diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts index 76e4a8803fd343..a29c1023caf673 100644 --- a/packages/kbn-rule-data-utils/src/technical_field_names.ts +++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts @@ -34,6 +34,7 @@ const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; const ALERT_ID = `${ALERT_NAMESPACE}.id` as const; const ALERT_OWNER = `${ALERT_NAMESPACE}.owner` as const; +const ALERT_CONSUMERS = `${ALERT_NAMESPACE}.consumers` as const; const ALERT_PRODUCER = `${ALERT_NAMESPACE}.producer` as const; const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const; const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const; @@ -70,6 +71,7 @@ const ALERT_RULE_SEVERITY_MAPPING = `${ALERT_RULE_NAMESPACE}.severity_mapping` a const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const; const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const; const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const; +const ALERT_RULE_TYPE_ID = `${ALERT_RULE_NAMESPACE}.rule_type_id` as const; const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const; const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const; const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const; @@ -99,6 +101,7 @@ const fields = { ALERT_EVALUATION_VALUE, ALERT_ID, ALERT_OWNER, + ALERT_CONSUMERS, ALERT_PRODUCER, ALERT_REASON, ALERT_RISK_SCORE, @@ -124,6 +127,7 @@ const fields = { ALERT_RULE_TAGS, ALERT_RULE_TO, ALERT_RULE_TYPE, + ALERT_RULE_TYPE_ID, ALERT_RULE_UPDATED_AT, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, @@ -151,6 +155,7 @@ export { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE, ALERT_OWNER, + ALERT_CONSUMERS, ALERT_PRODUCER, ALERT_REASON, ALERT_RISK_SCORE, @@ -179,6 +184,7 @@ export { ALERT_RULE_TAGS, ALERT_RULE_TO, ALERT_RULE_TYPE, + ALERT_RULE_TYPE_ID, ALERT_RULE_UPDATED_AT, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, diff --git a/x-pack/plugins/rule_registry/server/index.ts b/x-pack/plugins/rule_registry/server/index.ts index af086abadbb728..cbd8145a44fe78 100644 --- a/x-pack/plugins/rule_registry/server/index.ts +++ b/x-pack/plugins/rule_registry/server/index.ts @@ -11,11 +11,11 @@ import { RuleRegistryPlugin } from './plugin'; export * from './config'; export type { RuleRegistryPluginSetupContract, RuleRegistryPluginStartContract } from './plugin'; export type { RacRequestHandlerContext, RacApiRequestHandlerContext } from './types'; +export { RuleDataPluginService } from './rule_data_plugin_service'; export { RuleDataClient } from './rule_data_client'; export { IRuleDataClient } from './rule_data_client/types'; export { getRuleData, RuleExecutorData } from './utils/get_rule_executor_data'; export { createLifecycleRuleTypeFactory } from './utils/create_lifecycle_rule_type_factory'; -export { RuleDataPluginService } from './rule_data_plugin_service'; export { LifecycleRuleExecutor, LifecycleAlertService, diff --git a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts index a9e559a6b19325..94427eee2e2e5d 100644 --- a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts +++ b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts @@ -96,10 +96,20 @@ export class RuleDataClient implements IRuleDataClient { if (response.body.errors) { if ( response.body.items.length > 0 && - response.body.items?.[0]?.index?.error?.type === 'index_not_found_exception' + (response.body.items.every( + (item) => item.index?.error?.type === 'index_not_found_exception' + ) || + response.body.items.every( + (item) => item.index?.error?.type === 'illegal_argument_exception' + )) ) { return this.createWriteTargetIfNeeded({ namespace }).then(() => { - return clusterClient.bulk(requestWithDefaultParameters); + return clusterClient.bulk(requestWithDefaultParameters).then((retryResponse) => { + if (retryResponse.body.errors) { + throw new ResponseError(retryResponse); + } + return retryResponse; + }); }); } const error = new ResponseError(response); @@ -116,13 +126,14 @@ export class RuleDataClient implements IRuleDataClient { const clusterClient = await this.getClusterClient(); - const { body: aliasExists } = await clusterClient.indices.existsAlias({ - name: alias, + const { body: indicesExist } = await clusterClient.indices.exists({ + index: `${alias}-*`, + allow_no_indices: false, }); const concreteIndexName = `${alias}-000001`; - if (!aliasExists) { + if (!indicesExist) { try { await clusterClient.indices.create({ index: concreteIndexName, @@ -135,11 +146,37 @@ export class RuleDataClient implements IRuleDataClient { }, }); } catch (err) { - // something might have created the index already, that sounds OK - if (err?.meta?.body?.error?.type !== 'resource_already_exists_exception') { + // If the index already exists and it's the write index for the alias, + // something else created it so suppress the error. If it's not the write + // index, that's bad, throw an error. + if (err?.meta?.body?.error?.type === 'resource_already_exists_exception') { + const { body: existingIndices } = await clusterClient.indices.get({ + index: concreteIndexName, + }); + if (!existingIndices[concreteIndexName]?.aliases?.[alias]?.is_write_index) { + throw Error( + `Attempted to create index: ${concreteIndexName} as the write index for alias: ${alias}, but the index already exists and is not the write index for the alias` + ); + } + } else { throw err; } } + } else { + // If we find indices matching the pattern, then we expect one of them to be the write index for the alias. + // Throw an error if none of them are the write index. + const { body: aliasesResponse } = await clusterClient.indices.getAlias({ + index: `${alias}-*`, + }); + if ( + !Object.entries(aliasesResponse).some( + ([_, aliasesObject]) => aliasesObject.aliases[alias]?.is_write_index + ) + ) { + throw Error( + `Indices matching pattern ${alias}-* exist but none are set as the write index for alias ${alias}` + ); + } } } } diff --git a/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts b/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts index 3c96e4583e32a3..26f2385d94f1fd 100644 --- a/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts +++ b/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts @@ -58,7 +58,7 @@ describe('Alert details with unmapped fields', () => { it('Displays the unmapped field on the table', () => { const expectedUnmmappedField = { - row: 55, + row: 88, field: 'unmapped', text: 'This is the unmapped field', }; diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts index c1cfe321777bbb..10ebae84365f56 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts @@ -54,7 +54,7 @@ describe('Alert details with unmapped fields', () => { it('Displays the unmapped field on the table', () => { const expectedUnmmappedField = { - row: 55, + row: 88, field: 'unmapped', text: 'This is the unmapped field', }; diff --git a/x-pack/plugins/security_solution/server/client/client.ts b/x-pack/plugins/security_solution/server/client/client.ts index ffab9a1cbdfbff..a94a0fa920c651 100644 --- a/x-pack/plugins/security_solution/server/client/client.ts +++ b/x-pack/plugins/security_solution/server/client/client.ts @@ -9,12 +9,15 @@ import { ConfigType } from '../config'; export class AppClient { private readonly signalsIndex: string; + private readonly spaceId: string; - constructor(private spaceId: string, private config: ConfigType) { + constructor(_spaceId: string, private config: ConfigType) { const configuredSignalsIndex = this.config.signalsIndex; - this.signalsIndex = `${configuredSignalsIndex}-${this.spaceId}`; + this.signalsIndex = `${configuredSignalsIndex}-${_spaceId}`; + this.spaceId = _spaceId; } public getSignalsIndex = (): string => this.signalsIndex; + public getSpaceId = (): string => this.spaceId; } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap index 4f060746b92b0c..80ae8b9309f1f2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap @@ -5,4529 +5,4917 @@ Object { "index_patterns": Array [ "test-index-*", ], - "mappings": Object { - "_meta": Object { - "version": 45, + "template": Object { + "aliases": Object { + ".alerts-security.alerts-space-id": Object { + "is_write_index": false, + }, }, - "dynamic": false, - "properties": Object { - "@timestamp": Object { - "type": "date", + "mappings": Object { + "_meta": Object { + "aliases_version": 1, + "version": 55, }, - "agent": Object { - "properties": Object { - "build": Object { - "properties": Object { - "original": Object { - "ignore_above": 1024, - "type": "keyword", + "dynamic": false, + "properties": Object { + "@timestamp": Object { + "type": "date", + }, + "agent": Object { + "properties": Object { + "build": Object { + "properties": Object { + "original": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "ephemeral_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", + "ephemeral_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", }, }, }, }, - }, - "client": Object { - "properties": Object { - "address": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "client": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", }, }, }, }, - }, - "bytes": Object { - "type": "long", - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "bytes": Object { + "type": "long", }, - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "nat": Object { - "properties": Object { - "ip": Object { - "type": "ip", - }, - "port": Object { - "type": "long", - }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "packets": Object { - "type": "long", - }, - "port": Object { - "type": "long", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "user": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", }, - "ignore_above": 1024, - "type": "keyword", }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "packets": Object { + "type": "long", + }, + "port": Object { + "type": "long", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", }, }, }, }, - }, - "cloud": Object { - "properties": Object { - "account": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "cloud": Object { + "properties": Object { + "account": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "availability_zone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "instance": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "availability_zone": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "machine": Object { - "properties": Object { - "type": Object { - "ignore_above": 1024, - "type": "keyword", + "instance": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "project": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", + "machine": Object { + "properties": Object { + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "project": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "provider": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "service": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "service": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, }, }, - }, - "code_signature": Object { - "properties": Object { - "exists": Object { - "type": "boolean", - }, - "status": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "trusted": Object { - "type": "boolean", - }, - "valid": Object { - "type": "boolean", + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, }, }, - }, - "container": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "image": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "tag": Object { - "ignore_above": 1024, - "type": "keyword", + "container": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "image": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "tag": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "labels": Object { - "type": "object", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "runtime": Object { - "ignore_above": 1024, - "type": "keyword", + "labels": Object { + "type": "object", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "runtime": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "data_stream": Object { - "properties": Object { - "dataset": Object { - "type": "keyword", - }, - "namespace": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", + "data_stream": Object { + "properties": Object { + "dataset": Object { + "type": "keyword", + }, + "namespace": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, }, }, - }, - "destination": Object { - "properties": Object { - "address": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "destination": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", }, }, }, }, - }, - "bytes": Object { - "type": "long", - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "bytes": Object { + "type": "long", }, - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "nat": Object { - "properties": Object { - "ip": Object { - "type": "ip", - }, - "port": Object { - "type": "long", - }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "packets": Object { - "type": "long", - }, - "port": Object { - "type": "long", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "user": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", }, - "ignore_above": 1024, - "type": "keyword", }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "packets": Object { + "type": "long", + }, + "port": Object { + "type": "long", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", }, }, }, }, - }, - "dll": Object { - "properties": Object { - "code_signature": Object { - "properties": Object { - "exists": Object { - "type": "boolean", - }, - "signing_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "status": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "team_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "trusted": Object { - "type": "boolean", - }, - "valid": Object { - "type": "boolean", + "dll": Object { + "properties": Object { + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, }, }, - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha512": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ssdeep": Object { - "ignore_above": 1024, - "type": "keyword", + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "path": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "pe": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "file_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "imphash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original_file_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, }, }, - }, - "dns": Object { - "properties": Object { - "answers": Object { - "properties": Object { - "class": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "data": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ttl": Object { - "type": "long", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", + "dns": Object { + "properties": Object { + "answers": Object { + "properties": Object { + "class": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "data": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ttl": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, + "type": "object", }, - "type": "object", - }, - "header_flags": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "op_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "question": Object { - "properties": Object { - "class": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", + "header_flags": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "op_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "question": Object { + "properties": Object { + "class": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "resolved_ip": Object { - "type": "ip", - }, - "response_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", + "resolved_ip": Object { + "type": "ip", + }, + "response_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "ecs": Object { - "properties": Object { - "version": Object { - "ignore_above": 1024, - "type": "keyword", + "ecs": Object { + "properties": Object { + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "error": Object { - "properties": Object { - "code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "message": Object { - "norms": false, - "type": "text", - }, - "stack_trace": Object { - "doc_values": false, - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "error": Object { + "properties": Object { + "code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "message": Object { + "norms": false, + "type": "text", + }, + "stack_trace": Object { + "doc_values": false, + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "index": false, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "index": false, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", }, }, - }, - "event": Object { - "properties": Object { - "action": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "category": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "created": Object { - "type": "date", - }, - "dataset": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "duration": Object { - "type": "long", - }, - "end": Object { - "type": "date", - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ingested": Object { - "type": "date", - }, - "kind": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "module": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original": Object { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword", - }, - "outcome": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "provider": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reason": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "risk_score": Object { - "type": "float", - }, - "risk_score_norm": Object { - "type": "float", - }, - "sequence": Object { - "type": "long", - }, - "severity": Object { - "type": "long", - }, - "start": Object { - "type": "date", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "url": Object { - "ignore_above": 1024, - "type": "keyword", + "event": Object { + "properties": Object { + "action": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "category": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "created": Object { + "type": "date", + }, + "dataset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "duration": Object { + "type": "long", + }, + "end": Object { + "type": "date", + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ingested": Object { + "type": "date", + }, + "kind": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "module": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original": Object { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword", + }, + "outcome": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reason": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_norm": Object { + "type": "float", + }, + "sequence": Object { + "type": "long", + }, + "severity": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "url": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "file": Object { - "properties": Object { - "accessed": Object { - "type": "date", - }, - "attributes": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "code_signature": Object { - "properties": Object { - "exists": Object { - "type": "boolean", - }, - "signing_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "status": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "team_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "trusted": Object { - "type": "boolean", - }, - "valid": Object { - "type": "boolean", - }, + "file": Object { + "properties": Object { + "accessed": Object { + "type": "date", }, - }, - "created": Object { - "type": "date", - }, - "ctime": Object { - "type": "date", - }, - "device": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "directory": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "drive_letter": Object { - "ignore_above": 1, - "type": "keyword", - }, - "extension": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "gid": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha512": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ssdeep": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "attributes": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "inode": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "mime_type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "mode": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "mtime": Object { - "type": "date", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "owner": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "path": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, }, }, - "ignore_above": 1024, - "type": "keyword", - }, - "pe": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", + "created": Object { + "type": "date", + }, + "ctime": Object { + "type": "date", + }, + "device": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "directory": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "drive_letter": Object { + "ignore_above": 1, + "type": "keyword", + }, + "extension": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "gid": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "file_version": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "inode": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mime_type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mode": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mtime": Object { + "type": "date", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "owner": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "imphash": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "original_file_name": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "size": Object { + "type": "long", + }, + "target_path": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "uid": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "x509": Object { + "properties": Object { + "alternative_names": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "issuer": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "public_key_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_exponent": Object { + "doc_values": false, + "index": false, + "type": "long", + }, + "public_key_size": Object { + "type": "long", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "signature_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "version_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, }, - "size": Object { - "type": "long", - }, - "target_path": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "uid": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "x509": Object { - "properties": Object { - "alternative_names": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "host": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "cpu": Object { + "properties": Object { + "usage": Object { + "scaling_factor": 1000, + "type": "scaled_float", + }, }, - "issuer": Object { - "properties": Object { - "common_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "disk": Object { + "properties": Object { + "read": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "write": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, }, }, }, - "not_after": Object { - "type": "date", - }, - "not_before": Object { - "type": "date", - }, - "public_key_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_curve": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_exponent": Object { - "doc_values": false, - "index": false, - "type": "long", - }, - "public_key_size": Object { - "type": "long", - }, - "serial_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "signature_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "subject": Object { - "properties": Object { - "common_name": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "hostname": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "network": Object { + "properties": Object { + "egress": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "packets": Object { + "type": "long", + }, }, - "country": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "ingress": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "packets": Object { + "type": "long", + }, }, - "distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", + }, + }, + }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "uptime": Object { + "type": "long", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "version_number": Object { - "ignore_above": 1024, - "type": "keyword", }, }, }, }, - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha512": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "host": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "cpu": Object { - "properties": Object { - "usage": Object { - "scaling_factor": 1000, - "type": "scaled_float", - }, - }, - }, - "disk": Object { - "properties": Object { - "read": Object { - "properties": Object { - "bytes": Object { - "type": "long", + "http": Object { + "properties": Object { + "request": Object { + "properties": Object { + "body": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "content": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, }, }, + "bytes": Object { + "type": "long", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "method": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mime_type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "referrer": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "write": Object { - "properties": Object { - "bytes": Object { - "type": "long", + }, + "response": Object { + "properties": Object { + "body": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "content": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, }, }, + "bytes": Object { + "type": "long", + }, + "mime_type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status_code": Object { + "type": "long", + }, }, }, - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", }, }, - "hostname": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "interface": Object { + "properties": Object { + "alias": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "network": Object { - "properties": Object { - "egress": Object { - "properties": Object { - "bytes": Object { - "type": "long", - }, - "packets": Object { - "type": "long", - }, - }, - }, - "ingress": Object { - "properties": Object { - "bytes": Object { - "type": "long", - }, - "packets": Object { - "type": "long", - }, + }, + "kibana.alert.ancestors.depth": Object { + "path": "signal.ancestors.depth", + "type": "alias", + }, + "kibana.alert.ancestors.id": Object { + "path": "signal.ancestors.id", + "type": "alias", + }, + "kibana.alert.ancestors.index": Object { + "path": "signal.ancestors.index", + "type": "alias", + }, + "kibana.alert.ancestors.type": Object { + "path": "signal.ancestors.type", + "type": "alias", + }, + "kibana.alert.consumers": Object { + "type": "constant_keyword", + "value": "siem", + }, + "kibana.alert.depth": Object { + "path": "signal.depth", + "type": "alias", + }, + "kibana.alert.original_event.action": Object { + "path": "signal.original_event.action", + "type": "alias", + }, + "kibana.alert.original_event.category": Object { + "path": "signal.original_event.category", + "type": "alias", + }, + "kibana.alert.original_event.code": Object { + "path": "signal.original_event.code", + "type": "alias", + }, + "kibana.alert.original_event.created": Object { + "path": "signal.original_event.created", + "type": "alias", + }, + "kibana.alert.original_event.dataset": Object { + "path": "signal.original_event.dataset", + "type": "alias", + }, + "kibana.alert.original_event.duration": Object { + "path": "signal.original_event.duration", + "type": "alias", + }, + "kibana.alert.original_event.end": Object { + "path": "signal.original_event.end", + "type": "alias", + }, + "kibana.alert.original_event.hash": Object { + "path": "signal.original_event.hash", + "type": "alias", + }, + "kibana.alert.original_event.id": Object { + "path": "signal.original_event.id", + "type": "alias", + }, + "kibana.alert.original_event.kind": Object { + "path": "signal.original_event.kind", + "type": "alias", + }, + "kibana.alert.original_event.module": Object { + "path": "signal.original_event.module", + "type": "alias", + }, + "kibana.alert.original_event.outcome": Object { + "path": "signal.original_event.outcome", + "type": "alias", + }, + "kibana.alert.original_event.provider": Object { + "path": "signal.original_event.provider", + "type": "alias", + }, + "kibana.alert.original_event.risk_score": Object { + "path": "signal.original_event.risk_score", + "type": "alias", + }, + "kibana.alert.original_event.risk_score_norm": Object { + "path": "signal.original_event.risk_score_norm", + "type": "alias", + }, + "kibana.alert.original_event.sequence": Object { + "path": "signal.original_event.sequence", + "type": "alias", + }, + "kibana.alert.original_event.severity": Object { + "path": "signal.original_event.severity", + "type": "alias", + }, + "kibana.alert.original_event.start": Object { + "path": "signal.original_event.start", + "type": "alias", + }, + "kibana.alert.original_event.timezone": Object { + "path": "signal.original_event.timezone", + "type": "alias", + }, + "kibana.alert.original_event.type": Object { + "path": "signal.original_event.type", + "type": "alias", + }, + "kibana.alert.original_time": Object { + "path": "signal.original_time", + "type": "alias", + }, + "kibana.alert.producer": Object { + "type": "constant_keyword", + "value": "siem", + }, + "kibana.alert.risk_score": Object { + "path": "signal.rule.risk_score", + "type": "alias", + }, + "kibana.alert.rule.author": Object { + "path": "signal.rule.author", + "type": "alias", + }, + "kibana.alert.rule.building_block_type": Object { + "path": "signal.rule.building_block_type", + "type": "alias", + }, + "kibana.alert.rule.created_at": Object { + "path": "signal.rule.created_at", + "type": "alias", + }, + "kibana.alert.rule.created_by": Object { + "path": "signal.rule.created_by", + "type": "alias", + }, + "kibana.alert.rule.description": Object { + "path": "signal.rule.description", + "type": "alias", + }, + "kibana.alert.rule.enabled": Object { + "path": "signal.rule.enabled", + "type": "alias", + }, + "kibana.alert.rule.false_positives": Object { + "path": "signal.rule.false_positives", + "type": "alias", + }, + "kibana.alert.rule.from": Object { + "path": "signal.rule.from", + "type": "alias", + }, + "kibana.alert.rule.id": Object { + "path": "signal.rule.id", + "type": "alias", + }, + "kibana.alert.rule.immutable": Object { + "path": "signal.rule.immutable", + "type": "alias", + }, + "kibana.alert.rule.index": Object { + "path": "signal.rule.index", + "type": "alias", + }, + "kibana.alert.rule.interval": Object { + "path": "signal.rule.interval", + "type": "alias", + }, + "kibana.alert.rule.language": Object { + "path": "signal.rule.language", + "type": "alias", + }, + "kibana.alert.rule.license": Object { + "path": "signal.rule.license", + "type": "alias", + }, + "kibana.alert.rule.max_signals": Object { + "path": "signal.rule.max_signals", + "type": "alias", + }, + "kibana.alert.rule.name": Object { + "path": "signal.rule.name", + "type": "alias", + }, + "kibana.alert.rule.note": Object { + "path": "signal.rule.note", + "type": "alias", + }, + "kibana.alert.rule.query": Object { + "path": "signal.rule.query", + "type": "alias", + }, + "kibana.alert.rule.references": Object { + "path": "signal.rule.references", + "type": "alias", + }, + "kibana.alert.rule.risk_score_mapping.field": Object { + "path": "signal.rule.risk_score_mapping.field", + "type": "alias", + }, + "kibana.alert.rule.risk_score_mapping.operator": Object { + "path": "signal.rule.risk_score_mapping.operator", + "type": "alias", + }, + "kibana.alert.rule.risk_score_mapping.value": Object { + "path": "signal.rule.risk_score_mapping.value", + "type": "alias", + }, + "kibana.alert.rule.rule_id": Object { + "path": "signal.rule.rule_id", + "type": "alias", + }, + "kibana.alert.rule.rule_name_override": Object { + "path": "signal.rule.rule_name_override", + "type": "alias", + }, + "kibana.alert.rule.rule_type_id": Object { + "type": "constant_keyword", + "value": "siem.signals", + }, + "kibana.alert.rule.saved_id": Object { + "path": "signal.rule.saved_id", + "type": "alias", + }, + "kibana.alert.rule.severity_mapping.field": Object { + "path": "signal.rule.severity_mapping.field", + "type": "alias", + }, + "kibana.alert.rule.severity_mapping.operator": Object { + "path": "signal.rule.severity_mapping.operator", + "type": "alias", + }, + "kibana.alert.rule.severity_mapping.severity": Object { + "path": "signal.rule.severity_mapping.severity", + "type": "alias", + }, + "kibana.alert.rule.severity_mapping.value": Object { + "path": "signal.rule.severity_mapping.value", + "type": "alias", + }, + "kibana.alert.rule.tags": Object { + "path": "signal.rule.tags", + "type": "alias", + }, + "kibana.alert.rule.threat.framework": Object { + "path": "signal.rule.threat.framework", + "type": "alias", + }, + "kibana.alert.rule.threat.tactic.id": Object { + "path": "signal.rule.threat.tactic.id", + "type": "alias", + }, + "kibana.alert.rule.threat.tactic.name": Object { + "path": "signal.rule.threat.tactic.name", + "type": "alias", + }, + "kibana.alert.rule.threat.tactic.reference": Object { + "path": "signal.rule.threat.tactic.reference", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.id": Object { + "path": "signal.rule.threat.technique.id", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.name": Object { + "path": "signal.rule.threat.technique.name", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.reference": Object { + "path": "signal.rule.threat.technique.reference", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.subtechnique.id": Object { + "path": "signal.rule.threat.technique.subtechnique.id", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.subtechnique.name": Object { + "path": "signal.rule.threat.technique.subtechnique.name", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.subtechnique.reference": Object { + "path": "signal.rule.threat.technique.subtechnique.reference", + "type": "alias", + }, + "kibana.alert.rule.threat_index": Object { + "path": "signal.rule.threat_index", + "type": "alias", + }, + "kibana.alert.rule.threat_indicator_path": Object { + "path": "signal.rule.threat_indicator_path", + "type": "alias", + }, + "kibana.alert.rule.threat_language": Object { + "path": "signal.rule.threat_language", + "type": "alias", + }, + "kibana.alert.rule.threat_mapping.entries.field": Object { + "path": "signal.rule.threat_mapping.entries.field", + "type": "alias", + }, + "kibana.alert.rule.threat_mapping.entries.type": Object { + "path": "signal.rule.threat_mapping.entries.type", + "type": "alias", + }, + "kibana.alert.rule.threat_mapping.entries.value": Object { + "path": "signal.rule.threat_mapping.entries.value", + "type": "alias", + }, + "kibana.alert.rule.threat_query": Object { + "path": "signal.rule.threat_query", + "type": "alias", + }, + "kibana.alert.rule.threshold.field": Object { + "path": "signal.rule.threshold.field", + "type": "alias", + }, + "kibana.alert.rule.threshold.value": Object { + "path": "signal.rule.threshold.value", + "type": "alias", + }, + "kibana.alert.rule.timeline_id": Object { + "path": "signal.rule.timeline_id", + "type": "alias", + }, + "kibana.alert.rule.timeline_title": Object { + "path": "signal.rule.timeline_title", + "type": "alias", + }, + "kibana.alert.rule.to": Object { + "path": "signal.rule.to", + "type": "alias", + }, + "kibana.alert.rule.type": Object { + "path": "signal.rule.type", + "type": "alias", + }, + "kibana.alert.rule.updated_at": Object { + "path": "signal.rule.updated_at", + "type": "alias", + }, + "kibana.alert.rule.updated_by": Object { + "path": "signal.rule.updated_by", + "type": "alias", + }, + "kibana.alert.rule.version": Object { + "path": "signal.rule.version", + "type": "alias", + }, + "kibana.alert.severity": Object { + "path": "signal.rule.severity", + "type": "alias", + }, + "kibana.alert.threshold_result.cardinality.field": Object { + "path": "signal.threshold_result.cardinality.field", + "type": "alias", + }, + "kibana.alert.threshold_result.cardinality.value": Object { + "path": "signal.threshold_result.cardinality.value", + "type": "alias", + }, + "kibana.alert.threshold_result.count": Object { + "path": "signal.threshold_result.count", + "type": "alias", + }, + "kibana.alert.threshold_result.from": Object { + "path": "signal.threshold_result.from", + "type": "alias", + }, + "kibana.alert.threshold_result.terms.field": Object { + "path": "signal.threshold_result.terms.field", + "type": "alias", + }, + "kibana.alert.threshold_result.terms.value": Object { + "path": "signal.threshold_result.terms.value", + "type": "alias", + }, + "kibana.alert.workflow_status": Object { + "path": "signal.status", + "type": "alias", + }, + "kibana.space_ids": Object { + "type": "constant_keyword", + "value": "space-id", + }, + "labels": Object { + "type": "object", + }, + "log": Object { + "properties": Object { + "file": Object { + "properties": Object { + "path": Object { + "ignore_above": 1024, + "type": "keyword", }, }, }, - }, - "os": Object { - "properties": Object { - "family": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "level": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "logger": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "origin": Object { + "properties": Object { + "file": Object { + "properties": Object { + "line": Object { + "type": "integer", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - "ignore_above": 1024, - "type": "keyword", - }, - "kernel": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "function": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "platform": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", }, }, - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "uptime": Object { - "type": "long", - }, - "user": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "original": Object { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword", + }, + "syslog": Object { + "properties": Object { + "facility": Object { + "properties": Object { + "code": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "priority": Object { + "type": "long", }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "severity": Object { + "properties": Object { + "code": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", }, + "type": "object", }, }, }, - }, - "http": Object { - "properties": Object { - "request": Object { - "properties": Object { - "body": Object { - "properties": Object { - "bytes": Object { - "type": "long", - }, - "content": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "message": Object { + "norms": false, + "type": "text", + }, + "network": Object { + "properties": Object { + "application": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "bytes": Object { + "type": "long", + }, + "community_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "direction": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "forwarded_ip": Object { + "type": "ip", + }, + "iana_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "inner": Object { + "properties": Object { + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", }, }, }, - "bytes": Object { - "type": "long", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "method": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "mime_type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "referrer": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "type": "object", }, - }, - "response": Object { - "properties": Object { - "body": Object { - "properties": Object { - "bytes": Object { - "type": "long", - }, - "content": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "packets": Object { + "type": "long", + }, + "protocol": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "transport": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "bytes": Object { - "type": "long", - }, - "mime_type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "status_code": Object { - "type": "long", }, }, }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "interface": Object { - "properties": Object { - "alias": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, }, - }, - "labels": Object { - "type": "object", - }, - "log": Object { - "properties": Object { - "file": Object { - "properties": Object { - "path": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "level": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "logger": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "origin": Object { - "properties": Object { - "file": Object { - "properties": Object { - "line": Object { - "type": "integer", + "observer": Object { + "properties": Object { + "egress": Object { + "properties": Object { + "interface": Object { + "properties": Object { + "alias": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, + "zone": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "function": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "type": "object", }, - }, - "original": Object { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword", - }, - "syslog": Object { - "properties": Object { - "facility": Object { - "properties": Object { - "code": Object { - "type": "long", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "priority": Object { - "type": "long", - }, - "severity": Object { - "properties": Object { - "code": Object { - "type": "long", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", }, }, }, - "type": "object", - }, - }, - }, - "message": Object { - "norms": false, - "type": "text", - }, - "network": Object { - "properties": Object { - "application": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "bytes": Object { - "type": "long", - }, - "community_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "direction": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "forwarded_ip": Object { - "type": "ip", - }, - "iana_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "inner": Object { - "properties": Object { - "vlan": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", + "hostname": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ingress": Object { + "properties": Object { + "interface": Object { + "properties": Object { + "alias": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, + "zone": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, + "type": "object", }, - "type": "object", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "packets": Object { - "type": "long", - }, - "protocol": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "transport": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "vlan": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "ip": Object { + "type": "ip", }, - }, - }, - }, - "observer": Object { - "properties": Object { - "egress": Object { - "properties": Object { - "interface": Object { - "properties": Object { - "alias": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "vlan": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "zone": Object { - "ignore_above": 1024, - "type": "keyword", }, }, - "type": "object", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "vendor": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", }, }, - "hostname": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ingress": Object { - "properties": Object { - "interface": Object { - "properties": Object { - "alias": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, + }, + "orchestrator": Object { + "properties": Object { + "api_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "cluster": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "vlan": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "url": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "zone": Object { - "ignore_above": 1024, - "type": "keyword", }, }, - "type": "object", - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "os": Object { - "properties": Object { - "family": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "namespace": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "resource": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "kernel": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "platform": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", }, }, - }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "serial_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "vendor": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "orchestrator": Object { - "properties": Object { - "api_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "cluster": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "url": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "organization": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "namespace": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "resource": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, }, - }, - "organization": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "os": Object { - "properties": Object { - "family": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "kernel": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "platform": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "package": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "build_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "checksum": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "install_scope": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "installed": Object { - "type": "date", - }, - "license": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "path": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "size": Object { - "type": "long", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", }, }, - }, - "pe": Object { - "properties": Object { - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "file_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original_file_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", + "package": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "build_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "checksum": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "install_scope": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "installed": Object { + "type": "date", + }, + "license": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "size": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "process": Object { - "properties": Object { - "args": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "args_count": Object { - "type": "long", - }, - "code_signature": Object { - "properties": Object { - "exists": Object { - "type": "boolean", - }, - "signing_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "status": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "team_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "trusted": Object { - "type": "boolean", - }, - "valid": Object { - "type": "boolean", - }, + "pe": Object { + "properties": Object { + "company": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "command_line": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "entity_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "executable": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "exit_code": Object { - "type": "long", - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha512": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ssdeep": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", }, - "parent": Object { - "properties": Object { - "args": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "args_count": Object { - "type": "long", - }, - "code_signature": Object { - "properties": Object { - "exists": Object { - "type": "boolean", - }, - "signing_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "status": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "team_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "trusted": Object { - "type": "boolean", - }, - "valid": Object { - "type": "boolean", - }, + }, + "process": Object { + "properties": Object { + "args": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "args_count": Object { + "type": "long", + }, + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", }, - }, - "command_line": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", }, - "ignore_above": 1024, - "type": "keyword", - }, - "entity_id": Object { - "ignore_above": 1024, - "type": "keyword", }, - "executable": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + }, + "command_line": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", }, - "ignore_above": 1024, - "type": "keyword", }, - "exit_code": Object { - "type": "long", + "ignore_above": 1024, + "type": "keyword", + }, + "entity_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "executable": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha512": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ssdeep": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "ignore_above": 1024, + "type": "keyword", + }, + "exit_code": Object { + "type": "long", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", }, }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", }, - "ignore_above": 1024, - "type": "keyword", }, - "pe": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "parent": Object { + "properties": Object { + "args": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "args_count": Object { + "type": "long", + }, + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, }, - "file_version": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "command_line": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "imphash": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "entity_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "executable": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "original_file_name": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "exit_code": Object { + "type": "long", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - }, - "pgid": Object { - "type": "long", - }, - "pid": Object { - "type": "long", - }, - "ppid": Object { - "type": "long", - }, - "start": Object { - "type": "date", - }, - "thread": Object { - "properties": Object { - "id": Object { - "type": "long", + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "pgid": Object { + "type": "long", + }, + "pid": Object { + "type": "long", + }, + "ppid": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "thread": Object { + "properties": Object { + "id": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "title": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "title": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "uptime": Object { - "type": "long", - }, - "working_directory": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "uptime": Object { + "type": "long", + }, + "working_directory": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", }, }, - }, - "pe": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "file_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "imphash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original_file_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "pgid": Object { - "type": "long", - }, - "pid": Object { - "type": "long", - }, - "ppid": Object { - "type": "long", - }, - "start": Object { - "type": "date", - }, - "thread": Object { - "properties": Object { - "id": Object { - "type": "long", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "pgid": Object { + "type": "long", + }, + "pid": Object { + "type": "long", + }, + "ppid": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "thread": Object { + "properties": Object { + "id": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "title": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "title": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "uptime": Object { - "type": "long", - }, - "working_directory": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "uptime": Object { + "type": "long", + }, + "working_directory": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", }, }, - }, - "registry": Object { - "properties": Object { - "data": Object { - "properties": Object { - "bytes": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "strings": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", + "registry": Object { + "properties": Object { + "data": Object { + "properties": Object { + "bytes": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "strings": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "hive": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "key": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "path": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "value": Object { - "ignore_above": 1024, - "type": "keyword", + "hive": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "key": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "value": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "related": Object { - "properties": Object { - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "hosts": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ip": Object { - "type": "ip", - }, - "user": Object { - "ignore_above": 1024, - "type": "keyword", + "related": Object { + "properties": Object { + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "hosts": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ip": Object { + "type": "ip", + }, + "user": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "rule": Object { - "properties": Object { - "author": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "category": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "license": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ruleset": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "uuid": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", + "rule": Object { + "properties": Object { + "author": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "category": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "license": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ruleset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "uuid": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "server": Object { - "properties": Object { - "address": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "server": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", }, }, }, }, - }, - "bytes": Object { - "type": "long", - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "bytes": Object { + "type": "long", }, - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "nat": Object { - "properties": Object { - "ip": Object { - "type": "ip", - }, - "port": Object { - "type": "long", - }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "packets": Object { - "type": "long", - }, - "port": Object { - "type": "long", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "user": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", }, - "ignore_above": 1024, - "type": "keyword", }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "packets": Object { + "type": "long", + }, + "port": Object { + "type": "long", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", }, }, }, }, - }, - "service": Object { - "properties": Object { - "ephemeral_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "node": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "service": Object { + "properties": Object { + "ephemeral_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "node": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "state": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", + "state": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "signal": Object { - "properties": Object { - "_meta": Object { - "properties": Object { - "version": Object { - "type": "long", + "signal": Object { + "properties": Object { + "_meta": Object { + "properties": Object { + "version": Object { + "type": "long", + }, }, }, - }, - "ancestors": Object { - "properties": Object { - "depth": Object { - "type": "long", - }, - "id": Object { - "type": "keyword", - }, - "index": Object { - "type": "keyword", - }, - "rule": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", + "ancestors": Object { + "properties": Object { + "depth": Object { + "type": "long", + }, + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "rule": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, }, }, - }, - "depth": Object { - "type": "integer", - }, - "group": Object { - "properties": Object { - "id": Object { - "type": "keyword", - }, - "index": Object { - "type": "integer", - }, + "depth": Object { + "type": "integer", }, - }, - "original_event": Object { - "properties": Object { - "action": Object { - "type": "keyword", - }, - "category": Object { - "type": "keyword", - }, - "code": Object { - "type": "keyword", - }, - "created": Object { - "type": "date", - }, - "dataset": Object { - "type": "keyword", - }, - "duration": Object { - "type": "long", - }, - "end": Object { - "type": "date", - }, - "hash": Object { - "type": "keyword", - }, - "id": Object { - "type": "keyword", - }, - "kind": Object { - "type": "keyword", - }, - "module": Object { - "type": "keyword", - }, - "original": Object { - "doc_values": false, - "index": false, - "type": "keyword", - }, - "outcome": Object { - "type": "keyword", - }, - "provider": Object { - "type": "keyword", - }, - "risk_score": Object { - "type": "float", - }, - "risk_score_norm": Object { - "type": "float", - }, - "sequence": Object { - "type": "long", - }, - "severity": Object { - "type": "long", - }, - "start": Object { - "type": "date", - }, - "timezone": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", + "group": Object { + "properties": Object { + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "integer", + }, }, }, - }, - "original_signal": Object { - "dynamic": false, - "enabled": false, - "type": "object", - }, - "original_time": Object { - "type": "date", - }, - "parent": Object { - "properties": Object { - "depth": Object { - "type": "long", - }, - "id": Object { - "type": "keyword", - }, - "index": Object { - "type": "keyword", - }, - "rule": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", + "original_event": Object { + "properties": Object { + "action": Object { + "type": "keyword", + }, + "category": Object { + "type": "keyword", + }, + "code": Object { + "type": "keyword", + }, + "created": Object { + "type": "date", + }, + "dataset": Object { + "type": "keyword", + }, + "duration": Object { + "type": "long", + }, + "end": Object { + "type": "date", + }, + "hash": Object { + "type": "keyword", + }, + "id": Object { + "type": "keyword", + }, + "kind": Object { + "type": "keyword", + }, + "module": Object { + "type": "keyword", + }, + "original": Object { + "doc_values": false, + "index": false, + "type": "keyword", + }, + "outcome": Object { + "type": "keyword", + }, + "provider": Object { + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_norm": Object { + "type": "float", + }, + "sequence": Object { + "type": "long", + }, + "severity": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "timezone": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, }, }, - }, - "parents": Object { - "properties": Object { - "depth": Object { - "type": "long", - }, - "id": Object { - "type": "keyword", - }, - "index": Object { - "type": "keyword", - }, - "rule": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", - }, + "original_signal": Object { + "dynamic": false, + "enabled": false, + "type": "object", }, - }, - "rule": Object { - "properties": Object { - "author": Object { - "type": "keyword", - }, - "building_block_type": Object { - "type": "keyword", - }, - "created_at": Object { - "type": "date", - }, - "created_by": Object { - "type": "keyword", - }, - "description": Object { - "type": "keyword", - }, - "enabled": Object { - "type": "keyword", - }, - "false_positives": Object { - "type": "keyword", - }, - "filters": Object { - "type": "object", - }, - "from": Object { - "type": "keyword", - }, - "id": Object { - "type": "keyword", - }, - "immutable": Object { - "type": "keyword", - }, - "index": Object { - "type": "keyword", - }, - "interval": Object { - "type": "keyword", - }, - "language": Object { - "type": "keyword", - }, - "license": Object { - "type": "keyword", - }, - "max_signals": Object { - "type": "keyword", - }, - "name": Object { - "type": "keyword", - }, - "note": Object { - "type": "text", - }, - "output_index": Object { - "type": "keyword", - }, - "query": Object { - "type": "keyword", - }, - "references": Object { - "type": "keyword", - }, - "risk_score": Object { - "type": "float", - }, - "risk_score_mapping": Object { - "properties": Object { - "field": Object { - "type": "keyword", - }, - "operator": Object { - "type": "keyword", - }, - "value": Object { - "type": "keyword", - }, + "original_time": Object { + "type": "date", + }, + "parent": Object { + "properties": Object { + "depth": Object { + "type": "long", }, - }, - "rule_id": Object { - "type": "keyword", - }, - "rule_name_override": Object { - "type": "keyword", - }, - "saved_id": Object { - "type": "keyword", - }, - "severity": Object { - "type": "keyword", - }, - "severity_mapping": Object { - "properties": Object { - "field": Object { - "type": "keyword", - }, - "operator": Object { - "type": "keyword", - }, - "severity": Object { - "type": "keyword", - }, - "value": Object { - "type": "keyword", - }, + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "rule": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", }, }, - "size": Object { - "type": "keyword", - }, - "tags": Object { - "type": "keyword", + }, + "parents": Object { + "properties": Object { + "depth": Object { + "type": "long", + }, + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "rule": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, }, - "threat": Object { - "properties": Object { - "framework": Object { - "type": "keyword", + }, + "rule": Object { + "properties": Object { + "author": Object { + "type": "keyword", + }, + "building_block_type": Object { + "type": "keyword", + }, + "created_at": Object { + "type": "date", + }, + "created_by": Object { + "type": "keyword", + }, + "description": Object { + "type": "keyword", + }, + "enabled": Object { + "type": "keyword", + }, + "false_positives": Object { + "type": "keyword", + }, + "filters": Object { + "type": "object", + }, + "from": Object { + "type": "keyword", + }, + "id": Object { + "type": "keyword", + }, + "immutable": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "interval": Object { + "type": "keyword", + }, + "language": Object { + "type": "keyword", + }, + "license": Object { + "type": "keyword", + }, + "max_signals": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "note": Object { + "type": "text", + }, + "output_index": Object { + "type": "keyword", + }, + "query": Object { + "type": "keyword", + }, + "references": Object { + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_mapping": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "operator": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", + }, }, - "tactic": Object { - "properties": Object { - "id": Object { - "type": "keyword", - }, - "name": Object { - "type": "keyword", - }, - "reference": Object { - "type": "keyword", - }, + }, + "rule_id": Object { + "type": "keyword", + }, + "rule_name_override": Object { + "type": "keyword", + }, + "saved_id": Object { + "type": "keyword", + }, + "severity": Object { + "type": "keyword", + }, + "severity_mapping": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "operator": Object { + "type": "keyword", + }, + "severity": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", }, }, - "technique": Object { - "properties": Object { - "id": Object { - "type": "keyword", - }, - "name": Object { - "type": "keyword", - }, - "reference": Object { - "type": "keyword", + }, + "size": Object { + "type": "keyword", + }, + "tags": Object { + "type": "keyword", + }, + "threat": Object { + "properties": Object { + "framework": Object { + "type": "keyword", + }, + "tactic": Object { + "properties": Object { + "id": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "reference": Object { + "type": "keyword", + }, }, - "subtechnique": Object { - "properties": Object { - "id": Object { - "type": "keyword", - }, - "name": Object { - "type": "keyword", - }, - "reference": Object { - "type": "keyword", + }, + "technique": Object { + "properties": Object { + "id": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "reference": Object { + "type": "keyword", + }, + "subtechnique": Object { + "properties": Object { + "id": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "reference": Object { + "type": "keyword", + }, }, }, }, }, }, }, - }, - "threat_filters": Object { - "type": "object", - }, - "threat_index": Object { - "type": "keyword", - }, - "threat_indicator_path": Object { - "type": "keyword", - }, - "threat_language": Object { - "type": "keyword", - }, - "threat_mapping": Object { - "properties": Object { - "entries": Object { - "properties": Object { - "field": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", - }, - "value": Object { - "type": "keyword", + "threat_filters": Object { + "type": "object", + }, + "threat_index": Object { + "type": "keyword", + }, + "threat_indicator_path": Object { + "type": "keyword", + }, + "threat_language": Object { + "type": "keyword", + }, + "threat_mapping": Object { + "properties": Object { + "entries": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", + }, }, }, }, }, + "threat_query": Object { + "type": "keyword", + }, + "threshold": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "value": Object { + "type": "float", + }, + }, + }, + "timeline_id": Object { + "type": "keyword", + }, + "timeline_title": Object { + "type": "keyword", + }, + "timestamp_override": Object { + "type": "keyword", + }, + "to": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + "updated_at": Object { + "type": "date", + }, + "updated_by": Object { + "type": "keyword", + }, + "version": Object { + "type": "keyword", + }, }, - "threat_query": Object { - "type": "keyword", - }, - "threshold": Object { - "properties": Object { - "field": Object { - "type": "keyword", + }, + "status": Object { + "type": "keyword", + }, + "threshold_count": Object { + "type": "float", + }, + "threshold_result": Object { + "properties": Object { + "cardinality": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "value": Object { + "type": "long", + }, }, - "value": Object { - "type": "float", + }, + "count": Object { + "type": "long", + }, + "from": Object { + "type": "date", + }, + "terms": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", + }, }, }, }, - "timeline_id": Object { - "type": "keyword", - }, - "timeline_title": Object { - "type": "keyword", - }, - "timestamp_override": Object { - "type": "keyword", - }, - "to": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", - }, - "updated_at": Object { - "type": "date", - }, - "updated_by": Object { - "type": "keyword", - }, - "version": Object { - "type": "keyword", - }, }, }, - "status": Object { - "type": "keyword", - }, - "threshold_count": Object { - "type": "float", - }, - "threshold_result": Object { - "properties": Object { - "cardinality": Object { - "properties": Object { - "field": Object { - "type": "keyword", - }, - "value": Object { - "type": "long", + }, + "source": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, }, }, }, - "count": Object { - "type": "long", - }, - "from": Object { - "type": "date", - }, - "terms": Object { - "properties": Object { - "field": Object { - "type": "keyword", - }, - "value": Object { - "type": "keyword", - }, + }, + "bytes": Object { + "type": "long", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", }, }, }, - }, - }, - }, - "source": Object { - "properties": Object { - "address": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", }, }, }, - }, - "bytes": Object { - "type": "long", - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "packets": Object { + "type": "long", }, - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "nat": Object { - "properties": Object { - "ip": Object { - "type": "ip", - }, - "port": Object { - "type": "long", - }, + "port": Object { + "type": "long", }, - }, - "packets": Object { - "type": "long", - }, - "port": Object { - "type": "long", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "user": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", }, }, }, }, - }, - "span": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", + "span": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "tags": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "threat": Object { - "properties": Object { - "framework": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "indicator": Object { - "properties": Object { - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "tags": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "threat": Object { + "properties": Object { + "framework": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "indicator": Object { + "properties": Object { + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", }, }, }, }, - }, - "confidence": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "dataset": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "type": "wildcard", - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "properties": Object { - "address": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "confidence": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "event": Object { - "properties": Object { - "action": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "category": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "created": Object { - "type": "date", - }, - "dataset": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "duration": Object { - "type": "long", - }, - "end": Object { - "type": "date", - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ingested": Object { - "type": "date", - }, - "kind": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "module": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original": Object { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword", - }, - "outcome": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "provider": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reason": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "risk_score": Object { - "type": "float", - }, - "risk_score_norm": Object { - "type": "float", - }, - "sequence": Object { - "type": "long", - }, - "severity": Object { - "type": "long", - }, - "start": Object { - "type": "date", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "url": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "dataset": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "first_seen": Object { - "type": "date", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", + "description": Object { + "type": "wildcard", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "ip": Object { - "type": "ip", - }, - "last_seen": Object { - "type": "date", - }, - "marking": Object { - "properties": Object { - "tlp": Object { - "ignore_above": 1024, - "type": "keyword", + "event": Object { + "properties": Object { + "action": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "category": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "created": Object { + "type": "date", + }, + "dataset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "duration": Object { + "type": "long", + }, + "end": Object { + "type": "date", + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ingested": Object { + "type": "date", + }, + "kind": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "module": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original": Object { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword", + }, + "outcome": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reason": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_norm": Object { + "type": "float", + }, + "sequence": Object { + "type": "long", + }, + "severity": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "url": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "matched": Object { - "properties": Object { - "atomic": Object { - "ignore_above": 1024, - "type": "keyword", + "first_seen": Object { + "type": "date", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "field": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "ip": Object { + "type": "ip", + }, + "last_seen": Object { + "type": "date", + }, + "marking": Object { + "properties": Object { + "tlp": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "matched": Object { + "properties": Object { + "atomic": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "field": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, + "module": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "port": Object { + "type": "long", + }, + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "scanner_stats": Object { + "type": "long", + }, + "sightings": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "module": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "port": Object { - "type": "long", - }, - "provider": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "scanner_stats": Object { - "type": "long", - }, - "sightings": Object { - "type": "long", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "type": "nested", }, - "type": "nested", - }, - "tactic": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", + "tactic": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "technique": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "technique": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subtechnique": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subtechnique": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", }, }, }, }, }, }, - }, - "tls": Object { - "properties": Object { - "cipher": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "client": Object { - "properties": Object { - "certificate": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "certificate_chain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "tls": Object { + "properties": Object { + "cipher": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "client": Object { + "properties": Object { + "certificate": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "issuer": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ja3": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "not_after": Object { - "type": "date", - }, - "not_before": Object { - "type": "date", - }, - "server_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "supported_ciphers": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "x509": Object { - "properties": Object { - "alternative_names": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "issuer": Object { - "properties": Object { - "common_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "certificate_chain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", }, }, - "not_after": Object { - "type": "date", - }, - "not_before": Object { - "type": "date", - }, - "public_key_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_curve": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_exponent": Object { - "doc_values": false, - "index": false, - "type": "long", - }, - "public_key_size": Object { - "type": "long", - }, - "serial_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "signature_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject": Object { - "properties": Object { - "common_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "issuer": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ja3": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "server_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "supported_ciphers": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "x509": Object { + "properties": Object { + "alternative_names": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "issuer": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "public_key_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_exponent": Object { + "doc_values": false, + "index": false, + "type": "long", + }, + "public_key_size": Object { + "type": "long", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "signature_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "version_number": Object { - "ignore_above": 1024, - "type": "keyword", + "version_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, }, }, - }, - "curve": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "established": Object { - "type": "boolean", - }, - "next_protocol": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "resumed": Object { - "type": "boolean", - }, - "server": Object { - "properties": Object { - "certificate": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "certificate_chain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "established": Object { + "type": "boolean", + }, + "next_protocol": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "resumed": Object { + "type": "boolean", + }, + "server": Object { + "properties": Object { + "certificate": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "issuer": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ja3s": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "not_after": Object { - "type": "date", - }, - "not_before": Object { - "type": "date", - }, - "subject": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "x509": Object { - "properties": Object { - "alternative_names": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "issuer": Object { - "properties": Object { - "common_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "certificate_chain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", }, }, - "not_after": Object { - "type": "date", - }, - "not_before": Object { - "type": "date", - }, - "public_key_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_curve": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_exponent": Object { - "doc_values": false, - "index": false, - "type": "long", - }, - "public_key_size": Object { - "type": "long", - }, - "serial_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "signature_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject": Object { - "properties": Object { - "common_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "issuer": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ja3s": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "subject": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "x509": Object { + "properties": Object { + "alternative_names": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "issuer": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "public_key_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_exponent": Object { + "doc_values": false, + "index": false, + "type": "long", + }, + "public_key_size": Object { + "type": "long", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "signature_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "version_number": Object { - "ignore_above": 1024, - "type": "keyword", + "version_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, }, }, - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version_protocol": Object { - "ignore_above": 1024, - "type": "keyword", + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version_protocol": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "trace": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", + "trace": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "transaction": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", + "transaction": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "url": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "extension": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "fragment": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "url": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "extension": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "fragment": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "original": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "original": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "password": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "port": Object { + "type": "long", + }, + "query": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "scheme": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "username": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "password": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "path": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "port": Object { - "type": "long", - }, - "query": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "scheme": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "username": Object { - "ignore_above": 1024, - "type": "keyword", }, }, - }, - "user": Object { - "properties": Object { - "changes": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "user": Object { + "properties": Object { + "changes": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", }, }, - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "effective": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "effective": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", }, }, - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "target": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", }, - "ignore_above": 1024, - "type": "keyword", }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "target": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", }, }, }, }, - }, - "user_agent": Object { - "properties": Object { - "device": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "user_agent": Object { + "properties": Object { + "device": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "os": Object { - "properties": Object { - "family": Object { - "ignore_above": 1024, - "type": "keyword", + "original": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "full": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "ignore_above": 1024, + "type": "keyword", + }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "kernel": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "platform": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", }, }, - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "vlan": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "vulnerability": Object { - "properties": Object { - "category": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "classification": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, + "vulnerability": Object { + "properties": Object { + "category": Object { + "ignore_above": 1024, + "type": "keyword", }, - "ignore_above": 1024, - "type": "keyword", - }, - "enumeration": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "report_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "scanner": Object { - "properties": Object { - "vendor": Object { - "ignore_above": 1024, - "type": "keyword", - }, + "classification": Object { + "ignore_above": 1024, + "type": "keyword", }, - }, - "score": Object { - "properties": Object { - "base": Object { - "type": "float", - }, - "environmental": Object { - "type": "float", + "description": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, }, - "temporal": Object { - "type": "float", + "ignore_above": 1024, + "type": "keyword", + }, + "enumeration": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "report_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "scanner": Object { + "properties": Object { + "vendor": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", + }, + "score": Object { + "properties": Object { + "base": Object { + "type": "float", + }, + "environmental": Object { + "type": "float", + }, + "temporal": Object { + "type": "float", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, - }, - "severity": Object { - "ignore_above": 1024, - "type": "keyword", + "severity": Object { + "ignore_above": 1024, + "type": "keyword", + }, }, }, }, }, - }, - "settings": Object { - "index": Object { - "lifecycle": Object { - "name": "test-index", - "rollover_alias": "test-index", + "settings": Object { + "index": Object { + "lifecycle": Object { + "name": "test-index", + "rollover_alias": "test-index", + }, }, - }, - "mapping": Object { - "total_fields": Object { - "limit": 10000, + "mapping": Object { + "total_fields": Object { + "limit": 10000, + }, }, }, }, - "version": 45, + "version": 55, } `; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts index 164c8644acaa9d..974d18292a078c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts @@ -5,9 +5,14 @@ * 2.0. */ +import { get } from 'lodash'; import { ElasticsearchClient } from 'src/core/server'; import { isOutdated } from '../../migrations/helpers'; -import { SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; +import { + ALIAS_VERSION_FIELD, + SIGNALS_FIELD_ALIASES_VERSION, + SIGNALS_TEMPLATE_VERSION, +} from './get_signals_template'; export const getTemplateVersion = async ({ alias, @@ -17,10 +22,8 @@ export const getTemplateVersion = async ({ alias: string; }): Promise => { try { - const response = await esClient.indices.getTemplate<{ - [templateName: string]: { version: number }; - }>({ name: alias }); - return response.body[alias].version ?? 0; + const response = await esClient.indices.getIndexTemplate({ name: alias }); + return response.body.index_templates[0].index_template.version ?? 0; } catch (e) { return 0; } @@ -37,3 +40,14 @@ export const templateNeedsUpdate = async ({ return isOutdated({ current: templateVersion, target: SIGNALS_TEMPLATE_VERSION }); }; + +export const fieldAliasesOutdated = async (esClient: ElasticsearchClient, index: string) => { + const { body: indexMappings } = await esClient.indices.get({ index }); + for (const [_, mapping] of Object.entries(indexMappings)) { + const aliasesVersion = get(mapping.mappings?._meta, ALIAS_VERSION_FIELD) ?? 0; + if (aliasesVersion < SIGNALS_FIELD_ALIASES_VERSION) { + return true; + } + } + return false; +}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts index d98cd7cea0f2b7..c6635eec520b22 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts @@ -5,12 +5,14 @@ * 2.0. */ +import { get } from 'lodash'; +import { estypes } from '@elastic/elasticsearch'; +import { ElasticsearchClient } from 'src/core/server'; import { transformError, getIndexExists, getPolicyExists, setPolicy, - setTemplate, createBootstrapIndex, } from '@kbn/securitysolution-es-utils'; import type { @@ -20,14 +22,29 @@ import type { } from '../../../../types'; import { DETECTION_ENGINE_INDEX_URL } from '../../../../../common/constants'; import { buildSiemResponse } from '../utils'; -import { getSignalsTemplate, SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; +import { + createSignalsFieldAliases, + getSignalsTemplate, + getRbacRequiredFields, + SIGNALS_TEMPLATE_VERSION, + SIGNALS_FIELD_ALIASES_VERSION, + ALIAS_VERSION_FIELD, +} from './get_signals_template'; import { ensureMigrationCleanupPolicy } from '../../migrations/migration_cleanup'; import signalsPolicy from './signals_policy.json'; import { templateNeedsUpdate } from './check_template_version'; import { getIndexVersion } from './get_index_version'; import { isOutdated } from '../../migrations/helpers'; +import { RuleDataPluginService } from '../../../../../../rule_registry/server'; +import signalExtraFields from './signal_extra_fields.json'; +import { ConfigType } from '../../../../config'; +import { parseExperimentalConfigValue } from '../../../../../common/experimental_features'; -export const createIndexRoute = (router: SecuritySolutionPluginRouter) => { +export const createIndexRoute = ( + router: SecuritySolutionPluginRouter, + ruleDataService: RuleDataPluginService, + config: ConfigType +) => { router.post( { path: DETECTION_ENGINE_INDEX_URL, @@ -38,13 +55,14 @@ export const createIndexRoute = (router: SecuritySolutionPluginRouter) => { }, async (context, request, response) => { const siemResponse = buildSiemResponse(response); + const { ruleRegistryEnabled } = parseExperimentalConfigValue(config.enableExperimental); try { const siemClient = context.securitySolution?.getAppClient(); if (!siemClient) { return siemResponse.error({ statusCode: 404 }); } - await createDetectionIndex(context, siemClient!); + await createDetectionIndex(context, siemClient!, ruleDataService, ruleRegistryEnabled); return response.ok({ body: { acknowledged: true } }); } catch (err) { const error = transformError(err); @@ -67,25 +85,58 @@ class CreateIndexError extends Error { export const createDetectionIndex = async ( context: SecuritySolutionRequestHandlerContext, - siemClient: AppClient + siemClient: AppClient, + ruleDataService: RuleDataPluginService, + ruleRegistryEnabled: boolean ): Promise => { const esClient = context.core.elasticsearch.client.asCurrentUser; + const spaceId = siemClient.getSpaceId(); if (!siemClient) { throw new CreateIndexError('', 404); } const index = siemClient.getSignalsIndex(); + + const indexExists = await getIndexExists(esClient, index); + // If using the rule registry implementation, we don't want to create new .siem-signals indices - + // only create/update resources if there are existing indices + if (ruleRegistryEnabled && !indexExists) { + return; + } + await ensureMigrationCleanupPolicy({ alias: index, esClient }); const policyExists = await getPolicyExists(esClient, index); if (!policyExists) { await setPolicy(esClient, index, signalsPolicy); } + const aadIndexAliasName = `${ruleDataService.getFullAssetName('security.alerts')}-${spaceId}`; if (await templateNeedsUpdate({ alias: index, esClient })) { - await setTemplate(esClient, index, getSignalsTemplate(index)); + await esClient.indices.putIndexTemplate({ + name: index, + body: getSignalsTemplate(index, spaceId, aadIndexAliasName) as Record, + }); } - const indexExists = await getIndexExists(esClient, index); + // Check if the old legacy siem signals template exists and remove it + try { + await esClient.indices.deleteTemplate({ name: index }); + } catch (err) { + if (err.statusCode !== 404) { + throw err; + } + } + if (indexExists) { + await addFieldAliasesToIndices({ esClient, index, spaceId }); + // The internal user is used here because Elasticsearch requires the PUT alias requestor to have 'manage' permissions + // for BOTH the index AND alias name. However, through 7.14 admins only needed permissions for .siem-signals (the index) + // and not .alerts-security.alerts (the alias). From the security solution perspective, all .siem-signals--* + // indices should have an alias to .alerts-security.alerts- so it's safe to add those aliases as the internal user. + await addIndexAliases({ + esClient: context.core.elasticsearch.client.asInternalUser, + index, + aadIndexAliasName, + }); const indexVersion = await getIndexVersion(esClient, index); if (isOutdated({ current: indexVersion, target: SIGNALS_TEMPLATE_VERSION })) { await esClient.indices.rollover({ alias: index }); @@ -94,3 +145,62 @@ export const createDetectionIndex = async ( await createBootstrapIndex(esClient, index); } }; + +const addFieldAliasesToIndices = async ({ + esClient, + index, + spaceId, +}: { + esClient: ElasticsearchClient; + index: string; + spaceId: string; +}) => { + const { body: indexMappings } = await esClient.indices.get({ index }); + // Make sure that all signal fields we add aliases for are guaranteed to exist in the mapping for ALL historical + // signals indices (either by adding them to signalExtraFields or ensuring they exist in the original signals + // mapping) or else this call will fail and not update ANY signals indices + const fieldAliases = createSignalsFieldAliases(); + for (const [indexName, mapping] of Object.entries(indexMappings)) { + const currentVersion: number | undefined = get(mapping.mappings?._meta, 'version'); + const newMapping = { + properties: { + ...signalExtraFields, + ...fieldAliases, + ...getRbacRequiredFields(spaceId), + }, + _meta: { + version: currentVersion, + [ALIAS_VERSION_FIELD]: SIGNALS_FIELD_ALIASES_VERSION, + }, + }; + await esClient.indices.putMapping({ + index: indexName, + body: newMapping, + allow_no_indices: true, + } as estypes.IndicesPutMappingRequest); + } +}; + +const addIndexAliases = async ({ + esClient, + index, + aadIndexAliasName, +}: { + esClient: ElasticsearchClient; + index: string; + aadIndexAliasName: string; +}) => { + const { body: indices } = await esClient.indices.getAlias({ name: index }); + const aliasActions = { + actions: Object.keys(indices).map((concreteIndexName) => { + return { + add: { + index: concreteIndexName, + alias: aadIndexAliasName, + is_write_index: false, + }, + }; + }), + }; + await esClient.indices.updateAliases({ body: aliasActions }); +}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/delete_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/delete_index_route.ts index 5260c9487de8a5..6d1422a660abca 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/delete_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/delete_index_route.ts @@ -10,9 +10,7 @@ import { getIndexExists, getPolicyExists, deletePolicy, - getTemplateExists, deleteAllIndex, - deleteTemplate, } from '@kbn/securitysolution-es-utils'; import type { SecuritySolutionPluginRouter } from '../../../../types'; import { DETECTION_ENGINE_INDEX_URL } from '../../../../../common/constants'; @@ -22,6 +20,7 @@ import { buildSiemResponse } from '../utils'; * Deletes all of the indexes, template, ilm policies, and aliases. You can check * this by looking at each of these settings from ES after a deletion: * GET /_template/.siem-signals-default + * GET /_index_template/.siem-signals-default * GET /.siem-signals-default-000001/ * GET /_ilm/policy/.signals-default * GET /_alias/.siem-signals-default @@ -63,9 +62,13 @@ export const deleteIndexRoute = (router: SecuritySolutionPluginRouter) => { if (policyExists) { await deletePolicy(esClient, index); } - const templateExists = await getTemplateExists(esClient, index); + const templateExists = await esClient.indices.existsIndexTemplate({ name: index }); if (templateExists) { - await deleteTemplate(esClient, index); + await esClient.indices.deleteIndexTemplate({ name: index }); + } + const legacyTemplateExists = await esClient.indices.existsTemplate({ name: index }); + if (legacyTemplateExists) { + await esClient.indices.deleteTemplate({ name: index }); } return response.ok({ body: { acknowledged: true } }); } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts index 4691db1b19595e..88c549cec55797 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts @@ -9,8 +9,12 @@ import { getSignalsTemplate } from './get_signals_template'; describe('get_signals_template', () => { test('it should set the lifecycle "name" and "rollover_alias" to be the name of the index passed in', () => { - const template = getSignalsTemplate('test-index'); - expect(template.settings).toEqual({ + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); + expect(template.template.settings).toEqual({ index: { lifecycle: { name: 'test-index', @@ -24,23 +28,39 @@ describe('get_signals_template', () => { }); test('it should set have the index patterns with an ending glob in it', () => { - const template = getSignalsTemplate('test-index'); + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); expect(template.index_patterns).toEqual(['test-index-*']); }); test('it should have a mappings section which is an object type', () => { - const template = getSignalsTemplate('test-index'); - expect(typeof template.mappings).toEqual('object'); + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); + expect(typeof template.template.mappings).toEqual('object'); }); test('it should have a signals section which is an object type', () => { - const template = getSignalsTemplate('test-index'); - expect(typeof template.mappings.properties.signal).toEqual('object'); + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); + expect(typeof template.template.mappings.properties.signal).toEqual('object'); }); test('it should have a "total_fields" section that is at least 10k in size', () => { - const template = getSignalsTemplate('test-index'); - expect(template.settings.mapping.total_fields.limit).toBeGreaterThanOrEqual(10000); + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); + expect(template.template.settings.mapping.total_fields.limit).toBeGreaterThanOrEqual(10000); }); // If you see this test fail, you should track down any and all "constant_keyword" in your ecs_mapping.json and replace @@ -62,7 +82,11 @@ describe('get_signals_template', () => { // Instead you have to use "keyword". This test was first introduced when ECS 1.10 came out and data_stream.* values which had // "constant_keyword" fields and we needed to change those to be "keyword" instead. test('it should NOT have any "constant_keyword" and instead those should be replaced with regular "keyword" in the mapping', () => { - const template = getSignalsTemplate('test-index'); + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); // Small recursive function to find any values of "constant_keyword" and mark which fields it was found on and then error on those fields // The matchers from jest such as jest.toMatchObject do not support recursion, so I have to write it here: @@ -83,11 +107,20 @@ describe('get_signals_template', () => { } }, []); const constantKeywordsFound = recursiveConstantKeywordFound('', template); - expect(constantKeywordsFound).toEqual([]); + expect(constantKeywordsFound).toEqual([ + 'template.mappings.properties.kibana.space_ids', + 'template.mappings.properties.kibana.alert.consumers', + 'template.mappings.properties.kibana.alert.producer', + 'template.mappings.properties.kibana.alert.rule.rule_type_id', + ]); }); test('it should match snapshot', () => { - const template = getSignalsTemplate('test-index'); + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); expect(template).toMatchSnapshot(); }); }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index 53035ebf28cd78..bc41441e1a1179 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts @@ -5,9 +5,16 @@ * 2.0. */ +import { + SPACE_IDS, + ALERT_CONSUMERS, + ALERT_PRODUCER, + ALERT_RULE_TYPE_ID, +} from '@kbn/rule-data-utils'; import signalsMapping from './signals_mapping.json'; import ecsMapping from './ecs_mapping.json'; import otherMapping from './other_mappings.json'; +import aadFieldConversion from './signal_aad_mapping.json'; /** @constant @@ -22,50 +29,107 @@ import otherMapping from './other_mappings.json'; incremented by 10 in order to add "room" for the aforementioned patch release */ -export const SIGNALS_TEMPLATE_VERSION = 45; +export const SIGNALS_TEMPLATE_VERSION = 55; +/** + @constant + @type {number} + @description This value represents the version of the field aliases that map the new field names + used for alerts-as-data to the old signal.* field names. If any .siem-signals- indices + have an aliases_version less than this value, the detections UI will call create_index_route and + and go through the index update process. Increment this number if making changes to the field + aliases we use to make signals forwards-compatible. +*/ +export const SIGNALS_FIELD_ALIASES_VERSION = 1; export const MIN_EQL_RULE_INDEX_VERSION = 2; +export const ALIAS_VERSION_FIELD = 'aliases_version'; -export const getSignalsTemplate = (index: string) => { +export const getSignalsTemplate = (index: string, spaceId: string, aadIndexAliasName: string) => { + const fieldAliases = createSignalsFieldAliases(); const template = { - settings: { - index: { - lifecycle: { - name: index, - rollover_alias: index, + index_patterns: [`${index}-*`], + template: { + aliases: { + [aadIndexAliasName]: { + is_write_index: false, }, }, - mapping: { - total_fields: { - limit: 10000, + settings: { + index: { + lifecycle: { + name: index, + rollover_alias: index, + }, + }, + mapping: { + total_fields: { + limit: 10000, + }, }, }, - }, - index_patterns: [`${index}-*`], - mappings: { - dynamic: false, - properties: { - ...ecsMapping.mappings.properties, - ...otherMapping.mappings.properties, - signal: signalsMapping.mappings.properties.signal, - threat: { - ...ecsMapping.mappings.properties.threat, - properties: { - ...ecsMapping.mappings.properties.threat.properties, - indicator: { - ...otherMapping.mappings.properties.threat.properties.indicator, - properties: { - ...otherMapping.mappings.properties.threat.properties.indicator.properties, - event: ecsMapping.mappings.properties.event, + mappings: { + dynamic: false, + properties: { + ...ecsMapping.mappings.properties, + ...otherMapping.mappings.properties, + ...fieldAliases, + ...getRbacRequiredFields(spaceId), + signal: signalsMapping.mappings.properties.signal, + threat: { + ...ecsMapping.mappings.properties.threat, + properties: { + ...ecsMapping.mappings.properties.threat.properties, + indicator: { + ...otherMapping.mappings.properties.threat.properties.indicator, + properties: { + ...otherMapping.mappings.properties.threat.properties.indicator.properties, + event: ecsMapping.mappings.properties.event, + }, }, }, }, }, - }, - _meta: { - version: SIGNALS_TEMPLATE_VERSION, + _meta: { + version: SIGNALS_TEMPLATE_VERSION, + [ALIAS_VERSION_FIELD]: SIGNALS_FIELD_ALIASES_VERSION, + }, }, }, version: SIGNALS_TEMPLATE_VERSION, }; return template; }; + +export const createSignalsFieldAliases = () => { + const fieldAliases: Record = {}; + Object.entries(aadFieldConversion).forEach(([key, value]) => { + fieldAliases[value] = { + type: 'alias', + path: key, + }; + }); + return fieldAliases; +}; + +export const getRbacRequiredFields = (spaceId: string) => { + return { + [SPACE_IDS]: { + type: 'constant_keyword', + value: spaceId, + }, + [ALERT_CONSUMERS]: { + type: 'constant_keyword', + value: 'siem', + }, + [ALERT_PRODUCER]: { + type: 'constant_keyword', + value: 'siem', + }, + // TODO: discuss naming of this field and what the value will be for legacy signals. + // Can we leave it as 'siem.signals' or do we need a runtime field that will map signal.rule.type + // to the new ruleTypeId? + [ALERT_RULE_TYPE_ID]: { + type: 'constant_keyword', + value: 'siem.signals', + }, + }; +}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts index 3527e43c03d52b..4cfedd5dcaa011 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts @@ -15,6 +15,7 @@ import { buildSiemResponse } from '../utils'; import { SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; import { getIndexVersion } from './get_index_version'; import { isOutdated } from '../../migrations/helpers'; +import { fieldAliasesOutdated } from './check_template_version'; export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: ConfigType) => { router.get( @@ -38,23 +39,20 @@ export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: Con // TODO: Once we are past experimental phase this code should be removed const { ruleRegistryEnabled } = parseExperimentalConfigValue(config.enableExperimental); - if (ruleRegistryEnabled) { - return response.ok({ - body: { name: DEFAULT_ALERTS_INDEX, index_mapping_outdated: false }, - }); - } const index = siemClient.getSignalsIndex(); - const indexExists = ruleRegistryEnabled ? true : await getIndexExists(esClient, index); + const indexExists = await getIndexExists(esClient, index); if (indexExists) { let mappingOutdated: boolean | null = null; + let aliasesOutdated: boolean | null = null; try { const indexVersion = await getIndexVersion(esClient, index); mappingOutdated = isOutdated({ current: indexVersion, target: SIGNALS_TEMPLATE_VERSION, }); + aliasesOutdated = await fieldAliasesOutdated(esClient, index); } catch (err) { const error = transformError(err); // Some users may not have the view_index_metadata permission necessary to check the index mapping version @@ -66,12 +64,26 @@ export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: Con }); } } - return response.ok({ body: { name: index, index_mapping_outdated: mappingOutdated } }); - } else { - return siemResponse.error({ - statusCode: 404, - body: 'index for this space does not exist', + return response.ok({ + body: { + name: ruleRegistryEnabled ? DEFAULT_ALERTS_INDEX : index, + index_mapping_outdated: mappingOutdated || aliasesOutdated, + }, }); + } else { + if (ruleRegistryEnabled) { + return response.ok({ + body: { + name: DEFAULT_ALERTS_INDEX, + index_mapping_outdated: false, + }, + }); + } else { + return siemResponse.error({ + statusCode: 404, + body: 'index for this space does not exist', + }); + } } } catch (err) { const error = transformError(err); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json new file mode 100644 index 00000000000000..066fdbc87f9066 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json @@ -0,0 +1,93 @@ +{ + "signal.ancestors.depth": "kibana.alert.ancestors.depth", + "signal.ancestors.id": "kibana.alert.ancestors.id", + "signal.ancestors.index": "kibana.alert.ancestors.index", + "signal.ancestors.type": "kibana.alert.ancestors.type", + "signal.depth": "kibana.alert.depth", + "signal.original_event.action": "kibana.alert.original_event.action", + "signal.original_event.category": "kibana.alert.original_event.category", + "signal.original_event.code": "kibana.alert.original_event.code", + "signal.original_event.created": "kibana.alert.original_event.created", + "signal.original_event.dataset": "kibana.alert.original_event.dataset", + "signal.original_event.duration": "kibana.alert.original_event.duration", + "signal.original_event.end": "kibana.alert.original_event.end", + "signal.original_event.hash": "kibana.alert.original_event.hash", + "signal.original_event.id": "kibana.alert.original_event.id", + "signal.original_event.kind": "kibana.alert.original_event.kind", + "signal.original_event.module": "kibana.alert.original_event.module", + "signal.original_event.outcome": "kibana.alert.original_event.outcome", + "signal.original_event.provider": "kibana.alert.original_event.provider", + "signal.original_event.risk_score": "kibana.alert.original_event.risk_score", + "signal.original_event.risk_score_norm": "kibana.alert.original_event.risk_score_norm", + "signal.original_event.sequence": "kibana.alert.original_event.sequence", + "signal.original_event.severity": "kibana.alert.original_event.severity", + "signal.original_event.start": "kibana.alert.original_event.start", + "signal.original_event.timezone": "kibana.alert.original_event.timezone", + "signal.original_event.type": "kibana.alert.original_event.type", + "signal.original_time": "kibana.alert.original_time", + "signal.rule.author": "kibana.alert.rule.author", + "signal.rule.building_block_type": "kibana.alert.rule.building_block_type", + "signal.rule.created_at": "kibana.alert.rule.created_at", + "signal.rule.created_by": "kibana.alert.rule.created_by", + "signal.rule.description": "kibana.alert.rule.description", + "signal.rule.enabled": "kibana.alert.rule.enabled", + "signal.rule.false_positives": "kibana.alert.rule.false_positives", + "signal.rule.from": "kibana.alert.rule.from", + "signal.rule.id": "kibana.alert.rule.id", + "signal.rule.immutable": "kibana.alert.rule.immutable", + "signal.rule.index": "kibana.alert.rule.index", + "signal.rule.interval": "kibana.alert.rule.interval", + "signal.rule.language": "kibana.alert.rule.language", + "signal.rule.license": "kibana.alert.rule.license", + "signal.rule.max_signals": "kibana.alert.rule.max_signals", + "signal.rule.name": "kibana.alert.rule.name", + "signal.rule.note": "kibana.alert.rule.note", + "signal.rule.query": "kibana.alert.rule.query", + "signal.rule.references": "kibana.alert.rule.references", + "signal.rule.risk_score": "kibana.alert.risk_score", + "signal.rule.risk_score_mapping.field": "kibana.alert.rule.risk_score_mapping.field", + "signal.rule.risk_score_mapping.operator": "kibana.alert.rule.risk_score_mapping.operator", + "signal.rule.risk_score_mapping.value": "kibana.alert.rule.risk_score_mapping.value", + "signal.rule.rule_id": "kibana.alert.rule.rule_id", + "signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override", + "signal.rule.saved_id": "kibana.alert.rule.saved_id", + "signal.rule.severity": "kibana.alert.severity", + "signal.rule.severity_mapping.field": "kibana.alert.rule.severity_mapping.field", + "signal.rule.severity_mapping.operator": "kibana.alert.rule.severity_mapping.operator", + "signal.rule.severity_mapping.value": "kibana.alert.rule.severity_mapping.value", + "signal.rule.severity_mapping.severity": "kibana.alert.rule.severity_mapping.severity", + "signal.rule.tags": "kibana.alert.rule.tags", + "signal.rule.threat.framework": "kibana.alert.rule.threat.framework", + "signal.rule.threat.tactic.id": "kibana.alert.rule.threat.tactic.id", + "signal.rule.threat.tactic.name": "kibana.alert.rule.threat.tactic.name", + "signal.rule.threat.tactic.reference": "kibana.alert.rule.threat.tactic.reference", + "signal.rule.threat.technique.id": "kibana.alert.rule.threat.technique.id", + "signal.rule.threat.technique.name": "kibana.alert.rule.threat.technique.name", + "signal.rule.threat.technique.reference": "kibana.alert.rule.threat.technique.reference", + "signal.rule.threat.technique.subtechnique.id": "kibana.alert.rule.threat.technique.subtechnique.id", + "signal.rule.threat.technique.subtechnique.name": "kibana.alert.rule.threat.technique.subtechnique.name", + "signal.rule.threat.technique.subtechnique.reference": "kibana.alert.rule.threat.technique.subtechnique.reference", + "signal.rule.threat_index": "kibana.alert.rule.threat_index", + "signal.rule.threat_indicator_path": "kibana.alert.rule.threat_indicator_path", + "signal.rule.threat_language": "kibana.alert.rule.threat_language", + "signal.rule.threat_mapping.entries.field": "kibana.alert.rule.threat_mapping.entries.field", + "signal.rule.threat_mapping.entries.value": "kibana.alert.rule.threat_mapping.entries.value", + "signal.rule.threat_mapping.entries.type": "kibana.alert.rule.threat_mapping.entries.type", + "signal.rule.threat_query": "kibana.alert.rule.threat_query", + "signal.rule.threshold.field": "kibana.alert.rule.threshold.field", + "signal.rule.threshold.value": "kibana.alert.rule.threshold.value", + "signal.rule.timeline_id": "kibana.alert.rule.timeline_id", + "signal.rule.timeline_title": "kibana.alert.rule.timeline_title", + "signal.rule.to": "kibana.alert.rule.to", + "signal.rule.type": "kibana.alert.rule.type", + "signal.rule.updated_at": "kibana.alert.rule.updated_at", + "signal.rule.updated_by": "kibana.alert.rule.updated_by", + "signal.rule.version": "kibana.alert.rule.version", + "signal.status": "kibana.alert.workflow_status", + "signal.threshold_result.from": "kibana.alert.threshold_result.from", + "signal.threshold_result.terms.field": "kibana.alert.threshold_result.terms.field", + "signal.threshold_result.terms.value": "kibana.alert.threshold_result.terms.value", + "signal.threshold_result.cardinality.field": "kibana.alert.threshold_result.cardinality.field", + "signal.threshold_result.cardinality.value": "kibana.alert.threshold_result.cardinality.value", + "signal.threshold_result.count": "kibana.alert.threshold_result.count" +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_extra_fields.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_extra_fields.json new file mode 100644 index 00000000000000..e20aa0ef16df43 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_extra_fields.json @@ -0,0 +1,195 @@ +{ + "signal": { + "type": "object", + "properties": { + "_meta": { + "type": "object", + "properties": { + "version": { + "type": "long" + } + } + }, + "ancestors": { + "properties": { + "rule": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "depth": { + "type": "long" + } + } + }, + "depth": { + "type": "integer" + }, + "group": { + "type": "object", + "properties": { + "id": { + "type": "keyword" + }, + "index": { + "type": "integer" + } + } + }, + "rule": { + "type": "object", + "properties": { + "author": { + "type": "keyword" + }, + "building_block_type": { + "type": "keyword" + }, + "license": { + "type": "keyword" + }, + "note": { + "type": "text" + }, + "risk_score_mapping": { + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "operator": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "rule_name_override": { + "type": "keyword" + }, + "severity_mapping": { + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "operator": { + "type": "keyword" + }, + "value": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + } + } + }, + "threat": { + "type": "object", + "properties": { + "technique": { + "type": "object", + "properties": { + "subtechnique": { + "type": "object", + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + } + } + } + }, + "threat_index": { + "type": "keyword" + }, + "threat_indicator_path": { + "type": "keyword" + }, + "threat_language": { + "type": "keyword" + }, + "threat_mapping": { + "type": "object", + "properties": { + "entries": { + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "threat_query": { + "type": "keyword" + }, + "threshold": { + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "float" + } + } + } + } + }, + "threshold_result": { + "properties": { + "from": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "cardinality": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "long" + } + } + }, + "count": { + "type": "long" + } + } + } + } + } +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts index 2e6f4b9303d897..54a41be5cbadeb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts @@ -44,7 +44,10 @@ export const buildBulkBody = ( ...additionalSignalFields(mergedDoc), }; const event = buildEventTypeSignal(mergedDoc); - const { threshold_result: thresholdResult, ...filteredSource } = mergedDoc._source || { + // Filter out any kibana.* fields from the generated signal - kibana.* fields are aliases + // in siem-signals so we can't write to them, but for signals-on-signals they'll be returned + // in the fields API response and merged into the mergedDoc source + const { threshold_result: thresholdResult, kibana, ...filteredSource } = mergedDoc._source || { threshold_result: null, }; const signalHit: SignalHit = { @@ -145,9 +148,13 @@ export const buildSignalFromEvent = ( ...additionalSignalFields(mergedEvent), }; const eventFields = buildEventTypeSignal(mergedEvent); + // Filter out any kibana.* fields from the generated signal - kibana.* fields are aliases + // in siem-signals so we can't write to them, but for signals-on-signals they'll be returned + // in the fields API response and merged into the mergedDoc source + const { kibana, ...filteredSource } = mergedEvent._source || {}; // TODO: better naming for SignalHit - it's really a new signal to be inserted const signalHit: SignalHit = { - ...mergedEvent._source, + ...filteredSource, '@timestamp': new Date().toISOString(), event: eventFields, signal, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts index 48d372853e6d04..6cbe0d1a527047 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts @@ -121,6 +121,7 @@ export interface SignalSource { original_time?: string; threshold_result?: ThresholdResult; }; + kibana?: SearchTypes; } export interface BulkItem { diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index fd3a32a2fa689d..e67c9fbfd8327d 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -8,6 +8,7 @@ import { once } from 'lodash'; import { Observable } from 'rxjs'; import LRU from 'lru-cache'; +import { estypes } from '@elastic/elasticsearch'; import { CoreSetup, @@ -87,6 +88,7 @@ import { licenseService } from './lib/license'; import { PolicyWatcher } from './endpoint/lib/policy/license_watch'; import { parseExperimentalConfigValue } from '../common/experimental_features'; import { migrateArtifactsToFleet } from './endpoint/lib/artifacts/migrate_artifacts_to_fleet'; +import aadFieldConversion from './lib/detection_engine/routes/index/signal_aad_mapping.json'; import { alertsFieldMap } from './lib/detection_engine/rule_types/field_maps/alerts'; import { rulesFieldMap } from './lib/detection_engine/rule_types/field_maps/rules'; import { RuleExecutionLogClient } from './lib/detection_engine/rule_execution_log/rule_execution_log_client'; @@ -201,17 +203,27 @@ export class Plugin implements IPlugin { if (!ruleDataService.isWriteEnabled()) { return; } - const componentTemplateName = ruleDataService.getFullAssetName('security.alerts-mappings'); + // TODO: convert the aliases to FieldMaps. Requires enhancing FieldMap to support alias path. + // Split aliases by component template since we need to alias some fields in technical field mappings, + // some fields in security solution specific component template. + const aliases: Record = {}; + Object.entries(aadFieldConversion).forEach(([key, value]) => { + aliases[key] = { + type: 'alias', + path: value, + }; + }); + + const componentTemplateName = ruleDataService.getFullAssetName('security.alerts-mappings'); await ruleDataService.createOrUpdateComponentTemplate({ name: componentTemplateName, body: { @@ -273,6 +285,7 @@ export class Plugin implements IPlugin { // Detection Engine Rule routes that have the REST endpoints of /api/detection_engine/rules @@ -117,7 +118,7 @@ export const initRoutes = ( // Detection Engine index routes that have the REST endpoints of /api/detection_engine/index // All REST index creation, policy management for spaces - createIndexRoute(router); + createIndexRoute(router, ruleDataService, config); readIndexRoute(router, config); deleteIndexRoute(router);