索引模板脚本
此代码创建一个新的索引模板,用于在更新检测警报索引的索引映射时临时存储现有的检测警报。从之前的次要版本(7.8.x、7.7.x 等)升级到 Elastic Stack 版本 7.9.0 或 7.9.1 后,您需要更新索引映射才能可视化进程关系。
在 Elastic Stack 版本 8.0.0 中,检测警报的系统索引已从 .siem-signals-<Kibana 空间> 重命名为 .alerts-security.alerts-<Kibana 空间>。
点击此处滚动到页面底部,并使用内置函数将代码粘贴到 Kibana 开发者控制台。您可以点击设置图标更新 Kibana 的 URL。
PUT _template/temp-signals { "order": 0, "index_patterns": ["temp-signals"], "settings": { "index": { "mapping": { "total_fields": { "limit": "10000" } } } }, "mappings": { "dynamic": false, "properties": { "container": { "properties": { "image": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "tag": { "ignore_above": 1024, "type": "keyword" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "runtime": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "labels": { "type": "object" } } }, "server": { "properties": { "nat": { "properties": { "port": { "type": "long" }, "ip": { "type": "ip" } } }, "address": { "ignore_above": 1024, "type": "keyword" }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, "ip": { "type": "ip" }, "mac": { "ignore_above": 1024, "type": "keyword" }, "packets": { "type": "long" }, "geo": { "properties": { "continent_name": { "ignore_above": 1024, "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" }, "city_name": { "ignore_above": 1024, "type": "keyword" }, "country_iso_code": { "ignore_above": 1024, "type": "keyword" }, "country_name": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "location": { "type": "geo_point" }, "region_name": { "ignore_above": 1024, "type": "keyword" } } }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" } } } } }, "registered_domain": { "ignore_above": 1024, "type": "keyword" }, "port": { "type": "long" }, "bytes": { "type": "long" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "user": { "properties": { "full_name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { 
"ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "email": { "ignore_above": 1024, "type": "keyword" }, "hash": { "ignore_above": 1024, "type": "keyword" }, "group": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } } } } } }, "agent": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "ephemeral_id": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "log": { "properties": { "original": { "ignore_above": 1024, "index": false, "type": "keyword", "doc_values": false }, "level": { "ignore_above": 1024, "type": "keyword" }, "logger": { "ignore_above": 1024, "type": "keyword" }, "origin": { "properties": { "file": { "properties": { "line": { "type": "integer" }, "name": { "ignore_above": 1024, "type": "keyword" } } }, "function": { "ignore_above": 1024, "type": "keyword" } } }, "syslog": { "type": "object", "properties": { "severity": { "properties": { "code": { "type": "long" }, "name": { "ignore_above": 1024, "type": "keyword" } } }, "priority": { "type": "long" }, "facility": { "properties": { "code": { "type": "long" }, "name": { "ignore_above": 1024, "type": "keyword" } } } } } } }, "destination": { "properties": { "nat": { "properties": { "port": { "type": "long" }, "ip": { "type": "ip" } } }, "address": { "ignore_above": 1024, "type": "keyword" }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, "ip": { "type": "ip" }, "mac": { "ignore_above": 1024, "type": "keyword" }, "packets": { "type": "long" }, "geo": { "properties": { "continent_name": { "ignore_above": 1024, "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" 
}, "city_name": { "ignore_above": 1024, "type": "keyword" }, "country_iso_code": { "ignore_above": 1024, "type": "keyword" }, "country_name": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "location": { "type": "geo_point" }, "region_name": { "ignore_above": 1024, "type": "keyword" } } }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" } } } } }, "registered_domain": { "ignore_above": 1024, "type": "keyword" }, "port": { "type": "long" }, "bytes": { "type": "long" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "user": { "properties": { "full_name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "email": { "ignore_above": 1024, "type": "keyword" }, "hash": { "ignore_above": 1024, "type": "keyword" }, "group": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } } } } } }, "rule": { "properties": { "reference": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "ruleset": { "ignore_above": 1024, "type": "keyword" }, "description": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "category": { "ignore_above": 1024, "type": "keyword" }, "uuid": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "source": { "properties": { "nat": { "properties": { "port": { "type": "long" }, "ip": { "type": "ip" } } }, "address": { 
"ignore_above": 1024, "type": "keyword" }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, "ip": { "type": "ip" }, "mac": { "ignore_above": 1024, "type": "keyword" }, "packets": { "type": "long" }, "geo": { "properties": { "continent_name": { "ignore_above": 1024, "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" }, "city_name": { "ignore_above": 1024, "type": "keyword" }, "country_iso_code": { "ignore_above": 1024, "type": "keyword" }, "country_name": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "location": { "type": "geo_point" }, "region_name": { "ignore_above": 1024, "type": "keyword" } } }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" } } } } }, "registered_domain": { "ignore_above": 1024, "type": "keyword" }, "port": { "type": "long" }, "bytes": { "type": "long" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "user": { "properties": { "full_name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "email": { "ignore_above": 1024, "type": "keyword" }, "hash": { "ignore_above": 1024, "type": "keyword" }, "group": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } } } } } }, "error": { "properties": { "code": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "stack_trace": { "ignore_above": 1024, "index": false, "fields": { "text": { "norms": false, "type": "text" } }, 
"type": "keyword", "doc_values": false }, "message": { "norms": false, "type": "text" }, "type": { "ignore_above": 1024, "type": "keyword" } } }, "network": { "properties": { "community_id": { "ignore_above": 1024, "type": "keyword" }, "forwarded_ip": { "type": "ip" }, "protocol": { "ignore_above": 1024, "type": "keyword" }, "application": { "ignore_above": 1024, "type": "keyword" }, "bytes": { "type": "long" }, "name": { "ignore_above": 1024, "type": "keyword" }, "transport": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "iana_number": { "ignore_above": 1024, "type": "keyword" }, "packets": { "type": "long" }, "direction": { "ignore_above": 1024, "type": "keyword" } } }, "cloud": { "properties": { "availability_zone": { "ignore_above": 1024, "type": "keyword" }, "instance": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "provider": { "ignore_above": 1024, "type": "keyword" }, "machine": { "properties": { "type": { "ignore_above": 1024, "type": "keyword" } } }, "region": { "ignore_above": 1024, "type": "keyword" }, "account": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } } } }, "geo": { "properties": { "continent_name": { "ignore_above": 1024, "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" }, "city_name": { "ignore_above": 1024, "type": "keyword" }, "country_iso_code": { "ignore_above": 1024, "type": "keyword" }, "country_name": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "location": { "type": "geo_point" }, "region_name": { "ignore_above": 1024, "type": "keyword" } } }, "observer": { "properties": { "geo": { "properties": { "continent_name": { "ignore_above": 1024, "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" }, "city_name": { "ignore_above": 1024, "type": "keyword" }, "country_iso_code": 
{ "ignore_above": 1024, "type": "keyword" }, "country_name": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "location": { "type": "geo_point" }, "region_name": { "ignore_above": 1024, "type": "keyword" } } }, "hostname": { "ignore_above": 1024, "type": "keyword" }, "product": { "ignore_above": 1024, "type": "keyword" }, "os": { "properties": { "kernel": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "family": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" }, "platform": { "ignore_above": 1024, "type": "keyword" }, "full": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" } } }, "vendor": { "ignore_above": 1024, "type": "keyword" }, "ip": { "type": "ip" }, "name": { "ignore_above": 1024, "type": "keyword" }, "serial_number": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" }, "mac": { "ignore_above": 1024, "type": "keyword" } } }, "trace": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } }, "file": { "properties": { "owner": { "ignore_above": 1024, "type": "keyword" }, "extension": { "ignore_above": 1024, "type": "keyword" }, "gid": { "ignore_above": 1024, "type": "keyword" }, "drive_letter": { "ignore_above": 1, "type": "keyword" }, "created": { "type": "date" }, "accessed": { "type": "date" }, "mtime": { "type": "date" }, "type": { "ignore_above": 1024, "type": "keyword" }, "directory": { "ignore_above": 1024, "type": "keyword" }, "target_path": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "inode": { "ignore_above": 1024, "type": "keyword" }, "mode": { "ignore_above": 1024, "type": "keyword" }, "path": { "ignore_above": 1024, 
"fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "uid": { "ignore_above": 1024, "type": "keyword" }, "size": { "type": "long" }, "name": { "ignore_above": 1024, "type": "keyword" }, "ctime": { "type": "date" }, "attributes": { "ignore_above": 1024, "type": "keyword" }, "device": { "ignore_above": 1024, "type": "keyword" }, "hash": { "properties": { "sha1": { "ignore_above": 1024, "type": "keyword" }, "sha256": { "ignore_above": 1024, "type": "keyword" }, "sha512": { "ignore_above": 1024, "type": "keyword" }, "md5": { "ignore_above": 1024, "type": "keyword" } } }, "group": { "ignore_above": 1024, "type": "keyword" } } }, "ecs": { "properties": { "version": { "ignore_above": 1024, "type": "keyword" } } }, "related": { "properties": { "ip": { "type": "ip" }, "user": { "ignore_above": 1024, "type": "keyword" }, "hash": { "ignore_above": 1024, "type": "keyword" } } }, "host": { "properties": { "geo": { "properties": { "continent_name": { "ignore_above": 1024, "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" }, "city_name": { "ignore_above": 1024, "type": "keyword" }, "country_iso_code": { "ignore_above": 1024, "type": "keyword" }, "country_name": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "location": { "type": "geo_point" }, "region_name": { "ignore_above": 1024, "type": "keyword" } } }, "hostname": { "ignore_above": 1024, "type": "keyword" }, "os": { "properties": { "kernel": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "family": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" }, "platform": { "ignore_above": 1024, "type": "keyword" }, "full": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" } } }, "domain": { "ignore_above": 1024, "type": 
"keyword" }, "ip": { "type": "ip" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "user": { "properties": { "full_name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "email": { "ignore_above": 1024, "type": "keyword" }, "hash": { "ignore_above": 1024, "type": "keyword" }, "group": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } } } }, "mac": { "ignore_above": 1024, "type": "keyword" }, "architecture": { "ignore_above": 1024, "type": "keyword" }, "uptime": { "type": "long" } } }, "client": { "properties": { "nat": { "properties": { "port": { "type": "long" }, "ip": { "type": "ip" } } }, "address": { "ignore_above": 1024, "type": "keyword" }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, "ip": { "type": "ip" }, "mac": { "ignore_above": 1024, "type": "keyword" }, "packets": { "type": "long" }, "geo": { "properties": { "continent_name": { "ignore_above": 1024, "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" }, "city_name": { "ignore_above": 1024, "type": "keyword" }, "country_iso_code": { "ignore_above": 1024, "type": "keyword" }, "country_name": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "location": { "type": "geo_point" }, "region_name": { "ignore_above": 1024, "type": "keyword" } } }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": 
"text" } }, "type": "keyword" } } } } }, "registered_domain": { "ignore_above": 1024, "type": "keyword" }, "port": { "type": "long" }, "bytes": { "type": "long" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "user": { "properties": { "full_name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "email": { "ignore_above": 1024, "type": "keyword" }, "hash": { "ignore_above": 1024, "type": "keyword" }, "group": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } } } } } }, "event": { "properties": { "severity": { "type": "long" }, "code": { "ignore_above": 1024, "type": "keyword" }, "original": { "ignore_above": 1024, "index": false, "type": "keyword", "doc_values": false }, "risk_score": { "type": "float" }, "created": { "type": "date" }, "kind": { "ignore_above": 1024, "type": "keyword" }, "timezone": { "ignore_above": 1024, "type": "keyword" }, "module": { "ignore_above": 1024, "type": "keyword" }, "start": { "type": "date" }, "type": { "ignore_above": 1024, "type": "keyword" }, "duration": { "type": "long" }, "sequence": { "type": "long" }, "ingested": { "type": "date" }, "provider": { "ignore_above": 1024, "type": "keyword" }, "risk_score_norm": { "type": "float" }, "action": { "ignore_above": 1024, "type": "keyword" }, "end": { "type": "date" }, "id": { "ignore_above": 1024, "type": "keyword" }, "category": { "ignore_above": 1024, "type": "keyword" }, "dataset": { "ignore_above": 1024, "type": "keyword" }, "hash": { "ignore_above": 1024, "type": "keyword" }, "outcome": { "ignore_above": 1024, "type": "keyword" } } }, "signal": { "properties": { "parent": { 
"properties": { "depth": { "type": "long" }, "rule": { "type": "keyword" }, "index": { "type": "keyword" }, "id": { "type": "keyword" }, "type": { "type": "keyword" } } }, "rule": { "properties": { "references": { "type": "keyword" }, "description": { "type": "keyword" }, "created_at": { "type": "date" }, "language": { "type": "keyword" }, "type": { "type": "keyword" }, "enabled": { "type": "keyword" }, "updated_at": { "type": "date" }, "from": { "type": "keyword" }, "id": { "type": "keyword" }, "timeline_id": { "type": "keyword" }, "max_signals": { "type": "keyword" }, "severity": { "type": "keyword" }, "risk_score": { "type": "keyword" }, "query": { "type": "keyword" }, "index": { "type": "keyword" }, "filters": { "type": "object" }, "created_by": { "type": "keyword" }, "version": { "type": "keyword" }, "saved_id": { "type": "keyword" }, "tags": { "type": "keyword" }, "rule_id": { "type": "keyword" }, "immutable": { "type": "keyword" }, "size": { "type": "keyword" }, "timeline_title": { "type": "keyword" }, "name": { "type": "keyword" }, "updated_by": { "type": "keyword" }, "interval": { "type": "keyword" }, "false_positives": { "type": "keyword" }, "threat": { "properties": { "framework": { "type": "keyword" }, "technique": { "properties": { "reference": { "type": "keyword" }, "name": { "type": "keyword" }, "id": { "type": "keyword" } } }, "tactic": { "properties": { "reference": { "type": "keyword" }, "name": { "type": "keyword" }, "id": { "type": "keyword" } } } } }, "to": { "type": "keyword" } } }, "original_time": { "type": "date" }, "ancestors": { "properties": { "depth": { "type": "long" }, "rule": { "type": "keyword" }, "id": { "type": "keyword" }, "type": { "type": "keyword" } } }, "original_event": { "properties": { "severity": { "type": "long" }, "code": { "type": "keyword" }, "original": { "index": false, "type": "keyword", "doc_values": false }, "risk_score": { "type": "float" }, "created": { "type": "date" }, "kind": { "type": "keyword" }, 
"timezone": { "type": "keyword" }, "module": { "type": "keyword" }, "start": { "type": "date" }, "type": { "type": "keyword" }, "duration": { "type": "long" }, "sequence": { "type": "long" }, "provider": { "type": "keyword" }, "risk_score_norm": { "type": "float" }, "action": { "type": "keyword" }, "end": { "type": "date" }, "id": { "type": "keyword" }, "category": { "type": "keyword" }, "dataset": { "type": "keyword" }, "hash": { "type": "keyword" }, "outcome": { "type": "keyword" } } }, "status": { "type": "keyword" } } }, "user_agent": { "properties": { "original": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "os": { "properties": { "kernel": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "family": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" }, "platform": { "ignore_above": 1024, "type": "keyword" }, "full": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "device": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" } } }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "group": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "registry": { "properties": { "hive": { "ignore_above": 1024, "type": "keyword" }, "path": { "ignore_above": 1024, "type": "keyword" }, "data": { "properties": { "strings": { "ignore_above": 1024, "type": "keyword" }, "bytes": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } } }, "value": { "ignore_above": 1024, "type": "keyword" }, "key": { "ignore_above": 1024, "type": "keyword" } } }, "process": { 
"properties": { "parent": { "properties": { "pgid": { "type": "long" }, "start": { "type": "date" }, "pid": { "type": "long" }, "working_directory": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "thread": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "type": "long" } } }, "title": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "executable": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "ppid": { "type": "long" }, "uptime": { "type": "long" }, "args": { "ignore_above": 1024, "type": "keyword" }, "exit_code": { "type": "long" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "args_count": { "type": "long" }, "command_line": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" } } }, "pgid": { "type": "long" }, "start": { "type": "date" }, "pid": { "type": "long" }, "working_directory": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "thread": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "type": "long" } } }, "title": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "executable": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "ppid": { "type": "long" }, "uptime": { "type": "long" }, "args": { "ignore_above": 1024, "type": "keyword" }, "exit_code": { "type": "long" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "args_count": { "type": "long" }, "command_line": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "hash": { "properties": { "sha1": { 
"ignore_above": 1024, "type": "keyword" }, "sha256": { "ignore_above": 1024, "type": "keyword" }, "sha512": { "ignore_above": 1024, "type": "keyword" }, "md5": { "ignore_above": 1024, "type": "keyword" } } } } }, "package": { "properties": { "installed": { "type": "date" }, "build_version": { "ignore_above": 1024, "type": "keyword" }, "description": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" }, "reference": { "ignore_above": 1024, "type": "keyword" }, "license": { "ignore_above": 1024, "type": "keyword" }, "path": { "ignore_above": 1024, "type": "keyword" }, "install_scope": { "ignore_above": 1024, "type": "keyword" }, "size": { "type": "long" }, "checksum": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "architecture": { "ignore_above": 1024, "type": "keyword" } } }, "os": { "properties": { "kernel": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "family": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" }, "platform": { "ignore_above": 1024, "type": "keyword" }, "full": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" } } }, "dns": { "properties": { "op_code": { "ignore_above": 1024, "type": "keyword" }, "resolved_ip": { "type": "ip" }, "response_code": { "ignore_above": 1024, "type": "keyword" }, "question": { "properties": { "registered_domain": { "ignore_above": 1024, "type": "keyword" }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "subdomain": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "class": { "ignore_above": 1024, "type": "keyword" } } }, "answers": { "type": 
"object", "properties": { "data": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "class": { "ignore_above": 1024, "type": "keyword" }, "ttl": { "type": "long" } } }, "header_flags": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } } }, "vulnerability": { "properties": { "reference": { "ignore_above": 1024, "type": "keyword" }, "severity": { "ignore_above": 1024, "type": "keyword" }, "score": { "properties": { "environmental": { "type": "float" }, "version": { "ignore_above": 1024, "type": "keyword" }, "temporal": { "type": "float" }, "base": { "type": "float" } } }, "report_id": { "ignore_above": 1024, "type": "keyword" }, "scanner": { "properties": { "vendor": { "ignore_above": 1024, "type": "keyword" } } }, "description": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "category": { "ignore_above": 1024, "type": "keyword" }, "classification": { "ignore_above": 1024, "type": "keyword" }, "enumeration": { "ignore_above": 1024, "type": "keyword" } } }, "message": { "norms": false, "type": "text" }, "url": { "properties": { "extension": { "ignore_above": 1024, "type": "keyword" }, "original": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "scheme": { "ignore_above": 1024, "type": "keyword" }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, "query": { "ignore_above": 1024, "type": "keyword" }, "path": { "ignore_above": 1024, "type": "keyword" }, "fragment": { "ignore_above": 1024, "type": "keyword" }, "password": { "ignore_above": 1024, "type": "keyword" }, "registered_domain": { "ignore_above": 1024, "type": "keyword" }, "port": { "type": "long" }, "domain": { "ignore_above": 1024, "type": 
"keyword" }, "full": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "username": { "ignore_above": 1024, "type": "keyword" } } }, "labels": { "type": "object" }, "tags": { "ignore_above": 1024, "type": "keyword" }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" } } } } }, "@timestamp": { "type": "date" }, "service": { "properties": { "node": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "state": { "ignore_above": 1024, "type": "keyword" }, "ephemeral_id": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "organization": { "properties": { "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "http": { "properties": { "request": { "properties": { "referrer": { "ignore_above": 1024, "type": "keyword" }, "method": { "ignore_above": 1024, "type": "keyword" }, "bytes": { "type": "long" }, "body": { "properties": { "bytes": { "type": "long" }, "content": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" } } } } }, "response": { "properties": { "status_code": { "type": "long" }, "bytes": { "type": "long" }, "body": { "properties": { "bytes": { "type": "long" }, "content": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" } } } } }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "tls": { "properties": { "cipher": { "ignore_above": 1024, "type": "keyword" }, "established": { "type": "boolean" }, "server": { 
"properties": { "not_after": { "type": "date" }, "ja3s": { "ignore_above": 1024, "type": "keyword" }, "not_before": { "type": "date" }, "subject": { "ignore_above": 1024, "type": "keyword" }, "certificate": { "ignore_above": 1024, "type": "keyword" }, "certificate_chain": { "ignore_above": 1024, "type": "keyword" }, "hash": { "properties": { "sha1": { "ignore_above": 1024, "type": "keyword" }, "sha256": { "ignore_above": 1024, "type": "keyword" }, "md5": { "ignore_above": 1024, "type": "keyword" } } }, "issuer": { "ignore_above": 1024, "type": "keyword" } } }, "curve": { "ignore_above": 1024, "type": "keyword" }, "client": { "properties": { "not_after": { "type": "date" }, "server_name": { "ignore_above": 1024, "type": "keyword" }, "not_before": { "type": "date" }, "subject": { "ignore_above": 1024, "type": "keyword" }, "supported_ciphers": { "ignore_above": 1024, "type": "keyword" }, "certificate": { "ignore_above": 1024, "type": "keyword" }, "ja3": { "ignore_above": 1024, "type": "keyword" }, "certificate_chain": { "ignore_above": 1024, "type": "keyword" }, "hash": { "properties": { "sha1": { "ignore_above": 1024, "type": "keyword" }, "sha256": { "ignore_above": 1024, "type": "keyword" }, "md5": { "ignore_above": 1024, "type": "keyword" } } }, "issuer": { "ignore_above": 1024, "type": "keyword" } } }, "next_protocol": { "ignore_above": 1024, "type": "keyword" }, "resumed": { "type": "boolean" }, "version": { "ignore_above": 1024, "type": "keyword" }, "version_protocol": { "ignore_above": 1024, "type": "keyword" } } }, "threat": { "properties": { "framework": { "ignore_above": 1024, "type": "keyword" }, "technique": { "properties": { "reference": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "tactic": { "properties": { "reference": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 
1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } } } }, "user": { "properties": { "full_name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "fields": { "text": { "norms": false, "type": "text" } }, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "email": { "ignore_above": 1024, "type": "keyword" }, "hash": { "ignore_above": 1024, "type": "keyword" }, "group": { "properties": { "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } } } }, "hash": { "properties": { "sha1": { "ignore_above": 1024, "type": "keyword" }, "sha256": { "ignore_above": 1024, "type": "keyword" }, "sha512": { "ignore_above": 1024, "type": "keyword" }, "md5": { "ignore_above": 1024, "type": "keyword" } } }, "transaction": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } } } }, "aliases": {} }