索引模板脚本

编辑

此代码创建了一个新的索引模板,用于在更新检测告警索引的索引映射时临时存储现有的检测告警。您需要更新索引映射才能在从之前的次要版本(7.8.x、7.7.x 等)升级到 Elastic Stack 7.9.0 或 7.9.1 后可视化进程关系。

在 Elastic Stack 8.0.0 版本中,检测告警的系统索引已从 .siem-signals-<Kibana 空间> 重命名为 .alerts-security.alerts-<Kibana 空间>

点击此处滚动到页面底部,并使用内置函数将代码粘贴到 Kibana 开发控制台中。您可以点击设置图标来更新 Kibana 的 URL。

PUT _template/temp-signals
{
  "order": 0,
  "index_patterns": ["temp-signals"],
  "settings": {
    "index": {
      "mapping": {
        "total_fields": {
          "limit": "10000"
        }
      }
    }
  },
  "mappings": {
    "dynamic": false,
    "properties": {
      "container": {
        "properties": {
          "image": {
            "properties": {
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "tag": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "runtime": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "labels": {
            "type": "object"
          }
        }
      },
      "server": {
        "properties": {
          "nat": {
            "properties": {
              "port": {
                "type": "long"
              },
              "ip": {
                "type": "ip"
              }
            }
          },
          "address": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "top_level_domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "ip": {
            "type": "ip"
          },
          "mac": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "packets": {
            "type": "long"
          },
          "geo": {
            "properties": {
              "continent_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "region_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "city_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "location": {
                "type": "geo_point"
              },
              "region_name": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "as": {
            "properties": {
              "number": {
                "type": "long"
              },
              "organization": {
                "properties": {
                  "name": {
                    "ignore_above": 1024,
                    "fields": {
                      "text": {
                        "norms": false,
                        "type": "text"
                      }
                    },
                    "type": "keyword"
                  }
                }
              }
            }
          },
          "registered_domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "port": {
            "type": "long"
          },
          "bytes": {
            "type": "long"
          },
          "domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "user": {
            "properties": {
              "full_name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "domain": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "email": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "hash": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "group": {
                "properties": {
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              }
            }
          }
        }
      },
      "agent": {
        "properties": {
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "ephemeral_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "type": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "version": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "log": {
        "properties": {
          "original": {
            "ignore_above": 1024,
            "index": false,
            "type": "keyword",
            "doc_values": false
          },
          "level": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "logger": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "origin": {
            "properties": {
              "file": {
                "properties": {
                  "line": {
                    "type": "integer"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "function": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "syslog": {
            "type": "object",
            "properties": {
              "severity": {
                "properties": {
                  "code": {
                    "type": "long"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "priority": {
                "type": "long"
              },
              "facility": {
                "properties": {
                  "code": {
                    "type": "long"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              }
            }
          }
        }
      },
      "destination": {
        "properties": {
          "nat": {
            "properties": {
              "port": {
                "type": "long"
              },
              "ip": {
                "type": "ip"
              }
            }
          },
          "address": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "top_level_domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "ip": {
            "type": "ip"
          },
          "mac": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "packets": {
            "type": "long"
          },
          "geo": {
            "properties": {
              "continent_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "region_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "city_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "location": {
                "type": "geo_point"
              },
              "region_name": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "as": {
            "properties": {
              "number": {
                "type": "long"
              },
              "organization": {
                "properties": {
                  "name": {
                    "ignore_above": 1024,
                    "fields": {
                      "text": {
                        "norms": false,
                        "type": "text"
                      }
                    },
                    "type": "keyword"
                  }
                }
              }
            }
          },
          "registered_domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "port": {
            "type": "long"
          },
          "bytes": {
            "type": "long"
          },
          "domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "user": {
            "properties": {
              "full_name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "domain": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "email": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "hash": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "group": {
                "properties": {
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              }
            }
          }
        }
      },
      "rule": {
        "properties": {
          "reference": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "ruleset": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "description": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "category": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "uuid": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "version": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "source": {
        "properties": {
          "nat": {
            "properties": {
              "port": {
                "type": "long"
              },
              "ip": {
                "type": "ip"
              }
            }
          },
          "address": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "top_level_domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "ip": {
            "type": "ip"
          },
          "mac": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "packets": {
            "type": "long"
          },
          "geo": {
            "properties": {
              "continent_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "region_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "city_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "location": {
                "type": "geo_point"
              },
              "region_name": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "as": {
            "properties": {
              "number": {
                "type": "long"
              },
              "organization": {
                "properties": {
                  "name": {
                    "ignore_above": 1024,
                    "fields": {
                      "text": {
                        "norms": false,
                        "type": "text"
                      }
                    },
                    "type": "keyword"
                  }
                }
              }
            }
          },
          "registered_domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "port": {
            "type": "long"
          },
          "bytes": {
            "type": "long"
          },
          "domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "user": {
            "properties": {
              "full_name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "domain": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "email": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "hash": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "group": {
                "properties": {
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              }
            }
          }
        }
      },
      "error": {
        "properties": {
          "code": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "stack_trace": {
            "ignore_above": 1024,
            "index": false,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword",
            "doc_values": false
          },
          "message": {
            "norms": false,
            "type": "text"
          },
          "type": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "network": {
        "properties": {
          "community_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "forwarded_ip": {
            "type": "ip"
          },
          "protocol": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "application": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "bytes": {
            "type": "long"
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "transport": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "type": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "iana_number": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "packets": {
            "type": "long"
          },
          "direction": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "cloud": {
        "properties": {
          "availability_zone": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "instance": {
            "properties": {
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "provider": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "machine": {
            "properties": {
              "type": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "region": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "account": {
            "properties": {
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          }
        }
      },
      "geo": {
        "properties": {
          "continent_name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "region_iso_code": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "city_name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "country_iso_code": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "country_name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "location": {
            "type": "geo_point"
          },
          "region_name": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "observer": {
        "properties": {
          "geo": {
            "properties": {
              "continent_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "region_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "city_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "location": {
                "type": "geo_point"
              },
              "region_name": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "hostname": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "product": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "os": {
            "properties": {
              "kernel": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "family": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "version": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "platform": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "full": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              }
            }
          },
          "vendor": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "ip": {
            "type": "ip"
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "serial_number": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "type": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "version": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "mac": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "trace": {
        "properties": {
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "file": {
        "properties": {
          "owner": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "extension": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "gid": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "drive_letter": {
            "ignore_above": 1,
            "type": "keyword"
          },
          "created": {
            "type": "date"
          },
          "accessed": {
            "type": "date"
          },
          "mtime": {
            "type": "date"
          },
          "type": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "directory": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "target_path": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "inode": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "mode": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "path": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "uid": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "size": {
            "type": "long"
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "ctime": {
            "type": "date"
          },
          "attributes": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "device": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "hash": {
            "properties": {
              "sha1": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "sha256": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "sha512": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "md5": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "group": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "ecs": {
        "properties": {
          "version": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "related": {
        "properties": {
          "ip": {
            "type": "ip"
          },
          "user": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "hash": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "host": {
        "properties": {
          "geo": {
            "properties": {
              "continent_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "region_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "city_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "location": {
                "type": "geo_point"
              },
              "region_name": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "hostname": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "os": {
            "properties": {
              "kernel": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "family": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "version": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "platform": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "full": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              }
            }
          },
          "domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "ip": {
            "type": "ip"
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "type": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "user": {
            "properties": {
              "full_name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "domain": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "email": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "hash": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "group": {
                "properties": {
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              }
            }
          },
          "mac": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "architecture": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "uptime": {
            "type": "long"
          }
        }
      },
      "client": {
        "properties": {
          "nat": {
            "properties": {
              "port": {
                "type": "long"
              },
              "ip": {
                "type": "ip"
              }
            }
          },
          "address": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "top_level_domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "ip": {
            "type": "ip"
          },
          "mac": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "packets": {
            "type": "long"
          },
          "geo": {
            "properties": {
              "continent_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "region_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "city_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_iso_code": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "country_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "location": {
                "type": "geo_point"
              },
              "region_name": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "as": {
            "properties": {
              "number": {
                "type": "long"
              },
              "organization": {
                "properties": {
                  "name": {
                    "ignore_above": 1024,
                    "fields": {
                      "text": {
                        "norms": false,
                        "type": "text"
                      }
                    },
                    "type": "keyword"
                  }
                }
              }
            }
          },
          "registered_domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "port": {
            "type": "long"
          },
          "bytes": {
            "type": "long"
          },
          "domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "user": {
            "properties": {
              "full_name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "domain": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "email": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "hash": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "group": {
                "properties": {
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              }
            }
          }
        }
      },
      "event": {
        "properties": {
          "severity": {
            "type": "long"
          },
          "code": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "original": {
            "ignore_above": 1024,
            "index": false,
            "type": "keyword",
            "doc_values": false
          },
          "risk_score": {
            "type": "float"
          },
          "created": {
            "type": "date"
          },
          "kind": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "timezone": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "module": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "start": {
            "type": "date"
          },
          "type": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "duration": {
            "type": "long"
          },
          "sequence": {
            "type": "long"
          },
          "ingested": {
            "type": "date"
          },
          "provider": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "risk_score_norm": {
            "type": "float"
          },
          "action": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "end": {
            "type": "date"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "category": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "dataset": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "hash": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "outcome": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "signal": {
        "properties": {
          "parent": {
            "properties": {
              "depth": {
                "type": "long"
              },
              "rule": {
                "type": "keyword"
              },
              "index": {
                "type": "keyword"
              },
              "id": {
                "type": "keyword"
              },
              "type": {
                "type": "keyword"
              }
            }
          },
          "rule": {
            "properties": {
              "references": {
                "type": "keyword"
              },
              "description": {
                "type": "keyword"
              },
              "created_at": {
                "type": "date"
              },
              "language": {
                "type": "keyword"
              },
              "type": {
                "type": "keyword"
              },
              "enabled": {
                "type": "keyword"
              },
              "updated_at": {
                "type": "date"
              },
              "from": {
                "type": "keyword"
              },
              "id": {
                "type": "keyword"
              },
              "timeline_id": {
                "type": "keyword"
              },
              "max_signals": {
                "type": "keyword"
              },
              "severity": {
                "type": "keyword"
              },
              "risk_score": {
                "type": "keyword"
              },
              "query": {
                "type": "keyword"
              },
              "index": {
                "type": "keyword"
              },
              "filters": {
                "type": "object"
              },
              "created_by": {
                "type": "keyword"
              },
              "version": {
                "type": "keyword"
              },
              "saved_id": {
                "type": "keyword"
              },
              "tags": {
                "type": "keyword"
              },
              "rule_id": {
                "type": "keyword"
              },
              "immutable": {
                "type": "keyword"
              },
              "size": {
                "type": "keyword"
              },
              "timeline_title": {
                "type": "keyword"
              },
              "name": {
                "type": "keyword"
              },
              "updated_by": {
                "type": "keyword"
              },
              "interval": {
                "type": "keyword"
              },
              "false_positives": {
                "type": "keyword"
              },
              "threat": {
                "properties": {
                  "framework": {
                    "type": "keyword"
                  },
                  "technique": {
                    "properties": {
                      "reference": {
                        "type": "keyword"
                      },
                      "name": {
                        "type": "keyword"
                      },
                      "id": {
                        "type": "keyword"
                      }
                    }
                  },
                  "tactic": {
                    "properties": {
                      "reference": {
                        "type": "keyword"
                      },
                      "name": {
                        "type": "keyword"
                      },
                      "id": {
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "to": {
                "type": "keyword"
              }
            }
          },
          "original_time": {
            "type": "date"
          },
          "ancestors": {
            "properties": {
              "depth": {
                "type": "long"
              },
              "rule": {
                "type": "keyword"
              },
              "id": {
                "type": "keyword"
              },
              "type": {
                "type": "keyword"
              }
            }
          },
          "original_event": {
            "properties": {
              "severity": {
                "type": "long"
              },
              "code": {
                "type": "keyword"
              },
              "original": {
                "index": false,
                "type": "keyword",
                "doc_values": false
              },
              "risk_score": {
                "type": "float"
              },
              "created": {
                "type": "date"
              },
              "kind": {
                "type": "keyword"
              },
              "timezone": {
                "type": "keyword"
              },
              "module": {
                "type": "keyword"
              },
              "start": {
                "type": "date"
              },
              "type": {
                "type": "keyword"
              },
              "duration": {
                "type": "long"
              },
              "sequence": {
                "type": "long"
              },
              "provider": {
                "type": "keyword"
              },
              "risk_score_norm": {
                "type": "float"
              },
              "action": {
                "type": "keyword"
              },
              "end": {
                "type": "date"
              },
              "id": {
                "type": "keyword"
              },
              "category": {
                "type": "keyword"
              },
              "dataset": {
                "type": "keyword"
              },
              "hash": {
                "type": "keyword"
              },
              "outcome": {
                "type": "keyword"
              }
            }
          },
          "status": {
            "type": "keyword"
          }
        }
      },
      "user_agent": {
        "properties": {
          "original": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "os": {
            "properties": {
              "kernel": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "family": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "version": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "platform": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "full": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              }
            }
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "device": {
            "properties": {
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "version": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "group": {
        "properties": {
          "domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "registry": {
        "properties": {
          "hive": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "path": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "data": {
            "properties": {
              "strings": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "bytes": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "type": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "value": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "key": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "process": {
        "properties": {
          "parent": {
            "properties": {
              "pgid": {
                "type": "long"
              },
              "start": {
                "type": "date"
              },
              "pid": {
                "type": "long"
              },
              "working_directory": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "thread": {
                "properties": {
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "type": "long"
                  }
                }
              },
              "title": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "executable": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "ppid": {
                "type": "long"
              },
              "uptime": {
                "type": "long"
              },
              "args": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "exit_code": {
                "type": "long"
              },
              "name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "args_count": {
                "type": "long"
              },
              "command_line": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              }
            }
          },
          "pgid": {
            "type": "long"
          },
          "start": {
            "type": "date"
          },
          "pid": {
            "type": "long"
          },
          "working_directory": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "thread": {
            "properties": {
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "id": {
                "type": "long"
              }
            }
          },
          "title": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "executable": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "ppid": {
            "type": "long"
          },
          "uptime": {
            "type": "long"
          },
          "args": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "exit_code": {
            "type": "long"
          },
          "name": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "args_count": {
            "type": "long"
          },
          "command_line": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "hash": {
            "properties": {
              "sha1": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "sha256": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "sha512": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "md5": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          }
        }
      },
      "package": {
        "properties": {
          "installed": {
            "type": "date"
          },
          "build_version": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "description": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "type": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "version": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "reference": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "license": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "path": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "install_scope": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "size": {
            "type": "long"
          },
          "checksum": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "architecture": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "os": {
        "properties": {
          "kernel": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "name": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "family": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "version": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "platform": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "full": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          }
        }
      },
      "dns": {
        "properties": {
          "op_code": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "resolved_ip": {
            "type": "ip"
          },
          "response_code": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "question": {
            "properties": {
              "registered_domain": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "top_level_domain": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "subdomain": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "type": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "class": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "answers": {
            "type": "object",
            "properties": {
              "data": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "type": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "class": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "ttl": {
                "type": "long"
              }
            }
          },
          "header_flags": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "type": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "vulnerability": {
        "properties": {
          "reference": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "severity": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "score": {
            "properties": {
              "environmental": {
                "type": "float"
              },
              "version": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "temporal": {
                "type": "float"
              },
              "base": {
                "type": "float"
              }
            }
          },
          "report_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "scanner": {
            "properties": {
              "vendor": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "description": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "category": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "classification": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "enumeration": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "message": {
        "norms": false,
        "type": "text"
      },
      "url": {
        "properties": {
          "extension": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "original": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "scheme": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "top_level_domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "query": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "path": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "fragment": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "password": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "registered_domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "port": {
            "type": "long"
          },
          "domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "full": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "username": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "labels": {
        "type": "object"
      },
      "tags": {
        "ignore_above": 1024,
        "type": "keyword"
      },
      "as": {
        "properties": {
          "number": {
            "type": "long"
          },
          "organization": {
            "properties": {
              "name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              }
            }
          }
        }
      },
      "@timestamp": {
        "type": "date"
      },
      "service": {
        "properties": {
          "node": {
            "properties": {
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "state": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "ephemeral_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "type": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "version": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "organization": {
        "properties": {
          "name": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "http": {
        "properties": {
          "request": {
            "properties": {
              "referrer": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "method": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "bytes": {
                "type": "long"
              },
              "body": {
                "properties": {
                  "bytes": {
                    "type": "long"
                  },
                  "content": {
                    "ignore_above": 1024,
                    "fields": {
                      "text": {
                        "norms": false,
                        "type": "text"
                      }
                    },
                    "type": "keyword"
                  }
                }
              }
            }
          },
          "response": {
            "properties": {
              "status_code": {
                "type": "long"
              },
              "bytes": {
                "type": "long"
              },
              "body": {
                "properties": {
                  "bytes": {
                    "type": "long"
                  },
                  "content": {
                    "ignore_above": 1024,
                    "fields": {
                      "text": {
                        "norms": false,
                        "type": "text"
                      }
                    },
                    "type": "keyword"
                  }
                }
              }
            }
          },
          "version": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "tls": {
        "properties": {
          "cipher": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "established": {
            "type": "boolean"
          },
          "server": {
            "properties": {
              "not_after": {
                "type": "date"
              },
              "ja3s": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "not_before": {
                "type": "date"
              },
              "subject": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "certificate": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "certificate_chain": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "hash": {
                "properties": {
                  "sha1": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "sha256": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "md5": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "issuer": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "curve": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "client": {
            "properties": {
              "not_after": {
                "type": "date"
              },
              "server_name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "not_before": {
                "type": "date"
              },
              "subject": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "supported_ciphers": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "certificate": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "ja3": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "certificate_chain": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "hash": {
                "properties": {
                  "sha1": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "sha256": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "md5": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "issuer": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "next_protocol": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "resumed": {
            "type": "boolean"
          },
          "version": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "version_protocol": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "threat": {
        "properties": {
          "framework": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "technique": {
            "properties": {
              "reference": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  }
                },
                "type": "keyword"
              },
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "tactic": {
            "properties": {
              "reference": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          }
        }
      },
      "user": {
        "properties": {
          "full_name": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "domain": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "name": {
            "ignore_above": 1024,
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "type": "keyword"
          },
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "email": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "hash": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "group": {
            "properties": {
              "domain": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          }
        }
      },
      "hash": {
        "properties": {
          "sha1": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "sha256": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "sha512": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "md5": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "transaction": {
        "properties": {
          "id": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      }
    }
  },
  "aliases": {}
}

返回顶部