diff --git a/.travis.yml b/.travis.yml index 81ec975b5c..cf2a1de10b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,10 +5,12 @@ language: go os: - linux +dist: bionic + go: - 1.13.x -before_install: +install: - make setup addons: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 4af30cc385..856f370cac 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -9,7 +9,7 @@ happen through Pull Requests submitted through Git. You need these tools to contribute to ECS: * [Git](https://git-scm.com/) -* [Python 2.7](https://www.python.org/) +* [Python 3.6+](https://www.python.org/) * [Go 1.13](https://golang.org/) ## Steps to contribute diff --git a/Makefile b/Makefile index cae2901776..7fce7deb60 100644 --- a/Makefile +++ b/Makefile @@ -56,6 +56,7 @@ fmt: ve # Alias to generate everything. .PHONY: generate generate: legacy_use_cases codegen generator + $(PYTHON) --version # Run the new generator .PHONY: generator @@ -107,7 +108,7 @@ test: .PHONY: ve ve: build/ve/bin/activate build/ve/bin/activate: scripts/requirements.txt - @test -d build/ve || virtualenv build/ve + @test -d build/ve || virtualenv -p python3 build/ve @build/ve/bin/pip install -Ur scripts/requirements.txt @touch build/ve/bin/activate diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index beab45f6cf..dad2b1b150 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1180,7 +1180,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: `2016-05-23 08:05:34.857000` +example: `2016-05-23T08:05:34.857Z` | core @@ -1256,7 +1256,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: `2016-05-23 08:05:35.101000` +example: `2016-05-23T08:05:35.101Z` | core diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 2c74f21235..674804e87e 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
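Review bot: Renaming `before_install:` to `install:` replaces Travis's default install step for the Go language instead of running ahead of it, so whatever dependency fetching that default step did now has to be covered by `make setup`, which is outside this diff and worth confirming. `dist: bionic` is presumably added so a `python3` interpreter exists for the new `virtualenv -p python3` recipe in the Makefile; recording that reason next to it, e.g. `# bionic ships python3 for the generator tooling`, would keep a later "why not the default dist" question from undoing it. The blank context lines of this hunk appear to have been lost in rendering, so the line counts in the header do not match what is shown.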
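Review bot: `$(PYTHON) --version` is the last recipe line of `generate`, so it only prints the interpreter after `legacy_use_cases codegen generator` have already written the artifacts and it never fails the build when that interpreter is still 2.7. A guard that runs first and fails fast is more useful, e.g. `@$(PYTHON) -c 'import sys; sys.exit(sys.version_info < (3, 6))'` as the first recipe line (or in the `ve` target). That matters here because the regenerated files in this commit differ by more than whitespace — the `nestings` order in ecs_nested.yml and the new `"type": "object"` entries in template.json — which suggests the generator's output depends on which interpreter ran it, and a version-only print would not catch a mixed run. `$(PYTHON)` is defined outside this hunk.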
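Review bot: `@test -d build/ve || virtualenv -p python3 build/ve` still only creates the venv when `build/ve` is absent, so a contributor who already has a Python 2 venv from an earlier checkout keeps it and every subsequent `$(PYTHON)` invocation silently continues on 2.7. Keying the check on the interpreter rather than the directory closes that gap, e.g. `@test -x build/ve/bin/python3 || (rm -rf build/ve && virtualenv -p python3 build/ve)`, or at least a note in CONTRIBUTING.md to remove `build/ve` after this change. The unchanged `pip install -Ur scripts/requirements.txt` line installs from a requirements file outside this diff, so whether the Python 3 toolchain it pulls in is version-pinned cannot be checked here.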
@@ -981,7 +981,7 @@ your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' - example: 2016-05-23 08:05:34.857000 + example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword @@ -1035,7 +1035,7 @@ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: 2016-05-23 08:05:35.101000 + example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 5c4b19571c..abccb966e9 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -118,13 +118,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.5.0-dev,true,event,event.action,keyword,core,user-password-change,The action captured by the event. 1.5.0-dev,true,event,event.category,keyword,core,authentication,Event category. The second categorization field in the hierarchy. 1.5.0-dev,true,event,event.code,keyword,extended,4648,Identification code for this event. -1.5.0-dev,true,event,event.created,date,core,2016-05-23 08:05:34.857000,Time when the event was first read by an agent or by your pipeline. +1.5.0-dev,true,event,event.created,date,core,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. 1.5.0-dev,true,event,event.dataset,keyword,core,apache.access,Name of the dataset. 1.5.0-dev,true,event,event.duration,long,core,,Duration of the event in nanoseconds. 1.5.0-dev,true,event,event.end,date,extended,,event.end contains the date when the event ended or when the activity was last observed. 1.5.0-dev,true,event,event.hash,keyword,extended,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 1.5.0-dev,true,event,event.id,keyword,core,8a4f500d,Unique ID to describe the event. -1.5.0-dev,true,event,event.ingested,date,core,2016-05-23 08:05:35.101000,Timestamp when an event arrived in the central data store. +1.5.0-dev,true,event,event.ingested,date,core,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. 1.5.0-dev,true,event,event.kind,keyword,core,alert,The kind of the event. The highest categorization field in the hierarchy. 1.5.0-dev,true,event,event.module,keyword,core,apache,Name of the module this data is coming from. 1.5.0-dev,false,event,event.original,keyword,core,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 3779dfe3e7..761c918ae9 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1543,7 +1543,7 @@ event.created: agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' - example: 2016-05-23 08:05:34.857000 + example: '2016-05-23T08:05:34.857Z' flat_name: event.created level: core name: created @@ -1628,7 +1628,7 @@ event.ingested: In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: 2016-05-23 08:05:35.101000 + example: '2016-05-23T08:05:35.101Z' flat_name: event.ingested level: core name: ingested diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 57cb4d8a90..c41a762a28 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -615,8 +615,8 @@ client: group: 2 name: client nestings: - - geo - as + - geo - user prefix: client. short: Fields about the client side of a network connection, used with server. @@ -1183,8 +1183,8 @@ destination: group: 2 name: destination nestings: - - geo - as + - geo - user prefix: destination. short: Fields about the destination side of a network connection, used with source. @@ -1759,7 +1759,7 @@ event: your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' - example: 2016-05-23 08:05:34.857000 + example: '2016-05-23T08:05:34.857Z' flat_name: event.created level: core name: created @@ -1845,7 +1845,7 @@ event: In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: 2016-05-23 08:05:35.101000 + example: '2016-05-23T08:05:35.101Z' flat_name: event.ingested level: core name: ingested 
@@ -5335,8 +5335,8 @@ server: group: 2 name: server nestings: - - geo - as + - geo - user prefix: server. short: Fields about the server side of a network connection, used with client. @@ -5861,8 +5861,8 @@ source: group: 2 name: source nestings: - - geo - as + - geo - user prefix: source. short: Fields about the source side of a network connection, used with destination. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 1cf1a9e8bf..c36c59f28e 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -1,1018 +1,1019 @@ { "index_patterns": [ "ecs-*" - ], + ], "mappings": { "_doc": { "_meta": { "version": "1.5.0-dev" - }, - "date_detection": false, + }, + "date_detection": false, "dynamic_templates": [ { "strings_as_keyword": { "mapping": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "match_mapping_type": "string" } } - ], + ], "properties": { "@timestamp": { "type": "date" - }, + }, "agent": { "properties": { "ephemeral_id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "as": { "properties": { "number": { "type": "long" - }, + }, "organization": { "properties": { "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "client": { "properties": { "address": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "as": { "properties": { "number": { "type": "long" - }, + }, "organization": { "properties": { "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "bytes": { "type": "long" - }, + }, "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, 
"country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "nat": { "properties": { "ip": { "type": "ip" - }, + }, "port": { "type": "long" } } - }, + }, "packets": { "type": "long" - }, + }, "port": { "type": "long" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "cloud": { "properties": { "account": { "properties": { "id": { - "ignore_above": 
1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "availability_zone": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "instance": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "machine": { "properties": { "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "provider": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "container": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "image": { "properties": { "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "tag": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "labels": { "type": "object" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "runtime": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "destination": { "properties": { "address": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "as": { "properties": { "number": { "type": "long" - }, + }, "organization": { "properties": { "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "bytes": { "type": "long" - }, + }, "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 
1024, "type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "nat": { "properties": { "ip": { "type": "ip" - }, + }, "port": { "type": "long" } } - }, + }, "packets": { "type": "long" - }, + }, "port": { "type": "long" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "dns": { "properties": { "answers": { "properties": 
{ "class": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "data": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ttl": { "type": "long" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } - } - }, + }, + "type": "object" + }, "header_flags": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "op_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "question": { "properties": { "class": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "subdomain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "resolved_ip": { "type": "ip" - }, + }, "response_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "ecs": { "properties": { "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "error": { "properties": { "code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "message": { - "norms": false, + "norms": false, "type": "text" - }, + }, "stack_trace": { - "doc_values": false, + "doc_values": false, "fields": { "text": { - "norms": false, + "norms": false, 
"type": "text" } - }, - "ignore_above": 1024, - "index": false, + }, + "ignore_above": 1024, + "index": false, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "event": { "properties": { "action": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "category": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "created": { "type": "date" - }, + }, "dataset": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "duration": { "type": "long" - }, + }, "end": { "type": "date" - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ingested": { "type": "date" - }, + }, "kind": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "module": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, + "doc_values": false, + "ignore_above": 1024, + "index": false, "type": "keyword" - }, + }, "outcome": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "provider": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "risk_score": { "type": "float" - }, + }, "risk_score_norm": { "type": "float" - }, + }, "sequence": { "type": "long" - }, + }, "severity": { "type": "long" - }, + }, "start": { "type": "date" - }, + }, "timezone": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "file": { "properties": { "accessed": { "type": "date" - }, + }, "attributes": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, 
"created": { "type": "date" - }, + }, "ctime": { "type": "date" - }, + }, "device": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "directory": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "drive_letter": { - "ignore_above": 1, + "ignore_above": 1, "type": "keyword" - }, + }, "extension": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "gid": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "hash": { "properties": { "md5": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha1": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha256": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha512": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "inode": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "mode": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "mtime": { "type": "date" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "owner": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "path": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "size": { "type": "long" - }, + }, "target_path": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "uid": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + 
"ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { "properties": { "md5": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha1": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha256": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha512": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "host": { "properties": { "architecture": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - 
"ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hostname": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "os": { "properties": { "family": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "kernel": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "platform": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "uptime": { "type": "long" - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - 
"ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "http": { "properties": { "request": { 
@@ -1021,1511 +1022,1512 @@ "properties": { "bytes": { "type": "long" - }, + }, "content": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "bytes": { "type": "long" - }, + }, "method": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "referrer": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "response": { "properties": { "body": { "properties": { "bytes": { "type": "long" - }, + }, "content": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "bytes": { "type": "long" - }, + }, "status_code": { "type": "long" } } - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "labels": { "type": "object" - }, + }, "log": { "properties": { "level": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "logger": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "origin": { "properties": { "file": { "properties": { "line": { "type": "integer" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "function": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, + "doc_values": false, + "ignore_above": 1024, + "index": false, "type": "keyword" - }, + }, "syslog": { "properties": { "facility": { "properties": { "code": { "type": "long" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "priority": { "type": "long" - }, + }, "severity": { "properties": { "code": { "type": "long" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } } - } + }, + "type": 
"object" } } - }, + }, "message": { - "norms": false, + "norms": false, "type": "text" - }, + }, "network": { "properties": { "application": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "bytes": { "type": "long" - }, + }, "community_id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "direction": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "forwarded_ip": { "type": "ip" - }, + }, "iana_number": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "packets": { "type": "long" - }, + }, "protocol": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "transport": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "observer": { "properties": { "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hostname": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": 
"keyword" - }, + }, "os": { "properties": { "family": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "kernel": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "platform": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "product": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "serial_number": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "vendor": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "organization": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "os": { "properties": { "family": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "kernel": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 
1024, "type": "keyword" - }, + }, "platform": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "package": { "properties": { "architecture": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "build_version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "checksum": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "description": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "install_scope": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "installed": { "type": "date" - }, + }, "license": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "path": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "reference": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "size": { "type": "long" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "process": { "properties": { "args": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "args_count": { "type": "long" - }, + }, "command_line": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "executable": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "exit_code": { "type": "long" - }, + }, "hash": { "properties": { "md5": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha1": { - 
"ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha256": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha512": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "parent": { "properties": { "args": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "args_count": { "type": "long" - }, + }, "command_line": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "executable": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "exit_code": { "type": "long" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "pgid": { "type": "long" - }, + }, "pid": { "type": "long" - }, + }, "ppid": { "type": "long" - }, + }, "start": { "type": "date" - }, + }, "thread": { "properties": { "id": { "type": "long" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "title": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "uptime": { "type": "long" - }, + }, "working_directory": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "pgid": { "type": "long" - }, + }, "pid": { "type": "long" - }, + }, "ppid": { "type": "long" - }, + }, "start": { "type": "date" - }, + }, "thread": { 
"properties": { "id": { "type": "long" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "title": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "uptime": { "type": "long" - }, + }, "working_directory": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "registry": { "properties": { "data": { "properties": { "bytes": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "strings": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hive": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "key": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "path": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "value": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "related": { "properties": { "ip": { "type": "ip" - }, + }, "user": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "rule": { "properties": { "category": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "description": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "reference": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ruleset": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "uuid": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + 
}, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "server": { "properties": { "address": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "as": { "properties": { "number": { "type": "long" - }, + }, "organization": { "properties": { "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "bytes": { "type": "long" - }, + }, "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "nat": { "properties": { "ip": { "type": "ip" - }, + }, "port": { "type": "long" } } - }, + }, "packets": { "type": "long" - }, + }, "port": { "type": "long" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, 
"type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "service": { "properties": { "ephemeral_id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "node": { "properties": { "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "state": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "source": { "properties": { "address": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "as": { "properties": { "number": { "type": "long" - }, + }, "organization": { "properties": { "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "bytes": { "type": "long" - }, + }, "domain": { - "ignore_above": 1024, + "ignore_above": 
1024, "type": "keyword" - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "nat": { "properties": { "ip": { "type": "ip" - }, + }, "port": { "type": "long" } } - }, + }, "packets": { "type": "long" - }, + }, "port": { "type": "long" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, 
"id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "tags": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "threat": { "properties": { "framework": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "tactic": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "reference": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "technique": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "reference": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "tls": { "properties": { "cipher": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "client": { "properties": { "certificate": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "certificate_chain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "hash": { "properties": { "md5": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha1": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha256": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "issuer": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ja3": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "not_after": { "type": "date" - }, + }, "not_before": { 
"type": "date" - }, + }, "server_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "subject": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "supported_ciphers": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "curve": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "established": { "type": "boolean" - }, + }, "next_protocol": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "resumed": { "type": "boolean" - }, + }, "server": { "properties": { "certificate": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "certificate_chain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "hash": { "properties": { "md5": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha1": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha256": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "issuer": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ja3s": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "not_after": { "type": "date" - }, + }, "not_before": { "type": "date" - }, + }, "subject": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version_protocol": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "trace": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "transaction": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "url": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "extension": { - 
"ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "fragment": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "original": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "password": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "path": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "port": { "type": "long" - }, + }, "query": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "scheme": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "username": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, 
"type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "user_agent": { "properties": { "device": { "properties": { "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "original": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "os": { "properties": { "family": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "kernel": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "platform": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "vulnerability": { "properties": { "category": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "classification": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "description": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "enumeration": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - 
}, + }, "reference": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "report_id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "scanner": { "properties": { "vendor": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "score": { "properties": { "base": { "type": "float" - }, + }, "environmental": { "type": "float" - }, + }, "temporal": { "type": "float" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "severity": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } } } } - }, - "order": 1, + }, + "order": 1, "settings": { "index": { "mapping": { "total_fields": { "limit": 10000 } - }, + }, "refresh_interval": "5s" } } diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index d2fb9ef1fa..19bf0ceb8f 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -1,1017 +1,1018 @@ { "index_patterns": [ "ecs-*" - ], + ], "mappings": { "_meta": { "version": "1.5.0-dev" - }, - "date_detection": false, + }, + "date_detection": false, "dynamic_templates": [ { "strings_as_keyword": { "mapping": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "match_mapping_type": "string" } } - ], + ], "properties": { "@timestamp": { "type": "date" - }, + }, "agent": { "properties": { "ephemeral_id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "as": { "properties": { "number": { "type": "long" - }, + }, "organization": { "properties": { "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "client": { "properties": { "address": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "as": { "properties": { "number": { "type": "long" - }, + }, "organization": { "properties": { "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "bytes": { "type": "long" - }, + }, "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_name": 
{ - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "nat": { "properties": { "ip": { "type": "ip" - }, + }, "port": { "type": "long" } } - }, + }, "packets": { "type": "long" - }, + }, "port": { "type": "long" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "cloud": { "properties": { "account": { "properties": { "id": { - "ignore_above": 1024, + 
"ignore_above": 1024, "type": "keyword" } } - }, + }, "availability_zone": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "instance": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "machine": { "properties": { "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "provider": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "container": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "image": { "properties": { "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "tag": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "labels": { "type": "object" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "runtime": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "destination": { "properties": { "address": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "as": { "properties": { "number": { "type": "long" - }, + }, "organization": { "properties": { "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "bytes": { "type": "long" - }, + }, "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, 
"type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "nat": { "properties": { "ip": { "type": "ip" - }, + }, "port": { "type": "long" } } - }, + }, "packets": { "type": "long" - }, + }, "port": { "type": "long" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "dns": { "properties": { "answers": { "properties": { 
"class": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "data": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ttl": { "type": "long" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } - } - }, + }, + "type": "object" + }, "header_flags": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "op_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "question": { "properties": { "class": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "subdomain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "resolved_ip": { "type": "ip" - }, + }, "response_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "ecs": { "properties": { "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "error": { "properties": { "code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "message": { - "norms": false, + "norms": false, "type": "text" - }, + }, "stack_trace": { - "doc_values": false, + "doc_values": false, "fields": { "text": { - "norms": false, + "norms": false, "type": 
"text" } - }, - "ignore_above": 1024, - "index": false, + }, + "ignore_above": 1024, + "index": false, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "event": { "properties": { "action": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "category": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "created": { "type": "date" - }, + }, "dataset": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "duration": { "type": "long" - }, + }, "end": { "type": "date" - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ingested": { "type": "date" - }, + }, "kind": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "module": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, + "doc_values": false, + "ignore_above": 1024, + "index": false, "type": "keyword" - }, + }, "outcome": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "provider": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "risk_score": { "type": "float" - }, + }, "risk_score_norm": { "type": "float" - }, + }, "sequence": { "type": "long" - }, + }, "severity": { "type": "long" - }, + }, "start": { "type": "date" - }, + }, "timezone": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "file": { "properties": { "accessed": { "type": "date" - }, + }, "attributes": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "created": { 
"type": "date" - }, + }, "ctime": { "type": "date" - }, + }, "device": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "directory": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "drive_letter": { - "ignore_above": 1, + "ignore_above": 1, "type": "keyword" - }, + }, "extension": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "gid": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "hash": { "properties": { "md5": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha1": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha256": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha512": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "inode": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "mode": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "mtime": { "type": "date" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "owner": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "path": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "size": { "type": "long" - }, + }, "target_path": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "uid": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, 
"type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { "properties": { "md5": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha1": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha256": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha512": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "host": { "properties": { "architecture": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + 
"ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hostname": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "os": { "properties": { "family": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "kernel": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "platform": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "uptime": { "type": "long" - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + 
"ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "http": { "properties": { "request": { 
@@ -1020,1510 +1021,1511 @@ "properties": { "bytes": { "type": "long" - }, + }, "content": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "bytes": { "type": "long" - }, + }, "method": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "referrer": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "response": { "properties": { "body": { "properties": { "bytes": { "type": "long" - }, + }, "content": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "bytes": { "type": "long" - }, + }, "status_code": { "type": "long" } } - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "labels": { "type": "object" - }, + }, "log": { "properties": { "level": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "logger": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "origin": { "properties": { "file": { "properties": { "line": { "type": "integer" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "function": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, + "doc_values": false, + "ignore_above": 1024, + "index": false, "type": "keyword" - }, + }, "syslog": { "properties": { "facility": { "properties": { "code": { "type": "long" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "priority": { "type": "long" - }, + }, "severity": { "properties": { "code": { "type": "long" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } } - } + }, + "type": 
"object" } } - }, + }, "message": { - "norms": false, + "norms": false, "type": "text" - }, + }, "network": { "properties": { "application": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "bytes": { "type": "long" - }, + }, "community_id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "direction": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "forwarded_ip": { "type": "ip" - }, + }, "iana_number": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "packets": { "type": "long" - }, + }, "protocol": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "transport": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "observer": { "properties": { "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hostname": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": 
"keyword" - }, + }, "os": { "properties": { "family": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "kernel": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "platform": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "product": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "serial_number": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "vendor": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "organization": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "os": { "properties": { "family": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "kernel": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 
1024, "type": "keyword" - }, + }, "platform": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "package": { "properties": { "architecture": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "build_version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "checksum": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "description": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "install_scope": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "installed": { "type": "date" - }, + }, "license": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "path": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "reference": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "size": { "type": "long" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "process": { "properties": { "args": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "args_count": { "type": "long" - }, + }, "command_line": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "executable": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "exit_code": { "type": "long" - }, + }, "hash": { "properties": { "md5": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha1": { - 
"ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha256": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha512": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "parent": { "properties": { "args": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "args_count": { "type": "long" - }, + }, "command_line": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "executable": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "exit_code": { "type": "long" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "pgid": { "type": "long" - }, + }, "pid": { "type": "long" - }, + }, "ppid": { "type": "long" - }, + }, "start": { "type": "date" - }, + }, "thread": { "properties": { "id": { "type": "long" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "title": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "uptime": { "type": "long" - }, + }, "working_directory": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "pgid": { "type": "long" - }, + }, "pid": { "type": "long" - }, + }, "ppid": { "type": "long" - }, + }, "start": { "type": "date" - }, + }, "thread": { 
"properties": { "id": { "type": "long" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "title": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "uptime": { "type": "long" - }, + }, "working_directory": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "registry": { "properties": { "data": { "properties": { "bytes": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "strings": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hive": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "key": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "path": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "value": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "related": { "properties": { "ip": { "type": "ip" - }, + }, "user": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "rule": { "properties": { "category": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "description": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "reference": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ruleset": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "uuid": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + 
}, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "server": { "properties": { "address": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "as": { "properties": { "number": { "type": "long" - }, + }, "organization": { "properties": { "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "bytes": { "type": "long" - }, + }, "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "nat": { "properties": { "ip": { "type": "ip" - }, + }, "port": { "type": "long" } } - }, + }, "packets": { "type": "long" - }, + }, "port": { "type": "long" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, 
"type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "service": { "properties": { "ephemeral_id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "node": { "properties": { "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "state": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "type": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "source": { "properties": { "address": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "as": { "properties": { "number": { "type": "long" - }, + }, "organization": { "properties": { "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "bytes": { "type": "long" - }, + }, "domain": { - "ignore_above": 1024, + "ignore_above": 
1024, "type": "keyword" - }, + }, "geo": { "properties": { "city_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "continent_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "country_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "location": { "type": "geo_point" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_iso_code": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "region_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "ip": { "type": "ip" - }, + }, "mac": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "nat": { "properties": { "ip": { "type": "ip" - }, + }, "port": { "type": "long" } } - }, + }, "packets": { "type": "long" - }, + }, "port": { "type": "long" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, 
"id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "tags": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "threat": { "properties": { "framework": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "tactic": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "reference": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "technique": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "reference": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } } } - }, + }, "tls": { "properties": { "cipher": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "client": { "properties": { "certificate": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "certificate_chain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "hash": { "properties": { "md5": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha1": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha256": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "issuer": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ja3": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "not_after": { "type": "date" - }, + }, "not_before": { 
"type": "date" - }, + }, "server_name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "subject": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "supported_ciphers": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "curve": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "established": { "type": "boolean" - }, + }, "next_protocol": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "resumed": { "type": "boolean" - }, + }, "server": { "properties": { "certificate": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "certificate_chain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "hash": { "properties": { "md5": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha1": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "sha256": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "issuer": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "ja3s": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "not_after": { "type": "date" - }, + }, "not_before": { "type": "date" - }, + }, "subject": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version_protocol": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "trace": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "transaction": { "properties": { "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "url": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "extension": { - 
"ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "fragment": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "original": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "password": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "path": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "port": { "type": "long" - }, + }, "query": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "registered_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "scheme": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "top_level_domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "username": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "user": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "email": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full_name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "group": { "properties": { "domain": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "hash": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, 
"type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "user_agent": { "properties": { "device": { "properties": { "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "name": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "original": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "os": { "properties": { "family": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "full": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "kernel": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "name": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "platform": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "vulnerability": { "properties": { "category": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "classification": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "description": { "fields": { "text": { - "norms": false, + "norms": false, "type": "text" } - }, - "ignore_above": 1024, + }, + "ignore_above": 1024, "type": "keyword" - }, + }, "enumeration": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - 
}, + }, "reference": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "report_id": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" - }, + }, "scanner": { "properties": { "vendor": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "score": { "properties": { "base": { "type": "float" - }, + }, "environmental": { "type": "float" - }, + }, "temporal": { "type": "float" - }, + }, "version": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } - }, + }, "severity": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" } } } } - }, - "order": 1, + }, + "order": 1, "settings": { "index": { "mapping": { "total_fields": { "limit": 10000 } - }, + }, "refresh_interval": "5s" } } diff --git a/schemas/base.yml b/schemas/base.yml index 630255284e..75e17bcd86 100644 --- a/schemas/base.yml +++ b/schemas/base.yml @@ -37,7 +37,7 @@ level: core type: object object_type: keyword - example: {env: production, application: foo-bar} + example: {application: foo-bar, env: production} short: Custom key/value pairs. description: > Custom key/value pairs. diff --git a/schemas/event.yml b/schemas/event.yml index 323e99f509..139d534538 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -476,7 +476,7 @@ level: core type: date short: Time when the event was first read by an agent or by your pipeline. - example: 2016-05-23T08:05:34.857Z + example: '2016-05-23T08:05:34.857Z' description: > event.created contains the date/time when the event was first read by an agent, or by your pipeline. @@ -527,7 +527,7 @@ level: core type: date short: Timestamp when an event arrived in the central data store. - example: 2016-05-23T08:05:35.101Z + example: '2016-05-23T08:05:35.101Z' description: > Timestamp when an event arrived in the central data store. diff --git a/scripts/generator.py b/scripts/generator.py index 8ef8e192ce..0bf57851b9 100644 --- a/scripts/generator.py 
+++ b/scripts/generator.py @@ -14,17 +14,17 @@ def main(): args = argument_parser() ecs_version = read_version() - print 'Running generator. ECS version ' + ecs_version + print('Running generator. ECS version ' + ecs_version) # Load the default schemas - print 'Loading default schemas' + print('Loading default schemas') (nested, flat) = schema_reader.load_schemas() # Maybe load user specified directory of schemas if args.include: include_glob = os.path.join(args.include, '*.yml') - print 'Loading user defined schemas: {0}'.format(include_glob) + print('Loading user defined schemas: {0}'.format(include_glob)) (custom_nested, custom_flat) = schema_reader.load_schemas(sorted(glob.glob(include_glob))) @@ -34,7 +34,7 @@ def main(): intermediate_files.generate(nested, flat) if args.intermediate_only: - exit + exit() csv_generator.generate(flat, ecs_version) es_template.generate(flat, ecs_version) diff --git a/scripts/generators/asciidoc_fields.py b/scripts/generators/asciidoc_fields.py index e6747fa8bd..9f252de684 100644 --- a/scripts/generators/asciidoc_fields.py +++ b/scripts/generators/asciidoc_fields.py @@ -12,10 +12,7 @@ def generate(ecs_nested, ecs_flat, ecs_version): def save_asciidoc(file, text): - open_mode = "wb" - if sys.version_info >= (3, 0): - open_mode = "w" - with open(file, open_mode) as outfile: + with open(file, "w") as outfile: outfile.write(text) @@ -121,7 +118,7 @@ def render_fieldset_reuse_section(fieldset, ecs_nested): fieldset_name=fieldset['name'], fieldset_title=fieldset['title'] ) - nestings = [] + for nested_fs_name in sorted(fieldset['nestings']): text += render_nesting_row({ 'flat_nesting': "{}.{}.*".format(fieldset['name'], nested_fs_name), diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py index 2926fe5570..25617077a1 100644 --- a/scripts/generators/beats.py +++ b/scripts/generators/beats.py 
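Review bot: `exit()` in the `if args.intermediate_only:` branch is the `site`-module convenience helper rather than a guaranteed builtin; it is missing under `python -S` and in embedded or frozen interpreters, so the bare-name bug the commit fixes would come back as a NameError in those setups. Prefer `sys.exit(0)` (importing `sys` if generator.py does not already), or simply `return` since this is inside main(). main() continues outside the hunk, so whether anything after the `intermediate_only` branch depends on the process actually exiting is not visible here.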
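Review bot: `open(file, "w")` in save_asciidoc now writes with the locale's default encoding, so a non-ASCII character in a field description raises UnicodeEncodeError on a runner with a C/POSIX locale and the output encoding silently differs between developer machines otherwise. Pin it explicitly: `with open(file, "w", encoding="utf-8") as outfile:`. With the `sys.version_info` check removed, the `sys` import in asciidoc_fields.py may now be unused; worth checking since the import block is outside the hunk.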
@@ -56,7 +56,7 @@ def fieldset_field_array(source_fields, df_whitelist):
 beats_field['default_field'] = False
 fields.append(beats_field)
- return sorted(fields, lambda x, y: cmp(x['name'], y['name']))
+ return sorted(fields, key=lambda x: x['name'])
 # Helpers
diff --git a/scripts/generators/ecs_helpers.py b/scripts/generators/ecs_helpers.py
index ff2f33baa1..aff9965b8f 100644
--- a/scripts/generators/ecs_helpers.py
+++ b/scripts/generators/ecs_helpers.py
@@ -6,11 +6,11 @@
 # Dictionary helpers
-def dict_copy_keys_ordered(dict, copied_keys):
+def dict_copy_keys_ordered(dct, copied_keys):
 ordered_dict = OrderedDict()
 for key in copied_keys:
- if key in dict:
- ordered_dict[key] = dict[key]
+ if key in dct:
+ ordered_dict[key] = dct[key]
 return ordered_dict
@@ -20,12 +20,14 @@ def dict_copy_existing_keys(source, destination, keys):
 destination[key] = source[key]
-def dict_sorted_by_keys(dict, sort_keys):
+def dict_sorted_by_keys(dct, sort_keys):
 if not isinstance(sort_keys, list):
 sort_keys = [sort_keys]
+ tuples = []
- for key in dict:
- nested = dict[key]
+
+ for key in dct:
+ nested = dct[key]
 sort_criteria = []
 for sort_key in sort_keys:
@@ -81,7 +83,7 @@ def yaml_dump(filename, data, preamble=None):
 def yaml_load(filename):
 with open(filename) as f:
- return yaml.load(f.read())
+ return yaml.safe_load(f.read())
 # List helpers
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index 2e43cfd37b..0ac6a296c8 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -6,7 +6,7 @@ def generate(ecs_flat, ecs_version):
 field_mappings = {}
- for flat_name in ecs_flat:
+ for flat_name in sorted(ecs_flat):
 field = ecs_flat[flat_name]
 nestings = flat_name.split('.')
 dict_add_nested(field_mappings, nestings, entry_for(field))
@@ -20,25 +20,22 @@ def generate(ecs_flat, ecs_version):
 # Field mappings
-def dict_add_nested(dict, nestings, value):
+def dict_add_nested(dct, nestings, value):
 current_nesting = nestings[0]
 rest_nestings = nestings[1:]
 if len(rest_nestings) > 0:
- if current_nesting not in dict:
- dict[current_nesting] = {'properties': {}}
- elif 'type' in dict[current_nesting] and 'object' == dict[current_nesting]['type']:
- dict[current_nesting] = {'type': dict[current_nesting]['type'], 'properties': {}}
+ dct.setdefault(current_nesting, {})
+ dct[current_nesting].setdefault('properties', {})
- if 'properties' in dict[current_nesting]:
- dict_add_nested(
- dict[current_nesting]['properties'],
- rest_nestings,
- value)
+ dict_add_nested(
+ dct[current_nesting]['properties'],
+ rest_nestings,
+ value)
 else:
- if current_nesting in dict and 'type' in value and 'object' == value['type']:
+ if current_nesting in dct and 'type' in value and 'object' == value['type']:
 return
- dict[current_nesting] = value
+ dct[current_nesting] = value
 def entry_for(field):
@@ -61,7 +58,7 @@ def entry_for(field):
 field_entry['fields'][mf['name']] = mf_entry
 except KeyError as ex:
- print ex, field
+ print("Exception {} occurred for field {}".format(ex, field))
 raise ex
 return field_entry
diff --git a/scripts/helper.py b/scripts/helper.py
index 5ef3aeb1f2..f9bfa05756 100644
--- a/scripts/helper.py
+++ b/scripts/helper.py
@@ -7,7 +7,7 @@ def read_schema_file(path):
 """
 fields = []
 with open(path) as f:
- fields = yaml.load(f.read())
+ fields = yaml.safe_load(f.read())
 clean_namespace_fields(fields)
 return fields
@@ -17,7 +17,7 @@ def read_use_case_file(path):
 """Read a use-case.yml file and cleans up the fields
 """
 with open(path) as f:
- use_case = yaml.load(f.read())
+ use_case = yaml.safe_load(f.read())
 fields = use_case["fields"]
 clean_namespace_fields(fields)
diff --git a/scripts/requirements.txt b/scripts/requirements.txt
index 917e8d8256..ccd7ccd657 100644
--- a/scripts/requirements.txt
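Review bot: The rewritten dict_add_nested loses the guard the old code had against descending into a non-object entry: `dct[current_nesting].setdefault('properties', {})` now also runs when `dct[current_nesting]` is an existing leaf mapping (one carrying e.g. `'type': 'keyword'`), producing a mapping that has both a scalar `type` and `properties`, which is only rejected when the template is installed in Elasticsearch rather than when it is generated. The old code silently skipped such a collision, which was no better, so a generation-time check is the clearer option: after the two setdefault calls, `if dct[current_nesting].get('type', 'object') != 'object': raise ValueError("cannot nest {} under leaf field {}".format(rest_nestings, current_nesting))`. With that check in place the comment `# an existing entry may only be descended into if it is an object mapping` on the recursive branch documents why.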
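Review bot: `raise ex` after the new print in entry_for's `except KeyError as ex:` handler should be a bare `raise`; `raise ex` re-raises the same object but adds the re-raise line as a second traceback frame, while bare `raise` leaves the original traceback untouched. Since the exception propagates anyway, `raise` alone is enough, and if the field context is the point, `raise KeyError("field {}: {}".format(field, ex)) from ex` carries it without a print to stdout. entry_for's body starts before the hunk, so which keys are looked up is not visible here.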
+++ b/scripts/requirements.txt
@@ -1,4 +1,4 @@
 pip
-PyYAML==4.2b1
-autopep8==1.4.3
-yamllint==1.13.0
+PyYAML==5.3b1
+autopep8==1.4.4
+yamllint==1.19.0
diff --git a/scripts/schema_reader.py b/scripts/schema_reader.py
index 2d1e84be93..9b4571bfd9 100644
--- a/scripts/schema_reader.py
+++ b/scripts/schema_reader.py
@@ -14,7 +14,7 @@ def ecs_files():
 def read_schema_file(file):
 """Read a raw schema yml into a map, removing the wrapping array in each file"""
 with open(file) as f:
- raw = yaml.load(f.read())
+ raw = yaml.safe_load(f.read())
 fields = {}
 for field_set in raw:
 fields[field_set['name']] = field_set
@@ -35,7 +35,7 @@ def dict_clean_string_values(dict):
 """Remove superfluous spacing in all field values of a dict"""
 for key in dict:
 value = dict[key]
- if isinstance(value, basestring):
+ if isinstance(value, str):
 dict[key] = value.strip()
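Review bot: dict_clean_string_values still takes a parameter named `dict`, shadowing the builtin, while this same commit renames that parameter to `dct` in ecs_helpers.py and es_template.py; renaming here too keeps the helpers consistent: `def dict_clean_string_values(dct):` with the three body references changed to `dct`. The `basestring` to `str` swap is correct for Python 3 and means bytes values are no longer stripped, which is fine as long as every scalar coming out of `yaml.safe_load` is a `str`; a `!!binary` tagged value would be the only exception and is presumably not used in the schemas.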
@@ -128,20 +128,20 @@ def duplicate_reusable_fieldsets(schema, fields_flat, fields_nested):
 # Here it simplifies the nesting of 'group' under 'user',
 # which is in turn reusable in a few places.
 if 'reusable' in schema:
- for new_nesting in schema['reusable']['expected']:
+ for new_nesting in sorted(schema['reusable']['expected']):
 # List field set names expected under another field set.
 # E.g. host.nestings = [ 'geo', 'os', 'user' ]
- if 'nestings' not in fields_nested[new_nesting]:
- fields_nested[new_nesting]['nestings'] = []
- fields_nested[new_nesting]['nestings'].append(schema['name'])
+ nestings = fields_nested[new_nesting].setdefault('nestings', [])
+ nestings.append(schema['name'])
+ nestings.sort()
 # Explicitly list all leaf fields coming from field set reuse.
 for (name, field) in schema['fields'].items():
 # Poor folks deepcopy, sorry -- A Rubyist
 copied_field = field.copy()
 if 'multi_fields' in copied_field:
- copied_field['multi_fields'] = map(lambda mf: mf.copy(), copied_field['multi_fields'])
+ copied_field['multi_fields'] = list(map(lambda mf: mf.copy(), copied_field['multi_fields']))
 destination_name = new_nesting + '.' + field['flat_name']
 copied_field['flat_name'] = destination_name
diff --git a/scripts/tests/test_ecs_helpers.py b/scripts/tests/test_ecs_helpers.py
index c31a189ffd..5a7788f100 100644
--- a/scripts/tests/test_ecs_helpers.py
+++ b/scripts/tests/test_ecs_helpers.py
@@ -65,12 +65,12 @@ def test_merge_dicts(self):
 result = ecs_helpers.safe_merge_dicts(a, b)
- self.assertEquals(result,
- {
- 'cloud': {'group': 2, 'name': 'cloud'},
- 'agent': {'group': 2, 'name': 'agent'},
- 'base': {'group': 1, 'name': 'base'}
- })
+ self.assertEqual(result,
+ {
+ 'cloud': {'group': 2, 'name': 'cloud'},
+ 'agent': {'group': 2, 'name': 'agent'},
+ 'base': {'group': 1, 'name': 'base'}
+ })
 def test_merge_dicts_raises_if_duplicate_key_added(self):
 a = {'cloud': {'group': 2, 'name': 'cloud'}}
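Review bot: `list(map(lambda mf: mf.copy(), copied_field['multi_fields']))` is the mechanical Python 3 translation of the old lazy `map`; the idiomatic form is the comprehension `copied_field['multi_fields'] = [mf.copy() for mf in copied_field['multi_fields']]`. The wrapping in `list` is needed, since the old `map` object would have been exhausted after its first iteration and could not be shared between nestings. The "poor folks deepcopy" above it still only copies one level of the multi_fields entries, so any nested dict inside an `mf` stays shared with the source field; `copy.deepcopy(field)` would remove the hand-rolled copying entirely, provided the field dicts carry nothing that must stay shared, which is not visible in this hunk.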
@@ -82,7 +82,7 @@ def test_merge_dicts_raises_if_duplicate_key_added(self):
 def test_list_slit_by(self):
 lst = ['ecs', 'has', 'a', 'meme', 'now']
 split_list = ecs_helpers.list_split_by(lst, 3)
- self.assertEquals(split_list, [['ecs', 'has', 'a'], ['meme', 'now']])
+ self.assertEqual(split_list, [['ecs', 'has', 'a'], ['meme', 'now']])
 if __name__ == '__main__':