {
"type": "long"
},
"countapp": {
"type": "long"
},
"countav": {
"type": "long"
},
"countcifs": {
"type": "long"
},
"countdlp": {
"type": "long"
},
"countdns": {
"type": "long"
},
"countemail": {
"type": "long"
},
"countff": {
"type": "long"
},
"countips": {
"type": "long"
},
"countssh": {
"type": "long"
},
"countssl": {
"type": "long"
},
"countwaf": {
"type": "long"
},
"countweb": {
"type": "long"
},
"cpu": {
"type": "long"
},
"craction": {
"type": "long"
},
"criticalcount": {
"type": "long"
},
"crl": {
"ignore_above": 1024,
"type": "keyword"
},
"crlevel": {
"ignore_above": 1024,
"type": "keyword"
},
"crscore": {
"type": "long"
},
"cveid": {
"ignore_above": 1024,
"type": "keyword"
},
"daemon": {
"ignore_above": 1024,
"type": "keyword"
},
"datarange": {
"ignore_above": 1024,
"type": "keyword"
},
"date": {
"ignore_above": 1024,
"type": "keyword"
},
"ddnsserver": {
"type": "ip"
},
"desc": {
"ignore_above": 1024,
"type": "keyword"
},
"detectionmethod": {
"ignore_above": 1024,
"type": "keyword"
},
"devcategory": {
"ignore_above": 1024,
"type": "keyword"
},
"devintfname": {
"ignore_above": 1024,
"type": "keyword"
},
"devtype": {
"ignore_above": 1024,
"type": "keyword"
},
"dhcp_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"dintf": {
"ignore_above": 1024,
"type": "keyword"
},
"disk": {
"ignore_above": 1024,
"type": "keyword"
},
"disklograte": {
"type": "long"
},
"dlpextra": {
"ignore_above": 1024,
"type": "keyword"
},
"docsource": {
"ignore_above": 1024,
"type": "keyword"
},
"domainctrlauthstate": {
"type": "long"
},
"domainctrlauthtype": {
"type": "long"
},
"domainctrldomain": {
"ignore_above": 1024,
"type": "keyword"
},
"domainctrlip": {
"type": "ip"
},
"domainctrlname": {
"ignore_above": 1024,
"type": "keyword"
},
"domainctrlprotocoltype": {
"type": "long"
},
"domainctrlusername": {
"ignore_above": 1024,
"type": "keyword"
},
"domainfilteridx": {
"type": "long"
},
"domainfilterlist": {
"ignore_above": 1024,
"type": "keyword"
},
"ds": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_int": {
"ignore_above": 1024,
"type": "keyword"
},
"dstcountry": {
"ignore_above": 1024,
"type": "keyword"
},
"dstdevcategory": {
"ignore_above": 1024,
"type": "keyword"
},
"dstdevtype": {
"ignore_above": 1024,
"type": "keyword"
},
"dstfamily": {
"ignore_above": 1024,
"type": "keyword"
},
"dsthwvendor": {
"ignore_above": 1024,
"type": "keyword"
},
"dsthwversion": {
"ignore_above": 1024,
"type": "keyword"
},
"dstinetsvc": {
"ignore_above": 1024,
"type": "keyword"
},
"dstintfrole": {
"ignore_above": 1024,
"type": "keyword"
},
"dstosname": {
"ignore_above": 1024,
"type": "keyword"
},
"dstosversion": {
"ignore_above": 1024,
"type": "keyword"
},
"dstserver": {
"type": "long"
},
"dstssid": {
"ignore_above": 1024,
"type": "keyword"
},
"dstswversion": {
"ignore_above": 1024,
"type": "keyword"
},
"dstunauthusersource": {
"ignore_above": 1024,
"type": "keyword"
},
"dstuuid": {
"ignore_above": 1024,
"type": "keyword"
},
"duid": {
"ignore_above": 1024,
"type": "keyword"
},
"eapolcnt": {
"type": "long"
},
"eapoltype": {
"ignore_above": 1024,
"type": "keyword"
},
"encrypt": {
"type": "long"
},
"encryption": {
"ignore_above": 1024,
"type": "keyword"
},
"epoch": {
"type": "long"
},
"espauth": {
"ignore_above": 1024,
"type": "keyword"
},
"esptransform": {
"ignore_above": 1024,
"type": "keyword"
},
"eventtype": {
"ignore_above": 1024,
"type": "keyword"
},
"exch": {
"ignore_above": 1024,
"type": "keyword"
},
"exchange": {
"ignore_above": 1024,
"type": "keyword"
},
"expectedsignature": {
"ignore_above": 1024,
"type": "keyword"
},
"expiry": {
"ignore_above": 1024,
"type": "keyword"
},
"fams_pause": {
"type": "long"
},
"fazlograte": {
"type": "long"
},
"fctemssn": {
"ignore_above": 1024,
"type": "keyword"
},
"fctuid": {
"ignore_above": 1024,
"type": "keyword"
},
"field": {
"ignore_above": 1024,
"type": "keyword"
},
"filefilter": {
"ignore_above": 1024,
"type": "keyword"
},
"filehashsrc": {
"ignore_above": 1024,
"type": "keyword"
},
"filtercat": {
"ignore_above": 1024,
"type": "keyword"
},
"filteridx": {
"type": "long"
},
"filtername": {
"ignore_above": 1024,
"type": "keyword"
},
"filtertype": {
"ignore_above": 1024,
"type": "keyword"
},
"fortiguardresp": {
"ignore_above": 1024,
"type": "keyword"
},
"forwardedfor": {
"ignore_above": 1024,
"type": "keyword"
},
"fqdn": {
"ignore_above": 1024,
"type": "keyword"
},
"frametype": {
"ignore_above": 1024,
"type": "keyword"
},
"freediskstorage": {
"type": "long"
},
"from": {
"ignore_above": 1024,
"type": "keyword"
},
"from_vcluster": {
"type": "long"
},
"fsaverdict": {
"ignore_above": 1024,
"type": "keyword"
},
"fwserver_name": {
"ignore_above": 1024,
"type": "keyword"
},
"gateway": {
"type": "ip"
},
"green": {
"ignore_above": 1024,
"type": "keyword"
},
"groupid": {
"type": "long"
},
"ha-prio": {
"type": "long"
},
"ha_group": {
"ignore_above": 1024,
"type": "keyword"
},
"ha_role": {
"ignore_above": 1024,
"type": "keyword"
},
"handshake": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"hbdn_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"highcount": {
"type": "long"
},
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"iaid": {
"ignore_above": 1024,
"type": "keyword"
},
"icmpcode": {
"ignore_above": 1024,
"type": "keyword"
},
"icmpid": {
"ignore_above": 1024,
"type": "keyword"
},
"icmptype": {
"ignore_above": 1024,
"type": "keyword"
},
"identifier": {
"type": "long"
},
"in_spi": {
"ignore_above": 1024,
"type": "keyword"
},
"incidentserialno": {
"type": "long"
},
"infected": {
"type": "long"
},
"infectedfilelevel": {
"type": "long"
},
"informationsource": {
"ignore_above": 1024,
"type": "keyword"
},
"init": {
"ignore_above": 1024,
"type": "keyword"
},
"initiator": {
"ignore_above": 1024,
"type": "keyword"
},
"interface": {
"ignore_above": 1024,
"type": "keyword"
},
"intf": {
"ignore_above": 1024,
"type": "keyword"
},
"invalidmac": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"iptype": {
"ignore_above": 1024,
"type": "keyword"
},
"keyword": {
"ignore_above": 1024,
"type": "keyword"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"lanin": {
"type": "long"
},
"lanout": {
"type": "long"
},
"lease": {
"type": "long"
},
"license_limit": {
"ignore_above": 1024,
"type": "keyword"
},
"limit": {
"type": "long"
},
"line": {
"ignore_above": 1024,
"type": "keyword"
},
"live": {
"type": "long"
},
"local": {
"type": "ip"
},
"log": {
"ignore_above": 1024,
"type": "keyword"
},
"login": {
"ignore_above": 1024,
"type": "keyword"
},
"lowcount": {
"type": "long"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"malform_data": {
"type": "long"
},
"malform_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"manuf": {
"ignore_above": 1024,
"type": "keyword"
},
"masterdstmac": {
"ignore_above": 1024,
"type": "keyword"
},
"mastersrcmac": {
"ignore_above": 1024,
"type": "keyword"
},
"mediumcount": {
"type": "long"
},
"mem": {
"type": "long"
},
"meshmode": {
"ignore_above": 1024,
"type": "keyword"
},
"message_type": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"mgmtcnt": {
"type": "long"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"monitor-name": {
"ignore_above": 1024,
"type": "keyword"
},
"monitor-type": {
"ignore_above": 1024,
"type": "keyword"
},
"mpsk": {
"ignore_above": 1024,
"type": "keyword"
},
"msgproto": {
"ignore_above": 1024,
"type": "keyword"
},
"mtu": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"ignore_above": 1024,
"type": "keyword"
},
"netid": {
"ignore_above": 1024,
"type": "keyword"
},
"new_status": {
"ignore_above": 1024,
"type": "keyword"
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"newchannel": {
"type": "long"
},
"newchassisid": {
"type": "long"
},
"newslot": {
"type": "long"
},
"nextstat": {
"type": "long"
},
"nf_type": {
"ignore_above": 1024,
"type": "keyword"
},
"noise": {
"type": "long"
},
"old_status": {
"ignore_above": 1024,
"type": "keyword"
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
},
"oldchannel": {
"type": "long"
},
"oldchassisid": {
"type": "long"
},
"oldslot": {
"type": "long"
},
"oldsn": {
"ignore_above": 1024,
"type": "keyword"
},
"oldwprof": {
"ignore_above": 1024,
"type": "keyword"
},
"onwire": {
"ignore_above": 1024,
"type": "keyword"
},
"opercountry": {
"ignore_above": 1024,
"type": "keyword"
},
"opertxpower": {
"type": "long"
},
"osname": {
"ignore_above": 1024,
"type": "keyword"
},
"osversion": {
"ignore_above": 1024,
"type": "keyword"
},
"out_spi": {
"ignore_above": 1024,
"type": "keyword"
},
"outintf": {
"ignore_above": 1024,
"type": "keyword"
},
"passedcount": {
"type": "long"
},
"passwd": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"peer": {
"ignore_above": 1024,
"type": "keyword"
},
"peer_notif": {
"ignore_above": 1024,
"type": "keyword"
},
"phase2_name": {
"ignore_above": 1024,
"type": "keyword"
},
"phone": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"type": "long"
},
"policytype": {
"ignore_above": 1024,
"type": "keyword"
},
"poolname": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
"portbegin": {
"type": "long"
},
"portend": {
"type": "long"
},
"probeproto": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"processtime": {
"type": "long"
},
"profile": {
"ignore_above": 1024,
"type": "keyword"
},
"profile_vd": {
"ignore_above": 1024,
"type": "keyword"
},
"profilegroup": {
"ignore_above": 1024,
"type": "keyword"
},
"profiletype": {
"ignore_above": 1024,
"type": "keyword"
},
"qtypeval": {
"type": "long"
},
"quarskip": {
"ignore_above": 1024,
"type": "keyword"
},
"quotaexceeded": {
"ignore_above": 1024,
"type": "keyword"
},
"quotamax": {
"type": "long"
},
"quotatype": {
"ignore_above": 1024,
"type": "keyword"
},
"quotaused": {
"type": "long"
},
"radioband": {
"ignore_above": 1024,
"type": "keyword"
},
"radioid": {
"type": "long"
},
"radioidclosest": {
"type": "long"
},
"radioiddetected": {
"type": "long"
},
"rate": {
"ignore_above": 1024,
"type": "keyword"
},
"rawdata": {
"ignore_above": 1024,
"type": "keyword"
},
"rawdataid": {
"ignore_above": 1024,
"type": "keyword"
},
"rcvddelta": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"received": {
"type": "long"
},
"receivedsignature": {
"ignore_above": 1024,
"type": "keyword"
},
"red": {
"ignore_above": 1024,
"type": "keyword"
},
"referralurl": {
"ignore_above": 1024,
"type": "keyword"
},
"remote": {
"type": "ip"
},
"remotewtptime": {
"ignore_above": 1024,
"type": "keyword"
},
"reporttype": {
"ignore_above": 1024,
"type": "keyword"
},
"reqtype": {
"ignore_above": 1024,
"type": "keyword"
},
"request_name": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"role": {
"ignore_above": 1024,
"type": "keyword"
},
"rssi": {
"type": "long"
},
"rsso_key": {
"ignore_above": 1024,
"type": "keyword"
},
"ruledata": {
"ignore_above": 1024,
"type": "keyword"
},
"ruletype": {
"ignore_above": 1024,
"type": "keyword"
},
"scanned": {
"type": "long"
},
"scantime": {
"type": "long"
},
"scope": {
"ignore_above": 1024,
"type": "keyword"
},
"security": {
"ignore_above": 1024,
"type": "keyword"
},
"sensitivity": {
"ignore_above": 1024,
"type": "keyword"
},
"sensor": {
"ignore_above": 1024,
"type": "keyword"
},
"sentdelta": {
"ignore_above": 1024,
"type": "keyword"
},
"seq": {
"ignore_above": 1024,
"type": "keyword"
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
},
"serialno": {
"ignore_above": 1024,
"type": "keyword"
},
"server": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"sessionid": {
"type": "long"
},
"setuprate": {
"type": "long"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"shaperdroprcvdbyte": {
"type": "long"
},
"shaperdropsentbyte": {
"type": "long"
},
"shaperperipdropbyte": {
"type": "long"
},
"shaperperipname": {
"ignore_above": 1024,
"type": "keyword"
},
"shaperrcvdname": {
"ignore_above": 1024,
"type": "keyword"
},
"shapersentname": {
"ignore_above": 1024,
"type": "keyword"
},
"shapingpolicyid": {
"type": "long"
},
"signal": {
"type": "long"
},
"size": {
"type": "long"
},
"slot": {
"type": "long"
},
"sn": {
"ignore_above": 1024,
"type": "keyword"
},
"snclosest": {
"ignore_above": 1024,
"type": "keyword"
},
"sndetected": {
"ignore_above": 1024,
"type": "keyword"
},
"snmeshparent": {
"ignore_above": 1024,
"type": "keyword"
},
"spi": {
"ignore_above": 1024,
"type": "keyword"
},
"src_int": {
"ignore_above": 1024,
"type": "keyword"
},
"srccountry": {
"ignore_above": 1024,
"type": "keyword"
},
"srcfamily": {
"ignore_above": 1024,
"type": "keyword"
},
"srchwvendor": {
"ignore_above": 1024,
"type": "keyword"
},
"srchwversion": {
"ignore_above": 1024,
"type": "keyword"
},
"srcinetsvc": {
"ignore_above": 1024,
"type": "keyword"
},
"srcintfrole": {
"ignore_above": 1024,
"type": "keyword"
},
"srcname": {
"ignore_above": 1024,
"type": "keyword"
},
"srcserver": {
"type": "long"
},
"srcssid": {
"ignore_above": 1024,
"type": "keyword"
},
"srcswversion": {
"ignore_above": 1024,
"type": "keyword"
},
"srcuuid": {
"ignore_above": 1024,
"type": "keyword"
},
"sscname": {
"ignore_above": 1024,
"type": "keyword"
},
"ssid": {
"ignore_above": 1024,
"type": "keyword"
},
"sslaction": {
"ignore_above": 1024,
"type": "keyword"
},
"ssllocal": {
"ignore_above": 1024,
"type": "keyword"
},
"sslremote": {
"ignore_above": 1024,
"type": "keyword"
},
"stacount": {
"type": "long"
},
"stage": {
"ignore_above": 1024,
"type": "keyword"
},
"stamac": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"stitch": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"submodule": {
"ignore_above": 1024,
"type": "keyword"
},
"subservice": {
"ignore_above": 1024,
"type": "keyword"
},
"subtype": {
"ignore_above": 1024,
"type": "keyword"
},
"suspicious": {
"type": "long"
},
"switchproto": {
"ignore_above": 1024,
"type": "keyword"
},
"sync_status": {
"ignore_above": 1024,
"type": "keyword"
},
"sync_type": {
"ignore_above": 1024,
"type": "keyword"
},
"sysuptime": {
"ignore_above": 1024,
"type": "keyword"
},
"tamac": {
"ignore_above": 1024,
"type": "keyword"
},
"threattype": {
"ignore_above": 1024,
"type": "keyword"
},
"time": {
"ignore_above": 1024,
"type": "keyword"
},
"to": {
"ignore_above": 1024,
"type": "keyword"
},
"to_vcluster": {
"type": "long"
},
"total": {
"type": "long"
},
"totalsession": {
"type": "long"
},
"trace_id": {
"ignore_above": 1024,
"type": "keyword"
},
"trandisp": {
"ignore_above": 1024,
"type": "keyword"
},
"transid": {
"type": "long"
},
"translationid": {
"ignore_above": 1024,
"type": "keyword"
},
"trigger": {
"ignore_above": 1024,
"type": "keyword"
},
"trueclntip": {
"type": "ip"
},
"tunnelid": {
"type": "long"
},
"tunnelip": {
"type": "ip"
},
"tunneltype": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"ui": {
"ignore_above": 1024,
"type": "keyword"
},
"unauthusersource": {
"ignore_above": 1024,
"type": "keyword"
},
"unit": {
"type": "long"
},
"urlfilteridx": {
"type": "long"
},
"urlfilterlist": {
"ignore_above": 1024,
"type": "keyword"
},
"urlsource": {
"ignore_above": 1024,
"type": "keyword"
},
"urltype": {
"ignore_above": 1024,
"type": "keyword"
},
"used": {
"type": "long"
},
"used_for_type": {
"type": "long"
},
"utmaction": {
"ignore_above": 1024,
"type": "keyword"
},
"utmref": {
"ignore_above": 1024,
"type": "keyword"
},
"vap": {
"ignore_above": 1024,
"type": "keyword"
},
"vapmode": {
"ignore_above": 1024,
"type": "keyword"
},
"vcluster": {
"type": "long"
},
"vcluster_member": {
"type": "long"
},
"vcluster_state": {
"ignore_above": 1024,
"type": "keyword"
},
"vd": {
"ignore_above": 1024,
"type": "keyword"
},
"vdname": {
"ignore_above": 1024,
"type": "keyword"
},
"vendorurl": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"vip": {
"ignore_above": 1024,
"type": "keyword"
},
"virus": {
"ignore_above": 1024,
"type": "keyword"
},
"virusid": {
"type": "long"
},
"voip_proto": {
"ignore_above": 1024,
"type": "keyword"
},
"vpn": {
"ignore_above": 1024,
"type": "keyword"
},
"vpntunnel": {
"ignore_above": 1024,
"type": "keyword"
},
"vpntype": {
"ignore_above": 1024,
"type": "keyword"
},
"vrf": {
"type": "long"
},
"vulncat": {
"ignore_above": 1024,
"type": "keyword"
},
"vulnid": {
"type": "long"
},
"vulnname": {
"ignore_above": 1024,
"type": "keyword"
},
"vwlid": {
"type": "long"
},
"vwlquality": {
"ignore_above": 1024,
"type": "keyword"
},
"vwlservice": {
"ignore_above": 1024,
"type": "keyword"
},
"vwpvlanid": {
"type": "long"
},
"wanin": {
"type": "long"
},
"wanoptapptype": {
"ignore_above": 1024,
"type": "keyword"
},
"wanout": {
"type": "long"
},
"weakwepiv": {
"ignore_above": 1024,
"type": "keyword"
},
"xauthgroup": {
"ignore_above": 1024,
"type": "keyword"
},
"xauthuser": {
"ignore_above": 1024,
"type": "keyword"
},
"xid": {
"type": "long"
}
}
}
}
},
"gcp": {
"type": "object",
"properties": {
"audit": {
"type": "object",
"properties": {
"authentication_info": {
"type": "object",
"properties": {
"authority_selector": {
"ignore_above": 1024,
"type": "keyword"
},
"principal_email": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"method_name": {
"ignore_above": 1024,
"type": "keyword"
},
"num_response_items": {
"type": "long"
},
"request": {
"type": "object",
"properties": {
"filter": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"proto_name": {
"ignore_above": 1024,
"type": "keyword"
},
"resource_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"request_metadata": {
"type": "object",
"properties": {
"caller_ip": {
"type": "ip"
},
"caller_supplied_user_agent": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource_location": {
"type": "object",
"properties": {
"current_locations": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource_name": {
"ignore_above": 1024,
"type": "keyword"
},
"response": {
"type": "object",
"properties": {
"details": {
"type": "object",
"properties": {
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"proto_name": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"service_name": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"type": "object",
"properties": {
"code": {
"type": "long"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"destination": {
"type": "object",
"properties": {
"instance": {
"type": "object",
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpc": {
"type": "object",
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"subnetwork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"vpc_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"firewall": {
"type": "object",
"properties": {
"rule_details": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_range": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"type": "long"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"source_range": {
"ignore_above": 1024,
"type": "keyword"
},
"source_service_account": {
"ignore_above": 1024,
"type": "keyword"
},
"source_tag": {
"ignore_above": 1024,
"type": "keyword"
},
"target_service_account": {
"ignore_above": 1024,
"type": "keyword"
},
"target_tag": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"source": {
"type": "object",
"properties": {
"instance": {
"type": "object",
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpc": {
"type": "object",
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"subnetwork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"vpc_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"vpcflow": {
"type": "object",
"properties": {
"reporter": {
"ignore_above": 1024,
"type": "keyword"
},
"rtt": {
"type": "object",
"properties": {
"ms": {
"type": "long"
}
}
}
}
}
}
},
"geo": {
"type": "object",
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"google_workspace": {
"type": "object",
"properties": {
"actor": {
"type": "object",
"properties": {
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"admin": {
"type": "object",
"properties": {
"alert": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"api": {
"type": "object",
"properties": {
"client": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scopes": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"application": {
"type": "object",
"properties": {
"asp_id": {
"ignore_above": 1024,
"type": "keyword"
},
"edition": {
"ignore_above": 1024,
"type": "keyword"
},
"enabled": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"licences_order_number": {
"ignore_above": 1024,
"type": "keyword"
},
"licences_purchased": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"package_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"bulk_upload": {
"type": "object",
"properties": {
"failed": {
"type": "long"
},
"total": {
"type": "long"
}
}
},
"chrome_licenses": {
"type": "object",
"properties": {
"allowed": {
"ignore_above": 1024,
"type": "keyword"
},
"enabled": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"chrome_os": {
"type": "object",
"properties": {
"session_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"device": {
"type": "object",
"properties": {
"command_details": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"distribution": {
"type": "object",
"properties": {
"entity": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"domain": {
"type": "object",
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"secondary_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email": {
"type": "object",
"properties": {
"log_search_filter": {
"type": "object",
"properties": {
"end_date": {
"type": "date"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"recipient": {
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sender": {
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"start_date": {
"type": "date"
}
}
},
"quarantine_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email_dump": {
"type": "object",
"properties": {
"include_deleted": {
"type": "boolean"
},
"package_content": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email_monitor": {
"type": "object",
"properties": {
"dest_email": {
"ignore_above": 1024,
"type": "keyword"
},
"level": {
"type": "object",
"properties": {
"chat": {
"ignore_above": 1024,
"type": "keyword"
},
"draft": {
"ignore_above": 1024,
"type": "keyword"
},
"incoming": {
"ignore_above": 1024,
"type": "keyword"
},
"outgoing": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"field": {
"ignore_above": 1024,
"type": "keyword"
},
"gateway": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group": {
"type": "object",
"properties": {
"allowed_list": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"priorities": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"info_type": {
"ignore_above": 1024,
"type": "keyword"
},
"managed_configuration": {
"ignore_above": 1024,
"type": "keyword"
},
"mdm": {
"type": "object",
"properties": {
"token": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"mobile": {
"type": "object",
"properties": {
"action": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"certificate": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"company_owned_devices": {
"type": "long"
}
}
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"non_featured_services_selection": {
"ignore_above": 1024,
"type": "keyword"
},
"oauth2": {
"type": "object",
"properties": {
"application": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"service": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
},
"org_unit": {
"type": "object",
"properties": {
"full": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"print_server": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"printer": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"privilege": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"product": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"sku": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"request": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"role": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rule": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"service": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"setting": {
"type": "object",
"properties": {
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"url": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"type": "object",
"properties": {
"birthdate": {
"type": "date"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"nickname": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user_defined_setting": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"verification_method": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"drive": {
"type": "object",
"properties": {
"added_role": {
"ignore_above": 1024,
"type": "keyword"
},
"billable": {
"type": "boolean"
},
"destination_folder_id": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_folder_title": {
"ignore_above": 1024,
"type": "keyword"
},
"file": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"type": "object",
"properties": {
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"is_shared_drive": {
"type": "boolean"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"membership_change_type": {
"ignore_above": 1024,
"type": "keyword"
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_visibility": {
"ignore_above": 1024,
"type": "keyword"
},
"originating_app_id": {
"ignore_above": 1024,
"type": "keyword"
},
"primary_event": {
"type": "boolean"
},
"removed_role": {
"ignore_above": 1024,
"type": "keyword"
},
"shared_drive_id": {
"ignore_above": 1024,
"type": "keyword"
},
"shared_drive_settings_change_type": {
"ignore_above": 1024,
"type": "keyword"
},
"sheets_import_range_recipient_doc": {
"ignore_above": 1024,
"type": "keyword"
},
"source_folder_id": {
"ignore_above": 1024,
"type": "keyword"
},
"source_folder_title": {
"ignore_above": 1024,
"type": "keyword"
},
"target": {
"ignore_above": 1024,
"type": "keyword"
},
"target_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"visibility": {
"ignore_above": 1024,
"type": "keyword"
},
"visibility_change": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"type": "object",
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"groups": {
"type": "object",
"properties": {
"acl_permission": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"member": {
"type": "object",
"properties": {
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"role": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"message": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"moderation_action": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
},
"setting": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"login": {
"type": "object",
"properties": {
"affected_email_address": {
"ignore_above": 1024,
"type": "keyword"
},
"challenge_method": {
"ignore_above": 1024,
"type": "keyword"
},
"failure_type": {
"ignore_above": 1024,
"type": "keyword"
},
"is_second_factor": {
"type": "boolean"
},
"is_suspicious": {
"type": "boolean"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"organization": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"saml": {
"type": "object",
"properties": {
"application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"failure_type": {
"ignore_above": 1024,
"type": "keyword"
},
"initiated_by": {
"ignore_above": 1024,
"type": "keyword"
},
"orgunit_path": {
"ignore_above": 1024,
"type": "keyword"
},
"second_level_status_code": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"group": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"haproxy": {
"type": "object",
"properties": {
"backend_name": {
"ignore_above": 1024,
"type": "keyword"
},
"backend_queue": {
"type": "long"
},
"bind_name": {
"ignore_above": 1024,
"type": "keyword"
},
"bytes_read": {
"type": "long"
},
"connection_wait_time_ms": {
"type": "long"
},
"connections": {
"type": "object",
"properties": {
"active": {
"type": "long"
},
"backend": {
"type": "long"
},
"frontend": {
"type": "long"
},
"retries": {
"type": "long"
},
"server": {
"type": "long"
}
}
},
"error_message": {
"norms": false,
"type": "text"
},
"frontend_name": {
"ignore_above": 1024,
"type": "keyword"
},
"http": {
"type": "object",
"properties": {
"request": {
"type": "object",
"properties": {
"captured_cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"captured_headers": {
"ignore_above": 1024,
"type": "keyword"
},
"raw_request_line": {
"ignore_above": 1024,
"type": "keyword"
},
"time_wait_ms": {
"type": "long"
},
"time_wait_without_data_ms": {
"type": "long"
}
}
},
"response": {
"type": "object",
"properties": {
"captured_cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"captured_headers": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"server_queue": {
"type": "long"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp": {
"type": "object",
"properties": {
"connection_waiting_time_ms": {
"type": "long"
}
}
},
"termination_state": {
"ignore_above": 1024,
"type": "keyword"
},
"time_backend_connect": {
"type": "long"
},
"time_queue": {
"type": "long"
},
"total_waiting_time_ms": {
"type": "long"
}
}
},
"hash": {
"type": "object",
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"host": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"containerized": {
"type": "boolean"
},
"cpu": {
"type": "object",
"properties": {
"usage": {
"scaling_factor": 1000,
"type": "scaled_float"
}
}
},
"disk": {
"type": "object",
"properties": {
"read": {
"type": "object",
"properties": {
"bytes": {
"type": "long"
}
}
},
"write": {
"type": "object",
"properties": {
"bytes": {
"type": "long"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"type": "object",
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"network": {
"type": "object",
"properties": {
"egress": {
"type": "object",
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
},
"ingress": {
"type": "object",
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
}
}
},
"os": {
"type": "object",
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
}
}
},
"http": {
"type": "object",
"properties": {
"request": {
"type": "object",
"properties": {
"body": {
"type": "object",
"properties": {
"bytes": {
"type": "long"
},
"content": {
"type": "wildcard"
}
}
},
"bytes": {
"type": "long"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"response": {
"type": "object",
"properties": {
"body": {
"type": "object",
"properties": {
"bytes": {
"type": "long"
},
"content": {
"type": "wildcard"
}
}
},
"bytes": {
"type": "long"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"type": "long"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ibmmq": {
"type": "object",
"properties": {
"errorlog": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"arithinsert": {
"ignore_above": 1024,
"type": "keyword"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"commentinsert": {
"ignore_above": 1024,
"type": "keyword"
},
"errordescription": {
"norms": false,
"type": "text"
},
"explanation": {
"ignore_above": 1024,
"type": "keyword"
},
"installation": {
"ignore_above": 1024,
"type": "keyword"
},
"qmgr": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"icinga": {
"type": "object",
"properties": {
"debug": {
"type": "object",
"properties": {
"facility": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"main": {
"type": "object",
"properties": {
"facility": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"startup": {
"type": "object",
"properties": {
"facility": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"icmp": {
"type": "object",
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"igmp": {
"type": "object",
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"iis": {
"type": "object",
"properties": {
"access": {
"type": "object",
"properties": {
"cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"site_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_status": {
"type": "long"
},
"win32_status": {
"type": "long"
}
}
},
"error": {
"type": "object",
"properties": {
"queue_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reason_phrase": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"input": {
"type": "object",
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"interface": {
"type": "object",
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"iptables": {
"type": "object",
"properties": {
"ether_type": {
"type": "long"
},
"flow_label": {
"type": "long"
},
"fragment_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"fragment_offset": {
"type": "long"
},
"icmp": {
"type": "object",
"properties": {
"code": {
"type": "long"
},
"id": {
"type": "long"
},
"parameter": {
"type": "long"
},
"redirect": {
"type": "ip"
},
"seq": {
"type": "long"
},
"type": {
"type": "long"
}
}
},
"id": {
"type": "long"
},
"incomplete_bytes": {
"type": "long"
},
"input_device": {
"ignore_above": 1024,
"type": "keyword"
},
"length": {
"type": "long"
},
"output_device": {
"ignore_above": 1024,
"type": "keyword"
},
"precedence_bits": {
"type": "short"
},
"tcp": {
"type": "object",
"properties": {
"ack": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"reserved_bits": {
"type": "short"
},
"seq": {
"type": "long"
},
"window": {
"type": "long"
}
}
},
"tos": {
"type": "long"
},
"ttl": {
"type": "long"
},
"ubiquiti": {
"type": "object",
"properties": {
"input_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"output_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_number": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_set": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"udp": {
"type": "object",
"properties": {
"length": {
"type": "long"
}
}
}
}
},
"jolokia": {
"type": "object",
"properties": {
"agent": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"secured": {
"type": "boolean"
},
"server": {
"type": "object",
"properties": {
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"juniper": {
"type": "object",
"properties": {
"srx": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"action_detail": {
"ignore_above": 1024,
"type": "keyword"
},
"alert": {
"ignore_above": 1024,
"type": "keyword"
},
"apbr_rule_type": {
"ignore_above": 1024,
"type": "keyword"
},
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"application_category": {
"ignore_above": 1024,
"type": "keyword"
},
"application_characteristics": {
"ignore_above": 1024,
"type": "keyword"
},
"application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_sub_category": {
"ignore_above": 1024,
"type": "keyword"
},
"attack_name": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"client_ip": {
"type": "ip"
},
"connection_hit_rate": {
"type": "long"
},
"connection_tag": {
"ignore_above": 1024,
"type": "keyword"
},
"context_hit_rate": {
"type": "long"
},
"context_name": {
"ignore_above": 1024,
"type": "keyword"
},
"context_value": {
"ignore_above": 1024,
"type": "keyword"
},
"context_value_hit_rate": {
"type": "long"
},
"ddos_application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dscp_value": {
"type": "long"
},
"dst_nat_rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_nat_rule_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_vrf_grp": {
"ignore_above": 1024,
"type": "keyword"
},
"elapsed_time": {
"type": "date"
},
"encrypted": {
"ignore_above": 1024,
"type": "keyword"
},
"epoch_time": {
"type": "date"
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
},
"error_message": {
"ignore_above": 1024,
"type": "keyword"
},
"export_id": {
"type": "long"
},
"feed_name": {
"ignore_above": 1024,
"type": "keyword"
},
"file_category": {
"ignore_above": 1024,
"type": "keyword"
},
"file_hash_lookup": {
"ignore_above": 1024,
"type": "keyword"
},
"file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_type": {
"type": "long"
},
"inbound_bytes": {
"type": "long"
},
"inbound_packets": {
"type": "long"
},
"index": {
"ignore_above": 1024,
"type": "keyword"
},
"logical_system_name": {
"ignore_above": 1024,
"type": "keyword"
},
"malware_info": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"message_type": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_connection_tag": {
"ignore_above": 1024,
"type": "keyword"
},
"nested_application": {
"ignore_above": 1024,
"type": "keyword"
},
"obj": {
"ignore_above": 1024,
"type": "keyword"
},
"occur_count": {
"type": "long"
},
"outbound_bytes": {
"type": "long"
},
"outbound_packets": {
"type": "long"
},
"packet_log_id": {
"type": "long"
},
"peer_destination_address": {
"type": "ip"
},
"peer_destination_port": {
"type": "long"
},
"peer_session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"peer_source_address": {
"type": "ip"
},
"peer_source_port": {
"type": "long"
},
"policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"profile": {
"ignore_above": 1024,
"type": "keyword"
},
"profile_name": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol_id": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"repeat_count": {
"type": "long"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
},
"routing_instance": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ruleebase_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sample_sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"secure_web_proxy_session_type": {
"ignore_above": 1024,
"type": "keyword"
},
"service_name": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id_32": {
"ignore_above": 1024,
"type": "keyword"
},
"src_nat_rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"src_nat_rule_type": {
"ignore_above": 1024,
"type": "keyword"
},
"src_vrf_grp": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_category": {
"ignore_above": 1024,
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
},
"temporary_filename": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
},
"th": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_severity": {
"ignore_above": 1024,
"type": "keyword"
},
"time_count": {
"type": "long"
},
"time_period": {
"type": "long"
},
"time_scope": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uplink_rx_bytes": {
"type": "long"
},
"uplink_tx_bytes": {
"type": "long"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
},
"verdict_number": {
"type": "long"
},
"verdict_source": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"kafka": {
"type": "object",
"properties": {
"block_timestamp": {
"type": "date"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"log": {
"type": "object",
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"component": {
"ignore_above": 1024,
"type": "keyword"
},
"thread": {
"ignore_above": 1024,
"type": "keyword"
},
"trace": {
"type": "object",
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
}
}
}
}
},
"offset": {
"type": "long"
},
"partition": {
"type": "long"
},
"topic": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"kibana": {
"type": "object",
"properties": {
"add_to_spaces": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_provider": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_realm": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_type": {
"ignore_above": 1024,
"type": "keyword"
},
"delete_from_spaces": {
"ignore_above": 1024,
"type": "keyword"
},
"log": {
"type": "object",
"properties": {
"meta": {
"type": "object",
"properties": {
"req": {
"type": "object",
"properties": {
"headers": {
"type": "flattened"
}
}
},
"res": {
"type": "object",
"properties": {
"headers": {
"type": "flattened"
}
}
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"lookup_realm": {
"ignore_above": 1024,
"type": "keyword"
},
"saved_object": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"space_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"kubernetes": {
"type": "object",
"properties": {
"annotations": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
},
"container": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"deployment": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"labels": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
},
"namespace": {
"ignore_above": 1024,
"type": "keyword"
},
"node": {
"type": "object",
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pod": {
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"replicaset": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"selectors": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
},
"statefulset": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"labels": {
"type": "object"
},
"log": {
"type": "object",
"properties": {
"file": {
"type": "object",
"properties": {
"path": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"logger": {
"ignore_above": 1024,
"type": "keyword"
},
"offset": {
"type": "long"
},
"origin": {
"type": "object",
"properties": {
"file": {
"type": "object",
"properties": {
"line": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"function": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"source": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"syslog": {
"type": "object",
"properties": {
"facility": {
"type": "object",
"properties": {
"code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"priority": {
"type": "long"
},
"severity": {
"type": "object",
"properties": {
"code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"logstash": {
"type": "object",
"properties": {
"log": {
"type": "object",
"properties": {
"log_event": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"pipeline_id": {
"ignore_above": 1024,
"type": "keyword"
},
"thread": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
}
}
},
"slowlog": {
"type": "object",
"properties": {
"event": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"plugin_name": {
"ignore_above": 1024,
"type": "keyword"
},
"plugin_params": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
},
"plugin_params_object": {
"type": "object"
},
"plugin_type": {
"ignore_above": 1024,
"type": "keyword"
},
"thread": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
},
"took_in_millis": {
"type": "long"
}
}
}
}
},
"lumberjack": {
"type": "flattened"
},
"message": {
"type": "match_only_text"
},
"metadata": {
"type": "flattened"
},
"microsoft": {
"type": "object",
"properties": {
"defender_atp": {
"type": "object",
"properties": {
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
},
"evidence": {
"type": "object",
"properties": {
"aadUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"accountName": {
"ignore_above": 1024,
"type": "keyword"
},
"domainName": {
"ignore_above": 1024,
"type": "keyword"
},
"entityType": {
"ignore_above": 1024,
"type": "keyword"
},
"ipAddress": {
"type": "ip"
},
"userPrincipalName": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
},
"lastUpdateTime": {
"type": "date"
},
"rbacGroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"resolvedTime": {
"type": "date"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"threatFamilyName": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"m365_defender": {
"type": "object",
"properties": {
"alerts": {
"type": "object",
"properties": {
"actorName": {
"ignore_above": 1024,
"type": "keyword"
},
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"creationTime": {
"type": "date"
},
"detectionSource": {
"ignore_above": 1024,
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
},
"devices": {
"type": "flattened"
},
"entities": {
"type": "object",
"properties": {
"accountName": {
"ignore_above": 1024,
"type": "keyword"
},
"clusterBy": {
"ignore_above": 1024,
"type": "keyword"
},
"deliveryAction": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceId": {
"ignore_above": 1024,
"type": "keyword"
},
"entityType": {
"ignore_above": 1024,
"type": "keyword"
},
"ipAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"mailboxAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"mailboxDisplayName": {
"ignore_above": 1024,
"type": "keyword"
},
"recipient": {
"ignore_above": 1024,
"type": "keyword"
},
"registryHive": {
"ignore_above": 1024,
"type": "keyword"
},
"registryKey": {
"ignore_above": 1024,
"type": "keyword"
},
"registryValueType": {
"ignore_above": 1024,
"type": "keyword"
},
"securityGroupId": {
"ignore_above": 1024,
"type": "keyword"
},
"securityGroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"sender": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
},
"lastUpdatedTime": {
"type": "date"
},
"mitreTechniques": {
"ignore_above": 1024,
"type": "keyword"
},
"resolvedTime": {
"type": "date"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"threatFamilyName": {
"ignore_above": 1024,
"type": "keyword"
},
"userSid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"incidentName": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
},
"redirectIncidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"misp": {
"type": "object",
"properties": {
"attack_pattern": {
"type": "object",
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"campaign": {
"type": "object",
"properties": {
"aliases": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"first_seen": {
"type": "date"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"last_seen": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"objective": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"course_of_action": {
"type": "object",
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"identity": {
"type": "object",
"properties": {
"contact_information": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"identity_class": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"sectors": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"intrusion_set": {
"type": "object",
"properties": {
"aliases": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"first_seen": {
"type": "date"
},
"goals": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"last_seen": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"primary_motivation": {
"norms": false,
"type": "text"
},
"resource_level": {
"norms": false,
"type": "text"
},
"secondary_motivations": {
"norms": false,
"type": "text"
}
}
},
"malware": {
"type": "object",
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"note": {
"type": "object",
"properties": {
"authors": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"object_refs": {
"ignore_above": 1024,
"type": "keyword"
},
"summary": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"observed_data": {
"type": "object",
"properties": {
"first_observed": {
"type": "date"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"last_observed": {
"type": "date"
},
"number_observed": {
"type": "long"
},
"objects": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"report": {
"type": "object",
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"object_refs": {
"norms": false,
"type": "text"
},
"published": {
"type": "date"
}
}
},
"threat_actor": {
"type": "object",
"properties": {
"aliases": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"goals": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"personal_motivations": {
"norms": false,
"type": "text"
},
"primary_motivation": {
"norms": false,
"type": "text"
},
"resource_level": {
"norms": false,
"type": "text"
},
"roles": {
"norms": false,
"type": "text"
},
"secondary_motivations": {
"norms": false,
"type": "text"
},
"sophistication": {
"norms": false,
"type": "text"
}
}
},
"threat_indicator": {
"type": "object",
"properties": {
"attack_pattern": {
"ignore_above": 1024,
"type": "keyword"
},
"attack_pattern_kql": {
"ignore_above": 1024,
"type": "keyword"
},
"campaign": {
"ignore_above": 1024,
"type": "keyword"
},
"confidence": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"norms": false,
"type": "text"
},
"feed": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"intrusion_set": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_tactic": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_technique": {
"ignore_above": 1024,
"type": "keyword"
},
"negate": {
"type": "boolean"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_actor": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"valid_from": {
"type": "date"
},
"valid_until": {
"type": "date"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tool": {
"type": "object",
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"norms": false,
"type": "text"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"tool_version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vulnerability": {
"type": "object",
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"mongodb": {
"type": "object",
"properties": {
"log": {
"type": "object",
"properties": {
"component": {
"ignore_above": 1024,
"type": "keyword"
},
"context": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"type": "long"
}
}
}
}
},
"mssql": {
"type": "object",
"properties": {
"log": {
"type": "object",
"properties": {
"origin": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"mysql": {
"type": "object",
"properties": {
"slowlog": {
"type": "object",
"properties": {
"bytes_received": {
"type": "long"
},
"bytes_sent": {
"type": "long"
},
"current_user": {
"ignore_above": 1024,
"type": "keyword"
},
"filesort": {
"type": "boolean"
},
"filesort_on_disk": {
"type": "boolean"
},
"full_join": {
"type": "boolean"
},
"full_scan": {
"type": "boolean"
},
"innodb": {
"type": "object",
"properties": {
"io_r_bytes": {
"type": "long"
},
"io_r_ops": {
"type": "long"
},
"io_r_wait": {
"type": "object",
"properties": {
"sec": {
"type": "long"
}
}
},
"pages_distinct": {
"type": "long"
},
"queue_wait": {
"type": "object",
"properties": {
"sec": {
"type": "long"
}
}
},
"rec_lock_wait": {
"type": "object",
"properties": {
"sec": {
"type": "long"
}
}
},
"trx_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"killed": {
"ignore_above": 1024,
"type": "keyword"
},
"last_errno": {
"ignore_above": 1024,
"type": "keyword"
},
"lock_time": {
"type": "object",
"properties": {
"sec": {
"type": "float"
}
}
},
"log_slow_rate_limit": {
"ignore_above": 1024,
"type": "keyword"
},
"log_slow_rate_type": {
"ignore_above": 1024,
"type": "keyword"
},
"merge_passes": {
"type": "long"
},
"priority_queue": {
"type": "boolean"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"query_cache_hit": {
"type": "boolean"
},
"read_first": {
"type": "long"
},
"read_key": {
"type": "long"
},
"read_last": {
"type": "long"
},
"read_next": {
"type": "long"
},
"read_prev": {
"type": "long"
},
"read_rnd": {
"type": "long"
},
"read_rnd_next": {
"type": "long"
},
"rows_affected": {
"type": "long"
},
"rows_examined": {
"type": "long"
},
"rows_sent": {
"type": "long"
},
"schema": {
"ignore_above": 1024,
"type": "keyword"
},
"sort_merge_passes": {
"type": "long"
},
"sort_range_count": {
"type": "long"
},
"sort_rows": {
"type": "long"
},
"sort_scan_count": {
"type": "long"
},
"tmp_disk_tables": {
"type": "long"
},
"tmp_table": {
"type": "boolean"
},
"tmp_table_on_disk": {
"type": "boolean"
},
"tmp_table_sizes": {
"type": "long"
},
"tmp_tables": {
"type": "long"
}
}
},
"thread_id": {
"type": "long"
}
}
},
"mysqlenterprise": {
"type": "object",
"properties": {
"audit": {
"type": "object",
"properties": {
"account": {
"type": "object",
"properties": {
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_data": {
"type": "object",
"properties": {
"connection_attributes": {
"type": "flattened"
},
"connection_type": {
"ignore_above": 1024,
"type": "keyword"
},
"db": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"type": "long"
}
}
},
"connection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"general_data": {
"type": "object",
"properties": {
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"sql_command": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"type": "long"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"login": {
"type": "object",
"properties": {
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"proxy": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"shutdown_data": {
"type": "object",
"properties": {
"server_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"startup_data": {
"type": "object",
"properties": {
"mysql_version": {
"ignore_above": 1024,
"type": "keyword"
},
"server_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"table_access_data": {
"type": "object",
"properties": {
"db": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"sql_command": {
"ignore_above": 1024,
"type": "keyword"
},
"table": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"nats": {
"type": "object",
"properties": {
"log": {
"type": "object",
"properties": {
"client": {
"type": "object",
"properties": {
"id": {
"type": "long"
}
}
},
"msg": {
"type": "object",
"properties": {
"bytes": {
"type": "long"
},
"error": {
"type": "object",
"properties": {
"message": {
"norms": false,
"type": "text"
}
}
},
"max_messages": {
"type": "long"
},
"queue_group": {
"norms": false,
"type": "text"
},
"reply_to": {
"ignore_above": 1024,
"type": "keyword"
},
"sid": {
"type": "long"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"netflow": {
"type": "object",
"properties": {
"absolute_error": {
"type": "double"
},
"address_pool_high_threshold": {
"type": "long"
},
"address_pool_low_threshold": {
"type": "long"
},
"address_port_mapping_high_threshold": {
"type": "long"
},
"address_port_mapping_low_threshold": {
"type": "long"
},
"address_port_mapping_per_user_high_threshold": {
"type": "long"
},
"afc_protocol": {
"type": "long"
},
"afc_protocol_name": {
"ignore_above": 1024,
"type": "keyword"
},
"anonymization_flags": {
"type": "long"
},
"anonymization_technique": {
"type": "long"
},
"application_business-relevance": {
"type": "long"
},
"application_category_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_description": {
"ignore_above": 1024,
"type": "keyword"
},
"application_group_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_http_uri_statistics": {
"type": "short"
},
"application_http_user-agent": {
"type": "short"
},
"application_id": {
"type": "short"
},
"application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_sub_category_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_traffic-class": {
"type": "long"
},
"art_client_network_time_maximum": {
"type": "long"
},
"art_client_network_time_minimum": {
"type": "long"
},
"art_client_network_time_sum": {
"type": "long"
},
"art_clientpackets": {
"type": "long"
},
"art_count_late_responses": {
"type": "long"
},
"art_count_new_connections": {
"type": "long"
},
"art_count_responses": {
"type": "long"
},
"art_count_responses_histogram_bucket1": {
"type": "long"
},
"art_count_responses_histogram_bucket2": {
"type": "long"
},
"art_count_responses_histogram_bucket3": {
"type": "long"
},
"art_count_responses_histogram_bucket4": {
"type": "long"
},
"art_count_responses_histogram_bucket5": {
"type": "long"
},
"art_count_responses_histogram_bucket6": {
"type": "long"
},
"art_count_responses_histogram_bucket7": {
"type": "long"
},
"art_count_retransmissions": {
"type": "long"
},
"art_count_transactions": {
"type": "long"
},
"art_network_time_maximum": {
"type": "long"
},
"art_network_time_minimum": {
"type": "long"
},
"art_network_time_sum": {
"type": "long"
},
"art_response_time_maximum": {
"type": "long"
},
"art_response_time_minimum": {
"type": "long"
},
"art_response_time_sum": {
"type": "long"
},
"art_server_network_time_maximum": {
"type": "long"
},
"art_server_network_time_minimum": {
"type": "long"
},
"art_server_network_time_sum": {
"type": "long"
},
"art_server_response_time_maximum": {
"type": "long"
},
"art_server_response_time_minimum": {
"type": "long"
},
"art_server_response_time_sum": {
"type": "long"
},
"art_serverpackets": {
"type": "long"
},
"art_total_response_time_maximum": {
"type": "long"
},
"art_total_response_time_minimum": {
"type": "long"
},
"art_total_response_time_sum": {
"type": "long"
},
"art_total_transaction_time_maximum": {
"type": "long"
},
"art_total_transaction_time_minimum": {
"type": "long"
},
"art_total_transaction_time_sum": {
"type": "long"
},
"assembled_fragment_count": {
"type": "long"
},
"audit_counter": {
"type": "long"
},
"average_interarrival_time": {
"type": "long"
},
"bgp_destination_as_number": {
"type": "long"
},
"bgp_next_adjacent_as_number": {
"type": "long"
},
"bgp_next_hop_ipv4_address": {
"type": "ip"
},
"bgp_next_hop_ipv6_address": {
"type": "ip"
},
"bgp_prev_adjacent_as_number": {
"type": "long"
},
"bgp_source_as_number": {
"type": "long"
},
"bgp_validity_state": {
"type": "short"
},
"biflow_direction": {
"type": "short"
},
"bind_ipv4_address": {
"type": "ip"
},
"bind_transport_port": {
"type": "long"
},
"class_id": {
"type": "long"
},
"class_name": {
"ignore_above": 1024,
"type": "keyword"
},
"classification_engine_id": {
"type": "short"
},
"collection_time_milliseconds": {
"type": "date"
},
"collector_certificate": {
"type": "short"
},
"collector_ipv4_address": {
"type": "ip"
},
"collector_ipv6_address": {
"type": "ip"
},
"collector_transport_port": {
"type": "long"
},
"common_properties_id": {
"type": "long"
},
"confidence_level": {
"type": "double"
},
"conn_ipv4_address": {
"type": "ip"
},
"conn_transport_port": {
"type": "long"
},
"connection_sum_duration_seconds": {
"type": "long"
},
"connection_transaction_id": {
"type": "long"
},
"conntrack_id": {
"type": "long"
},
"data_byte_count": {
"type": "long"
},
"data_link_frame_section": {
"type": "short"
},
"data_link_frame_size": {
"type": "long"
},
"data_link_frame_type": {
"type": "long"
},
"data_records_reliability": {
"type": "boolean"
},
"delta_flow_count": {
"type": "long"
},
"destination_ipv4_address": {
"type": "ip"
},
"destination_ipv4_prefix": {
"type": "ip"
},
"destination_ipv4_prefix_length": {
"type": "short"
},
"destination_ipv6_address": {
"type": "ip"
},
"destination_ipv6_prefix": {
"type": "ip"
},
"destination_ipv6_prefix_length": {
"type": "short"
},
"destination_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_transport_port": {
"type": "long"
},
"digest_hash_value": {
"type": "long"
},
"distinct_count_of_destination_ip_address": {
"type": "long"
},
"distinct_count_of_destination_ipv4_address": {
"type": "long"
},
"distinct_count_of_destination_ipv6_address": {
"type": "long"
},
"distinct_count_of_source_ip_address": {
"type": "long"
},
"distinct_count_of_source_ipv4_address": {
"type": "long"
},
"distinct_count_of_source_ipv6_address": {
"type": "long"
},
"dns_authoritative": {
"type": "short"
},
"dns_cname": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_id": {
"type": "long"
},
"dns_mx_exchange": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_mx_preference": {
"type": "long"
},
"dns_nsd_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_nx_domain": {
"type": "short"
},
"dns_ptrd_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_qname": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_qr_type": {
"type": "long"
},
"dns_query_response": {
"type": "short"
},
"dns_rr_section": {
"type": "short"
},
"dns_soa_expire": {
"type": "long"
},
"dns_soa_minimum": {
"type": "long"
},
"dns_soa_refresh": {
"type": "long"
},
"dns_soa_retry": {
"type": "long"
},
"dns_soa_serial": {
"type": "long"
},
"dns_soam_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_soar_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_srv_port": {
"type": "long"
},
"dns_srv_priority": {
"type": "long"
},
"dns_srv_target": {
"type": "long"
},
"dns_srv_weight": {
"type": "long"
},
"dns_ttl": {
"type": "long"
},
"dns_txt_data": {
"ignore_above": 1024,
"type": "keyword"
},
"dot1q_customer_dei": {
"type": "boolean"
},
"dot1q_customer_destination_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"dot1q_customer_priority": {
"type": "short"
},
"dot1q_customer_source_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"dot1q_customer_vlan_id": {
"type": "long"
},
"dot1q_dei": {
"type": "boolean"
},
"dot1q_priority": {
"type": "short"
},
"dot1q_service_instance_id": {
"type": "long"
},
"dot1q_service_instance_priority": {
"type": "short"
},
"dot1q_service_instance_tag": {
"type": "short"
},
"dot1q_vlan_id": {
"type": "long"
},
"dropped_layer2_octet_delta_count": {
"type": "long"
},
"dropped_layer2_octet_total_count": {
"type": "long"
},
"dropped_octet_delta_count": {
"type": "long"
},
"dropped_octet_total_count": {
"type": "long"
},
"dropped_packet_delta_count": {
"type": "long"
},
"dropped_packet_total_count": {
"type": "long"
},
"dst_traffic_index": {
"type": "long"
},
"egress_broadcast_packet_total_count": {
"type": "long"
},
"egress_interface": {
"type": "long"
},
"egress_interface_type": {
"type": "long"
},
"egress_physical_interface": {
"type": "long"
},
"egress_unicast_packet_total_count": {
"type": "long"
},
"egress_vrfid": {
"type": "long"
},
"encrypted_technology": {
"ignore_above": 1024,
"type": "keyword"
},
"engine_id": {
"type": "short"
},
"engine_type": {
"type": "short"
},
"ethernet_header_length": {
"type": "short"
},
"ethernet_payload_length": {
"type": "long"
},
"ethernet_total_length": {
"type": "long"
},
"ethernet_type": {
"type": "long"
},
"expired_fragment_count": {
"type": "long"
},
"export_interface": {
"type": "long"
},
"export_protocol_version": {
"type": "short"
},
"export_sctp_stream_id": {
"type": "long"
},
"export_transport_protocol": {
"type": "short"
},
"exported_flow_record_total_count": {
"type": "long"
},
"exported_message_total_count": {
"type": "long"
},
"exported_octet_total_count": {
"type": "long"
},
"exporter": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"source_id": {
"type": "long"
},
"timestamp": {
"type": "date"
},
"uptime_millis": {
"type": "long"
},
"version": {
"type": "long"
}
}
},
"exporter_certificate": {
"type": "short"
},
"exporter_ipv4_address": {
"type": "ip"
},
"exporter_ipv6_address": {
"type": "ip"
},
"exporter_transport_port": {
"type": "long"
},
"exporting_process_id": {
"type": "long"
},
"external_address_realm": {
"type": "short"
},
"firewall_event": {
"type": "short"
},
"first_eight_non_empty_packet_directions": {
"type": "short"
},
"first_non_empty_packet_size": {
"type": "long"
},
"first_packet_banner": {
"ignore_above": 1024,
"type": "keyword"
},
"flags_and_sampler_id": {
"type": "long"
},
"flow_active_timeout": {
"type": "long"
},
"flow_attributes": {
"type": "long"
},
"flow_direction": {
"type": "short"
},
"flow_duration_microseconds": {
"type": "long"
},
"flow_duration_milliseconds": {
"type": "long"
},
"flow_end_delta_microseconds": {
"type": "long"
},
"flow_end_microseconds": {
"type": "date"
},
"flow_end_milliseconds": {
"type": "date"
},
"flow_end_nanoseconds": {
"type": "date"
},
"flow_end_reason": {
"type": "short"
},
"flow_end_seconds": {
"type": "date"
},
"flow_end_sys_up_time": {
"type": "long"
},
"flow_id": {
"type": "long"
},
"flow_idle_timeout": {
"type": "long"
},
"flow_key_indicator": {
"type": "long"
},
"flow_label_ipv6": {
"type": "long"
},
"flow_sampling_time_interval": {
"type": "long"
},
"flow_sampling_time_spacing": {
"type": "long"
},
"flow_selected_flow_delta_count": {
"type": "long"
},
"flow_selected_octet_delta_count": {
"type": "long"
},
"flow_selected_packet_delta_count": {
"type": "long"
},
"flow_selector_algorithm": {
"type": "long"
},
"flow_start_delta_microseconds": {
"type": "long"
},
"flow_start_microseconds": {
"type": "date"
},
"flow_start_milliseconds": {
"type": "date"
},
"flow_start_nanoseconds": {
"type": "date"
},
"flow_start_seconds": {
"type": "date"
},
"flow_start_sys_up_time": {
"type": "long"
},
"flow_table_flush_event_count": {
"type": "long"
},
"flow_table_peak_count": {
"type": "long"
},
"forwarding_status": {
"type": "short"
},
"fragment_flags": {
"type": "short"
},
"fragment_identification": {
"type": "long"
},
"fragment_offset": {
"type": "long"
},
"fw_blackout_secs": {
"type": "long"
},
"fw_configured_value": {
"type": "long"
},
"fw_cts_src_sgt": {
"type": "long"
},
"fw_event_level": {
"type": "long"
},
"fw_event_level_id": {
"type": "long"
},
"fw_ext_event": {
"type": "long"
},
"fw_ext_event_alt": {
"type": "long"
},
"fw_ext_event_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"fw_half_open_count": {
"type": "long"
},
"fw_half_open_high": {
"type": "long"
},
"fw_half_open_rate": {
"type": "long"
},
"fw_max_sessions": {
"type": "long"
},
"fw_rule": {
"ignore_above": 1024,
"type": "keyword"
},
"fw_summary_pkt_count": {
"type": "long"
},
"fw_zone_pair_id": {
"type": "long"
},
"fw_zone_pair_name": {
"type": "long"
},
"global_address_mapping_high_threshold": {
"type": "long"
},
"gre_key": {
"type": "long"
},
"hash_digest_output": {
"type": "boolean"
},
"hash_flow_domain": {
"type": "long"
},
"hash_initialiser_value": {
"type": "long"
},
"hash_ip_payload_offset": {
"type": "long"
},
"hash_ip_payload_size": {
"type": "long"
},
"hash_output_range_max": {
"type": "long"
},
"hash_output_range_min": {
"type": "long"
},
"hash_selected_range_max": {
"type": "long"
},
"hash_selected_range_min": {
"type": "long"
},
"http_content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"http_message_version": {
"ignore_above": 1024,
"type": "keyword"
},
"http_reason_phrase": {
"ignore_above": 1024,
"type": "keyword"
},
"http_request_host": {
"ignore_above": 1024,
"type": "keyword"
},
"http_request_method": {
"ignore_above": 1024,
"type": "keyword"
},
"http_request_target": {
"ignore_above": 1024,
"type": "keyword"
},
"http_status_code": {
"type": "long"
},
"http_user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code_ipv4": {
"type": "short"
},
"icmp_code_ipv6": {
"type": "short"
},
"icmp_type_code_ipv4": {
"type": "long"
},
"icmp_type_code_ipv6": {
"type": "long"
},
"icmp_type_ipv4": {
"type": "short"
},
"icmp_type_ipv6": {
"type": "short"
},
"igmp_type": {
"type": "short"
},
"ignored_data_record_total_count": {
"type": "long"
},
"ignored_layer2_frame_total_count": {
"type": "long"
},
"ignored_layer2_octet_total_count": {
"type": "long"
},
"ignored_octet_total_count": {
"type": "long"
},
"ignored_packet_total_count": {
"type": "long"
},
"information_element_data_type": {
"type": "short"
},
"information_element_description": {
"ignore_above": 1024,
"type": "keyword"
},
"information_element_id": {
"type": "long"
},
"information_element_index": {
"type": "long"
},
"information_element_name": {
"ignore_above": 1024,
"type": "keyword"
},
"information_element_range_begin": {
"type": "long"
},
"information_element_range_end": {
"type": "long"
},
"information_element_semantics": {
"type": "short"
},
"information_element_units": {
"type": "long"
},
"ingress_broadcast_packet_total_count": {
"type": "long"
},
"ingress_interface": {
"type": "long"
},
"ingress_interface_type": {
"type": "long"
},
"ingress_multicast_packet_total_count": {
"type": "long"
},
"ingress_physical_interface": {
"type": "long"
},
"ingress_unicast_packet_total_count": {
"type": "long"
},
"ingress_vrfid": {
"type": "long"
},
"initial_tcp_flags": {
"type": "short"
},
"initiator_octets": {
"type": "long"
},
"initiator_packets": {
"type": "long"
},
"interface_description": {
"ignore_above": 1024,
"type": "keyword"
},
"interface_name": {
"ignore_above": 1024,
"type": "keyword"
},
"intermediate_process_id": {
"type": "long"
},
"internal_address_realm": {
"type": "short"
},
"ip_class_of_service": {
"type": "short"
},
"ip_diff_serv_code_point": {
"type": "short"
},
"ip_header_length": {
"type": "short"
},
"ip_header_packet_section": {
"type": "short"
},
"ip_next_hop_ipv4_address": {
"type": "ip"
},
"ip_next_hop_ipv6_address": {
"type": "ip"
},
"ip_payload_length": {
"type": "long"
},
"ip_payload_packet_section": {
"type": "short"
},
"ip_precedence": {
"type": "short"
},
"ip_sec_spi": {
"type": "long"
},
"ip_total_length": {
"type": "long"
},
"ip_ttl": {
"type": "short"
},
"ip_version": {
"type": "short"
},
"ipv4_ihl": {
"type": "short"
},
"ipv4_options": {
"type": "long"
},
"ipv4_router_sc": {
"type": "ip"
},
"ipv6_extension_headers": {
"type": "long"
},
"is_multicast": {
"type": "short"
},
"ixia_browser_id": {
"type": "short"
},
"ixia_browser_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_device_id": {
"type": "short"
},
"ixia_device_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_dns_answer": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_dns_classes": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_dns_query": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_dns_record_txt": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_dst_as_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_dst_city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_dst_country_code": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_dst_country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_dst_latitude": {
"type": "float"
},
"ixia_dst_longitude": {
"type": "float"
},
"ixia_dst_region_code": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_dst_region_node": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_encrypt_cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_encrypt_key_length": {
"type": "long"
},
"ixia_encrypt_type": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_http_host_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_http_uri": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_http_user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_imsi_subscriber": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_l7_app_id": {
"type": "long"
},
"ixia_l7_app_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_latency": {
"type": "long"
},
"ixia_rev_octet_delta_count": {
"type": "long"
},
"ixia_rev_packet_delta_count": {
"type": "long"
},
"ixia_src_as_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_src_city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_src_country_code": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_src_country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_src_latitude": {
"type": "float"
},
"ixia_src_longitude": {
"type": "float"
},
"ixia_src_region_code": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_src_region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ixia_threat_ipv4": {
"type": "ip"
},
"ixia_threat_ipv6": {
"type": "ip"
},
"ixia_threat_type": {
"ignore_above": 1024,
"type": "keyword"
},
"large_packet_count": {
"type": "long"
},
"layer2_frame_delta_count": {
"type": "long"
},
"layer2_frame_total_count": {
"type": "long"
},
"layer2_octet_delta_count": {
"type": "long"
},
"layer2_octet_delta_sum_of_squares": {
"type": "long"
},
"layer2_octet_total_count": {
"type": "long"
},
"layer2_octet_total_sum_of_squares": {
"type": "long"
},
"layer2_segment_id": {
"type": "long"
},
"layer2packet_section_data": {
"type": "short"
},
"layer2packet_section_offset": {
"type": "long"
},
"layer2packet_section_size": {
"type": "long"
},
"line_card_id": {
"type": "long"
},
"log_op": {
"type": "short"
},
"lower_ci_limit": {
"type": "double"
},
"mark": {
"type": "long"
},
"max_bib_entries": {
"type": "long"
},
"max_entries_per_user": {
"type": "long"
},
"max_export_seconds": {
"type": "date"
},
"max_flow_end_microseconds": {
"type": "date"
},
"max_flow_end_milliseconds": {
"type": "date"
},
"max_flow_end_nanoseconds": {
"type": "date"
},
"max_flow_end_seconds": {
"type": "date"
},
"max_fragments_pending_reassembly": {
"type": "long"
},
"max_packet_size": {
"type": "long"
},
"max_session_entries": {
"type": "long"
},
"max_subscribers": {
"type": "long"
},
"maximum_ip_total_length": {
"type": "long"
},
"maximum_layer2_total_length": {
"type": "long"
},
"maximum_ttl": {
"type": "short"
},
"mean_flow_rate": {
"type": "long"
},
"mean_packet_rate": {
"type": "long"
},
"message_md5_checksum": {
"type": "short"
},
"message_scope": {
"type": "short"
},
"metering_process_id": {
"type": "long"
},
"metro_evc_id": {
"ignore_above": 1024,
"type": "keyword"
},
"metro_evc_type": {
"type": "short"
},
"mib_capture_time_semantics": {
"type": "short"
},
"mib_context_engine_id": {
"type": "short"
},
"mib_context_name": {
"ignore_above": 1024,
"type": "keyword"
},
"mib_index_indicator": {
"type": "long"
},
"mib_module_name": {
"ignore_above": 1024,
"type": "keyword"
},
"mib_object_description": {
"ignore_above": 1024,
"type": "keyword"
},
"mib_object_identifier": {
"type": "short"
},
"mib_object_name": {
"ignore_above": 1024,
"type": "keyword"
},
"mib_object_syntax": {
"ignore_above": 1024,
"type": "keyword"
},
"mib_object_value_bits": {
"type": "short"
},
"mib_object_value_counter": {
"type": "long"
},
"mib_object_value_gauge": {
"type": "long"
},
"mib_object_value_integer": {
"type": "long"
},
"mib_object_value_ip_address": {
"type": "ip"
},
"mib_object_value_octet_string": {
"type": "short"
},
"mib_object_value_oid": {
"type": "short"
},
"mib_object_value_time_ticks": {
"type": "long"
},
"mib_object_value_unsigned": {
"type": "long"
},
"mib_sub_identifier": {
"type": "long"
},
"min_export_seconds": {
"type": "date"
},
"min_flow_start_microseconds": {
"type": "date"
},
"min_flow_start_milliseconds": {
"type": "date"
},
"min_flow_start_nanoseconds": {
"type": "date"
},
"min_flow_start_seconds": {
"type": "date"
},
"minimum_ip_total_length": {
"type": "long"
},
"minimum_layer2_total_length": {
"type": "long"
},
"minimum_ttl": {
"type": "short"
},
"mobile_imsi": {
"ignore_above": 1024,
"type": "keyword"
},
"mobile_msisdn": {
"ignore_above": 1024,
"type": "keyword"
},
"monitoring_interval_end_milli_seconds": {
"type": "date"
},
"monitoring_interval_start_milli_seconds": {
"type": "date"
},
"mpls_label_stack_depth": {
"type": "long"
},
"mpls_label_stack_length": {
"type": "long"
},
"mpls_label_stack_section": {
"type": "short"
},
"mpls_label_stack_section10": {
"type": "short"
},
"mpls_label_stack_section2": {
"type": "short"
},
"mpls_label_stack_section3": {
"type": "short"
},
"mpls_label_stack_section4": {
"type": "short"
},
"mpls_label_stack_section5": {
"type": "short"
},
"mpls_label_stack_section6": {
"type": "short"
},
"mpls_label_stack_section7": {
"type": "short"
},
"mpls_label_stack_section8": {
"type": "short"
},
"mpls_label_stack_section9": {
"type": "short"
},
"mpls_payload_length": {
"type": "long"
},
"mpls_payload_packet_section": {
"type": "short"
},
"mpls_top_label_exp": {
"type": "short"
},
"mpls_top_label_ipv4_address": {
"type": "ip"
},
"mpls_top_label_ipv6_address": {
"type": "ip"
},
"mpls_top_label_prefix_length": {
"type": "short"
},
"mpls_top_label_stack_section": {
"type": "short"
},
"mpls_top_label_ttl": {
"type": "short"
},
"mpls_top_label_type": {
"type": "short"
},
"mpls_vpn_route_distinguisher": {
"type": "short"
},
"mptcp_address_id": {
"type": "short"
},
"mptcp_flags": {
"type": "short"
},
"mptcp_initial_data_sequence_number": {
"type": "long"
},
"mptcp_maximum_segment_size": {
"type": "long"
},
"mptcp_receiver_token": {
"type": "long"
},
"multicast_replication_factor": {
"type": "long"
},
"nat_event": {
"type": "short"
},
"nat_inside_svcid": {
"type": "long"
},
"nat_instance_id": {
"type": "long"
},
"nat_originating_address_realm": {
"type": "short"
},
"nat_outside_svcid": {
"type": "long"
},
"nat_pool_id": {
"type": "long"
},
"nat_pool_name": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_quota_exceeded_event": {
"type": "long"
},
"nat_sub_string": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_threshold_event": {
"type": "long"
},
"nat_type": {
"type": "short"
},
"netscale_ica_client_version": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_aaa_username": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_app_name": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_app_name_app_id": {
"type": "long"
},
"netscaler_app_name_incarnation_number": {
"type": "long"
},
"netscaler_app_template_name": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_app_unit_name_app_id": {
"type": "long"
},
"netscaler_application_startup_duration": {
"type": "long"
},
"netscaler_application_startup_time": {
"type": "long"
},
"netscaler_cache_redir_client_connection_core_id": {
"type": "long"
},
"netscaler_cache_redir_client_connection_transaction_id": {
"type": "long"
},
"netscaler_client_rtt": {
"type": "long"
},
"netscaler_connection_chain_hop_count": {
"type": "long"
},
"netscaler_connection_chain_id": {
"type": "short"
},
"netscaler_connection_id": {
"type": "long"
},
"netscaler_current_license_consumed": {
"type": "long"
},
"netscaler_db_clt_host_name": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_db_database_name": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_db_login_flags": {
"type": "long"
},
"netscaler_db_protocol_name": {
"type": "short"
},
"netscaler_db_req_string": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_db_req_type": {
"type": "short"
},
"netscaler_db_resp_length": {
"type": "long"
},
"netscaler_db_resp_status": {
"type": "long"
},
"netscaler_db_resp_status_string": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_db_user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_flow_flags": {
"type": "long"
},
"netscaler_http_client_interaction_end_time": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_client_interaction_start_time": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_client_render_end_time": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_client_render_start_time": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_domain_name": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_req_authorization": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_req_cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_req_forw_fb": {
"type": "long"
},
"netscaler_http_req_forw_lb": {
"type": "long"
},
"netscaler_http_req_host": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_req_method": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_req_rcv_fb": {
"type": "long"
},
"netscaler_http_req_rcv_lb": {
"type": "long"
},
"netscaler_http_req_referer": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_req_url": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_req_user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_req_via": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_req_xforwarded_for": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_res_forw_fb": {
"type": "long"
},
"netscaler_http_res_forw_lb": {
"type": "long"
},
"netscaler_http_res_location": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_res_rcv_fb": {
"type": "long"
},
"netscaler_http_res_rcv_lb": {
"type": "long"
},
"netscaler_http_res_set_cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_res_set_cookie2": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_http_rsp_len": {
"type": "long"
},
"netscaler_http_rsp_status": {
"type": "long"
},
"netscaler_ica_app_module_path": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_ica_app_process_id": {
"type": "long"
},
"netscaler_ica_application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_ica_application_termination_time": {
"type": "long"
},
"netscaler_ica_application_termination_type": {
"type": "long"
},
"netscaler_ica_channel_id1": {
"type": "long"
},
"netscaler_ica_channel_id1_bytes": {
"type": "long"
},
"netscaler_ica_channel_id2": {
"type": "long"
},
"netscaler_ica_channel_id2_bytes": {
"type": "long"
},
"netscaler_ica_channel_id3": {
"type": "long"
},
"netscaler_ica_channel_id3_bytes": {
"type": "long"
},
"netscaler_ica_channel_id4": {
"type": "long"
},
"netscaler_ica_channel_id4_bytes": {
"type": "long"
},
"netscaler_ica_channel_id5": {
"type": "long"
},
"netscaler_ica_channel_id5_bytes": {
"type": "long"
},
"netscaler_ica_client_host_name": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_ica_client_ip": {
"type": "ip"
},
"netscaler_ica_client_launcher": {
"type": "long"
},
"netscaler_ica_client_side_rto_count": {
"type": "long"
},
"netscaler_ica_client_side_window_size": {
"type": "long"
},
"netscaler_ica_client_type": {
"type": "long"
},
"netscaler_ica_clientside_delay": {
"type": "long"
},
"netscaler_ica_clientside_jitter": {
"type": "long"
},
"netscaler_ica_clientside_packets_retransmit": {
"type": "long"
},
"netscaler_ica_clientside_rtt": {
"type": "long"
},
"netscaler_ica_clientside_rx_bytes": {
"type": "long"
},
"netscaler_ica_clientside_srtt": {
"type": "long"
},
"netscaler_ica_clientside_tx_bytes": {
"type": "long"
},
"netscaler_ica_connection_priority": {
"type": "long"
},
"netscaler_ica_device_serial_no": {
"type": "long"
},
"netscaler_ica_domain_name": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_ica_flags": {
"type": "long"
},
"netscaler_ica_host_delay": {
"type": "long"
},
"netscaler_ica_l7_client_latency": {
"type": "long"
},
"netscaler_ica_l7_server_latency": {
"type": "long"
},
"netscaler_ica_launch_mechanism": {
"type": "long"
},
"netscaler_ica_network_update_end_time": {
"type": "long"
},
"netscaler_ica_network_update_start_time": {
"type": "long"
},
"netscaler_ica_rtt": {
"type": "long"
},
"netscaler_ica_server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_ica_server_side_rto_count": {
"type": "long"
},
"netscaler_ica_server_side_window_size": {
"type": "long"
},
"netscaler_ica_serverside_delay": {
"type": "long"
},
"netscaler_ica_serverside_jitter": {
"type": "long"
},
"netscaler_ica_serverside_packets_retransmit": {
"type": "long"
},
"netscaler_ica_serverside_rtt": {
"type": "long"
},
"netscaler_ica_serverside_srtt": {
"type": "long"
},
"netscaler_ica_session_end_time": {
"type": "long"
},
"netscaler_ica_session_guid": {
"type": "short"
},
"netscaler_ica_session_reconnects": {
"type": "short"
},
"netscaler_ica_session_setup_time": {
"type": "long"
},
"netscaler_ica_session_update_begin_sec": {
"type": "long"
},
"netscaler_ica_session_update_end_sec": {
"type": "long"
},
"netscaler_ica_username": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_license_type": {
"type": "short"
},
"netscaler_main_page_core_id": {
"type": "long"
},
"netscaler_main_page_id": {
"type": "long"
},
"netscaler_max_license_count": {
"type": "long"
},
"netscaler_msi_client_cookie": {
"type": "short"
},
"netscaler_round_trip_time": {
"type": "long"
},
"netscaler_server_ttfb": {
"type": "long"
},
"netscaler_server_ttlb": {
"type": "long"
},
"netscaler_syslog_message": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_syslog_priority": {
"type": "short"
},
"netscaler_syslog_timestamp": {
"type": "long"
},
"netscaler_transaction_id": {
"type": "long"
},
"netscaler_unknown270": {
"type": "long"
},
"netscaler_unknown271": {
"type": "long"
},
"netscaler_unknown272": {
"type": "long"
},
"netscaler_unknown273": {
"type": "long"
},
"netscaler_unknown274": {
"type": "long"
},
"netscaler_unknown275": {
"type": "long"
},
"netscaler_unknown276": {
"type": "long"
},
"netscaler_unknown277": {
"type": "long"
},
"netscaler_unknown278": {
"type": "long"
},
"netscaler_unknown279": {
"type": "long"
},
"netscaler_unknown280": {
"type": "long"
},
"netscaler_unknown281": {
"type": "long"
},
"netscaler_unknown282": {
"type": "long"
},
"netscaler_unknown283": {
"type": "long"
},
"netscaler_unknown284": {
"type": "long"
},
"netscaler_unknown285": {
"type": "long"
},
"netscaler_unknown286": {
"type": "long"
},
"netscaler_unknown287": {
"type": "long"
},
"netscaler_unknown288": {
"type": "long"
},
"netscaler_unknown289": {
"type": "long"
},
"netscaler_unknown290": {
"type": "long"
},
"netscaler_unknown291": {
"type": "long"
},
"netscaler_unknown292": {
"type": "long"
},
"netscaler_unknown293": {
"type": "long"
},
"netscaler_unknown294": {
"type": "long"
},
"netscaler_unknown295": {
"type": "long"
},
"netscaler_unknown296": {
"type": "long"
},
"netscaler_unknown297": {
"type": "long"
},
"netscaler_unknown298": {
"type": "long"
},
"netscaler_unknown299": {
"type": "long"
},
"netscaler_unknown300": {
"type": "long"
},
"netscaler_unknown301": {
"type": "long"
},
"netscaler_unknown302": {
"type": "long"
},
"netscaler_unknown303": {
"type": "long"
},
"netscaler_unknown304": {
"type": "long"
},
"netscaler_unknown305": {
"type": "long"
},
"netscaler_unknown306": {
"type": "long"
},
"netscaler_unknown307": {
"type": "long"
},
"netscaler_unknown308": {
"type": "long"
},
"netscaler_unknown309": {
"type": "long"
},
"netscaler_unknown310": {
"type": "long"
},
"netscaler_unknown311": {
"type": "long"
},
"netscaler_unknown312": {
"type": "long"
},
"netscaler_unknown313": {
"type": "long"
},
"netscaler_unknown314": {
"type": "long"
},
"netscaler_unknown315": {
"type": "long"
},
"netscaler_unknown316": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_unknown317": {
"type": "long"
},
"netscaler_unknown318": {
"type": "long"
},
"netscaler_unknown319": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_unknown320": {
"type": "long"
},
"netscaler_unknown321": {
"type": "long"
},
"netscaler_unknown322": {
"type": "long"
},
"netscaler_unknown323": {
"type": "long"
},
"netscaler_unknown324": {
"type": "long"
},
"netscaler_unknown325": {
"type": "long"
},
"netscaler_unknown326": {
"type": "long"
},
"netscaler_unknown327": {
"type": "long"
},
"netscaler_unknown328": {
"type": "long"
},
"netscaler_unknown329": {
"type": "long"
},
"netscaler_unknown330": {
"type": "long"
},
"netscaler_unknown331": {
"type": "long"
},
"netscaler_unknown332": {
"type": "long"
},
"netscaler_unknown333": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_unknown334": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_unknown335": {
"type": "long"
},
"netscaler_unknown336": {
"type": "long"
},
"netscaler_unknown337": {
"type": "long"
},
"netscaler_unknown338": {
"type": "long"
},
"netscaler_unknown339": {
"type": "long"
},
"netscaler_unknown340": {
"type": "long"
},
"netscaler_unknown341": {
"type": "long"
},
"netscaler_unknown342": {
"type": "long"
},
"netscaler_unknown343": {
"type": "long"
},
"netscaler_unknown344": {
"type": "long"
},
"netscaler_unknown345": {
"type": "long"
},
"netscaler_unknown346": {
"type": "long"
},
"netscaler_unknown347": {
"type": "long"
},
"netscaler_unknown348": {
"type": "long"
},
"netscaler_unknown349": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_unknown350": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_unknown351": {
"ignore_above": 1024,
"type": "keyword"
},
"netscaler_unknown352": {
"type": "long"
},
"netscaler_unknown353": {
"type": "long"
},
"netscaler_unknown354": {
"type": "long"
},
"netscaler_unknown355": {
"type": "long"
},
"netscaler_unknown356": {
"type": "long"
},
"netscaler_unknown357": {
"type": "long"
},
"netscaler_unknown363": {
"type": "short"
},
"netscaler_unknown383": {
"type": "short"
},
"netscaler_unknown391": {
"type": "long"
},
"netscaler_unknown398": {
"type": "long"
},
"netscaler_unknown404": {
"type": "long"
},
"netscaler_unknown405": {
"type": "long"
},
"netscaler_unknown427": {
"type": "long"
},
"netscaler_unknown429": {
"type": "short"
},
"netscaler_unknown432": {
"type": "short"
},
"netscaler_unknown433": {
"type": "short"
},
"netscaler_unknown453": {
"type": "long"
},
"netscaler_unknown465": {
"type": "long"
},
"new_connection_delta_count": {
"type": "long"
},
"next_header_ipv6": {
"type": "short"
},
"non_empty_packet_count": {
"type": "long"
},
"not_sent_flow_total_count": {
"type": "long"
},
"not_sent_layer2_octet_total_count": {
"type": "long"
},
"not_sent_octet_total_count": {
"type": "long"
},
"not_sent_packet_total_count": {
"type": "long"
},
"observation_domain_id": {
"type": "long"
},
"observation_domain_name": {
"ignore_above": 1024,
"type": "keyword"
},
"observation_point_id": {
"type": "long"
},
"observation_point_type": {
"type": "short"
},
"observation_time_microseconds": {
"type": "date"
},
"observation_time_milliseconds": {
"type": "date"
},
"observation_time_nanoseconds": {
"type": "date"
},
"observation_time_seconds": {
"type": "date"
},
"observed_flow_total_count": {
"type": "long"
},
"octet_delta_count": {
"type": "long"
},
"octet_delta_sum_of_squares": {
"type": "long"
},
"octet_total_count": {
"type": "long"
},
"octet_total_sum_of_squares": {
"type": "long"
},
"opaque_octets": {
"type": "short"
},
"original_exporter_ipv4_address": {
"type": "ip"
},
"original_exporter_ipv6_address": {
"type": "ip"
},
"original_flows_completed": {
"type": "long"
},
"original_flows_initiated": {
"type": "long"
},
"original_flows_present": {
"type": "long"
},
"original_observation_domain_id": {
"type": "long"
},
"os_finger_print": {
"ignore_above": 1024,
"type": "keyword"
},
"os_name": {
"ignore_above": 1024,
"type": "keyword"
},
"os_version": {
"ignore_above": 1024,
"type": "keyword"
},
"p2p_technology": {
"ignore_above": 1024,
"type": "keyword"
},
"packet_delta_count": {
"type": "long"
},
"packet_total_count": {
"type": "long"
},
"padding_octets": {
"type": "short"
},
"payload": {
"ignore_above": 1024,
"type": "keyword"
},
"payload_entropy": {
"type": "short"
},
"payload_length_ipv6": {
"type": "long"
},
"policy_qos_classification_hierarchy": {
"type": "long"
},
"policy_qos_queue_index": {
"type": "long"
},
"policy_qos_queuedrops": {
"type": "long"
},
"policy_qos_queueindex": {
"type": "long"
},
"port_id": {
"type": "long"
},
"port_range_end": {
"type": "long"
},
"port_range_num_ports": {
"type": "long"
},
"port_range_start": {
"type": "long"
},
"port_range_step_size": {
"type": "long"
},
"post_destination_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"post_dot1q_customer_vlan_id": {
"type": "long"
},
"post_dot1q_vlan_id": {
"type": "long"
},
"post_ip_class_of_service": {
"type": "short"
},
"post_ip_diff_serv_code_point": {
"type": "short"
},
"post_ip_precedence": {
"type": "short"
},
"post_layer2_octet_delta_count": {
"type": "long"
},
"post_layer2_octet_total_count": {
"type": "long"
},
"post_mcast_layer2_octet_delta_count": {
"type": "long"
},
"post_mcast_layer2_octet_total_count": {
"type": "long"
},
"post_mcast_octet_delta_count": {
"type": "long"
},
"post_mcast_octet_total_count": {
"type": "long"
},
"post_mcast_packet_delta_count": {
"type": "long"
},
"post_mcast_packet_total_count": {
"type": "long"
},
"post_mpls_top_label_exp": {
"type": "short"
},
"post_napt_destination_transport_port": {
"type": "long"
},
"post_napt_source_transport_port": {
"type": "long"
},
"post_nat_destination_ipv4_address": {
"type": "ip"
},
"post_nat_destination_ipv6_address": {
"type": "ip"
},
"post_nat_source_ipv4_address": {
"type": "ip"
},
"post_nat_source_ipv6_address": {
"type": "ip"
},
"post_octet_delta_count": {
"type": "long"
},
"post_octet_total_count": {
"type": "long"
},
"post_packet_delta_count": {
"type": "long"
},
"post_packet_total_count": {
"type": "long"
},
"post_source_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"post_vlan_id": {
"type": "long"
},
"private_enterprise_number": {
"type": "long"
},
"procera_apn": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_base_service": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_content_categories": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_device_id": {
"type": "long"
},
"procera_external_rtt": {
"type": "long"
},
"procera_flow_behavior": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_ggsn": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_http_content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_http_file_length": {
"type": "long"
},
"procera_http_language": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_http_location": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_http_referer": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_http_request_method": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_http_request_version": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_http_response_status": {
"type": "long"
},
"procera_http_url": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_http_user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_imsi": {
"type": "long"
},
"procera_incoming_octets": {
"type": "long"
},
"procera_incoming_packets": {
"type": "long"
},
"procera_incoming_shaping_drops": {
"type": "long"
},
"procera_incoming_shaping_latency": {
"type": "long"
},
"procera_internal_rtt": {
"type": "long"
},
"procera_local_ipv4_host": {
"type": "ip"
},
"procera_local_ipv6_host": {
"type": "ip"
},
"procera_msisdn": {
"type": "long"
},
"procera_outgoing_octets": {
"type": "long"
},
"procera_outgoing_packets": {
"type": "long"
},
"procera_outgoing_shaping_drops": {
"type": "long"
},
"procera_outgoing_shaping_latency": {
"type": "long"
},
"procera_property": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_qoe_incoming_external": {
"type": "float"
},
"procera_qoe_incoming_internal": {
"type": "float"
},
"procera_qoe_outgoing_external": {
"type": "float"
},
"procera_qoe_outgoing_internal": {
"type": "float"
},
"procera_rat": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_remote_ipv4_host": {
"type": "ip"
},
"procera_remote_ipv6_host": {
"type": "ip"
},
"procera_rnc": {
"type": "long"
},
"procera_server_hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_service": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_sgsn": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_subscriber_identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_template_name": {
"ignore_above": 1024,
"type": "keyword"
},
"procera_user_location_information": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol_identifier": {
"type": "short"
},
"pseudo_wire_control_word": {
"type": "long"
},
"pseudo_wire_destination_ipv4_address": {
"type": "ip"
},
"pseudo_wire_id": {
"type": "long"
},
"pseudo_wire_type": {
"type": "long"
},
"reason": {
"type": "long"
},
"reason_text": {
"ignore_above": 1024,
"type": "keyword"
},
"relative_error": {
"type": "double"
},
"responder_octets": {
"type": "long"
},
"responder_packets": {
"type": "long"
},
"reverse_absolute_error": {
"type": "double"
},
"reverse_anonymization_flags": {
"type": "long"
},
"reverse_anonymization_technique": {
"type": "long"
},
"reverse_application_category_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_application_description": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_application_group_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_application_id": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_application_sub_category_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_average_interarrival_time": {
"type": "long"
},
"reverse_bgp_destination_as_number": {
"type": "long"
},
"reverse_bgp_next_adjacent_as_number": {
"type": "long"
},
"reverse_bgp_next_hop_ipv4_address": {
"type": "ip"
},
"reverse_bgp_next_hop_ipv6_address": {
"type": "ip"
},
"reverse_bgp_prev_adjacent_as_number": {
"type": "long"
},
"reverse_bgp_source_as_number": {
"type": "long"
},
"reverse_bgp_validity_state": {
"type": "short"
},
"reverse_class_id": {
"type": "short"
},
"reverse_class_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_classification_engine_id": {
"type": "short"
},
"reverse_collection_time_milliseconds": {
"type": "long"
},
"reverse_collector_certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_confidence_level": {
"type": "double"
},
"reverse_connection_sum_duration_seconds": {
"type": "long"
},
"reverse_connection_transaction_id": {
"type": "long"
},
"reverse_data_byte_count": {
"type": "long"
},
"reverse_data_link_frame_section": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_data_link_frame_size": {
"type": "long"
},
"reverse_data_link_frame_type": {
"type": "long"
},
"reverse_data_records_reliability": {
"type": "short"
},
"reverse_delta_flow_count": {
"type": "long"
},
"reverse_destination_ipv4_address": {
"type": "ip"
},
"reverse_destination_ipv4_prefix": {
"type": "ip"
},
"reverse_destination_ipv4_prefix_length": {
"type": "short"
},
"reverse_destination_ipv6_address": {
"type": "ip"
},
"reverse_destination_ipv6_prefix": {
"type": "ip"
},
"reverse_destination_ipv6_prefix_length": {
"type": "short"
},
"reverse_destination_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_destination_transport_port": {
"type": "long"
},
"reverse_digest_hash_value": {
"type": "long"
},
"reverse_distinct_count_of_destination_ip_address": {
"type": "long"
},
"reverse_distinct_count_of_destination_ipv4_address": {
"type": "long"
},
"reverse_distinct_count_of_destination_ipv6_address": {
"type": "long"
},
"reverse_distinct_count_of_source_ip_address": {
"type": "long"
},
"reverse_distinct_count_of_source_ipv4_address": {
"type": "long"
},
"reverse_distinct_count_of_source_ipv6_address": {
"type": "long"
},
"reverse_dot1q_customer_dei": {
"type": "short"
},
"reverse_dot1q_customer_destination_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_dot1q_customer_priority": {
"type": "short"
},
"reverse_dot1q_customer_source_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_dot1q_customer_vlan_id": {
"type": "long"
},
"reverse_dot1q_dei": {
"type": "short"
},
"reverse_dot1q_priority": {
"type": "short"
},
"reverse_dot1q_service_instance_id": {
"type": "long"
},
"reverse_dot1q_service_instance_priority": {
"type": "short"
},
"reverse_dot1q_service_instance_tag": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_dot1q_vlan_id": {
"type": "long"
},
"reverse_dropped_layer2_octet_delta_count": {
"type": "long"
},
"reverse_dropped_layer2_octet_total_count": {
"type": "long"
},
"reverse_dropped_octet_delta_count": {
"type": "long"
},
"reverse_dropped_octet_total_count": {
"type": "long"
},
"reverse_dropped_packet_delta_count": {
"type": "long"
},
"reverse_dropped_packet_total_count": {
"type": "long"
},
"reverse_dst_traffic_index": {
"type": "long"
},
"reverse_egress_broadcast_packet_total_count": {
"type": "long"
},
"reverse_egress_interface": {
"type": "long"
},
"reverse_egress_interface_type": {
"type": "long"
},
"reverse_egress_physical_interface": {
"type": "long"
},
"reverse_egress_unicast_packet_total_count": {
"type": "long"
},
"reverse_egress_vrfid": {
"type": "long"
},
"reverse_encrypted_technology": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_engine_id": {
"type": "short"
},
"reverse_engine_type": {
"type": "short"
},
"reverse_ethernet_header_length": {
"type": "short"
},
"reverse_ethernet_payload_length": {
"type": "long"
},
"reverse_ethernet_total_length": {
"type": "long"
},
"reverse_ethernet_type": {
"type": "long"
},
"reverse_export_sctp_stream_id": {
"type": "long"
},
"reverse_exporter_certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_exporting_process_id": {
"type": "long"
},
"reverse_firewall_event": {
"type": "short"
},
"reverse_first_non_empty_packet_size": {
"type": "long"
},
"reverse_first_packet_banner": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_flags_and_sampler_id": {
"type": "long"
},
"reverse_flow_active_timeout": {
"type": "long"
},
"reverse_flow_attributes": {
"type": "long"
},
"reverse_flow_delta_milliseconds": {
"type": "long"
},
"reverse_flow_direction": {
"type": "short"
},
"reverse_flow_duration_microseconds": {
"type": "long"
},
"reverse_flow_duration_milliseconds": {
"type": "long"
},
"reverse_flow_end_delta_microseconds": {
"type": "long"
},
"reverse_flow_end_microseconds": {
"type": "long"
},
"reverse_flow_end_milliseconds": {
"type": "long"
},
"reverse_flow_end_nanoseconds": {
"type": "long"
},
"reverse_flow_end_reason": {
"type": "short"
},
"reverse_flow_end_seconds": {
"type": "long"
},
"reverse_flow_end_sys_up_time": {
"type": "long"
},
"reverse_flow_idle_timeout": {
"type": "long"
},
"reverse_flow_label_ipv6": {
"type": "long"
},
"reverse_flow_sampling_time_interval": {
"type": "long"
},
"reverse_flow_sampling_time_spacing": {
"type": "long"
},
"reverse_flow_selected_flow_delta_count": {
"type": "long"
},
"reverse_flow_selected_octet_delta_count": {
"type": "long"
},
"reverse_flow_selected_packet_delta_count": {
"type": "long"
},
"reverse_flow_selector_algorithm": {
"type": "long"
},
"reverse_flow_start_delta_microseconds": {
"type": "long"
},
"reverse_flow_start_microseconds": {
"type": "long"
},
"reverse_flow_start_milliseconds": {
"type": "long"
},
"reverse_flow_start_nanoseconds": {
"type": "long"
},
"reverse_flow_start_seconds": {
"type": "long"
},
"reverse_flow_start_sys_up_time": {
"type": "long"
},
"reverse_forwarding_status": {
"type": "long"
},
"reverse_fragment_flags": {
"type": "short"
},
"reverse_fragment_identification": {
"type": "long"
},
"reverse_fragment_offset": {
"type": "long"
},
"reverse_gre_key": {
"type": "long"
},
"reverse_hash_digest_output": {
"type": "short"
},
"reverse_hash_flow_domain": {
"type": "long"
},
"reverse_hash_initialiser_value": {
"type": "long"
},
"reverse_hash_ip_payload_offset": {
"type": "long"
},
"reverse_hash_ip_payload_size": {
"type": "long"
},
"reverse_hash_output_range_max": {
"type": "long"
},
"reverse_hash_output_range_min": {
"type": "long"
},
"reverse_hash_selected_range_max": {
"type": "long"
},
"reverse_hash_selected_range_min": {
"type": "long"
},
"reverse_icmp_code_ipv4": {
"type": "short"
},
"reverse_icmp_code_ipv6": {
"type": "short"
},
"reverse_icmp_type_code_ipv4": {
"type": "long"
},
"reverse_icmp_type_code_ipv6": {
"type": "long"
},
"reverse_icmp_type_ipv4": {
"type": "short"
},
"reverse_icmp_type_ipv6": {
"type": "short"
},
"reverse_igmp_type": {
"type": "short"
},
"reverse_ignored_data_record_total_count": {
"type": "long"
},
"reverse_ignored_layer2_frame_total_count": {
"type": "long"
},
"reverse_ignored_layer2_octet_total_count": {
"type": "long"
},
"reverse_information_element_data_type": {
"type": "short"
},
"reverse_information_element_description": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_information_element_id": {
"type": "long"
},
"reverse_information_element_index": {
"type": "long"
},
"reverse_information_element_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_information_element_range_begin": {
"type": "long"
},
"reverse_information_element_range_end": {
"type": "long"
},
"reverse_information_element_semantics": {
"type": "short"
},
"reverse_information_element_units": {
"type": "long"
},
"reverse_ingress_broadcast_packet_total_count": {
"type": "long"
},
"reverse_ingress_interface": {
"type": "long"
},
"reverse_ingress_interface_type": {
"type": "long"
},
"reverse_ingress_multicast_packet_total_count": {
"type": "long"
},
"reverse_ingress_physical_interface": {
"type": "long"
},
"reverse_ingress_unicast_packet_total_count": {
"type": "long"
},
"reverse_ingress_vrfid": {
"type": "long"
},
"reverse_initial_tcp_flags": {
"type": "short"
},
"reverse_initiator_octets": {
"type": "long"
},
"reverse_initiator_packets": {
"type": "long"
},
"reverse_interface_description": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_interface_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_intermediate_process_id": {
"type": "long"
},
"reverse_ip_class_of_service": {
"type": "short"
},
"reverse_ip_diff_serv_code_point": {
"type": "short"
},
"reverse_ip_header_length": {
"type": "short"
},
"reverse_ip_header_packet_section": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_ip_next_hop_ipv4_address": {
"type": "ip"
},
"reverse_ip_next_hop_ipv6_address": {
"type": "ip"
},
"reverse_ip_payload_length": {
"type": "long"
},
"reverse_ip_payload_packet_section": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_ip_precedence": {
"type": "short"
},
"reverse_ip_sec_spi": {
"type": "long"
},
"reverse_ip_total_length": {
"type": "long"
},
"reverse_ip_ttl": {
"type": "short"
},
"reverse_ip_version": {
"type": "short"
},
"reverse_ipv4_ihl": {
"type": "short"
},
"reverse_ipv4_options": {
"type": "long"
},
"reverse_ipv4_router_sc": {
"type": "ip"
},
"reverse_ipv6_extension_headers": {
"type": "long"
},
"reverse_is_multicast": {
"type": "short"
},
"reverse_large_packet_count": {
"type": "long"
},
"reverse_layer2_frame_delta_count": {
"type": "long"
},
"reverse_layer2_frame_total_count": {
"type": "long"
},
"reverse_layer2_octet_delta_count": {
"type": "long"
},
"reverse_layer2_octet_delta_sum_of_squares": {
"type": "long"
},
"reverse_layer2_octet_total_count": {
"type": "long"
},
"reverse_layer2_octet_total_sum_of_squares": {
"type": "long"
},
"reverse_layer2_segment_id": {
"type": "long"
},
"reverse_layer2packet_section_data": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_layer2packet_section_offset": {
"type": "long"
},
"reverse_layer2packet_section_size": {
"type": "long"
},
"reverse_line_card_id": {
"type": "long"
},
"reverse_lower_ci_limit": {
"type": "double"
},
"reverse_max_export_seconds": {
"type": "long"
},
"reverse_max_flow_end_microseconds": {
"type": "long"
},
"reverse_max_flow_end_milliseconds": {
"type": "long"
},
"reverse_max_flow_end_nanoseconds": {
"type": "long"
},
"reverse_max_flow_end_seconds": {
"type": "long"
},
"reverse_max_packet_size": {
"type": "long"
},
"reverse_maximum_ip_total_length": {
"type": "long"
},
"reverse_maximum_layer2_total_length": {
"type": "long"
},
"reverse_maximum_ttl": {
"type": "short"
},
"reverse_message_md5_checksum": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_message_scope": {
"type": "short"
},
"reverse_metering_process_id": {
"type": "long"
},
"reverse_metro_evc_id": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_metro_evc_type": {
"type": "short"
},
"reverse_min_export_seconds": {
"type": "long"
},
"reverse_min_flow_start_microseconds": {
"type": "long"
},
"reverse_min_flow_start_milliseconds": {
"type": "long"
},
"reverse_min_flow_start_nanoseconds": {
"type": "long"
},
"reverse_min_flow_start_seconds": {
"type": "long"
},
"reverse_minimum_ip_total_length": {
"type": "long"
},
"reverse_minimum_layer2_total_length": {
"type": "long"
},
"reverse_minimum_ttl": {
"type": "short"
},
"reverse_monitoring_interval_end_milli_seconds": {
"type": "long"
},
"reverse_monitoring_interval_start_milli_seconds": {
"type": "long"
},
"reverse_mpls_label_stack_depth": {
"type": "long"
},
"reverse_mpls_label_stack_length": {
"type": "long"
},
"reverse_mpls_label_stack_section": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_label_stack_section10": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_label_stack_section2": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_label_stack_section3": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_label_stack_section4": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_label_stack_section5": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_label_stack_section6": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_label_stack_section7": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_label_stack_section8": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_label_stack_section9": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_payload_length": {
"type": "long"
},
"reverse_mpls_payload_packet_section": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_top_label_exp": {
"type": "short"
},
"reverse_mpls_top_label_ipv4_address": {
"type": "ip"
},
"reverse_mpls_top_label_ipv6_address": {
"type": "ip"
},
"reverse_mpls_top_label_prefix_length": {
"type": "short"
},
"reverse_mpls_top_label_stack_section": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_mpls_top_label_ttl": {
"type": "short"
},
"reverse_mpls_top_label_type": {
"type": "short"
},
"reverse_mpls_vpn_route_distinguisher": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_multicast_replication_factor": {
"type": "long"
},
"reverse_nat_event": {
"type": "short"
},
"reverse_nat_originating_address_realm": {
"type": "short"
},
"reverse_nat_pool_id": {
"type": "long"
},
"reverse_nat_pool_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_nat_type": {
"type": "short"
},
"reverse_new_connection_delta_count": {
"type": "long"
},
"reverse_next_header_ipv6": {
"type": "short"
},
"reverse_non_empty_packet_count": {
"type": "long"
},
"reverse_not_sent_layer2_octet_total_count": {
"type": "long"
},
"reverse_observation_domain_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_observation_point_id": {
"type": "long"
},
"reverse_observation_point_type": {
"type": "short"
},
"reverse_observation_time_microseconds": {
"type": "long"
},
"reverse_observation_time_milliseconds": {
"type": "long"
},
"reverse_observation_time_nanoseconds": {
"type": "long"
},
"reverse_observation_time_seconds": {
"type": "long"
},
"reverse_octet_delta_count": {
"type": "long"
},
"reverse_octet_delta_sum_of_squares": {
"type": "long"
},
"reverse_octet_total_count": {
"type": "long"
},
"reverse_octet_total_sum_of_squares": {
"type": "long"
},
"reverse_opaque_octets": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_original_exporter_ipv4_address": {
"type": "ip"
},
"reverse_original_exporter_ipv6_address": {
"type": "ip"
},
"reverse_original_flows_completed": {
"type": "long"
},
"reverse_original_flows_initiated": {
"type": "long"
},
"reverse_original_flows_present": {
"type": "long"
},
"reverse_original_observation_domain_id": {
"type": "long"
},
"reverse_os_finger_print": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_os_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_os_version": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_p2p_technology": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_packet_delta_count": {
"type": "long"
},
"reverse_packet_total_count": {
"type": "long"
},
"reverse_payload": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_payload_entropy": {
"type": "short"
},
"reverse_payload_length_ipv6": {
"type": "long"
},
"reverse_port_id": {
"type": "long"
},
"reverse_port_range_end": {
"type": "long"
},
"reverse_port_range_num_ports": {
"type": "long"
},
"reverse_port_range_start": {
"type": "long"
},
"reverse_port_range_step_size": {
"type": "long"
},
"reverse_post_destination_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_post_dot1q_customer_vlan_id": {
"type": "long"
},
"reverse_post_dot1q_vlan_id": {
"type": "long"
},
"reverse_post_ip_class_of_service": {
"type": "short"
},
"reverse_post_ip_diff_serv_code_point": {
"type": "short"
},
"reverse_post_ip_precedence": {
"type": "short"
},
"reverse_post_layer2_octet_delta_count": {
"type": "long"
},
"reverse_post_layer2_octet_total_count": {
"type": "long"
},
"reverse_post_mcast_layer2_octet_delta_count": {
"type": "long"
},
"reverse_post_mcast_layer2_octet_total_count": {
"type": "long"
},
"reverse_post_mcast_octet_delta_count": {
"type": "long"
},
"reverse_post_mcast_octet_total_count": {
"type": "long"
},
"reverse_post_mcast_packet_delta_count": {
"type": "long"
},
"reverse_post_mcast_packet_total_count": {
"type": "long"
},
"reverse_post_mpls_top_label_exp": {
"type": "short"
},
"reverse_post_napt_destination_transport_port": {
"type": "long"
},
"reverse_post_napt_source_transport_port": {
"type": "long"
},
"reverse_post_nat_destination_ipv4_address": {
"type": "ip"
},
"reverse_post_nat_destination_ipv6_address": {
"type": "ip"
},
"reverse_post_nat_source_ipv4_address": {
"type": "ip"
},
"reverse_post_nat_source_ipv6_address": {
"type": "ip"
},
"reverse_post_octet_delta_count": {
"type": "long"
},
"reverse_post_octet_total_count": {
"type": "long"
},
"reverse_post_packet_delta_count": {
"type": "long"
},
"reverse_post_packet_total_count": {
"type": "long"
},
"reverse_post_source_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_post_vlan_id": {
"type": "long"
},
"reverse_private_enterprise_number": {
"type": "long"
},
"reverse_protocol_identifier": {
"type": "short"
},
"reverse_pseudo_wire_control_word": {
"type": "long"
},
"reverse_pseudo_wire_destination_ipv4_address": {
"type": "ip"
},
"reverse_pseudo_wire_id": {
"type": "long"
},
"reverse_pseudo_wire_type": {
"type": "long"
},
"reverse_relative_error": {
"type": "double"
},
"reverse_responder_octets": {
"type": "long"
},
"reverse_responder_packets": {
"type": "long"
},
"reverse_rfc3550_jitter_microseconds": {
"type": "long"
},
"reverse_rfc3550_jitter_milliseconds": {
"type": "long"
},
"reverse_rfc3550_jitter_nanoseconds": {
"type": "long"
},
"reverse_rtp_payload_type": {
"type": "short"
},
"reverse_rtp_sequence_number": {
"type": "long"
},
"reverse_sampler_id": {
"type": "short"
},
"reverse_sampler_mode": {
"type": "short"
},
"reverse_sampler_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_sampler_random_interval": {
"type": "long"
},
"reverse_sampling_algorithm": {
"type": "short"
},
"reverse_sampling_flow_interval": {
"type": "long"
},
"reverse_sampling_flow_spacing": {
"type": "long"
},
"reverse_sampling_interval": {
"type": "long"
},
"reverse_sampling_packet_interval": {
"type": "long"
},
"reverse_sampling_packet_space": {
"type": "long"
},
"reverse_sampling_population": {
"type": "long"
},
"reverse_sampling_probability": {
"type": "double"
},
"reverse_sampling_size": {
"type": "long"
},
"reverse_sampling_time_interval": {
"type": "long"
},
"reverse_sampling_time_space": {
"type": "long"
},
"reverse_second_packet_banner": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_section_exported_octets": {
"type": "long"
},
"reverse_section_offset": {
"type": "long"
},
"reverse_selection_sequence_id": {
"type": "long"
},
"reverse_selector_algorithm": {
"type": "long"
},
"reverse_selector_id": {
"type": "long"
},
"reverse_selector_id_total_flows_observed": {
"type": "long"
},
"reverse_selector_id_total_flows_selected": {
"type": "long"
},
"reverse_selector_id_total_pkts_observed": {
"type": "long"
},
"reverse_selector_id_total_pkts_selected": {
"type": "long"
},
"reverse_selector_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_session_scope": {
"type": "short"
},
"reverse_small_packet_count": {
"type": "long"
},
"reverse_source_ipv4_address": {
"type": "ip"
},
"reverse_source_ipv4_prefix": {
"type": "ip"
},
"reverse_source_ipv4_prefix_length": {
"type": "short"
},
"reverse_source_ipv6_address": {
"type": "ip"
},
"reverse_source_ipv6_prefix": {
"type": "ip"
},
"reverse_source_ipv6_prefix_length": {
"type": "short"
},
"reverse_source_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_source_transport_port": {
"type": "long"
},
"reverse_src_traffic_index": {
"type": "long"
},
"reverse_sta_ipv4_address": {
"type": "ip"
},
"reverse_sta_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_standard_deviation_interarrival_time": {
"type": "long"
},
"reverse_standard_deviation_payload_length": {
"type": "long"
},
"reverse_system_init_time_milliseconds": {
"type": "long"
},
"reverse_tcp_ack_total_count": {
"type": "long"
},
"reverse_tcp_acknowledgement_number": {
"type": "long"
},
"reverse_tcp_control_bits": {
"type": "long"
},
"reverse_tcp_destination_port": {
"type": "long"
},
"reverse_tcp_fin_total_count": {
"type": "long"
},
"reverse_tcp_header_length": {
"type": "short"
},
"reverse_tcp_options": {
"type": "long"
},
"reverse_tcp_psh_total_count": {
"type": "long"
},
"reverse_tcp_rst_total_count": {
"type": "long"
},
"reverse_tcp_sequence_number": {
"type": "long"
},
"reverse_tcp_source_port": {
"type": "long"
},
"reverse_tcp_syn_total_count": {
"type": "long"
},
"reverse_tcp_urg_total_count": {
"type": "long"
},
"reverse_tcp_urgent_pointer": {
"type": "long"
},
"reverse_tcp_window_scale": {
"type": "long"
},
"reverse_tcp_window_size": {
"type": "long"
},
"reverse_total_length_ipv4": {
"type": "long"
},
"reverse_transport_octet_delta_count": {
"type": "long"
},
"reverse_transport_packet_delta_count": {
"type": "long"
},
"reverse_tunnel_technology": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_udp_destination_port": {
"type": "long"
},
"reverse_udp_message_length": {
"type": "long"
},
"reverse_udp_source_port": {
"type": "long"
},
"reverse_union_tcp_flags": {
"type": "short"
},
"reverse_upper_ci_limit": {
"type": "double"
},
"reverse_user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_value_distribution_method": {
"type": "short"
},
"reverse_virtual_station_interface_id": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_virtual_station_interface_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_virtual_station_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_virtual_station_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_vlan_id": {
"type": "long"
},
"reverse_vr_fname": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_wlan_channel_id": {
"type": "short"
},
"reverse_wlan_ssid": {
"ignore_above": 1024,
"type": "keyword"
},
"reverse_wtp_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"rfc3550_jitter_microseconds": {
"type": "long"
},
"rfc3550_jitter_milliseconds": {
"type": "long"
},
"rfc3550_jitter_nanoseconds": {
"type": "long"
},
"rtp_payload_type": {
"type": "short"
},
"rtp_sequence_number": {
"type": "long"
},
"sampler_id": {
"type": "short"
},
"sampler_mode": {
"type": "short"
},
"sampler_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sampler_random_interval": {
"type": "long"
},
"sampling_algorithm": {
"type": "short"
},
"sampling_flow_interval": {
"type": "long"
},
"sampling_flow_spacing": {
"type": "long"
},
"sampling_interval": {
"type": "long"
},
"sampling_packet_interval": {
"type": "long"
},
"sampling_packet_space": {
"type": "long"
},
"sampling_population": {
"type": "long"
},
"sampling_probability": {
"type": "double"
},
"sampling_size": {
"type": "long"
},
"sampling_time_interval": {
"type": "long"
},
"sampling_time_space": {
"type": "long"
},
"second_packet_banner": {
"ignore_above": 1024,
"type": "keyword"
},
"section_exported_octets": {
"type": "long"
},
"section_offset": {
"type": "long"
},
"selection_sequence_id": {
"type": "long"
},
"selector_algorithm": {
"type": "long"
},
"selector_id": {
"type": "long"
},
"selector_id_total_flows_observed": {
"type": "long"
},
"selector_id_total_flows_selected": {
"type": "long"
},
"selector_id_total_pkts_observed": {
"type": "long"
},
"selector_id_total_pkts_selected": {
"type": "long"
},
"selector_name": {
"ignore_above": 1024,
"type": "keyword"
},
"service_name": {
"ignore_above": 1024,
"type": "keyword"
},
"session_scope": {
"type": "short"
},
"silk_app_label": {
"type": "long"
},
"small_packet_count": {
"type": "long"
},
"source_ipv4_address": {
"type": "ip"
},
"source_ipv4_prefix": {
"type": "ip"
},
"source_ipv4_prefix_length": {
"type": "short"
},
"source_ipv6_address": {
"type": "ip"
},
"source_ipv6_prefix": {
"type": "ip"
},
"source_ipv6_prefix_length": {
"type": "short"
},
"source_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"source_transport_port": {
"type": "long"
},
"source_transport_ports_limit": {
"type": "long"
},
"src_traffic_index": {
"type": "long"
},
"ssl_cert_serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_cert_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_cert_validity_not_after": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_cert_validity_not_before": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_cert_version": {
"type": "short"
},
"ssl_certificate_hash": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_client_version": {
"type": "short"
},
"ssl_compression_method": {
"type": "short"
},
"ssl_object_type": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_object_value": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_public_key_length": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_server_cipher": {
"type": "long"
},
"ssl_server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sta_ipv4_address": {
"type": "ip"
},
"sta_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"standard_deviation_interarrival_time": {
"type": "long"
},
"standard_deviation_payload_length": {
"type": "short"
},
"system_init_time_milliseconds": {
"type": "date"
},
"tcp_ack_total_count": {
"type": "long"
},
"tcp_acknowledgement_number": {
"type": "long"
},
"tcp_control_bits": {
"type": "long"
},
"tcp_destination_port": {
"type": "long"
},
"tcp_fin_total_count": {
"type": "long"
},
"tcp_header_length": {
"type": "short"
},
"tcp_options": {
"type": "long"
},
"tcp_psh_total_count": {
"type": "long"
},
"tcp_rst_total_count": {
"type": "long"
},
"tcp_sequence_number": {
"type": "long"
},
"tcp_source_port": {
"type": "long"
},
"tcp_syn_total_count": {
"type": "long"
},
"tcp_urg_total_count": {
"type": "long"
},
"tcp_urgent_pointer": {
"type": "long"
},
"tcp_window_scale": {
"type": "long"
},
"tcp_window_size": {
"type": "long"
},
"template_id": {
"type": "long"
},
"tftp_filename": {
"ignore_above": 1024,
"type": "keyword"
},
"tftp_mode": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "long"
},
"timestamp_absolute_monitoring-interval": {
"type": "long"
},
"total_length_ipv4": {
"type": "long"
},
"traffic_type": {
"type": "short"
},
"transport_octet_delta_count": {
"type": "long"
},
"transport_packet_delta_count": {
"type": "long"
},
"tunnel_technology": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"udp_destination_port": {
"type": "long"
},
"udp_message_length": {
"type": "long"
},
"udp_source_port": {
"type": "long"
},
"union_tcp_flags": {
"type": "short"
},
"upper_ci_limit": {
"type": "double"
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
},
"value_distribution_method": {
"type": "short"
},
"viptela_vpn_id": {
"type": "long"
},
"virtual_station_interface_id": {
"type": "short"
},
"virtual_station_interface_name": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_station_name": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_station_uuid": {
"type": "short"
},
"vlan_id": {
"type": "long"
},
"vmware_egress_interface_attr": {
"type": "long"
},
"vmware_ingress_interface_attr": {
"type": "long"
},
"vmware_tenant_dest_ipv4": {
"type": "ip"
},
"vmware_tenant_dest_ipv6": {
"type": "ip"
},
"vmware_tenant_dest_port": {
"type": "long"
},
"vmware_tenant_protocol": {
"type": "short"
},
"vmware_tenant_source_ipv4": {
"type": "ip"
},
"vmware_tenant_source_ipv6": {
"type": "ip"
},
"vmware_tenant_source_port": {
"type": "long"
},
"vmware_vxlan_export_role": {
"type": "short"
},
"vpn_identifier": {
"type": "short"
},
"vr_fname": {
"ignore_above": 1024,
"type": "keyword"
},
"waasoptimization_segment": {
"type": "short"
},
"wlan_channel_id": {
"type": "short"
},
"wlan_ssid": {
"ignore_above": 1024,
"type": "keyword"
},
"wtp_mac_address": {
"ignore_above": 1024,
"type": "keyword"
},
"xlate_destination_address_ip_v4": {
"type": "ip"
},
"xlate_destination_port": {
"type": "long"
},
"xlate_source_address_ip_v4": {
"type": "ip"
},
"xlate_source_port": {
"type": "long"
}
}
},
"network": {
"type": "object",
"properties": {
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"bytes": {
"type": "long"
},
"community_id": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"forwarded_ip": {
"type": "ip"
},
"iana_number": {
"ignore_above": 1024,
"type": "keyword"
},
"inner": {
"type": "object",
"properties": {
"vlan": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"interface": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"packets": {
"type": "long"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"transport": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vlan": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"nginx": {
"type": "object",
"properties": {
"error": {
"type": "object",
"properties": {
"connection_id": {
"type": "long"
}
}
},
"ingress_controller": {
"type": "object",
"properties": {
"http": {
"type": "object",
"properties": {
"request": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"length": {
"type": "long"
},
"time": {
"type": "double"
}
}
}
}
},
"upstream": {
"type": "object",
"properties": {
"alternative_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
"response": {
"type": "object",
"properties": {
"length": {
"type": "long"
},
"length_list": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"type": "long"
},
"status_code_list": {
"ignore_above": 1024,
"type": "keyword"
},
"time": {
"type": "double"
},
"time_list": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"upstream_address_list": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"o365": {
"type": "object",
"properties": {
"audit": {
"type": "object",
"properties": {
"AADGroupId": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorContextId": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorIpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorYammerUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"AlertEntityId": {
"ignore_above": 1024,
"type": "keyword"
},
"AlertId": {
"ignore_above": 1024,
"type": "keyword"
},
"AlertType": {
"ignore_above": 1024,
"type": "keyword"
},
"AppId": {
"ignore_above": 1024,
"type": "keyword"
},
"ApplicationDisplayName": {
"ignore_above": 1024,
"type": "keyword"
},
"ApplicationId": {
"ignore_above": 1024,
"type": "keyword"
},
"AzureActiveDirectoryEventType": {
"ignore_above": 1024,
"type": "keyword"
},
"Category": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientAppId": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientIP": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientIPAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientInfoString": {
"ignore_above": 1024,
"type": "keyword"
},
"Comments": {
"norms": false,
"type": "text"
},
"CommunicationType": {
"ignore_above": 1024,
"type": "keyword"
},
"CorrelationId": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationTime": {
"ignore_above": 1024,
"type": "keyword"
},
"CustomUniqueId": {
"ignore_above": 1024,
"type": "keyword"
},
"Data": {
"ignore_above": 1024,
"type": "keyword"
},
"DataType": {
"ignore_above": 1024,
"type": "keyword"
},
"DoNotDistributeEvent": {
"type": "boolean"
},
"EntityType": {
"ignore_above": 1024,
"type": "keyword"
},
"ErrorNumber": {
"ignore_above": 1024,
"type": "keyword"
},
"EventData": {
"ignore_above": 1024,
"type": "keyword"
},
"EventSource": {
"ignore_above": 1024,
"type": "keyword"
},
"ExceptionInfo": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
},
"ExchangeMetaData": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
},
"ExtendedProperties": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
},
"ExternalAccess": {
"ignore_above": 1024,
"type": "keyword"
},
"FromApp": {
"type": "boolean"
},
"GroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"Id": {
"ignore_above": 1024,
"type": "keyword"
},
"ImplicitShare": {
"ignore_above": 1024,
"type": "keyword"
},
"IncidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"InterSystemsId": {
"ignore_above": 1024,
"type": "keyword"
},
"InternalLogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"IntraSystemId": {
"ignore_above": 1024,
"type": "keyword"
},
"IsDocLib": {
"type": "boolean"
},
"Item": {
"type": "object",
"properties": {
"*": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
}
}
},
"ItemCount": {
"type": "long"
},
"ItemName": {
"ignore_above": 1024,
"type": "keyword"
},
"ItemType": {
"ignore_above": 1024,
"type": "keyword"
},
"ListBaseTemplateType": {
"ignore_above": 1024,
"type": "keyword"
},
"ListBaseType": {
"ignore_above": 1024,
"type": "keyword"
},
"ListColor": {
"ignore_above": 1024,
"type": "keyword"
},
"ListIcon": {
"ignore_above": 1024,
"type": "keyword"
},
"ListId": {
"ignore_above": 1024,
"type": "keyword"
},
"ListItemUniqueId": {
"ignore_above": 1024,
"type": "keyword"
},
"ListTitle": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonError": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxOwnerMasterAccountSid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxOwnerSid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxOwnerUPN": {
"ignore_above": 1024,
"type": "keyword"
},
"Members": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
},
"ModifiedProperties": {
"type": "object",
"properties": {
"*": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
}
}
},
"Name": {
"ignore_above": 1024,
"type": "keyword"
},
"ObjectId": {
"ignore_above": 1024,
"type": "keyword"
},
"Operation": {
"ignore_above": 1024,
"type": "keyword"
},
"OrganizationId": {
"ignore_above": 1024,
"type": "keyword"
},
"OrganizationName": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginatingServer": {
"ignore_above": 1024,
"type": "keyword"
},
"Parameters": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
},
"PolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"RecordType": {
"ignore_above": 1024,
"type": "keyword"
},
"ResultStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"SensitiveInfoDetectionIsIncluded": {
"ignore_above": 1024,
"type": "keyword"
},
"SessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"Severity": {
"ignore_above": 1024,
"type": "keyword"
},
"SharePointMetaData": {
"type": "object",
"properties": {
"*": {
"type": "object"
}
}
},
"Site": {
"ignore_above": 1024,
"type": "keyword"
},
"SiteUrl": {
"ignore_above": 1024,
"type": "keyword"
},
"Source": {
"ignore_above": 1024,
"type": "keyword"
},
"SourceFileExtension": {
"ignore_above": 1024,
"type": "keyword"
},
"SourceFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"SourceRelativeUrl": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"SupportTicketId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetContextId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserOrGroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserOrGroupType": {
"ignore_above": 1024,
"type": "keyword"
},
"TeamGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"TeamName": {
"ignore_above": 1024,
"type": "keyword"
},
"TemplateTypeId": {
"ignore_above": 1024,
"type": "keyword"
},
"UniqueSharingId": {
"ignore_above": 1024,
"type": "keyword"
},
"UserAgent": {
"ignore_above": 1024,
"type": "keyword"
},
"UserId": {
"ignore_above": 1024,
"type": "keyword"
},
"UserKey": {
"ignore_above": 1024,
"type": "keyword"
},
"UserType": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"WebId": {
"ignore_above": 1024,
"type": "keyword"
},
"Workload": {
"ignore_above": 1024,
"type": "keyword"
},
"YammerNetworkId": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"object": {
"type": "object",
"properties": {
"key": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"observer": {
"type": "object",
"properties": {
"egress": {
"type": "object",
"properties": {
"interface": {
"type": "object",
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"geo": {
"type": "object",
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"ingress": {
"type": "object",
"properties": {
"interface": {
"type": "object",
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"type": "object",
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"okta": {
"type": "object",
"properties": {
"actor": {
"type": "object",
"properties": {
"alternate_id": {
"ignore_above": 1024,
"type": "keyword"
},
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"authentication_context": {
"type": "object",
"properties": {
"authentication_provider": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_step": {
"type": "long"
},
"credential_provider": {
"ignore_above": 1024,
"type": "keyword"
},
"credential_type": {
"ignore_above": 1024,
"type": "keyword"
},
"external_session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"interface": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"client": {
"type": "object",
"properties": {
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user_agent": {
"type": "object",
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"raw_user_agent": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"debug_context": {
"type": "object",
"properties": {
"debug_data": {
"type": "object",
"properties": {
"device_fingerprint": {
"ignore_above": 1024,
"type": "keyword"
},
"factor": {
"ignore_above": 1024,
"type": "keyword"
},
"flattened": {
"type": "flattened"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_uri": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_behaviors": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_level": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_reasons": {
"ignore_above": 1024,
"type": "keyword"
},
"suspicious_activity": {
"type": "object",
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword"
},
"event_city": {
"ignore_above": 1024,
"type": "keyword"
},
"event_country": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_ip": {
"type": "ip"
},
"event_latitude": {
"type": "float"
},
"event_longitude": {
"type": "float"
},
"event_state": {
"ignore_above": 1024,
"type": "keyword"
},
"event_transaction_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
}
}
},
"threat_suspected": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"display_message": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"outcome": {
"type": "object",
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"request": {
"type": "object",
"properties": {
"ip_chain": {
"type": "flattened"
}
}
},
"security_context": {
"type": "object",
"properties": {
"as": {
"type": "object",
"properties": {
"number": {
"type": "long"
},
"organization": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"is_proxy": {
"type": "boolean"
},
"isp": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"target": {
"type": "flattened"
},
"transaction": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"oracle": {
"type": "object",
"properties": {
"database_audit": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"action_number": {
"ignore_above": 1024,
"type": "keyword"
},
"client": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"terminal": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"comment_text": {
"norms": false,
"type": "text"
},
"database": {
"type": "object",
"properties": {
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"entry": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"entryid": {
"type": "long"
},
"length": {
"type": "long"
},
"logoff_dead": {
"type": "long"
},
"logoff_lread": {
"type": "long"
},
"logoff_lwrite": {
"type": "long"
},
"logoff_pread": {
"type": "long"
},
"os_userid": {
"ignore_above": 1024,
"type": "keyword"
},
"priv_used": {
"type": "long"
},
"privilege": {
"ignore_above": 1024,
"type": "keyword"
},
"returncode": {
"type": "long"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"sessioncpu": {
"type": "long"
},
"statement": {
"type": "long"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"terminal": {
"norms": false,
"type": "text"
},
"userid": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"orchestrator": {
"type": "object",
"properties": {
"api_version": {
"ignore_above": 1024,
"type": "keyword"
},
"cluster": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"namespace": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"resource": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"organization": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"os": {
"type": "object",
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"osquery": {
"type": "object",
"properties": {
"result": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"calendar_time": {
"ignore_above": 1024,
"type": "keyword"
},
"host_identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"unix_time": {
"type": "long"
}
}
}
}
},
"package": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"build_version": {
"ignore_above": 1024,
"type": "keyword"
},
"checksum": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"install_scope": {
"ignore_above": 1024,
"type": "keyword"
},
"installed": {
"type": "date"
},
"license": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"panw": {
"type": "object",
"properties": {
"panos": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"actionflags": {
"ignore_above": 1024,
"type": "keyword"
},
"attempted_gateways": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_method": {
"ignore_above": 1024,
"type": "keyword"
},
"client_os": {
"ignore_above": 1024,
"type": "keyword"
},
"client_os_ver": {
"ignore_above": 1024,
"type": "keyword"
},
"client_ver": {
"ignore_above": 1024,
"type": "keyword"
},
"connect_method": {
"ignore_above": 1024,
"type": "keyword"
},
"datasource": {
"ignore_above": 1024,
"type": "keyword"
},
"datasourcename": {
"ignore_above": 1024,
"type": "keyword"
},
"datasourcetype": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"destination": {
"type": "object",
"properties": {
"interface": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"device_group_hierarchy": {
"type": "object",
"properties": {
"level_1": {
"ignore_above": 1024,
"type": "keyword"
},
"level_2": {
"ignore_above": 1024,
"type": "keyword"
},
"level_3": {
"ignore_above": 1024,
"type": "keyword"
},
"level_4": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"endreason": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"ignore_above": 1024,
"type": "keyword"
},
"error_code": {
"type": "long"
},
"factorcompletiontime": {
"type": "date"
},
"factorno": {
"type": "long"
},
"factortype": {
"ignore_above": 1024,
"type": "keyword"
},
"file": {
"type": "object",
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"flow_id": {
"ignore_above": 1024,
"type": "keyword"
},
"gateway": {
"ignore_above": 1024,
"type": "keyword"
},
"matchname": {
"ignore_above": 1024,
"type": "keyword"
},
"matchtype": {
"ignore_above": 1024,
"type": "keyword"
},
"network": {
"type": "object",
"properties": {
"nat": {
"type": "object",
"properties": {
"community_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pcap_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"priority": {
"ignore_above": 1024,
"type": "keyword"
},
"repeatcnt": {
"type": "long"
},
"response_time": {
"ignore_above": 1024,
"type": "keyword"
},
"ruleset": {
"ignore_above": 1024,
"type": "keyword"
},
"selection_type": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence_number": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"source": {
"type": "object",
"properties": {
"interface": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"stage": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_type": {
"ignore_above": 1024,
"type": "keyword"
},
"threat": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"resource": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"timeout": {
"type": "long"
},
"tunnel_type": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"ugflags": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"type": "object",
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"virtual_sys": {
"ignore_above": 1024,
"type": "keyword"
},
"vsys_id": {
"ignore_above": 1024,
"type": "keyword"
},
"vsys_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"pe": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pensando": {
"type": "object",
"properties": {
"dfw": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"app_id": {
"type": "long"
},
"destination_address": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_port": {
"type": "long"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_id": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id": {
"type": "long"
},
"session_state": {
"ignore_above": 1024,
"type": "keyword"
},
"source_address": {
"ignore_above": 1024,
"type": "keyword"
},
"source_port": {
"type": "long"
},
"timestamp": {
"type": "date"
}
}
}
}
},
"postgresql": {
"type": "object",
"properties": {
"log": {
"type": "object",
"properties": {
"application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"backend_type": {
"ignore_above": 1024,
"type": "keyword"
},
"client_addr": {
"ignore_above": 1024,
"type": "keyword"
},
"client_port": {
"ignore_above": 1024,
"type": "keyword"
},
"command_tag": {
"ignore_above": 1024,
"type": "keyword"
},
"context": {
"ignore_above": 1024,
"type": "keyword"
},
"core_id": {
"path": "postgresql.log.session_line_number",
"type": "alias"
},
"database": {
"ignore_above": 1024,
"type": "keyword"
},
"detail": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"type": "object",
"properties": {
"code": {
"path": "postgresql.log.sql_state_code",
"type": "alias"
}
}
},
"hint": {
"ignore_above": 1024,
"type": "keyword"
},
"internal_query": {
"ignore_above": 1024,
"type": "keyword"
},
"internal_query_pos": {
"type": "long"
},
"location": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"query_name": {
"ignore_above": 1024,
"type": "keyword"
},
"query_pos": {
"type": "long"
},
"query_step": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"session_line_number": {
"type": "long"
},
"session_start_time": {
"type": "date"
},
"sql_state_code": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword"
},
"transaction_id": {
"type": "long"
},
"virtual_transaction_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"process": {
"type": "object",
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"args_count": {
"type": "long"
},
"code_signature": {
"type": "object",
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"command_line": {
"type": "wildcard"
},
"elf": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"type": "object",
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"type": "nested",
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
}
},
"segments": {
"type": "nested",
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"end": {
"type": "date"
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"executable": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"exit_code": {
"type": "long"
},
"hash": {
"type": "object",
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"owner": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
}
}
},
"parent": {
"type": "object",
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"args_count": {
"type": "long"
},
"code_signature": {
"type": "object",
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"command_line": {
"type": "wildcard"
},
"elf": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"type": "object",
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"type": "nested",
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
}
},
"segments": {
"type": "nested",
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"end": {
"type": "date"
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"executable": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"exit_code": {
"type": "long"
},
"hash": {
"type": "object",
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"pe": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
"start": {
"type": "date"
},
"thread": {
"type": "object",
"properties": {
"id": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"title": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"uptime": {
"type": "long"
},
"working_directory": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"pe": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
"program": {
"ignore_above": 1024,
"type": "keyword"
},
"start": {
"type": "date"
},
"thread": {
"type": "object",
"properties": {
"id": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"title": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"uptime": {
"type": "long"
},
"working_directory": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"rabbitmq": {
"type": "object",
"properties": {
"log": {
"type": "object",
"properties": {
"pid": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"redis": {
"type": "object",
"properties": {
"log": {
"type": "object",
"properties": {
"role": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"slowlog": {
"type": "object",
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"cmd": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "object",
"properties": {
"us": {
"type": "long"
}
}
},
"id": {
"type": "long"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"registry": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"bytes": {
"ignore_above": 1024,
"type": "keyword"
},
"strings": {
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"related": {
"type": "object",
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"hosts": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rsa": {
"type": "object",
"properties": {
"counters": {
"type": "object",
"properties": {
"dclass_c1": {
"type": "long"
},
"dclass_c1_str": {
"ignore_above": 1024,
"type": "keyword"
},
"dclass_c2": {
"type": "long"
},
"dclass_c2_str": {
"ignore_above": 1024,
"type": "keyword"
},
"dclass_c3": {
"type": "long"
},
"dclass_c3_str": {
"ignore_above": 1024,
"type": "keyword"
},
"dclass_r1": {
"ignore_above": 1024,
"type": "keyword"
},
"dclass_r1_str": {
"ignore_above": 1024,
"type": "keyword"
},
"dclass_r2": {
"ignore_above": 1024,
"type": "keyword"
},
"dclass_r2_str": {
"ignore_above": 1024,
"type": "keyword"
},
"dclass_r3": {
"ignore_above": 1024,
"type": "keyword"
},
"dclass_r3_str": {
"ignore_above": 1024,
"type": "keyword"
},
"event_counter": {
"type": "long"
}
}
},
"crypto": {
"type": "object",
"properties": {
"cert_ca": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_checksum": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_common": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_error": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_host_cat": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_host_name": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_keysize": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_serial": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_status": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_subject": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_username": {
"ignore_above": 1024,
"type": "keyword"
},
"cipher_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"cipher_size_dst": {
"type": "long"
},
"cipher_size_src": {
"type": "long"
},
"cipher_src": {
"ignore_above": 1024,
"type": "keyword"
},
"crypto": {
"ignore_above": 1024,
"type": "keyword"
},
"d_certauth": {
"ignore_above": 1024,
"type": "keyword"
},
"https_insact": {
"ignore_above": 1024,
"type": "keyword"
},
"https_valid": {
"ignore_above": 1024,
"type": "keyword"
},
"ike": {
"ignore_above": 1024,
"type": "keyword"
},
"ike_cookie1": {
"ignore_above": 1024,
"type": "keyword"
},
"ike_cookie2": {
"ignore_above": 1024,
"type": "keyword"
},
"peer": {
"ignore_above": 1024,
"type": "keyword"
},
"peer_id": {
"ignore_above": 1024,
"type": "keyword"
},
"s_certauth": {
"ignore_above": 1024,
"type": "keyword"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"sig_type": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_ver_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_ver_src": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"db": {
"type": "object",
"properties": {
"database": {
"ignore_above": 1024,
"type": "keyword"
},
"db_id": {
"ignore_above": 1024,
"type": "keyword"
},
"db_pid": {
"type": "long"
},
"index": {
"ignore_above": 1024,
"type": "keyword"
},
"instance": {
"ignore_above": 1024,
"type": "keyword"
},
"lread": {
"type": "long"
},
"lwrite": {
"type": "long"
},
"permissions": {
"ignore_above": 1024,
"type": "keyword"
},
"pread": {
"type": "long"
},
"table_name": {
"ignore_above": 1024,
"type": "keyword"
},
"transact_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email": {
"type": "object",
"properties": {
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"email_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"email_src": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"trans_from": {
"ignore_above": 1024,
"type": "keyword"
},
"trans_to": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"endpoint": {
"type": "object",
"properties": {
"host_state": {
"ignore_above": 1024,
"type": "keyword"
},
"registry_key": {
"ignore_above": 1024,
"type": "keyword"
},
"registry_value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"file": {
"type": "object",
"properties": {
"attachment": {
"ignore_above": 1024,
"type": "keyword"
},
"binary": {
"ignore_above": 1024,
"type": "keyword"
},
"directory_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"directory_src": {
"ignore_above": 1024,
"type": "keyword"
},
"file_entropy": {
"type": "double"
},
"file_vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"filename_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"filename_src": {
"ignore_above": 1024,
"type": "keyword"
},
"filename_tmp": {
"ignore_above": 1024,
"type": "keyword"
},
"filesystem": {
"ignore_above": 1024,
"type": "keyword"
},
"privilege": {
"ignore_above": 1024,
"type": "keyword"
},
"task_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"healthcare": {
"type": "object",
"properties": {
"patient_fname": {
"ignore_above": 1024,
"type": "keyword"
},
"patient_id": {
"ignore_above": 1024,
"type": "keyword"
},
"patient_lname": {
"ignore_above": 1024,
"type": "keyword"
},
"patient_mname": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"identity": {
"type": "object",
"properties": {
"accesses": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_method": {
"ignore_above": 1024,
"type": "keyword"
},
"dn": {
"ignore_above": 1024,
"type": "keyword"
},
"dn_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"dn_src": {
"ignore_above": 1024,
"type": "keyword"
},
"federated_idp": {
"ignore_above": 1024,
"type": "keyword"
},
"federated_sp": {
"ignore_above": 1024,
"type": "keyword"
},
"firstname": {
"ignore_above": 1024,
"type": "keyword"
},
"host_role": {
"ignore_above": 1024,
"type": "keyword"
},
"lastname": {
"ignore_above": 1024,
"type": "keyword"
},
"ldap": {
"ignore_above": 1024,
"type": "keyword"
},
"ldap_query": {
"ignore_above": 1024,
"type": "keyword"
},
"ldap_response": {
"ignore_above": 1024,
"type": "keyword"
},
"logon_type": {
"ignore_above": 1024,
"type": "keyword"
},
"logon_type_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"middlename": {
"ignore_above": 1024,
"type": "keyword"
},
"org": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"profile": {
"ignore_above": 1024,
"type": "keyword"
},
"realm": {
"ignore_above": 1024,
"type": "keyword"
},
"service_account": {
"ignore_above": 1024,
"type": "keyword"
},
"user_dept": {
"ignore_above": 1024,
"type": "keyword"
},
"user_role": {
"ignore_above": 1024,
"type": "keyword"
},
"user_sid_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"user_sid_src": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"internal": {
"type": "object",
"properties": {
"audit_class": {
"ignore_above": 1024,
"type": "keyword"
},
"cid": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"dead": {
"type": "long"
},
"device_class": {
"ignore_above": 1024,
"type": "keyword"
},
"device_group": {
"ignore_above": 1024,
"type": "keyword"
},
"device_host": {
"ignore_above": 1024,
"type": "keyword"
},
"device_ip": {
"type": "ip"
},
"device_ipv6": {
"type": "ip"
},
"device_type": {
"ignore_above": 1024,
"type": "keyword"
},
"device_type_id": {
"type": "long"
},
"did": {
"ignore_above": 1024,
"type": "keyword"
},
"entropy_req": {
"type": "long"
},
"entropy_res": {
"type": "long"
},
"entry": {
"ignore_above": 1024,
"type": "keyword"
},
"event_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"event_name": {
"ignore_above": 1024,
"type": "keyword"
},
"feed_category": {
"ignore_above": 1024,
"type": "keyword"
},
"feed_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"feed_name": {
"ignore_above": 1024,
"type": "keyword"
},
"forward_ip": {
"type": "ip"
},
"forward_ipv6": {
"type": "ip"
},
"hcode": {
"ignore_above": 1024,
"type": "keyword"
},
"header_id": {
"ignore_above": 1024,
"type": "keyword"
},
"inode": {
"type": "long"
},
"lc_cid": {
"ignore_above": 1024,
"type": "keyword"
},
"lc_ctime": {
"type": "date"
},
"level": {
"type": "long"
},
"mcb_req": {
"type": "long"
},
"mcb_res": {
"type": "long"
},
"mcbc_req": {
"type": "long"
},
"mcbc_res": {
"type": "long"
},
"medium": {
"type": "long"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"messageid": {
"ignore_above": 1024,
"type": "keyword"
},
"msg": {
"ignore_above": 1024,
"type": "keyword"
},
"msg_id": {
"ignore_above": 1024,
"type": "keyword"
},
"msg_vid": {
"ignore_above": 1024,
"type": "keyword"
},
"node_name": {
"ignore_above": 1024,
"type": "keyword"
},
"nwe_callback_id": {
"ignore_above": 1024,
"type": "keyword"
},
"obj_id": {
"ignore_above": 1024,
"type": "keyword"
},
"obj_server": {
"ignore_above": 1024,
"type": "keyword"
},
"obj_val": {
"ignore_above": 1024,
"type": "keyword"
},
"parse_error": {
"ignore_above": 1024,
"type": "keyword"
},
"payload_req": {
"type": "long"
},
"payload_res": {
"type": "long"
},
"process_vid_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"process_vid_src": {
"ignore_above": 1024,
"type": "keyword"
},
"resource": {
"ignore_above": 1024,
"type": "keyword"
},
"resource_class": {
"ignore_above": 1024,
"type": "keyword"
},
"rid": {
"type": "long"
},
"session_split": {
"ignore_above": 1024,
"type": "keyword"
},
"site": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"sourcefile": {
"ignore_above": 1024,
"type": "keyword"
},
"statement": {
"ignore_above": 1024,
"type": "keyword"
},
"time": {
"type": "date"
},
"ubc_req": {
"type": "long"
},
"ubc_res": {
"type": "long"
},
"word": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"investigations": {
"type": "object",
"properties": {
"analysis_file": {
"ignore_above": 1024,
"type": "keyword"
},
"analysis_service": {
"ignore_above": 1024,
"type": "keyword"
},
"analysis_session": {
"ignore_above": 1024,
"type": "keyword"
},
"boc": {
"ignore_above": 1024,
"type": "keyword"
},
"ec_activity": {
"ignore_above": 1024,
"type": "keyword"
},
"ec_outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"ec_subject": {
"ignore_above": 1024,
"type": "keyword"
},
"ec_theme": {
"ignore_above": 1024,
"type": "keyword"
},
"eoc": {
"ignore_above": 1024,
"type": "keyword"
},
"event_cat": {
"type": "long"
},
"event_cat_name": {
"ignore_above": 1024,
"type": "keyword"
},
"event_vcat": {
"ignore_above": 1024,
"type": "keyword"
},
"inv_category": {
"ignore_above": 1024,
"type": "keyword"
},
"inv_context": {
"ignore_above": 1024,
"type": "keyword"
},
"ioc": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"misc": {
"type": "object",
"properties": {
"OS": {
"ignore_above": 1024,
"type": "keyword"
},
"acl_id": {
"ignore_above": 1024,
"type": "keyword"
},
"acl_op": {
"ignore_above": 1024,
"type": "keyword"
},
"acl_pos": {
"ignore_above": 1024,
"type": "keyword"
},
"acl_table": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"admin": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id": {
"ignore_above": 1024,
"type": "keyword"
},
"alarm_id": {
"ignore_above": 1024,
"type": "keyword"
},
"alarmname": {
"ignore_above": 1024,
"type": "keyword"
},
"alert_id": {
"ignore_above": 1024,
"type": "keyword"
},
"app_id": {
"ignore_above": 1024,
"type": "keyword"
},
"audit": {
"ignore_above": 1024,
"type": "keyword"
},
"audit_object": {
"ignore_above": 1024,
"type": "keyword"
},
"auditdata": {
"ignore_above": 1024,
"type": "keyword"
},
"autorun_type": {
"ignore_above": 1024,
"type": "keyword"
},
"benchmark": {
"ignore_above": 1024,
"type": "keyword"
},
"bypass": {
"ignore_above": 1024,
"type": "keyword"
},
"cache": {
"ignore_above": 1024,
"type": "keyword"
},
"cache_hit": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"cc_number": {
"type": "long"
},
"cefversion": {
"ignore_above": 1024,
"type": "keyword"
},
"cfg_attr": {
"ignore_above": 1024,
"type": "keyword"
},
"cfg_obj": {
"ignore_above": 1024,
"type": "keyword"
},
"cfg_path": {
"ignore_above": 1024,
"type": "keyword"
},
"change_attrib": {
"ignore_above": 1024,
"type": "keyword"
},
"change_new": {
"ignore_above": 1024,
"type": "keyword"
},
"change_old": {
"ignore_above": 1024,
"type": "keyword"
},
"changes": {
"ignore_above": 1024,
"type": "keyword"
},
"checksum": {
"ignore_above": 1024,
"type": "keyword"
},
"checksum_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"checksum_src": {
"ignore_above": 1024,
"type": "keyword"
},
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"client_ip": {
"ignore_above": 1024,
"type": "keyword"
},
"clustermembers": {
"ignore_above": 1024,
"type": "keyword"
},
"cmd": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_acttimeout": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_asn_src": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_bgpv4nxthop": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_ctr_dst_code": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_dst_tos": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_dst_vlan": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_engine_id": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_engine_type": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_f_switch": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_flowsampid": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_flowsampintv": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_flowsampmode": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_inacttimeout": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_inpermbyts": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_inpermpckts": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_invalid": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_ip_proto_ver": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_ipv4_ident": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_l_switch": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_log_did": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_log_rid": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_max_ttl": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_maxpcktlen": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_min_ttl": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_minpcktlen": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mpls_lbl_1": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mpls_lbl_10": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mpls_lbl_2": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mpls_lbl_3": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mpls_lbl_4": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mpls_lbl_5": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mpls_lbl_6": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mpls_lbl_7": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mpls_lbl_8": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mpls_lbl_9": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mplstoplabel": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mplstoplabip": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mul_dst_byt": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_mul_dst_pks": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_muligmptype": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_sampalgo": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_sampint": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_seqctr": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_spackets": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_src_tos": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_src_vlan": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_sysuptime": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_template_id": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_totbytsexp": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_totflowexp": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_totpcktsexp": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_unixnanosecs": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_v6flowlabel": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_v6optheaders": {
"ignore_above": 1024,
"type": "keyword"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"comments": {
"ignore_above": 1024,
"type": "keyword"
},
"comp_class": {
"ignore_above": 1024,
"type": "keyword"
},
"comp_name": {
"ignore_above": 1024,
"type": "keyword"
},
"comp_rbytes": {
"ignore_above": 1024,
"type": "keyword"
},
"comp_sbytes": {
"ignore_above": 1024,
"type": "keyword"
},
"comp_version": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"content": {
"ignore_above": 1024,
"type": "keyword"
},
"content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"content_version": {
"ignore_above": 1024,
"type": "keyword"
},
"context": {
"ignore_above": 1024,
"type": "keyword"
},
"context_subject": {
"ignore_above": 1024,
"type": "keyword"
},
"context_target": {
"ignore_above": 1024,
"type": "keyword"
},
"count": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu": {
"type": "long"
},
"cpu_data": {
"ignore_above": 1024,
"type": "keyword"
},
"criticality": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_agency_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_analyzedby": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_av_other": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_av_primary": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_av_secondary": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_bgpv6nxthop": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_bit9status": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_context": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_control": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_data": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_datecret": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_dst_tld": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_eth_dst_ven": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_eth_src_ven": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_event_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_filetype": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_fld": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_if_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_if_name": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_ip_next_hop": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_ipv4dstpre": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_ipv4srcpre": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_lifetime": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_log_medium": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_loginname": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_modulescore": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_modulesign": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_opswatresult": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_payload": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_registrant": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_registrar": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_represult": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_rpayload": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_sampler_name": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_sourcemodule": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_streams": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_targetmodule": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_v6nxthop": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_whois_server": {
"ignore_above": 1024,
"type": "keyword"
},
"cs_yararesult": {
"ignore_above": 1024,
"type": "keyword"
},
"cve": {
"ignore_above": 1024,
"type": "keyword"
},
"data_type": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"device_name": {
"ignore_above": 1024,
"type": "keyword"
},
"devvendor": {
"ignore_above": 1024,
"type": "keyword"
},
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"distance": {
"ignore_above": 1024,
"type": "keyword"
},
"doc_number": {
"type": "long"
},
"dstburb": {
"ignore_above": 1024,
"type": "keyword"
},
"edomain": {
"ignore_above": 1024,
"type": "keyword"
},
"edomaub": {
"ignore_above": 1024,
"type": "keyword"
},
"ein_number": {
"type": "long"
},
"error": {
"ignore_above": 1024,
"type": "keyword"
},
"euid": {
"ignore_above": 1024,
"type": "keyword"
},
"event_category": {
"ignore_above": 1024,
"type": "keyword"
},
"event_computer": {
"ignore_above": 1024,
"type": "keyword"
},
"event_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_log": {
"ignore_above": 1024,
"type": "keyword"
},
"event_source": {
"ignore_above": 1024,
"type": "keyword"
},
"event_state": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"event_user": {
"ignore_above": 1024,
"type": "keyword"
},
"expected_val": {
"ignore_above": 1024,
"type": "keyword"
},
"facility": {
"ignore_above": 1024,
"type": "keyword"
},
"facilityname": {
"ignore_above": 1024,
"type": "keyword"
},
"fcatnum": {
"ignore_above": 1024,
"type": "keyword"
},
"filter": {
"ignore_above": 1024,
"type": "keyword"
},
"finterface": {
"ignore_above": 1024,
"type": "keyword"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"forensic_info": {
"ignore_above": 1024,
"type": "keyword"
},
"found": {
"ignore_above": 1024,
"type": "keyword"
},
"fresult": {
"type": "long"
},
"gaddr": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"group_id": {
"ignore_above": 1024,
"type": "keyword"
},
"group_object": {
"ignore_above": 1024,
"type": "keyword"
},
"hardware_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id3": {
"ignore_above": 1024,
"type": "keyword"
},
"im_buddyid": {
"ignore_above": 1024,
"type": "keyword"
},
"im_buddyname": {
"ignore_above": 1024,
"type": "keyword"
},
"im_client": {
"ignore_above": 1024,
"type": "keyword"
},
"im_croomid": {
"ignore_above": 1024,
"type": "keyword"
},
"im_croomtype": {
"ignore_above": 1024,
"type": "keyword"
},
"im_members": {
"ignore_above": 1024,
"type": "keyword"
},
"im_userid": {
"ignore_above": 1024,
"type": "keyword"
},
"im_username": {
"ignore_above": 1024,
"type": "keyword"
},
"index": {
"ignore_above": 1024,
"type": "keyword"
},
"inout": {
"ignore_above": 1024,
"type": "keyword"
},
"ipkt": {
"ignore_above": 1024,
"type": "keyword"
},
"ipscat": {
"ignore_above": 1024,
"type": "keyword"
},
"ipspri": {
"ignore_above": 1024,
"type": "keyword"
},
"job_num": {
"ignore_above": 1024,
"type": "keyword"
},
"jobname": {
"ignore_above": 1024,
"type": "keyword"
},
"language": {
"ignore_above": 1024,
"type": "keyword"
},
"latitude": {
"ignore_above": 1024,
"type": "keyword"
},
"library": {
"ignore_above": 1024,
"type": "keyword"
},
"lifetime": {
"type": "long"
},
"linenum": {
"ignore_above": 1024,
"type": "keyword"
},
"link": {
"ignore_above": 1024,
"type": "keyword"
},
"list_name": {
"ignore_above": 1024,
"type": "keyword"
},
"listnum": {
"ignore_above": 1024,
"type": "keyword"
},
"load_data": {
"ignore_above": 1024,
"type": "keyword"
},
"location_floor": {
"ignore_above": 1024,
"type": "keyword"
},
"location_mark": {
"ignore_above": 1024,
"type": "keyword"
},
"log_id": {
"ignore_above": 1024,
"type": "keyword"
},
"log_session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"log_session_id1": {
"ignore_above": 1024,
"type": "keyword"
},
"log_type": {
"ignore_above": 1024,
"type": "keyword"
},
"logid": {
"ignore_above": 1024,
"type": "keyword"
},
"logip": {
"ignore_above": 1024,
"type": "keyword"
},
"logname": {
"ignore_above": 1024,
"type": "keyword"
},
"longitude": {
"ignore_above": 1024,
"type": "keyword"
},
"lport": {
"ignore_above": 1024,
"type": "keyword"
},
"mail_id": {
"ignore_above": 1024,
"type": "keyword"
},
"match": {
"ignore_above": 1024,
"type": "keyword"
},
"mbug_data": {
"ignore_above": 1024,
"type": "keyword"
},
"message_body": {
"ignore_above": 1024,
"type": "keyword"
},
"misc": {
"ignore_above": 1024,
"type": "keyword"
},
"misc_name": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"msgIdPart1": {
"ignore_above": 1024,
"type": "keyword"
},
"msgIdPart2": {
"ignore_above": 1024,
"type": "keyword"
},
"msgIdPart3": {
"ignore_above": 1024,
"type": "keyword"
},
"msgIdPart4": {
"ignore_above": 1024,
"type": "keyword"
},
"msg_type": {
"ignore_above": 1024,
"type": "keyword"
},
"msgid": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"netsessid": {
"ignore_above": 1024,
"type": "keyword"
},
"node": {
"ignore_above": 1024,
"type": "keyword"
},
"ntype": {
"ignore_above": 1024,
"type": "keyword"
},
"num": {
"ignore_above": 1024,
"type": "keyword"
},
"number": {
"ignore_above": 1024,
"type": "keyword"
},
"number1": {
"ignore_above": 1024,
"type": "keyword"
},
"number2": {
"ignore_above": 1024,
"type": "keyword"
},
"nwwn": {
"ignore_above": 1024,
"type": "keyword"
},
"obj_name": {
"ignore_above": 1024,
"type": "keyword"
},
"obj_type": {
"ignore_above": 1024,
"type": "keyword"
},
"object": {
"ignore_above": 1024,
"type": "keyword"
},
"observed_val": {
"ignore_above": 1024,
"type": "keyword"
},
"operation": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_id": {
"ignore_above": 1024,
"type": "keyword"
},
"opkt": {
"ignore_above": 1024,
"type": "keyword"
},
"orig_from": {
"ignore_above": 1024,
"type": "keyword"
},
"owner_id": {
"ignore_above": 1024,
"type": "keyword"
},
"p_action": {
"ignore_above": 1024,
"type": "keyword"
},
"p_filter": {
"ignore_above": 1024,
"type": "keyword"
},
"p_group_object": {
"ignore_above": 1024,
"type": "keyword"
},
"p_id": {
"ignore_above": 1024,
"type": "keyword"
},
"p_msgid": {
"ignore_above": 1024,
"type": "keyword"
},
"p_msgid1": {
"ignore_above": 1024,
"type": "keyword"
},
"p_msgid2": {
"ignore_above": 1024,
"type": "keyword"
},
"p_result1": {
"ignore_above": 1024,
"type": "keyword"
},
"param": {
"ignore_above": 1024,
"type": "keyword"
},
"param_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"param_src": {
"ignore_above": 1024,
"type": "keyword"
},
"parent_node": {
"ignore_above": 1024,
"type": "keyword"
},
"password_chg": {
"ignore_above": 1024,
"type": "keyword"
},
"password_expire": {
"ignore_above": 1024,
"type": "keyword"
},
"payload_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"payload_src": {
"ignore_above": 1024,
"type": "keyword"
},
"permgranted": {
"ignore_above": 1024,
"type": "keyword"
},
"permwanted": {
"ignore_above": 1024,
"type": "keyword"
},
"pgid": {
"ignore_above": 1024,
"type": "keyword"
},
"phone": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"ignore_above": 1024,
"type": "keyword"
},
"policy": {
"ignore_above": 1024,
"type": "keyword"
},
"policyUUID": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_id": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_value": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_waiver": {
"ignore_above": 1024,
"type": "keyword"
},
"pool_id": {
"ignore_above": 1024,
"type": "keyword"
},
"pool_name": {
"ignore_above": 1024,
"type": "keyword"
},
"port_name": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"ignore_above": 1024,
"type": "keyword"
},
"process_id_val": {
"ignore_above": 1024,
"type": "keyword"
},
"prog_asp_num": {
"ignore_above": 1024,
"type": "keyword"
},
"program": {
"ignore_above": 1024,
"type": "keyword"
},
"real_data": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"rec_asp_device": {
"ignore_above": 1024,
"type": "keyword"
},
"rec_asp_num": {
"ignore_above": 1024,
"type": "keyword"
},
"rec_library": {
"ignore_above": 1024,
"type": "keyword"
},
"recordnum": {
"ignore_above": 1024,
"type": "keyword"
},
"reference_id": {
"ignore_above": 1024,
"type": "keyword"
},
"reference_id1": {
"ignore_above": 1024,
"type": "keyword"
},
"reference_id2": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"result_code": {
"ignore_above": 1024,
"type": "keyword"
},
"risk": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_info": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_num": {
"type": "double"
},
"risk_num_comm": {
"type": "double"
},
"risk_num_next": {
"type": "double"
},
"risk_num_sand": {
"type": "double"
},
"risk_num_static": {
"type": "double"
},
"risk_suspicious": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_warning": {
"ignore_above": 1024,
"type": "keyword"
},
"ruid": {
"ignore_above": 1024,
"type": "keyword"
},
"rule": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_group": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_template": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"sburb": {
"ignore_above": 1024,
"type": "keyword"
},
"sdomain_fld": {
"ignore_above": 1024,
"type": "keyword"
},
"search_text": {
"ignore_above": 1024,
"type": "keyword"
},
"sec": {
"ignore_above": 1024,
"type": "keyword"
},
"second": {
"ignore_above": 1024,
"type": "keyword"
},
"sensor": {
"ignore_above": 1024,
"type": "keyword"
},
"sensorname": {
"ignore_above": 1024,
"type": "keyword"
},
"seqnum": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"session": {
"ignore_above": 1024,
"type": "keyword"
},
"sessiontype": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"sigUUID": {
"ignore_above": 1024,
"type": "keyword"
},
"sig_id": {
"type": "long"
},
"sig_id1": {
"type": "long"
},
"sig_id_str": {
"ignore_above": 1024,
"type": "keyword"
},
"sig_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sigcat": {
"ignore_above": 1024,
"type": "keyword"
},
"snmp_oid": {
"ignore_above": 1024,
"type": "keyword"
},
"snmp_value": {
"ignore_above": 1024,
"type": "keyword"
},
"space": {
"ignore_above": 1024,
"type": "keyword"
},
"space1": {
"ignore_above": 1024,
"type": "keyword"
},
"spi": {
"ignore_above": 1024,
"type": "keyword"
},
"spi_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"spi_src": {
"ignore_above": 1024,
"type": "keyword"
},
"sql": {
"ignore_above": 1024,
"type": "keyword"
},
"srcburb": {
"ignore_above": 1024,
"type": "keyword"
},
"srcdom": {
"ignore_above": 1024,
"type": "keyword"
},
"srcservice": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"status1": {
"ignore_above": 1024,
"type": "keyword"
},
"streams": {
"type": "long"
},
"subcategory": {
"ignore_above": 1024,
"type": "keyword"
},
"svcno": {
"ignore_above": 1024,
"type": "keyword"
},
"system": {
"ignore_above": 1024,
"type": "keyword"
},
"tbdstr1": {
"ignore_above": 1024,
"type": "keyword"
},
"tbdstr2": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags": {
"type": "long"
},
"terminal": {
"ignore_above": 1024,
"type": "keyword"
},
"tgtdom": {
"ignore_above": 1024,
"type": "keyword"
},
"tgtdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"threshold": {
"ignore_above": 1024,
"type": "keyword"
},
"tos": {
"type": "long"
},
"trigger_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"trigger_val": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"type1": {
"ignore_above": 1024,
"type": "keyword"
},
"udb_class": {
"ignore_above": 1024,
"type": "keyword"
},
"url_fld": {
"ignore_above": 1024,
"type": "keyword"
},
"user_div": {
"ignore_above": 1024,
"type": "keyword"
},
"userid": {
"ignore_above": 1024,
"type": "keyword"
},
"username_fld": {
"ignore_above": 1024,
"type": "keyword"
},
"utcstamp": {
"ignore_above": 1024,
"type": "keyword"
},
"v_instafname": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"virt_data": {
"ignore_above": 1024,
"type": "keyword"
},
"virusname": {
"ignore_above": 1024,
"type": "keyword"
},
"vm_target": {
"ignore_above": 1024,
"type": "keyword"
},
"vpnid": {
"ignore_above": 1024,
"type": "keyword"
},
"vsys": {
"ignore_above": 1024,
"type": "keyword"
},
"vuln_ref": {
"ignore_above": 1024,
"type": "keyword"
},
"workspace": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"network": {
"type": "object",
"properties": {
"ad_computer_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"addr": {
"ignore_above": 1024,
"type": "keyword"
},
"alias_host": {
"ignore_above": 1024,
"type": "keyword"
},
"dinterface": {
"ignore_above": 1024,
"type": "keyword"
},
"dmask": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_a_record": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_cname_record": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_id": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_ptr_record": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_resp": {
"ignore_above": 1024,
"type": "keyword"
},
"dns_type": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"domain1": {
"ignore_above": 1024,
"type": "keyword"
},
"eth_host": {
"ignore_above": 1024,
"type": "keyword"
},
"eth_type": {
"type": "long"
},
"faddr": {
"ignore_above": 1024,
"type": "keyword"
},
"fhost": {
"ignore_above": 1024,
"type": "keyword"
},
"fport": {
"ignore_above": 1024,
"type": "keyword"
},
"gateway": {
"ignore_above": 1024,
"type": "keyword"
},
"host_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"host_orig": {
"ignore_above": 1024,
"type": "keyword"
},
"host_type": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code": {
"type": "long"
},
"icmp_type": {
"type": "long"
},
"interface": {
"ignore_above": 1024,
"type": "keyword"
},
"ip_proto": {
"type": "long"
},
"laddr": {
"ignore_above": 1024,
"type": "keyword"
},
"lhost": {
"ignore_above": 1024,
"type": "keyword"
},
"linterface": {
"ignore_above": 1024,
"type": "keyword"
},
"mask": {
"ignore_above": 1024,
"type": "keyword"
},
"netname": {
"ignore_above": 1024,
"type": "keyword"
},
"network_port": {
"type": "long"
},
"network_service": {
"ignore_above": 1024,
"type": "keyword"
},
"origin": {
"ignore_above": 1024,
"type": "keyword"
},
"packet_length": {
"ignore_above": 1024,
"type": "keyword"
},
"paddr": {
"type": "ip"
},
"phost": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
"protocol_detail": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_domain_id": {
"ignore_above": 1024,
"type": "keyword"
},
"rpayload": {
"ignore_above": 1024,
"type": "keyword"
},
"sinterface": {
"ignore_above": 1024,
"type": "keyword"
},
"smask": {
"ignore_above": 1024,
"type": "keyword"
},
"vlan": {
"type": "long"
},
"vlan_name": {
"ignore_above": 1024,
"type": "keyword"
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
},
"zone_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"zone_src": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"physical": {
"type": "object",
"properties": {
"org_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"org_src": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"storage": {
"type": "object",
"properties": {
"disk_volume": {
"ignore_above": 1024,
"type": "keyword"
},
"lun": {
"ignore_above": 1024,
"type": "keyword"
},
"pwwn": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"threat": {
"type": "object",
"properties": {
"alert": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_category": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_source": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"time": {
"type": "object",
"properties": {
"date": {
"ignore_above": 1024,
"type": "keyword"
},
"datetime": {
"ignore_above": 1024,
"type": "keyword"
},
"day": {
"ignore_above": 1024,
"type": "keyword"
},
"duration_str": {
"ignore_above": 1024,
"type": "keyword"
},
"duration_time": {
"type": "double"
},
"effective_time": {
"type": "date"
},
"endtime": {
"type": "date"
},
"event_queue_time": {
"type": "date"
},
"event_time": {
"type": "date"
},
"event_time_str": {
"ignore_above": 1024,
"type": "keyword"
},
"eventtime": {
"ignore_above": 1024,
"type": "keyword"
},
"expire_time": {
"type": "date"
},
"expire_time_str": {
"ignore_above": 1024,
"type": "keyword"
},
"gmtdate": {
"ignore_above": 1024,
"type": "keyword"
},
"gmttime": {
"ignore_above": 1024,
"type": "keyword"
},
"hour": {
"ignore_above": 1024,
"type": "keyword"
},
"min": {
"ignore_above": 1024,
"type": "keyword"
},
"month": {
"ignore_above": 1024,
"type": "keyword"
},
"p_date": {
"ignore_above": 1024,
"type": "keyword"
},
"p_month": {
"ignore_above": 1024,
"type": "keyword"
},
"p_time": {
"ignore_above": 1024,
"type": "keyword"
},
"p_time1": {
"ignore_above": 1024,
"type": "keyword"
},
"p_time2": {
"ignore_above": 1024,
"type": "keyword"
},
"p_year": {
"ignore_above": 1024,
"type": "keyword"
},
"process_time": {
"ignore_above": 1024,
"type": "keyword"
},
"recorded_time": {
"type": "date"
},
"stamp": {
"type": "date"
},
"starttime": {
"type": "date"
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"tzone": {
"ignore_above": 1024,
"type": "keyword"
},
"year": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"web": {
"type": "object",
"properties": {
"alias_host": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_asn_dst": {
"ignore_above": 1024,
"type": "keyword"
},
"cn_rpackets": {
"ignore_above": 1024,
"type": "keyword"
},
"fqdn": {
"ignore_above": 1024,
"type": "keyword"
},
"p_url": {
"ignore_above": 1024,
"type": "keyword"
},
"p_user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"p_web_cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"p_web_method": {
"ignore_above": 1024,
"type": "keyword"
},
"p_web_referer": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"reputation_num": {
"type": "double"
},
"urlpage": {
"ignore_above": 1024,
"type": "keyword"
},
"urlroot": {
"ignore_above": 1024,
"type": "keyword"
},
"web_cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"web_extension_tmp": {
"ignore_above": 1024,
"type": "keyword"
},
"web_page": {
"ignore_above": 1024,
"type": "keyword"
},
"web_ref_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"web_ref_page": {
"ignore_above": 1024,
"type": "keyword"
},
"web_ref_query": {
"ignore_above": 1024,
"type": "keyword"
},
"web_ref_root": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"wireless": {
"type": "object",
"properties": {
"access_point": {
"ignore_above": 1024,
"type": "keyword"
},
"wlan_channel": {
"type": "long"
},
"wlan_name": {
"ignore_above": 1024,
"type": "keyword"
},
"wlan_ssid": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"rule": {
"type": "object",
"properties": {
"author": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"license": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"ruleset": {
"ignore_above": 1024,
"type": "keyword"
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"salesforce": {
"type": "object",
"properties": {
"access_mode": {
"ignore_above": 1024,
"type": "keyword"
},
"apex": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"callout_time": {
"ignore_above": 1024,
"type": "keyword"
},
"class_name": {
"ignore_above": 1024,
"type": "keyword"
},
"client_name": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_time": {
"ignore_above": 1024,
"type": "keyword"
},
"db_blocks": {
"ignore_above": 1024,
"type": "keyword"
},
"db_cpu_time": {
"ignore_above": 1024,
"type": "keyword"
},
"db_total_time": {
"ignore_above": 1024,
"type": "keyword"
},
"entity": {
"ignore_above": 1024,
"type": "keyword"
},
"entity_name": {
"ignore_above": 1024,
"type": "keyword"
},
"entry_point": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"execute_ms": {
"ignore_above": 1024,
"type": "keyword"
},
"fetch_ms": {
"ignore_above": 1024,
"type": "keyword"
},
"filter": {
"ignore_above": 1024,
"type": "keyword"
},
"is_long_running_request": {
"ignore_above": 1024,
"type": "keyword"
},
"limit": {
"ignore_above": 1024,
"type": "keyword"
},
"limit_usage_percent": {
"ignore_above": 1024,
"type": "keyword"
},
"login_key": {
"ignore_above": 1024,
"type": "keyword"
},
"media_type": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"method_name": {
"ignore_above": 1024,
"type": "keyword"
},
"number_fields": {
"ignore_above": 1024,
"type": "keyword"
},
"number_soql_queries": {
"ignore_above": 1024,
"type": "keyword"
},
"offset": {
"ignore_above": 1024,
"type": "keyword"
},
"orderby": {
"ignore_above": 1024,
"type": "keyword"
},
"organization_id": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"quiddity": {
"ignore_above": 1024,
"type": "keyword"
},
"request": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rows": {
"type": "object",
"properties": {
"fetched": {
"ignore_above": 1024,
"type": "keyword"
},
"processed": {
"ignore_above": 1024,
"type": "keyword"
},
"total": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"run_time": {
"ignore_above": 1024,
"type": "keyword"
},
"select": {
"ignore_above": 1024,
"type": "keyword"
},
"subqueries": {
"ignore_above": 1024,
"type": "keyword"
},
"throughput": {
"ignore_above": 1024,
"type": "keyword"
},
"trigger": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uri": {
"ignore_above": 1024,
"type": "keyword"
},
"uri_id_derived": {
"ignore_above": 1024,
"type": "keyword"
},
"user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"user_id_derived": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"login": {
"type": "object",
"properties": {
"api_type": {
"ignore_above": 1024,
"type": "keyword"
},
"api_version": {
"ignore_above": 1024,
"type": "keyword"
},
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_method_reference": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_service_id": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_method_reference": {
"ignore_above": 1024,
"type": "keyword"
},
"client_ip": {
"ignore_above": 1024,
"type": "keyword"
},
"client_version": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_time": {
"ignore_above": 1024,
"type": "keyword"
},
"created_by_id": {
"ignore_above": 1024,
"type": "keyword"
},
"db_total_time": {
"ignore_above": 1024,
"type": "keyword"
},
"evaluation_time": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"login_geo_id": {
"ignore_above": 1024,
"type": "keyword"
},
"login_history_id": {
"ignore_above": 1024,
"type": "keyword"
},
"login_key": {
"ignore_above": 1024,
"type": "keyword"
},
"login_type": {
"ignore_above": 1024,
"type": "keyword"
},
"organization_id": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_id": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"related_event_identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_status": {
"ignore_above": 1024,
"type": "keyword"
},
"run_time": {
"ignore_above": 1024,
"type": "keyword"
},
"session_level": {
"ignore_above": 1024,
"type": "keyword"
},
"uri_id_derived": {
"ignore_above": 1024,
"type": "keyword"
},
"user_id_derived": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"logout": {
"type": "object",
"properties": {
"api_type": {
"ignore_above": 1024,
"type": "keyword"
},
"api_version": {
"ignore_above": 1024,
"type": "keyword"
},
"app_type": {
"ignore_above": 1024,
"type": "keyword"
},
"browser_type": {
"ignore_above": 1024,
"type": "keyword"
},
"client_version": {
"ignore_above": 1024,
"type": "keyword"
},
"created_by_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"login_key": {
"ignore_above": 1024,
"type": "keyword"
},
"organization_by_id": {
"ignore_above": 1024,
"type": "keyword"
},
"platform_type": {
"ignore_above": 1024,
"type": "keyword"
},
"related_event_identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"replay_id": {
"ignore_above": 1024,
"type": "keyword"
},
"resolution_type": {
"ignore_above": 1024,
"type": "keyword"
},
"schema": {
"ignore_above": 1024,
"type": "keyword"
},
"session_level": {
"ignore_above": 1024,
"type": "keyword"
},
"session_type": {
"ignore_above": 1024,
"type": "keyword"
},
"user_id_derived": {
"ignore_above": 1024,
"type": "keyword"
},
"user_initiated_logout": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"setup_audit_trail": {
"type": "object",
"properties": {
"created_by_context": {
"ignore_above": 1024,
"type": "keyword"
},
"created_by_id": {
"ignore_above": 1024,
"type": "keyword"
},
"created_by_issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"delegate_user": {
"ignore_above": 1024,
"type": "keyword"
},
"display": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"responsible_namespace_prefix": {
"ignore_above": 1024,
"type": "keyword"
},
"section": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"santa": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"decision": {
"ignore_above": 1024,
"type": "keyword"
},
"disk": {
"type": "object",
"properties": {
"bsdname": {
"ignore_above": 1024,
"type": "keyword"
},
"bus": {
"ignore_above": 1024,
"type": "keyword"
},
"fs": {
"ignore_above": 1024,
"type": "keyword"
},
"model": {
"ignore_above": 1024,
"type": "keyword"
},
"mount": {
"ignore_above": 1024,
"type": "keyword"
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
},
"volume": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"server": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"type": "object",
"properties": {
"number": {
"type": "long"
},
"organization": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"type": "object",
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"group": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"service": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"environment": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"node": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"origin": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"environment": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"node": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"target": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"environment": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"node": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"snyk": {
"type": "object",
"properties": {
"audit": {
"type": "object",
"properties": {
"content": {
"type": "flattened"
},
"org_id": {
"ignore_above": 1024,
"type": "keyword"
},
"project_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"projects": {
"type": "flattened"
},
"related": {
"type": "object",
"properties": {
"projects": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vulnerabilities": {
"type": "object",
"properties": {
"credit": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss3": {
"ignore_above": 1024,
"type": "keyword"
},
"disclosure_time": {
"type": "date"
},
"exploit_maturity": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"identifiers": {
"type": "object",
"properties": {
"alternative": {
"ignore_above": 1024,
"type": "keyword"
},
"cwe": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"introduced_date": {
"type": "date"
},
"is_fixed": {
"type": "boolean"
},
"is_ignored": {
"type": "boolean"
},
"is_patchable": {
"type": "boolean"
},
"is_patched": {
"type": "boolean"
},
"is_pinnable": {
"type": "boolean"
},
"is_upgradable": {
"type": "boolean"
},
"jira_issue_url": {
"ignore_above": 1024,
"type": "keyword"
},
"language": {
"ignore_above": 1024,
"type": "keyword"
},
"original_severity": {
"type": "long"
},
"package": {
"ignore_above": 1024,
"type": "keyword"
},
"package_manager": {
"ignore_above": 1024,
"type": "keyword"
},
"patches": {
"type": "flattened"
},
"priority_score": {
"type": "long"
},
"publication_time": {
"type": "date"
},
"reachability": {
"ignore_above": 1024,
"type": "keyword"
},
"semver": {
"type": "flattened"
},
"title": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"unique_severities_list": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"sophos": {
"type": "object",
"properties": {
"xg": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"activityname": {
"ignore_above": 1024,
"type": "keyword"
},
"ap": {
"ignore_above": 1024,
"type": "keyword"
},
"app_category": {
"ignore_above": 1024,
"type": "keyword"
},
"app_filter_policy_id": {
"ignore_above": 1024,
"type": "keyword"
},
"app_is_cloud": {
"ignore_above": 1024,
"type": "keyword"
},
"app_name": {
"ignore_above": 1024,
"type": "keyword"
},
"app_resolved_by": {
"ignore_above": 1024,
"type": "keyword"
},
"app_risk": {
"ignore_above": 1024,
"type": "keyword"
},
"app_technology": {
"ignore_above": 1024,
"type": "keyword"
},
"appfilter_policy_id": {
"type": "long"
},
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"application_category": {
"ignore_above": 1024,
"type": "keyword"
},
"application_filter_policy": {
"type": "long"
},
"application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_risk": {
"ignore_above": 1024,
"type": "keyword"
},
"application_technology": {
"ignore_above": 1024,
"type": "keyword"
},
"appresolvedby": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_client": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_mechanism": {
"ignore_above": 1024,
"type": "keyword"
},
"av_policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"backup_mode": {
"ignore_above": 1024,
"type": "keyword"
},
"branch_name": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"category_type": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"client_host_name": {
"ignore_above": 1024,
"type": "keyword"
},
"client_physical_address": {
"ignore_above": 1024,
"type": "keyword"
},
"clients_conn_ssid": {
"type": "long"
},
"collisions": {
"type": "long"
},
"con_event": {
"ignore_above": 1024,
"type": "keyword"
},
"con_id": {
"type": "long"
},
"configuration": {
"type": "float"
},
"conn_id": {
"type": "long"
},
"connectionname": {
"ignore_above": 1024,
"type": "keyword"
},
"connectiontype": {
"ignore_above": 1024,
"type": "keyword"
},
"connevent": {
"ignore_above": 1024,
"type": "keyword"
},
"connid": {
"ignore_above": 1024,
"type": "keyword"
},
"content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"contenttype": {
"ignore_above": 1024,
"type": "keyword"
},
"context_match": {
"ignore_above": 1024,
"type": "keyword"
},
"context_prefix": {
"ignore_above": 1024,
"type": "keyword"
},
"context_suffix": {
"ignore_above": 1024,
"type": "keyword"
},
"cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"date": {
"type": "date"
},
"destinationip": {
"type": "ip"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"device_id": {
"ignore_above": 1024,
"type": "keyword"
},
"device_model": {
"ignore_above": 1024,
"type": "keyword"
},
"device_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dictionary_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dir_disp": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"domainname": {
"ignore_above": 1024,
"type": "keyword"
},
"download_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"download_file_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_country_code": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_domainname": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_ip": {
"type": "ip"
},
"dst_port": {
"type": "long"
},
"dst_zone_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dstdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "long"
},
"email_subject": {
"ignore_above": 1024,
"type": "keyword"
},
"ep_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"ether_type": {
"ignore_above": 1024,
"type": "keyword"
},
"eventid": {
"ignore_above": 1024,
"type": "keyword"
},
"eventtime": {
"type": "date"
},
"eventtype": {
"ignore_above": 1024,
"type": "keyword"
},
"exceptions": {
"ignore_above": 1024,
"type": "keyword"
},
"execution_path": {
"ignore_above": 1024,
"type": "keyword"
},
"extra": {
"ignore_above": 1024,
"type": "keyword"
},
"file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"file_path": {
"ignore_above": 1024,
"type": "keyword"
},
"file_size": {
"type": "long"
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
},
"filepath": {
"ignore_above": 1024,
"type": "keyword"
},
"filesize": {
"type": "long"
},
"free": {
"type": "long"
},
"from_email_address": {
"ignore_above": 1024,
"type": "keyword"
},
"ftp_direction": {
"ignore_above": 1024,
"type": "keyword"
},
"ftp_url": {
"ignore_above": 1024,
"type": "keyword"
},
"ftpcommand": {
"ignore_above": 1024,
"type": "keyword"
},
"fw_rule_id": {
"type": "long"
},
"fw_rule_type": {
"ignore_above": 1024,
"type": "keyword"
},
"hb_health": {
"ignore_above": 1024,
"type": "keyword"
},
"hb_status": {
"ignore_above": 1024,
"type": "keyword"
},
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"http_category": {
"ignore_above": 1024,
"type": "keyword"
},
"http_category_type": {
"ignore_above": 1024,
"type": "keyword"
},
"httpresponsecode": {
"type": "long"
},
"iap": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_type": {
"ignore_above": 1024,
"type": "keyword"
},
"idle_cpu": {
"type": "float"
},
"idp_policy_id": {
"type": "long"
},
"idp_policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"in_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"interface": {
"ignore_above": 1024,
"type": "keyword"
},
"ipaddress": {
"ignore_above": 1024,
"type": "keyword"
},
"ips_policy_id": {
"type": "long"
},
"lease_time": {
"ignore_above": 1024,
"type": "keyword"
},
"localgateway": {
"ignore_above": 1024,
"type": "keyword"
},
"localnetwork": {
"ignore_above": 1024,
"type": "keyword"
},
"log_component": {
"ignore_above": 1024,
"type": "keyword"
},
"log_id": {
"ignore_above": 1024,
"type": "keyword"
},
"log_subtype": {
"ignore_above": 1024,
"type": "keyword"
},
"log_type": {
"ignore_above": 1024,
"type": "keyword"
},
"log_version": {
"ignore_above": 1024,
"type": "keyword"
},
"login_user": {
"ignore_above": 1024,
"type": "keyword"
},
"mailid": {
"ignore_above": 1024,
"type": "keyword"
},
"mailsize": {
"type": "long"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_rule_id": {
"ignore_above": 1024,
"type": "keyword"
},
"newversion": {
"ignore_above": 1024,
"type": "keyword"
},
"oldversion": {
"ignore_above": 1024,
"type": "keyword"
},
"out_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"override_authorizer": {
"ignore_above": 1024,
"type": "keyword"
},
"override_name": {
"ignore_above": 1024,
"type": "keyword"
},
"override_token": {
"ignore_above": 1024,
"type": "keyword"
},
"phpsessid": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_type": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"qualifier": {
"ignore_above": 1024,
"type": "keyword"
},
"quarantine": {
"ignore_above": 1024,
"type": "keyword"
},
"quarantine_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"querystring": {
"ignore_above": 1024,
"type": "keyword"
},
"raw_data": {
"ignore_above": 1024,
"type": "keyword"
},
"received_pkts": {
"type": "long"
},
"receiveddrops": {
"type": "long"
},
"receivederrors": {
"ignore_above": 1024,
"type": "keyword"
},
"receivedkbits": {
"type": "long"
},
"recv_bytes": {
"type": "long"
},
"red_id": {
"ignore_above": 1024,
"type": "keyword"
},
"referer": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_ip": {
"type": "ip"
},
"remotenetwork": {
"ignore_above": 1024,
"type": "keyword"
},
"reported_host": {
"ignore_above": 1024,
"type": "keyword"
},
"reported_ip": {
"ignore_above": 1024,
"type": "keyword"
},
"reports": {
"type": "float"
},
"rule_priority": {
"ignore_above": 1024,
"type": "keyword"
},
"sent_bytes": {
"type": "long"
},
"sent_pkts": {
"type": "long"
},
"server": {
"ignore_above": 1024,
"type": "keyword"
},
"sessionid": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1sum": {
"ignore_above": 1024,
"type": "keyword"
},
"signature": {
"type": "float"
},
"signature_id": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"site_category": {
"ignore_above": 1024,
"type": "keyword"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceip": {
"type": "ip"
},
"spamaction": {
"ignore_above": 1024,
"type": "keyword"
},
"sqli": {
"ignore_above": 1024,
"type": "keyword"
},
"src_country_code": {
"ignore_above": 1024,
"type": "keyword"
},
"src_domainname": {
"ignore_above": 1024,
"type": "keyword"
},
"src_ip": {
"type": "ip"
},
"src_mac": {
"ignore_above": 1024,
"type": "keyword"
},
"src_port": {
"type": "long"
},
"src_zone_type": {
"ignore_above": 1024,
"type": "keyword"
},
"ssid": {
"ignore_above": 1024,
"type": "keyword"
},
"start_time": {
"type": "date"
},
"starttime": {
"type": "date"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"syslog_server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"system_cpu": {
"type": "float"
},
"target": {
"ignore_above": 1024,
"type": "keyword"
},
"temp": {
"type": "float"
},
"threatname": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"to_email_address": {
"ignore_above": 1024,
"type": "keyword"
},
"total_memory": {
"type": "long"
},
"trans_dst_ip": {
"type": "ip"
},
"trans_dst_port": {
"type": "long"
},
"trans_src_ip": {
"type": "ip"
},
"trans_src_port": {
"type": "long"
},
"transaction_id": {
"ignore_above": 1024,
"type": "keyword"
},
"transactionid": {
"ignore_above": 1024,
"type": "keyword"
},
"transmitteddrops": {
"type": "long"
},
"transmittederrors": {
"ignore_above": 1024,
"type": "keyword"
},
"transmittedkbits": {
"type": "long"
},
"unit": {
"ignore_above": 1024,
"type": "keyword"
},
"updatedip": {
"type": "ip"
},
"upload_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"upload_file_type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"used": {
"type": "long"
},
"used_quota": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"user_cpu": {
"type": "float"
},
"user_gp": {
"ignore_above": 1024,
"type": "keyword"
},
"user_group": {
"ignore_above": 1024,
"type": "keyword"
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"users": {
"type": "long"
},
"vconn_id": {
"type": "long"
},
"virus": {
"ignore_above": 1024,
"type": "keyword"
},
"web_policy_id": {
"ignore_above": 1024,
"type": "keyword"
},
"website": {
"ignore_above": 1024,
"type": "keyword"
},
"xss": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"source": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"type": "object",
"properties": {
"number": {
"type": "long"
},
"organization": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"type": "object",
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"group": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"span": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"stream": {
"ignore_above": 1024,
"type": "keyword"
},
"suricata": {
"type": "object",
"properties": {
"eve": {
"type": "object",
"properties": {
"alert": {
"type": "object",
"properties": {
"affected_product": {
"ignore_above": 1024,
"type": "keyword"
},
"attack_target": {
"ignore_above": 1024,
"type": "keyword"
},
"capec_id": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"classtype": {
"ignore_above": 1024,
"type": "keyword"
},
"created_at": {
"type": "date"
},
"cve": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v2_base": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v2_temporal": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v3_base": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v3_temporal": {
"ignore_above": 1024,
"type": "keyword"
},
"cwe_id": {
"ignore_above": 1024,
"type": "keyword"
},
"deployment": {
"ignore_above": 1024,
"type": "keyword"
},
"former_category": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"type": "long"
},
"hostile": {
"ignore_above": 1024,
"type": "keyword"
},
"infected": {
"ignore_above": 1024,
"type": "keyword"
},
"malware": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"type": "flattened"
},
"mitre_tool_id": {
"ignore_above": 1024,
"type": "keyword"
},
"performance_impact": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"ignore_above": 1024,
"type": "keyword"
},
"protocols": {
"ignore_above": 1024,
"type": "keyword"
},
"rev": {
"type": "long"
},
"rule_source": {
"ignore_above": 1024,
"type": "keyword"
},
"sid": {
"ignore_above": 1024,
"type": "keyword"
},
"signature": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_id": {
"type": "long"
},
"signature_severity": {
"ignore_above": 1024,
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
},
"updated_at": {
"type": "date"
}
}
},
"app_proto_expected": {
"ignore_above": 1024,
"type": "keyword"
},
"app_proto_orig": {
"ignore_above": 1024,
"type": "keyword"
},
"app_proto_tc": {
"ignore_above": 1024,
"type": "keyword"
},
"app_proto_ts": {
"ignore_above": 1024,
"type": "keyword"
},
"dns": {
"type": "object",
"properties": {
"id": {
"type": "long"
},
"rcode": {
"ignore_above": 1024,
"type": "keyword"
},
"rdata": {
"ignore_above": 1024,
"type": "keyword"
},
"rrname": {
"ignore_above": 1024,
"type": "keyword"
},
"rrtype": {
"ignore_above": 1024,
"type": "keyword"
},
"ttl": {
"type": "long"
},
"tx_id": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email": {
"type": "object",
"properties": {
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"fileinfo": {
"type": "object",
"properties": {
"gaps": {
"type": "boolean"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"stored": {
"type": "boolean"
},
"tx_id": {
"type": "long"
}
}
},
"flow": {
"type": "object",
"properties": {
"age": {
"type": "long"
},
"alerted": {
"type": "boolean"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"flow_id": {
"ignore_above": 1024,
"type": "keyword"
},
"http": {
"type": "object",
"properties": {
"http_content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"redirect": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"icmp_code": {
"type": "long"
},
"icmp_type": {
"type": "long"
},
"in_iface": {
"ignore_above": 1024,
"type": "keyword"
},
"pcap_cnt": {
"type": "long"
},
"smtp": {
"type": "object",
"properties": {
"helo": {
"ignore_above": 1024,
"type": "keyword"
},
"mail_from": {
"ignore_above": 1024,
"type": "keyword"
},
"rcpt_to": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ssh": {
"type": "object",
"properties": {
"client": {
"type": "object",
"properties": {
"proto_version": {
"ignore_above": 1024,
"type": "keyword"
},
"software_version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"server": {
"type": "object",
"properties": {
"proto_version": {
"ignore_above": 1024,
"type": "keyword"
},
"software_version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"stats": {
"type": "object",
"properties": {
"app_layer": {
"type": "object",
"properties": {
"flow": {
"type": "object",
"properties": {
"dcerpc_tcp": {
"type": "long"
},
"dcerpc_udp": {
"type": "long"
},
"dns_tcp": {
"type": "long"
},
"dns_udp": {
"type": "long"
},
"failed_tcp": {
"type": "long"
},
"failed_udp": {
"type": "long"
},
"ftp": {
"type": "long"
},
"http": {
"type": "long"
},
"imap": {
"type": "long"
},
"msn": {
"type": "long"
},
"smb": {
"type": "long"
},
"smtp": {
"type": "long"
},
"ssh": {
"type": "long"
},
"tls": {
"type": "long"
}
}
},
"tx": {
"type": "object",
"properties": {
"dcerpc_tcp": {
"type": "long"
},
"dcerpc_udp": {
"type": "long"
},
"dns_tcp": {
"type": "long"
},
"dns_udp": {
"type": "long"
},
"ftp": {
"type": "long"
},
"http": {
"type": "long"
},
"smb": {
"type": "long"
},
"smtp": {
"type": "long"
},
"ssh": {
"type": "long"
},
"tls": {
"type": "long"
}
}
}
}
},
"capture": {
"type": "object",
"properties": {
"kernel_drops": {
"type": "long"
},
"kernel_ifdrops": {
"type": "long"
},
"kernel_packets": {
"type": "long"
}
}
},
"decoder": {
"type": "object",
"properties": {
"avg_pkt_size": {
"type": "long"
},
"bytes": {
"type": "long"
},
"dce": {
"type": "object",
"properties": {
"pkt_too_small": {
"type": "long"
}
}
},
"erspan": {
"type": "long"
},
"ethernet": {
"type": "long"
},
"gre": {
"type": "long"
},
"icmpv4": {
"type": "long"
},
"icmpv6": {
"type": "long"
},
"ieee8021ah": {
"type": "long"
},
"invalid": {
"type": "long"
},
"ipraw": {
"type": "object",
"properties": {
"invalid_ip_version": {
"type": "long"
}
}
},
"ipv4": {
"type": "long"
},
"ipv4_in_ipv6": {
"type": "long"
},
"ipv6": {
"type": "long"
},
"ipv6_in_ipv6": {
"type": "long"
},
"ltnull": {
"type": "object",
"properties": {
"pkt_too_small": {
"type": "long"
},
"unsupported_type": {
"type": "long"
}
}
},
"max_pkt_size": {
"type": "long"
},
"mpls": {
"type": "long"
},
"null": {
"type": "long"
},
"pkts": {
"type": "long"
},
"ppp": {
"type": "long"
},
"pppoe": {
"type": "long"
},
"raw": {
"type": "long"
},
"sctp": {
"type": "long"
},
"sll": {
"type": "long"
},
"tcp": {
"type": "long"
},
"teredo": {
"type": "long"
},
"udp": {
"type": "long"
},
"vlan": {
"type": "long"
},
"vlan_qinq": {
"type": "long"
}
}
},
"defrag": {
"type": "object",
"properties": {
"ipv4": {
"type": "object",
"properties": {
"fragments": {
"type": "long"
},
"reassembled": {
"type": "long"
},
"timeouts": {
"type": "long"
}
}
},
"ipv6": {
"type": "object",
"properties": {
"fragments": {
"type": "long"
},
"reassembled": {
"type": "long"
},
"timeouts": {
"type": "long"
}
}
},
"max_frag_hits": {
"type": "long"
}
}
},
"detect": {
"type": "object",
"properties": {
"alert": {
"type": "long"
}
}
},
"dns": {
"type": "object",
"properties": {
"memcap_global": {
"type": "long"
},
"memcap_state": {
"type": "long"
},
"memuse": {
"type": "long"
}
}
},
"file_store": {
"type": "object",
"properties": {
"open_files": {
"type": "long"
}
}
},
"flow": {
"type": "object",
"properties": {
"emerg_mode_entered": {
"type": "long"
},
"emerg_mode_over": {
"type": "long"
},
"icmpv4": {
"type": "long"
},
"icmpv6": {
"type": "long"
},
"memcap": {
"type": "long"
},
"memuse": {
"type": "long"
},
"spare": {
"type": "long"
},
"tcp": {
"type": "long"
},
"tcp_reuse": {
"type": "long"
},
"udp": {
"type": "long"
}
}
},
"flow_mgr": {
"type": "object",
"properties": {
"bypassed_pruned": {
"type": "long"
},
"closed_pruned": {
"type": "long"
},
"est_pruned": {
"type": "long"
},
"flows_checked": {
"type": "long"
},
"flows_notimeout": {
"type": "long"
},
"flows_removed": {
"type": "long"
},
"flows_timeout": {
"type": "long"
},
"flows_timeout_inuse": {
"type": "long"
},
"new_pruned": {
"type": "long"
},
"rows_busy": {
"type": "long"
},
"rows_checked": {
"type": "long"
},
"rows_empty": {
"type": "long"
},
"rows_maxlen": {
"type": "long"
},
"rows_skipped": {
"type": "long"
}
}
},
"http": {
"type": "object",
"properties": {
"memcap": {
"type": "long"
},
"memuse": {
"type": "long"
}
}
},
"tcp": {
"type": "object",
"properties": {
"insert_data_normal_fail": {
"type": "long"
},
"insert_data_overlap_fail": {
"type": "long"
},
"insert_list_fail": {
"type": "long"
},
"invalid_checksum": {
"type": "long"
},
"memuse": {
"type": "long"
},
"no_flow": {
"type": "long"
},
"overlap": {
"type": "long"
},
"overlap_diff_data": {
"type": "long"
},
"pseudo": {
"type": "long"
},
"pseudo_failed": {
"type": "long"
},
"reassembly_gap": {
"type": "long"
},
"reassembly_memuse": {
"type": "long"
},
"rst": {
"type": "long"
},
"segment_memcap_drop": {
"type": "long"
},
"sessions": {
"type": "long"
},
"ssn_memcap_drop": {
"type": "long"
},
"stream_depth_reached": {
"type": "long"
},
"syn": {
"type": "long"
},
"synack": {
"type": "long"
}
}
},
"uptime": {
"type": "long"
}
}
},
"tcp": {
"type": "object",
"properties": {
"ack": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"psh": {
"type": "boolean"
},
"rst": {
"type": "boolean"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"syn": {
"type": "boolean"
},
"tcp_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags_tc": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags_ts": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tls": {
"type": "object",
"properties": {
"fingerprint": {
"ignore_above": 1024,
"type": "keyword"
},
"issuerdn": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3": {
"type": "object",
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"string": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ja3s": {
"type": "object",
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"string": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"notafter": {
"type": "date"
},
"notbefore": {
"type": "date"
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
},
"session_resumed": {
"type": "boolean"
},
"sni": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tx_id": {
"type": "long"
}
}
}
}
},
"syslog": {
"type": "object",
"properties": {
"facility": {
"type": "long"
},
"facility_label": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"type": "long"
},
"severity_label": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"system": {
"type": "object",
"properties": {
"auth": {
"type": "object",
"properties": {
"ssh": {
"type": "object",
"properties": {
"dropped_ip": {
"type": "ip"
},
"event": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"signature": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sudo": {
"type": "object",
"properties": {
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"ignore_above": 1024,
"type": "keyword"
},
"pwd": {
"ignore_above": 1024,
"type": "keyword"
},
"tty": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"useradd": {
"type": "object",
"properties": {
"home": {
"ignore_above": 1024,
"type": "keyword"
},
"shell": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"threat": {
"type": "object",
"properties": {
"enrichments": {
"type": "nested",
"properties": {
"indicator": {
"type": "object",
"properties": {
"as": {
"type": "object",
"properties": {
"number": {
"type": "long"
},
"organization": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
}
},
"confidence": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"file": {
"type": "object",
"properties": {
"accessed": {
"type": "date"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"code_signature": {
"type": "object",
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"created": {
"type": "date"
},
"ctime": {
"type": "date"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"directory": {
"ignore_above": 1024,
"type": "keyword"
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword"
},
"elf": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"type": "object",
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"type": "nested",
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
}
},
"segments": {
"type": "nested",
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"type": "object",
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"inode": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"mtime": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"pe": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"size": {
"type": "long"
},
"target_path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"type": "object",
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"first_seen": {
"type": "date"
},
"geo": {
"type": "object",
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"last_seen": {
"type": "date"
},
"marking": {
"type": "object",
"properties": {
"tlp": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"modified_at": {
"type": "date"
},
"port": {
"type": "long"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"registry": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"bytes": {
"ignore_above": 1024,
"type": "keyword"
},
"strings": {
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scanner_stats": {
"type": "long"
},
"sightings": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fragment": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"type": "wildcard"
},
"original": {
"type": "wildcard"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"type": "wildcard"
},
"port": {
"type": "long"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"x509": {
"type": "object",
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"matched": {
"type": "object",
"properties": {
"atomic": {
"ignore_above": 1024,
"type": "keyword"
},
"field": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"index": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"framework": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"type": "object",
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"indicator": {
"type": "object",
"properties": {
"as": {
"type": "object",
"properties": {
"number": {
"type": "long"
},
"organization": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
}
},
"confidence": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"file": {
"type": "object",
"properties": {
"accessed": {
"type": "date"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"code_signature": {
"type": "object",
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"created": {
"type": "date"
},
"ctime": {
"type": "date"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"directory": {
"ignore_above": 1024,
"type": "keyword"
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword"
},
"elf": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"type": "object",
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"type": "nested",
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
}
},
"segments": {
"type": "nested",
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"type": "object",
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"inode": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"mtime": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"pe": {
"type": "object",
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"size": {
"type": "long"
},
"target_path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"type": "object",
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"first_seen": {
"type": "date"
},
"geo": {
"type": "object",
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"last_seen": {
"type": "date"
},
"marking": {
"type": "object",
"properties": {
"tlp": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"modified_at": {
"type": "date"
},
"port": {
"type": "long"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"registry": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"bytes": {
"ignore_above": 1024,
"type": "keyword"
},
"strings": {
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scanner_stats": {
"type": "long"
},
"sightings": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fragment": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"type": "wildcard"
},
"original": {
"type": "wildcard"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"type": "wildcard"
},
"port": {
"type": "long"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"x509": {
"type": "object",
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"software": {
"type": "object",
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"platforms": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tactic": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"technique": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"subtechnique": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"timeseries": {
"type": "object",
"properties": {
"instance": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tls": {
"type": "object",
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"client": {
"type": "object",
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"type": "object",
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3": {
"ignore_above": 1024,
"type": "keyword"
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"supported_ciphers": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"type": "object",
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"curve": {
"ignore_above": 1024,
"type": "keyword"
},
"established": {
"type": "boolean"
},
"next_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"resumed": {
"type": "boolean"
},
"server": {
"type": "object",
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"type": "object",
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3s": {
"ignore_above": 1024,
"type": "keyword"
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"type": "object",
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"version_protocol": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"trace": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"traefik": {
"type": "object",
"properties": {
"access": {
"type": "object",
"properties": {
"backend_url": {
"ignore_above": 1024,
"type": "keyword"
},
"frontend_name": {
"ignore_above": 1024,
"type": "keyword"
},
"geoip": {
"type": "object",
"properties": {
"city_name": {
"path": "source.geo.city_name",
"type": "alias"
},
"continent_name": {
"path": "source.geo.continent_name",
"type": "alias"
},
"country_iso_code": {
"path": "source.geo.country_iso_code",
"type": "alias"
},
"location": {
"path": "source.geo.location",
"type": "alias"
},
"region_iso_code": {
"path": "source.geo.region_iso_code",
"type": "alias"
},
"region_name": {
"path": "source.geo.region_name",
"type": "alias"
}
}
},
"request_count": {
"type": "long"
},
"user_agent": {
"type": "object",
"properties": {
"name": {
"path": "user_agent.name",
"type": "alias"
},
"original": {
"path": "user_agent.original",
"type": "alias"
},
"os": {
"path": "user_agent.os.full_name",
"type": "alias"
},
"os_name": {
"path": "user_agent.os.name",
"type": "alias"
}
}
},
"user_identifier": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"transaction": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"url": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fragment": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"type": "wildcard"
},
"original": {
"type": "wildcard"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"type": "wildcard"
},
"port": {
"type": "long"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"type": "object",
"properties": {
"audit": {
"type": "object",
"properties": {
"group": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"changes": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"group": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"effective": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"group": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"filesystem": {
"type": "object",
"properties": {
"group": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"full_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"group": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"owner": {
"type": "object",
"properties": {
"group": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
},
"saved": {
"type": "object",
"properties": {
"group": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"target": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"group": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"terminal": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user_agent": {
"type": "object",
"properties": {
"device": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"os": {
"type": "object",
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full_name": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vulnerability": {
"type": "object",
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"enumeration": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"report_id": {
"ignore_above": 1024,
"type": "keyword"
},
"scanner": {
"type": "object",
"properties": {
"vendor": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"score": {
"type": "object",
"properties": {
"base": {
"type": "float"
},
"environmental": {
"type": "float"
},
"temporal": {
"type": "float"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"x509": {
"type": "object",
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zeek": {
"type": "object",
"properties": {
"capture_loss": {
"type": "object",
"properties": {
"acks": {
"type": "long"
},
"gaps": {
"type": "long"
},
"peer": {
"ignore_above": 1024,
"type": "keyword"
},
"percent_lost": {
"type": "double"
},
"ts_delta": {
"type": "long"
}
}
},
"connection": {
"type": "object",
"properties": {
"history": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp": {
"type": "object",
"properties": {
"code": {
"type": "long"
},
"type": {
"type": "long"
}
}
},
"inner_vlan": {
"type": "long"
},
"local_orig": {
"type": "boolean"
},
"local_resp": {
"type": "boolean"
},
"missed_bytes": {
"type": "long"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"state_message": {
"ignore_above": 1024,
"type": "keyword"
},
"vlan": {
"type": "long"
}
}
},
"dce_rpc": {
"type": "object",
"properties": {
"endpoint": {
"ignore_above": 1024,
"type": "keyword"
},
"named_pipe": {
"ignore_above": 1024,
"type": "keyword"
},
"operation": {
"ignore_above": 1024,
"type": "keyword"
},
"rtt": {
"type": "long"
}
}
},
"dhcp": {
"type": "object",
"properties": {
"address": {
"type": "object",
"properties": {
"assigned": {
"type": "ip"
},
"client": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"requested": {
"type": "ip"
},
"server": {
"type": "ip"
}
}
},
"client_fqdn": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "double"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"type": "object",
"properties": {
"circuit": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"subscriber": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"lease_time": {
"type": "long"
},
"msg": {
"type": "object",
"properties": {
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"origin": {
"type": "ip"
},
"server": {
"ignore_above": 1024,
"type": "keyword"
},
"types": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"software": {
"type": "object",
"properties": {
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"server": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"dnp3": {
"type": "object",
"properties": {
"function": {
"type": "object",
"properties": {
"reply": {
"ignore_above": 1024,
"type": "keyword"
},
"request": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"id": {
"type": "long"
}
}
},
"dns": {
"type": "object",
"properties": {
"AA": {
"type": "boolean"
},
"RA": {
"type": "boolean"
},
"RD": {
"type": "boolean"
},
"TC": {
"type": "boolean"
},
"TTLs": {
"type": "double"
},
"answers": {
"ignore_above": 1024,
"type": "keyword"
},
"qclass": {
"type": "long"
},
"qclass_name": {
"ignore_above": 1024,
"type": "keyword"
},
"qtype": {
"type": "long"
},
"qtype_name": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"rcode": {
"type": "long"
},
"rcode_name": {
"ignore_above": 1024,
"type": "keyword"
},
"rejected": {
"type": "boolean"
},
"rtt": {
"type": "double"
},
"saw_query": {
"type": "boolean"
},
"saw_reply": {
"type": "boolean"
},
"total_answers": {
"type": "long"
},
"total_replies": {
"type": "long"
},
"trans_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"dpd": {
"type": "object",
"properties": {
"analyzer": {
"ignore_above": 1024,
"type": "keyword"
},
"failure_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"packet_segment": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"files": {
"type": "object",
"properties": {
"analyzers": {
"ignore_above": 1024,
"type": "keyword"
},
"depth": {
"type": "long"
},
"duration": {
"type": "double"
},
"entropy": {
"type": "double"
},
"extracted": {
"ignore_above": 1024,
"type": "keyword"
},
"extracted_cutoff": {
"type": "boolean"
},
"extracted_size": {
"type": "long"
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
},
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"is_orig": {
"type": "boolean"
},
"local_orig": {
"type": "boolean"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"missing_bytes": {
"type": "long"
},
"overflow_bytes": {
"type": "long"
},
"parent_fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"rx_host": {
"type": "ip"
},
"seen_bytes": {
"type": "long"
},
"session_ids": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
},
"timedout": {
"type": "boolean"
},
"total_bytes": {
"type": "long"
},
"tx_host": {
"type": "ip"
}
}
},
"ftp": {
"type": "object",
"properties": {
"arg": {
"ignore_above": 1024,
"type": "keyword"
},
"capture_password": {
"type": "boolean"
},
"cmdarg": {
"type": "object",
"properties": {
"arg": {
"ignore_above": 1024,
"type": "keyword"
},
"cmd": {
"ignore_above": 1024,
"type": "keyword"
},
"seq": {
"type": "long"
}
}
},
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"cwd": {
"ignore_above": 1024,
"type": "keyword"
},
"data_channel": {
"type": "object",
"properties": {
"originating_host": {
"type": "ip"
},
"passive": {
"type": "boolean"
},
"response_host": {
"type": "ip"
},
"response_port": {
"type": "long"
}
}
},
"file": {
"type": "object",
"properties": {
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
}
}
},
"last_auth_requested": {
"ignore_above": 1024,
"type": "keyword"
},
"passive": {
"type": "boolean"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"pending_commands": {
"type": "long"
},
"reply": {
"type": "object",
"properties": {
"code": {
"type": "long"
},
"msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"http": {
"type": "object",
"properties": {
"captured_password": {
"type": "boolean"
},
"client_header_names": {
"ignore_above": 1024,
"type": "keyword"
},
"info_code": {
"type": "long"
},
"info_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"orig_filenames": {
"ignore_above": 1024,
"type": "keyword"
},
"orig_fuids": {
"ignore_above": 1024,
"type": "keyword"
},
"orig_mime_depth": {
"type": "long"
},
"orig_mime_types": {
"ignore_above": 1024,
"type": "keyword"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"proxied": {
"ignore_above": 1024,
"type": "keyword"
},
"range_request": {
"type": "boolean"
},
"resp_filenames": {
"ignore_above": 1024,
"type": "keyword"
},
"resp_fuids": {
"ignore_above": 1024,
"type": "keyword"
},
"resp_mime_depth": {
"type": "long"
},
"resp_mime_types": {
"ignore_above": 1024,
"type": "keyword"
},
"server_header_names": {
"ignore_above": 1024,
"type": "keyword"
},
"status_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"trans_depth": {
"type": "long"
}
}
},
"intel": {
"type": "object",
"properties": {
"file_desc": {
"ignore_above": 1024,
"type": "keyword"
},
"file_mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"matched": {
"ignore_above": 1024,
"type": "keyword"
},
"seen": {
"type": "object",
"properties": {
"conn": {
"ignore_above": 1024,
"type": "keyword"
},
"f": {
"type": "object"
},
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"indicator": {
"ignore_above": 1024,
"type": "keyword"
},
"indicator_type": {
"ignore_above": 1024,
"type": "keyword"
},
"node": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"where": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sources": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"irc": {
"type": "object",
"properties": {
"addl": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"dcc": {
"type": "object",
"properties": {
"file": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
}
}
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"nick": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"kerberos": {
"type": "object",
"properties": {
"cert": {
"type": "object",
"properties": {
"client": {
"type": "object",
"properties": {
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"server": {
"type": "object",
"properties": {
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"type": "object",
"properties": {
"code": {
"type": "long"
},
"msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"forwardable": {
"type": "boolean"
},
"renewable": {
"type": "boolean"
},
"request_type": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"ignore_above": 1024,
"type": "keyword"
},
"success": {
"type": "boolean"
},
"ticket": {
"type": "object",
"properties": {
"auth": {
"ignore_above": 1024,
"type": "keyword"
},
"new": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"valid": {
"type": "object",
"properties": {
"days": {
"type": "long"
},
"from": {
"type": "date"
},
"until": {
"type": "date"
}
}
}
}
},
"modbus": {
"type": "object",
"properties": {
"exception": {
"ignore_above": 1024,
"type": "keyword"
},
"function": {
"ignore_above": 1024,
"type": "keyword"
},
"track_address": {
"type": "long"
}
}
},
"mysql": {
"type": "object",
"properties": {
"arg": {
"ignore_above": 1024,
"type": "keyword"
},
"cmd": {
"ignore_above": 1024,
"type": "keyword"
},
"response": {
"ignore_above": 1024,
"type": "keyword"
},
"rows": {
"type": "long"
},
"success": {
"type": "boolean"
}
}
},
"notice": {
"type": "object",
"properties": {
"actions": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"dropped": {
"type": "boolean"
},
"email_body_sections": {
"norms": false,
"type": "text"
},
"email_delay_tokens": {
"ignore_above": 1024,
"type": "keyword"
},
"false": {
"type": "long"
},
"ffile": {
"type": "object",
"properties": {
"total_bytes": {
"type": "long"
}
}
},
"file": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"is_orig": {
"type": "boolean"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"missing_bytes": {
"type": "long"
},
"overflow_bytes": {
"type": "long"
},
"parent_id": {
"ignore_above": 1024,
"type": "keyword"
},
"seen_bytes": {
"type": "long"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"fuid": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_id": {
"ignore_above": 1024,
"type": "keyword"
},
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"msg": {
"ignore_above": 1024,
"type": "keyword"
},
"note": {
"ignore_above": 1024,
"type": "keyword"
},
"peer_descr": {
"norms": false,
"type": "text"
},
"peer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sub": {
"ignore_above": 1024,
"type": "keyword"
},
"suppress_for": {
"type": "double"
}
}
},
"ntlm": {
"type": "object",
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"server": {
"type": "object",
"properties": {
"name": {
"type": "object",
"properties": {
"dns": {
"ignore_above": 1024,
"type": "keyword"
},
"netbios": {
"ignore_above": 1024,
"type": "keyword"
},
"tree": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"success": {
"type": "boolean"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ntp": {
"type": "object",
"properties": {
"mode": {
"type": "long"
},
"num_exts": {
"type": "long"
},
"org_time": {
"type": "date"
},
"poll": {
"type": "double"
},
"precision": {
"type": "double"
},
"rec_time": {
"type": "date"
},
"ref_id": {
"ignore_above": 1024,
"type": "keyword"
},
"ref_time": {
"type": "date"
},
"root_delay": {
"type": "double"
},
"root_disp": {
"type": "double"
},
"stratum": {
"type": "long"
},
"version": {
"type": "long"
},
"xmt_time": {
"type": "date"
}
}
},
"ocsp": {
"type": "object",
"properties": {
"file_id": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"type": "object",
"properties": {
"algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"revoke": {
"type": "object",
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"time": {
"type": "date"
}
}
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"update": {
"type": "object",
"properties": {
"next": {
"type": "date"
},
"this": {
"type": "date"
}
}
}
}
},
"pe": {
"type": "object",
"properties": {
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"compile_time": {
"type": "date"
},
"has_cert_table": {
"type": "boolean"
},
"has_debug_data": {
"type": "boolean"
},
"has_export_table": {
"type": "boolean"
},
"has_import_table": {
"type": "boolean"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"is_64bit": {
"type": "boolean"
},
"is_exe": {
"type": "boolean"
},
"machine": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"section_names": {
"ignore_above": 1024,
"type": "keyword"
},
"subsystem": {
"ignore_above": 1024,
"type": "keyword"
},
"uses_aslr": {
"type": "boolean"
},
"uses_code_integrity": {
"type": "boolean"
},
"uses_dep": {
"type": "boolean"
},
"uses_seh": {
"type": "boolean"
}
}
},
"radius": {
"type": "object",
"properties": {
"connect_info": {
"ignore_above": 1024,
"type": "keyword"
},
"framed_addr": {
"type": "ip"
},
"logged": {
"type": "boolean"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_ip": {
"type": "ip"
},
"reply_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"ttl": {
"type": "long"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rdp": {
"type": "object",
"properties": {
"cert": {
"type": "object",
"properties": {
"count": {
"type": "long"
},
"permanent": {
"type": "boolean"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"client": {
"type": "object",
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"client_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"desktop": {
"type": "object",
"properties": {
"color_depth": {
"ignore_above": 1024,
"type": "keyword"
},
"height": {
"type": "long"
},
"width": {
"type": "long"
}
}
},
"done": {
"type": "boolean"
},
"encryption": {
"type": "object",
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"keyboard_layout": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"security_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl": {
"type": "boolean"
}
}
},
"rfb": {
"type": "object",
"properties": {
"auth": {
"type": "object",
"properties": {
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"success": {
"type": "boolean"
}
}
},
"desktop_name": {
"ignore_above": 1024,
"type": "keyword"
},
"height": {
"type": "long"
},
"share_flag": {
"type": "boolean"
},
"version": {
"type": "object",
"properties": {
"client": {
"type": "object",
"properties": {
"major": {
"ignore_above": 1024,
"type": "keyword"
},
"minor": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"server": {
"type": "object",
"properties": {
"major": {
"ignore_above": 1024,
"type": "keyword"
},
"minor": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"width": {
"type": "long"
}
}
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"signature": {
"type": "object",
"properties": {
"event_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"host_count": {
"type": "long"
},
"note": {
"ignore_above": 1024,
"type": "keyword"
},
"sig_count": {
"type": "long"
},
"sig_id": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sip": {
"type": "object",
"properties": {
"call_id": {
"ignore_above": 1024,
"type": "keyword"
},
"content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"date": {
"ignore_above": 1024,
"type": "keyword"
},
"reply_to": {
"ignore_above": 1024,
"type": "keyword"
},
"request": {
"type": "object",
"properties": {
"body_length": {
"type": "long"
},
"from": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"to": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"response": {
"type": "object",
"properties": {
"body_length": {
"type": "long"
},
"from": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"to": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sequence": {
"type": "object",
"properties": {
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"number": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"status": {
"type": "object",
"properties": {
"code": {
"type": "long"
},
"msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"transaction_depth": {
"type": "long"
},
"uri": {
"ignore_above": 1024,
"type": "keyword"
},
"user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"warning": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"smb_cmd": {
"type": "object",
"properties": {
"argument": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"file": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"host": {
"type": "object",
"properties": {
"rx": {
"type": "ip"
},
"tx": {
"type": "ip"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rtt": {
"type": "double"
},
"smb1_offered_dialects": {
"ignore_above": 1024,
"type": "keyword"
},
"smb2_offered_dialects": {
"type": "long"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_command": {
"ignore_above": 1024,
"type": "keyword"
},
"tree": {
"ignore_above": 1024,
"type": "keyword"
},
"tree_service": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"smb_files": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"fid": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"previous_name": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"times": {
"type": "object",
"properties": {
"accessed": {
"type": "date"
},
"changed": {
"type": "date"
},
"created": {
"type": "date"
},
"modified": {
"type": "date"
}
}
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"smb_mapping": {
"type": "object",
"properties": {
"native_file_system": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"ignore_above": 1024,
"type": "keyword"
},
"share_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"smtp": {
"type": "object",
"properties": {
"cc": {
"ignore_above": 1024,
"type": "keyword"
},
"date": {
"type": "date"
},
"first_received": {
"ignore_above": 1024,
"type": "keyword"
},
"from": {
"ignore_above": 1024,
"type": "keyword"
},
"fuids": {
"ignore_above": 1024,
"type": "keyword"
},
"has_client_activity": {
"type": "boolean"
},
"helo": {
"ignore_above": 1024,
"type": "keyword"
},
"in_reply_to": {
"ignore_above": 1024,
"type": "keyword"
},
"is_webmail": {
"type": "boolean"
},
"last_reply": {
"ignore_above": 1024,
"type": "keyword"
},
"mail_from": {
"ignore_above": 1024,
"type": "keyword"
},
"msg_id": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"type": "ip"
},
"process_received_from": {
"type": "boolean"
},
"rcpt_to": {
"ignore_above": 1024,
"type": "keyword"
},
"reply_to": {
"ignore_above": 1024,
"type": "keyword"
},
"second_received": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"tls": {
"type": "boolean"
},
"to": {
"ignore_above": 1024,
"type": "keyword"
},
"transaction_depth": {
"type": "long"
},
"user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"x_originating_ip": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"snmp": {
"type": "object",
"properties": {
"community": {
"ignore_above": 1024,
"type": "keyword"
},
"display_string": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "double"
},
"get": {
"type": "object",
"properties": {
"bulk_requests": {
"type": "long"
},
"requests": {
"type": "long"
},
"responses": {
"type": "long"
}
}
},
"set": {
"type": "object",
"properties": {
"requests": {
"type": "long"
}
}
},
"up_since": {
"type": "date"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"socks": {
"type": "object",
"properties": {
"bound": {
"type": "object",
"properties": {
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
}
}
},
"capture_password": {
"type": "boolean"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"request": {
"type": "object",
"properties": {
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
}
}
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
}
}
},
"ssh": {
"type": "object",
"properties": {
"algorithm": {
"type": "object",
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"compression": {
"ignore_above": 1024,
"type": "keyword"
},
"host_key": {
"ignore_above": 1024,
"type": "keyword"
},
"key_exchange": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"auth": {
"type": "object",
"properties": {
"attempts": {
"type": "long"
},
"success": {
"type": "boolean"
}
}
},
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"host_key": {
"ignore_above": 1024,
"type": "keyword"
},
"server": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
}
}
},
"ssl": {
"type": "object",
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"client": {
"type": "object",
"properties": {
"cert_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_chain_fuids": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"subject": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"curve": {
"ignore_above": 1024,
"type": "keyword"
},
"established": {
"type": "boolean"
},
"last_alert": {
"ignore_above": 1024,
"type": "keyword"
},
"next_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"resumed": {
"type": "boolean"
},
"server": {
"type": "object",
"properties": {
"cert_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"cert_chain_fuids": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"validation": {
"type": "object",
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"stats": {
"type": "object",
"properties": {
"bytes": {
"type": "object",
"properties": {
"received": {
"type": "long"
}
}
},
"connections": {
"type": "object",
"properties": {
"icmp": {
"type": "object",
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
},
"tcp": {
"type": "object",
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
},
"udp": {
"type": "object",
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
}
}
},
"dns_requests": {
"type": "object",
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
},
"events": {
"type": "object",
"properties": {
"processed": {
"type": "long"
},
"queued": {
"type": "long"
}
}
},
"files": {
"type": "object",
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
},
"memory": {
"type": "long"
},
"packets": {
"type": "object",
"properties": {
"dropped": {
"type": "long"
},
"processed": {
"type": "long"
},
"received": {
"type": "long"
}
}
},
"peer": {
"ignore_above": 1024,
"type": "keyword"
},
"reassembly_size": {
"type": "object",
"properties": {
"file": {
"type": "long"
},
"frag": {
"type": "long"
},
"tcp": {
"type": "long"
},
"unknown": {
"type": "long"
}
}
},
"timers": {
"type": "object",
"properties": {
"active": {
"type": "long"
},
"count": {
"type": "long"
}
}
},
"timestamp_lag": {
"type": "long"
}
}
},
"syslog": {
"type": "object",
"properties": {
"facility": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tunnel": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"weird": {
"type": "object",
"properties": {
"additional_info": {
"ignore_above": 1024,
"type": "keyword"
},
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"notice": {
"type": "boolean"
},
"peer": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"x509": {
"type": "object",
"properties": {
"basic_constraints": {
"type": "object",
"properties": {
"certificate_authority": {
"type": "boolean"
},
"path_length": {
"type": "long"
}
}
},
"certificate": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"curve": {
"ignore_above": 1024,
"type": "keyword"
},
"exponent": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"key": {
"type": "object",
"properties": {
"algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"length": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"type": "object",
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"valid": {
"type": "object",
"properties": {
"from": {
"type": "date"
},
"until": {
"type": "date"
}
}
},
"version": {
"type": "long"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"log_cert": {
"type": "boolean"
},
"san": {
"type": "object",
"properties": {
"dns": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"other_fields": {
"type": "boolean"
},
"uri": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"zookeeper": {
"type": "object",
"properties": {
"audit": {
"type": "object",
"properties": {
"acl": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"session": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"znode": {
"ignore_above": 1024,
"type": "keyword"
},
"znode_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"zoom": {
"type": "object",
"properties": {
"account": {
"type": "object",
"properties": {
"account_alias": {
"ignore_above": 1024,
"type": "keyword"
},
"account_name": {
"ignore_above": 1024,
"type": "keyword"
},
"account_support_email": {
"ignore_above": 1024,
"type": "keyword"
},
"account_support_name": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"owner_email": {
"ignore_above": 1024,
"type": "keyword"
},
"owner_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"chat_channel": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"chat_message": {
"type": "object",
"properties": {
"channel_id": {
"ignore_above": 1024,
"type": "keyword"
},
"channel_name": {
"ignore_above": 1024,
"type": "keyword"
},
"contact_email": {
"ignore_above": 1024,
"type": "keyword"
},
"contact_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"creation_type": {
"ignore_above": 1024,
"type": "keyword"
},
"master_account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"meeting": {
"type": "object",
"properties": {
"duration": {
"type": "long"
},
"host_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"issues": {
"ignore_above": 1024,
"type": "keyword"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"start_time": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"topic": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"old_values": {
"type": "flattened"
},
"operator": {
"ignore_above": 1024,
"type": "keyword"
},
"operator_id": {
"ignore_above": 1024,
"type": "keyword"
},
"participant": {
"type": "object",
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"join_time": {
"type": "date"
},
"leave_time": {
"type": "date"
},
"sharing_details": {
"type": "object",
"properties": {
"content": {
"ignore_above": 1024,
"type": "keyword"
},
"date_time": {
"ignore_above": 1024,
"type": "keyword"
},
"file_link": {
"ignore_above": 1024,
"type": "keyword"
},
"link_source": {
"ignore_above": 1024,
"type": "keyword"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user_id": {
"ignore_above": 1024,
"type": "keyword"
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"phone": {
"type": "object",
"properties": {
"answer_start_time": {
"type": "date"
},
"call_end_time": {
"type": "date"
},
"call_id": {
"ignore_above": 1024,
"type": "keyword"
},
"callee": {
"type": "object",
"properties": {
"device_type": {
"ignore_above": 1024,
"type": "keyword"
},
"extension_number": {
"ignore_above": 1024,
"type": "keyword"
},
"extension_type": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"number_type": {
"ignore_above": 1024,
"type": "keyword"
},
"phone_number": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"user_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"caller": {
"type": "object",
"properties": {
"device_type": {
"ignore_above": 1024,
"type": "keyword"
},
"extension_number": {
"ignore_above": 1024,
"type": "keyword"
},
"extension_type": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"number_type": {
"ignore_above": 1024,
"type": "keyword"
},
"phone_number": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"user_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"connected_start_time": {
"type": "date"
},
"date_time": {
"type": "date"
},
"download_url": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "long"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ringing_start_time": {
"type": "date"
},
"user_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"recording": {
"type": "object",
"properties": {
"duration": {
"type": "long"
},
"host_email": {
"ignore_above": 1024,
"type": "keyword"
},
"host_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"recording_count": {
"type": "long"
},
"recording_file": {
"type": "object",
"properties": {
"recording_end": {
"type": "date"
},
"recording_start": {
"type": "date"
}
}
},
"share_url": {
"ignore_above": 1024,
"type": "keyword"
},
"start_time": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"topic": {
"ignore_above": 1024,
"type": "keyword"
},
"total_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"registrant": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"city": {
"ignore_above": 1024,
"type": "keyword"
},
"comments": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"first_name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"industry": {
"ignore_above": 1024,
"type": "keyword"
},
"job_title": {
"ignore_above": 1024,
"type": "keyword"
},
"join_url": {
"ignore_above": 1024,
"type": "keyword"
},
"last_name": {
"ignore_above": 1024,
"type": "keyword"
},
"no_of_employees": {
"ignore_above": 1024,
"type": "keyword"
},
"org": {
"ignore_above": 1024,
"type": "keyword"
},
"phone": {
"ignore_above": 1024,
"type": "keyword"
},
"purchasing_time_frame": {
"ignore_above": 1024,
"type": "keyword"
},
"role_in_purchase_process": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"zip": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"settings": {
"type": "flattened"
},
"sub_account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"user": {
"type": "object",
"properties": {
"client_type": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"dept": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"first_name": {
"ignore_above": 1024,
"type": "keyword"
},
"host_key": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"language": {
"ignore_above": 1024,
"type": "keyword"
},
"last_name": {
"ignore_above": 1024,
"type": "keyword"
},
"personal_notes": {
"ignore_above": 1024,
"type": "keyword"
},
"phone_country": {
"ignore_above": 1024,
"type": "keyword"
},
"phone_number": {
"ignore_above": 1024,
"type": "keyword"
},
"pic_url": {
"ignore_above": 1024,
"type": "keyword"
},
"pmi": {
"ignore_above": 1024,
"type": "keyword"
},
"presence_status": {
"ignore_above": 1024,
"type": "keyword"
},
"role": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"use_pmi": {
"type": "boolean"
},
"vanity_name": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"webinar": {
"type": "object",
"properties": {
"agenda": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "long"
},
"host_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"issues": {
"ignore_above": 1024,
"type": "keyword"
},
"join_url": {
"ignore_above": 1024,
"type": "keyword"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"start_time": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"topic": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zoomroom": {
"type": "object",
"properties": {
"alert_kind": {
"ignore_above": 1024,
"type": "keyword"
},
"alert_type": {
"ignore_above": 1024,
"type": "keyword"
},
"calendar_id": {
"ignore_above": 1024,
"type": "keyword"
},
"calendar_name": {
"ignore_above": 1024,
"type": "keyword"
},
"change_key": {
"ignore_above": 1024,
"type": "keyword"
},
"component": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"issue": {
"ignore_above": 1024,
"type": "keyword"
},
"resource_email": {
"ignore_above": 1024,
"type": "keyword"
},
"room_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"aliases": {
"demo": {}
}
},
"index_patterns": [
"demo-*"
]
}
Under Logistics, set the name of the index template and its index pattern (here demo and demo-*), and toggle off Create data stream so that the template creates regular indices instead of a data stream; the rollover alias used below only works with regular indices.
Also, if you set a priority, make sure it differs from the priority of the Filebeat template you cloned: Elasticsearch rejects two index templates whose index patterns overlap and whose priority is the same.
On Component templates, keep the defaults and proceed to the next page.
Under Index settings, we only change two things: the ILM policy (index.lifecycle.name) and the index rollover alias (index.lifecycle.rollover_alias). A cloned Filebeat template is configured to use the Filebeat ILM policy by default, so point it at your own policy instead.
Under Mappings, keep the defaults; the cloned template already carries the Filebeat field mappings shown above.
Skip Index Aliases. A policy that uses the rollover action does need an alias, but it is attached to the bootstrap index in the next section rather than defined in the template; if the template itself lists the rollover alias, every new index would receive it and the rollover API refuses to proceed because the alias could point to more than one index.
Review the template and create it.
Create the Index
To begin using the custom index, you need to bootstrap it and designate it as the write index for the rollover alias set in the index template. The name of this index must match the template's index pattern and end with a number (conventionally zero-padded, for example 000001); on rollover, that number is incremented to name the next index.
To create the index, execute the API request below from the Kibana console (Kibana > Management > Dev Tools > Console);
PUT <index-name>
{
"aliases": {
"ALIAS_NAME": {
"is_write_index": true
}
}
}
For example, in my setup I am creating an index named <demo-{now/d}-000001>, using date math so that today's date is embedded in the name. The angle brackets, braces and slash are not valid in a URL path, so the name is percent-encoded in the request as shown below;
PUT %3Cdemo-%7Bnow%2Fd%7D-000001%3E
{
"aliases": {
"demo": {
"is_write_index": true
}
}
}
Sample output;
{
"demo-2023.07.01-000001": {
"aliases": {
"demo": {
"is_write_index": true
}
}
}
}
You can also do this from the command line with curl, as long as you can reach the Elasticsearch API and have credentials with the manage privileges for the index;
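The following script is an added example and not part of the original guide: it is the API equivalent of the Kibana steps above (ILM policy, index template, bootstrap write index) and of the PUT shown above, done with curl. It assumes the environment variables ES_URL, ES_USER, ES_PASS and CA_CERT, a template priority of 200, and defaults the alias, policy and index prefix to the page's demo names; none of those values come from the page. The template it creates deliberately carries no mappings (the Kibana clone inherits them from Filebeat), so paste the cloned template's template.mappings in if you rely on the module fields.

```sh
#!/bin/sh
# Added example (not from the page): API equivalent of the Kibana steps above.
# Assumed environment (not from the page): ES_URL (e.g. https://elk.example.com:9200),
# ES_USER, ES_PASS and CA_CERT (path to the cluster CA certificate).
set -eu

ALIAS="${ALIAS:-demo}"     # rollover alias that Filebeat's output.elasticsearch.index points at
POLICY="${POLICY:-demo}"   # ILM policy name, as in the page's _ilm/explain output
PREFIX="${PREFIX:-demo}"   # concrete indices are named ${PREFIX}-<date>-<6-digit counter>

# Percent-encode a date-math index name for use in a URL path, for example
#   <demo-{now/d}-000001>  ->  %3Cdemo-%7Bnow%2Fd%7D-000001%3E
encode_index_name() {
  printf '%s' "$1" | sed -e 's/</%3C/g' -e 's/>/%3E/g' -e 's/{/%7B/g' -e 's/}/%7D/g' \
    -e 's,/,%2F,g' -e 's/|/%7C/g' -e 's/+/%2B/g' -e 's/:/%3A/g' -e 's/,/%2C/g'
}

# ILM policy with the same hot-phase rollover conditions the page's explain output shows.
policy_body() {
cat <<EOF
{"policy":{"phases":{"hot":{"min_age":"0ms","actions":{
  "set_priority":{"priority":100},
  "rollover":{"max_age":"5m","max_primary_shard_size":"2mb"}}}}}}
EOF
}

# Index template: no data_stream block (regular indices), ILM policy and rollover alias
# in the index settings, and the alias deliberately NOT listed under "aliases", because
# rollover refuses an alias that the matching template would copy onto every new index.
# Priority 200 is an assumption; it only has to differ from overlapping templates.
template_body() {
cat <<EOF
{"index_patterns":["${PREFIX}-*"],"priority":200,
 "template":{"settings":{"index.lifecycle.name":"${POLICY}",
   "index.lifecycle.rollover_alias":"${ALIAS}"}}}
EOF
}

# Bootstrap body: the first index becomes the write index of the alias.
bootstrap_body() {
  printf '{"aliases":{"%s":{"is_write_index":true}}}' "${ALIAS}"
}

# curl wrapper: es METHOD PATH, JSON body on stdin for non-GET requests.
# TLS is verified against the cluster CA; credentials come from the environment.
es() {
  if [ "$1" = GET ]; then
    curl -sS --fail --cacert "${CA_CERT}" -u "${ES_USER}:${ES_PASS}" "${ES_URL}/$2"
  else
    curl -sS --fail --cacert "${CA_CERT}" -u "${ES_USER}:${ES_PASS}" \
      -H 'Content-Type: application/json' -X "$1" "${ES_URL}/$2" --data-binary @-
  fi
}

# Only talk to a cluster when one is configured; the functions above also work offline.
if [ -n "${ES_URL:-}" ]; then
  policy_body    | es PUT "_ilm/policy/${POLICY}"
  template_body  | es PUT "_index_template/${PREFIX}"
  bootstrap_body | es PUT "$(encode_index_name "<${PREFIX}-{now/d}-000001>")"
  # Check: exactly one index must carry is_write_index:true, otherwise rollover cannot
  # pick a write index and Filebeat's writes to the alias fail.
  writers=$(es GET "_alias/${ALIAS}" | grep -c '"is_write_index":true' || true)
  [ "${writers}" -eq 1 ] || { echo "expected one write index for ${ALIAS}, found ${writers}" >&2; exit 1; }
  es GET "${PREFIX}-*/_ilm/explain"
fi
```

Run it once with ES_URL and the credentials exported; rerunning it is harmless for the policy and template, but the bootstrap PUT fails if an index with today's date and counter 000001 already exists, which is the intended guard against creating a second write index.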
You should now be able to see your index created;
Configuring Filebeat 8 to Write Logs to Specific Index
Now that the index template is created and the custom index is bootstrapped, how do you configure Filebeat to write its events to that index?
Open the Filebeat configuration file for editing;
vim /etc/filebeat/filebeat.yml
Set the index name to the rollover alias (demo), not to the concrete index name, so that Elasticsearch routes events to whichever index is currently the write index; then set the template name and template pattern to match the index template created above. See my config below;
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  hosts: ["elk.kifarunix-demo.com:9200"]
  protocol: "https"
  ssl.certificate_authorities: ["/etc/filebeat/elastic-ca.crt"]
  # Write to the rollover alias, not to a concrete index name: Elasticsearch routes
  # events to the alias's current write index, so rollover keeps working
  index: demo
  # The elastic superuser is used here for the demo; in production use a dedicated
  # user with write privileges on demo-* only, and keep the password in the Filebeat
  # keystore (filebeat keystore add ES_PWD, then password: "${ES_PWD}")
  username: "elastic"
  password: "ALL16n6Xv5yJclrWt5Sc"
#
# Must match the template name and index pattern created in Kibana above. With the
# default setup.template.overwrite: false, Filebeat leaves that existing template untouched
setup.template.name: "demo"
setup.template.pattern: "demo-*"
Save and exit the file.
Check the configuration for syntax errors and make sure the output ends with Config OK (filebeat test output additionally verifies that Filebeat can reach and authenticate to Elasticsearch over TLS);
filebeat test config
Restart Filebeat;
systemctl restart filebeat
Verify Data Reception on Custom Index
Navigate to Index management > Indices and search for index pattern;
As you can see, the index size is now 356 KB, which means data is being written to our index;
If you keep watching, the index is rolled over according to the ILM policy (here after 5 minutes or 2 MB per primary shard, as the explain output shows).
You can also check the lifecycle state of the indices with the ILM explain API; in the output below, 000001 has completed its rollover and 000002 is the new write index waiting on the rollover conditions:
GET demo-*/_ilm/explain
Sample output;
{
"indices": {
"demo-2023.07.01-000001": {
"index": "demo-2023.07.01-000001",
"managed": true,
"policy": "demo",
"index_creation_date_millis": 1688235705996,
"time_since_index_creation": "18.06m",
"lifecycle_date_millis": 1688236507512,
"age": "4.7m",
"phase": "hot",
"phase_time_millis": 1688235706480,
"action": "complete",
"action_time_millis": 1688236508513,
"step": "complete",
"step_time_millis": 1688236508513,
"phase_execution": {
"policy": "demo",
"phase_definition": {
"min_age": "0ms",
"actions": {
"set_priority": {
"priority": 100
},
"rollover": {
"max_age": "5m",
"max_primary_shard_size": "2mb"
}
}
},
"version": 1,
"modified_date_in_millis": 1688231867049
}
},
"demo-2023.07.01-000002": {
"index": "demo-2023.07.01-000002",
"managed": true,
"policy": "demo",
"index_creation_date_millis": 1688236507494,
"time_since_index_creation": "4.7m",
"lifecycle_date_millis": 1688236507494,
"age": "4.7m",
"phase": "hot",
"phase_time_millis": 1688236507912,
"action": "rollover",
"action_time_millis": 1688236508313,
"step": "check-rollover-ready",
"step_time_millis": 1688236508313,
"phase_execution": {
"policy": "demo",
"phase_definition": {
"min_age": "0ms",
"actions": {
"set_priority": {
"priority": 100
},
"rollover": {
"max_age": "5m",
"max_primary_shard_size": "2mb"
}
}
},
"version": 1,
"modified_date_in_millis": 1688231867049
}
}
}
}
Create Kibana Data View
You can now create a Kibana data view for your custom index so you can visualize the data.
Navigate to Management > Kibana > Data Views > Create Data View, use the index pattern of your custom index (demo-*), and save the data view.
Visualize Data on Kibana
You can now visualize the data on Kibana by navigating to Analytics > Discover and select your data view from the drop down;
And there you go!
You can also follow the guide below to configure Filebeat 8 to write logs to a specific data stream;
Configure Filebeat 8 to Write Logs to Specific Data Stream