diff --git a/x-pack/plugins/cases/common/api/metrics/case.ts b/x-pack/plugins/cases/common/api/metrics/case.ts index 0491eea61e070..06fd487eaa369 100644 --- a/x-pack/plugins/cases/common/api/metrics/case.ts +++ b/x-pack/plugins/cases/common/api/metrics/case.ts @@ -8,6 +8,50 @@ import * as rt from 'io-ts'; export type CaseMetricsResponse = rt.TypeOf; +export type AlertHostsMetrics = rt.TypeOf; +export type AlertUsersMetrics = rt.TypeOf; + +const AlertHostsMetricsRt = rt.type({ + /** + * Total unique hosts represented in the alerts + */ + total: rt.number, + values: rt.array( + rt.type({ + /** + * Host name + */ + name: rt.union([rt.string, rt.undefined]), + /** + * Unique identifier for the host + */ + id: rt.string, + /** + * Number of alerts that have this particular host name + */ + count: rt.number, + }) + ), +}); + +const AlertUsersMetricsRt = rt.type({ + /** + * Total unique users represented in the alerts + */ + total: rt.number, + values: rt.array( + rt.type({ + /** + * Username + */ + name: rt.string, + /** + * Number of alerts that have this particular username + */ + count: rt.number, + }) + ), +}); export const CaseMetricsResponseRt = rt.partial( rt.type({ 
@@ -20,45 +64,11 @@ export const CaseMetricsResponseRt = rt.partial( /** * Host information represented from the alerts attached to this case */ - hosts: rt.type({ - /** - * Total unique hosts represented in the alerts - */ - total: rt.number, - values: rt.array( - rt.type({ - /** - * Host name - */ - name: rt.string, - /** - * Number of alerts that have this particular host name - */ - count: rt.number, - }) - ), - }), + hosts: AlertHostsMetricsRt, /** * User information represented from the alerts attached to this case */ - users: rt.type({ - /** - * Total unique users represented in the alerts - */ - total: rt.number, - values: rt.array( - rt.type({ - /** - * Username - */ - name: rt.string, - /** - * Number of alerts that have this particular username - */ - count: rt.number, - }) - ), - }), + users: AlertUsersMetricsRt, }).props ), /** diff --git a/x-pack/plugins/cases/public/containers/mock.ts b/x-pack/plugins/cases/public/containers/mock.ts index 3c4b72e93b414..28aeaa0529009 100644 --- a/x-pack/plugins/cases/public/containers/mock.ts +++ b/x-pack/plugins/cases/public/containers/mock.ts @@ -187,8 +187,8 @@ export const basicCaseMetrics: CaseMetrics = { hosts: { total: 2, values: [ - { name: 'foo', count: 2 }, - { name: 'bar', count: 10 }, + { name: 'foo', count: 2, id: 'foo' }, + { name: 'bar', count: 10, id: 'bar' }, ], }, users: { diff --git a/x-pack/plugins/cases/server/client/metrics/alert_details.ts b/x-pack/plugins/cases/server/client/metrics/alert_details.ts deleted file mode 100644 index c17374ee7d2c9..0000000000000 --- a/x-pack/plugins/cases/server/client/metrics/alert_details.ts +++ /dev/null 
@@ -1,37 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { CaseMetricsResponse } from '../../../common/api'; -import { MetricsHandler } from './types'; - -export class AlertDetails implements MetricsHandler { - /** - * This boolean protects against the metrics being queried multiple times. The applyMetrics function could be called - * once for each feature. All the metrics will be retrieved when the first applyMetrics is called though. - */ - private retrievedMetrics: boolean = false; - - public getFeatures(): Set { - return new Set(['alerts.hosts', 'alerts.users']); - } - - public async compute(): Promise { - // we already retrieved the metrics so just return them as they are - if (this.retrievedMetrics) { - return {}; - } - - this.retrievedMetrics = true; - - return { - alerts: { - hosts: { total: 0, values: [] }, - users: { total: 0, values: [] }, - }, - }; - } -} diff --git a/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/hosts.ts b/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/hosts.ts new file mode 100644 index 0000000000000..31dba0396d50c --- /dev/null +++ b/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/hosts.ts 
@@ -0,0 +1,103 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { get } from 'lodash'; + +import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { AggregationBuilder, AggregationResponse } from './types'; + +type HostsAggregate = HostsAggregateResponse | undefined; + +interface HostsAggregateResponse { + hosts_frequency?: { + buckets: FieldAggregateBucket[]; + }; + hosts_total?: { + value: number; + }; +} + +interface FieldAggregateBucket { + key: string; + doc_count: number; + top_fields: estypes.AggregationsTopHitsAggregate; +} + +const hostName = 'host.name'; +const hostId = 'host.id'; + +export class Hosts implements AggregationBuilder { + constructor(private readonly uniqueValuesLimit: number = 10) {} + + build() { + const topHits: estypes.AggregationsAggregationContainer = { + aggs: { + top_fields: { + top_hits: { + docvalue_fields: [hostName], + sort: [ + { + '@timestamp': { + order: 'desc', + }, + }, + ], + size: 1, + }, + }, + }, + }; + + return { + hosts_frequency: { + terms: { + field: hostId, + size: this.uniqueValuesLimit, + }, + ...topHits, + }, + hosts_total: { + cardinality: { + field: hostId, + }, + }, + }; + } + + formatResponse(aggregations: AggregationResponse) { + const aggs = aggregations as HostsAggregate; + + const topFrequentHosts = aggs?.hosts_frequency?.buckets.map((bucket) => ({ + name: Hosts.getName(bucket), + id: bucket.key, + count: bucket.doc_count, + })); + + const totalHosts = aggs?.hosts_total?.value; + + const hostFields = + topFrequentHosts && totalHosts + ? 
{ total: totalHosts, values: topFrequentHosts } + : { total: 0, values: [] }; + + return { alerts: { hosts: hostFields } }; + } + + private static getName(bucket: FieldAggregateBucket): string | undefined { + const unsafeHostName = get(bucket.top_fields.hits.hits[0].fields, hostName); + + if (Array.isArray(unsafeHostName) && unsafeHostName.length > 0) { + return unsafeHostName[0]; + } + + return unsafeHostName; + } + + getName() { + return 'hosts'; + } +} diff --git a/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/index.ts b/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/index.ts new file mode 100644 index 0000000000000..5cfcac022e1d3 --- /dev/null +++ b/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/index.ts @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export * from './hosts'; +export * from './users'; +export * from './types'; diff --git a/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/types.ts b/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/types.ts new file mode 100644 index 0000000000000..8ea5142e5a91b --- /dev/null +++ b/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/types.ts 
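Review bot: `getName(bucket)` in hosts.ts indexes `hits.hits[0].fields` without a guard and, on the fall-through path, returns whatever `get()` produced under a `string | undefined` signature, so a bucket with no top hit would throw inside the `map` in `formatResponse` and a non-string docvalue would leak through as a "name". With `size: 1` a terms bucket should always carry one hit, but the optional access and a type check keep the declared contract honest: `const unsafeHostName = get(bucket.top_fields.hits.hits[0]?.fields, hostName);` and `return typeof unsafeHostName === 'string' ? unsafeHostName : undefined;`. The private static `getName(bucket)` sharing its name with the public instance `getName()` that returns `'hosts'` also reads confusingly; `getHostName` would keep the two roles apart.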
@@ -0,0 +1,17 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { CaseMetricsResponse } from '../../../../../common/api'; + +export interface AggregationBuilder { + build(): Record; + formatResponse(aggregations: AggregationResponse): CaseMetricsResponse; + getName(): string; +} + +export type AggregationResponse = Record | undefined; diff --git a/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/users.ts b/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/users.ts new file mode 100644 index 0000000000000..856c12df43434 --- /dev/null +++ b/x-pack/plugins/cases/server/client/metrics/alerts/aggregations/users.ts 
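Review bot: The new `AggregationBuilder` interface in types.ts carries no TSDoc even though it is the contract every metrics aggregation has to satisfy. Add a comment above `build()` stating that it returns the aggregation entries merged into the search request under the builder's own keys, above `formatResponse()` that it receives the `aggregations` object of the search response (or `undefined`) and must return its zero-value defaults when its keys are absent, and above `getName()` that the name is only used to label errors raised by `AlertService.executeAggregations`. Each of those rules is currently discoverable only by reading `Hosts`, `Users` and the service together.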
@@ -0,0 +1,66 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { AggregationBuilder, AggregationResponse } from './types'; + +export class Users implements AggregationBuilder { + constructor(private readonly uniqueValuesLimit: number = 10) {} + + build() { + return { + users_frequency: { + terms: { + field: userName, + size: this.uniqueValuesLimit, + }, + }, + users_total: { + cardinality: { + field: userName, + }, + }, + }; + } + + formatResponse(aggregations: AggregationResponse) { + const aggs = aggregations as UsersAggregate; + + const topFrequentUsers = aggs?.users_frequency?.buckets.map((bucket) => ({ + name: bucket.key, + count: bucket.doc_count, + })); + + const totalUsers = aggs?.users_total?.value; + + const usersFields = + topFrequentUsers && totalUsers + ? { total: totalUsers, values: topFrequentUsers } + : { total: 0, values: [] }; + + return { alerts: { users: usersFields } }; + } + + getName() { + return 'users'; + } +} + +const userName = 'user.name'; + +type UsersAggregate = UsersAggregateResponse | undefined; + +interface UsersAggregateResponse { + users_frequency?: { + buckets: Array<{ + key: string; + doc_count: number; + }>; + }; + users_total?: { + value: number; + }; +} diff --git a/x-pack/plugins/cases/server/client/metrics/alerts_count.ts b/x-pack/plugins/cases/server/client/metrics/alerts/count.ts similarity index 83% rename from x-pack/plugins/cases/server/client/metrics/alerts_count.ts rename to x-pack/plugins/cases/server/client/metrics/alerts/count.ts index 786a53310cb88..8113f305ad4ba 100644 --- a/x-pack/plugins/cases/server/client/metrics/alerts_count.ts +++ b/x-pack/plugins/cases/server/client/metrics/alerts/count.ts 
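Review bot: `userName` and the `UsersAggregate` types in users.ts are declared after the `Users` class that references them, the opposite layout from hosts.ts where `hostName`/`hostId` and the aggregate interfaces come first; it works because `build()` only runs after module evaluation, but a reader meets the identifier before its definition, so move `const userName = 'user.name';` and the two type declarations above the class to match hosts.ts. In `formatResponse`, `topFrequentUsers && totalUsers` relies on a total of `0` being falsy; the result is the same `{ total: 0, values: [] }`, but `totalUsers !== undefined` would state the intent directly.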
@@ -5,12 +5,12 @@ * 2.0. */ -import { CaseMetricsResponse } from '../../../common/api'; -import { Operations } from '../../authorization'; -import { createCaseError } from '../../common/error'; -import { CasesClient } from '../client'; -import { CasesClientArgs } from '../types'; -import { MetricsHandler } from './types'; +import { CaseMetricsResponse } from '../../../../common/api'; +import { Operations } from '../../../authorization'; +import { createCaseError } from '../../../common/error'; +import { CasesClient } from '../../client'; +import { CasesClientArgs } from '../../types'; +import { MetricsHandler } from '../types'; export class AlertsCount implements MetricsHandler { constructor( diff --git a/x-pack/plugins/cases/server/client/metrics/alerts/details.test.ts b/x-pack/plugins/cases/server/client/metrics/alerts/details.test.ts new file mode 100644 index 0000000000000..6e72a3ec4fe84 --- /dev/null +++ b/x-pack/plugins/cases/server/client/metrics/alerts/details.test.ts 
@@ -0,0 +1,221 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { createCasesClientMock } from '../../mocks'; +import { CasesClientArgs } from '../../types'; +import { loggingSystemMock } from '../../../../../../../src/core/server/mocks'; + +import { AlertDetails } from './details'; +import { mockAlertsService } from './test_utils'; + +describe('AlertDetails', () => { + beforeEach(() => { + jest.clearAllMocks(); + }); + + it('returns empty alert details metrics when there are no alerts', async () => { + const client = createCasesClientMock(); + client.attachments.getAllAlertsAttachToCase.mockImplementation(async () => { + return []; + }); + + const handler = new AlertDetails('', client, {} as CasesClientArgs); + expect(await handler.compute()).toEqual({}); + }); + + it('returns the default zero values when there are no alerts but features are requested', async () => { + const client = createCasesClientMock(); + client.attachments.getAllAlertsAttachToCase.mockImplementation(async () => { + return []; + }); + + const handler = new AlertDetails('', client, {} as CasesClientArgs); + handler.setupFeature('alerts.hosts'); + + expect(await handler.compute()).toEqual({ + alerts: { + hosts: { + total: 0, + values: [], + }, + }, + }); + }); + + it('returns the default zero values for hosts when the count aggregation returns undefined', async () => { + const client = createMockClient(); + const { mockServices, clientArgs } = createMockClientArgs(); + mockServices.alertsService.executeAggregations.mockImplementation(async () => ({})); + + const handler = new AlertDetails('', client, clientArgs); + handler.setupFeature('alerts.hosts'); + + expect(await handler.compute()).toEqual({ + alerts: { + hosts: { + total: 0, + values: [], + }, + }, + }); + }); + + 
it('returns the default zero values for users when the count aggregation returns undefined', async () => { + const client = createMockClient(); + const { mockServices, clientArgs } = createMockClientArgs(); + mockServices.alertsService.executeAggregations.mockImplementation(async () => ({})); + + const handler = new AlertDetails('', client, clientArgs); + handler.setupFeature('alerts.users'); + + expect(await handler.compute()).toEqual({ + alerts: { + users: { + total: 0, + values: [], + }, + }, + }); + }); + + it('returns the default zero values for hosts when the top hits aggregation returns undefined', async () => { + const client = createMockClient(); + const { mockServices, clientArgs } = createMockClientArgs(); + mockServices.alertsService.executeAggregations.mockImplementation(async () => ({})); + + const handler = new AlertDetails('', client, clientArgs); + handler.setupFeature('alerts.hosts'); + + expect(await handler.compute()).toEqual({ + alerts: { + hosts: { + total: 0, + values: [], + }, + }, + }); + }); + + it('returns the default zero values for users when the top hits aggregation returns undefined', async () => { + const client = createMockClient(); + const { mockServices, clientArgs } = createMockClientArgs(); + mockServices.alertsService.executeAggregations.mockImplementation(async () => ({})); + + const handler = new AlertDetails('', client, clientArgs); + handler.setupFeature('alerts.users'); + + expect(await handler.compute()).toEqual({ + alerts: { + users: { + total: 0, + values: [], + }, + }, + }); + }); + + it('returns empty alert details metrics when no features were setup', async () => { + const client = createCasesClientMock(); + client.attachments.getAllAlertsAttachToCase.mockImplementation(async () => { + return [{ id: '1', index: '2', attached_at: '3' }]; + }); + + const handler = new AlertDetails('', client, {} as CasesClientArgs); + expect(await handler.compute()).toEqual({}); + }); + + it('returns empty alert details metrics when no 
features were setup when called twice', async () => { + const client = createCasesClientMock(); + client.attachments.getAllAlertsAttachToCase.mockImplementation(async () => { + return [{ id: '1', index: '2', attached_at: '3' }]; + }); + + const handler = new AlertDetails('', client, {} as CasesClientArgs); + expect(await handler.compute()).toEqual({}); + expect(await handler.compute()).toEqual({}); + }); + + it('returns host details when the host feature is setup', async () => { + const client = createMockClient(); + const { clientArgs } = createMockClientArgs(); + const handler = new AlertDetails('', client, clientArgs); + + handler.setupFeature('alerts.hosts'); + + expect(await handler.compute()).toEqual({ + alerts: { + hosts: { + total: 2, + values: [{ id: '1', name: 'host1', count: 1 }], + }, + }, + }); + }); + + it('returns user details when the user feature is setup', async () => { + const client = createMockClient(); + const { clientArgs } = createMockClientArgs(); + + const handler = new AlertDetails('', client, clientArgs); + + handler.setupFeature('alerts.users'); + + expect(await handler.compute()).toEqual({ + alerts: { + users: { + total: 2, + values: [{ name: 'user1', count: 1 }], + }, + }, + }); + }); + + it('returns user and host details when the user and host features are setup', async () => { + const client = createMockClient(); + const { clientArgs } = createMockClientArgs(); + + const handler = new AlertDetails('', client, clientArgs); + + handler.setupFeature('alerts.users'); + handler.setupFeature('alerts.hosts'); + + expect(await handler.compute()).toEqual({ + alerts: { + hosts: { + total: 2, + values: [{ id: '1', name: 'host1', count: 1 }], + }, + users: { + total: 2, + values: [{ name: 'user1', count: 1 }], + }, + }, + }); + }); +}); + +function createMockClient() { + const client = createCasesClientMock(); + client.attachments.getAllAlertsAttachToCase.mockImplementation(async () => { + return [{ id: '1', index: '2', attached_at: '3' }]; + 
}); + + return client; +} + +function createMockClientArgs() { + const alertsService = mockAlertsService(); + + const logger = loggingSystemMock.createLogger(); + + const clientArgs = { + logger, + alertsService, + }; + + return { mockServices: clientArgs, clientArgs: clientArgs as unknown as CasesClientArgs }; +} diff --git a/x-pack/plugins/cases/server/client/metrics/alerts/details.ts b/x-pack/plugins/cases/server/client/metrics/alerts/details.ts new file mode 100644 index 0000000000000..f9f1f90f19fd1 --- /dev/null +++ b/x-pack/plugins/cases/server/client/metrics/alerts/details.ts 
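Review bot: The two tests named "when the top hits aggregation returns undefined" in details.test.ts mock `executeAggregations` to return `{}`, exactly like the preceding "count aggregation returns undefined" tests, so they exercise the same branch and never cover a response where the total is present but the frequency buckets are missing. Return a partial response in each variant, e.g. `mockServices.alertsService.executeAggregations.mockImplementation(async () => ({ hosts_total: { value: 2 } }));` for the hosts case and `({ users_total: { value: 2 } })` for users, which pins the fall-through to the zero defaults in `Hosts.formatResponse` and `Users.formatResponse`.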
@@ -0,0 +1,75 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { merge } from 'lodash'; + +import { CaseMetricsResponse } from '../../../../common/api'; +import { createCaseError } from '../../../common/error'; + +import { CasesClient } from '../../client'; +import { CasesClientArgs } from '../../types'; +import { MetricsHandler } from '../types'; +import { Hosts, Users, AggregationBuilder, AggregationResponse } from './aggregations'; + +export class AlertDetails implements MetricsHandler { + private aggregationsToBuild: AggregationBuilder[] = []; + private readonly aggregations = new Map([ + ['alerts.hosts', new Hosts()], + ['alerts.users', new Users()], + ]); + + constructor( + private readonly caseId: string, + private readonly casesClient: CasesClient, + private readonly clientArgs: CasesClientArgs + ) {} + + public getFeatures(): Set { + return new Set(this.aggregations.keys()); + } + + public setupFeature(feature: string) { + const aggregation = this.aggregations.get(feature); + if (aggregation) { + this.aggregationsToBuild.push(aggregation); + } + } + + public async compute(): Promise { + const { alertsService, logger } = this.clientArgs; + + try { + const alerts = await this.casesClient.attachments.getAllAlertsAttachToCase({ + caseId: this.caseId, + }); + + if (alerts.length <= 0 || this.aggregationsToBuild.length <= 0) { + return this.formatResponse(); + } + + const aggregationsResponse = await alertsService.executeAggregations({ + aggregationBuilders: this.aggregationsToBuild, + alerts, + }); + + return this.formatResponse(aggregationsResponse); + } catch (error) { + throw createCaseError({ + message: `Failed to retrieve alerts details attached case id: ${this.caseId}: ${error}`, + error, + logger, + }); + } + } + + private 
formatResponse(aggregationsResponse?: AggregationResponse): CaseMetricsResponse { + return this.aggregationsToBuild.reduce( + (acc, feature) => merge(acc, feature.formatResponse(aggregationsResponse)), + {} + ); + } +} diff --git a/x-pack/plugins/cases/server/client/metrics/alerts/test_utils.ts b/x-pack/plugins/cases/server/client/metrics/alerts/test_utils.ts new file mode 100644 index 0000000000000..b070182fe048b --- /dev/null +++ b/x-pack/plugins/cases/server/client/metrics/alerts/test_utils.ts @@ -0,0 +1,80 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { createAlertServiceMock } from '../../../services/mocks'; +import { AggregationBuilder, Hosts, Users } from './aggregations'; + +export function mockAlertsService() { + const alertsService = createAlertServiceMock(); + alertsService.executeAggregations.mockImplementation( + async ({ aggregationBuilders }: { aggregationBuilders: AggregationBuilder[] }) => { + let result = {}; + for (const builder of aggregationBuilders) { + switch (builder.constructor) { + case Hosts: + result = { + ...result, + ...createHostsAggsResponse(), + }; + break; + case Users: + result = { + ...result, + ...createUsersAggsResponse(), + }; + break; + } + } + return result; + } + ); + + return alertsService; +} + +function createHostsAggsResponse() { + return { + hosts_total: { + value: 2, + }, + hosts_frequency: { + buckets: [ + { + key: '1', + doc_count: 1, + top_fields: { + hits: { + hits: [ + { + fields: { + 'host.name': ['host1'], + }, + }, + ], + }, + }, + }, + ], + }, + }; +} + +function createUsersAggsResponse() { + return { + users_total: { + value: 2, + }, + users_frequency: { + buckets: [ + { + key: 'user1', + doc_count: 1, + }, + ], + }, + }; +} 
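Review bot: `setupFeature` in details.ts pushes the builder onto `aggregationsToBuild` without checking for duplicates, so calling it twice for the same feature merges the same aggregation keys twice and runs that builder's `formatResponse` twice; `buildHandlers` currently iterates a Set of features so this does not happen today, but the method itself should be idempotent: `if (aggregation && !this.aggregationsToBuild.includes(aggregation)) {`. Neither `setupFeature` nor `compute` has a TSDoc comment; document that `setupFeature` must be called with each requested feature before `compute`, and that `compute` returns `{}` when no feature was set up and the builders' zero-value defaults when no alerts are attached, since both rules are visible only by reading the body.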
diff --git a/x-pack/plugins/cases/server/client/metrics/get_case_metrics.test.ts b/x-pack/plugins/cases/server/client/metrics/get_case_metrics.test.ts index b34a4fe4e9d39..97f5d79e43c89 100644 --- a/x-pack/plugins/cases/server/client/metrics/get_case_metrics.test.ts +++ b/x-pack/plugins/cases/server/client/metrics/get_case_metrics.test.ts @@ -13,6 +13,7 @@ import { createAuthorizationMock } from '../../authorization/mock'; import { loggingSystemMock, savedObjectsClientMock } from '../../../../../../src/core/server/mocks'; import { createAttachmentServiceMock, createCaseServiceMock } from '../../services/mocks'; import { SavedObject } from 'kibana/server'; +import { mockAlertsService } from './alerts/test_utils'; describe('getMetrics', () => { const mockCreateCloseInfo = { 
@@ -20,44 +21,8 @@ describe('getMetrics', () => { closed_at: '2021-11-23T19:59:44Z', }; - const client = createCasesClientMock(); - client.cases.get.mockImplementation(async () => { - return { - created_at: '2021-11-23T19:59:43Z', - closed_at: '2021-11-23T19:59:44Z', - } as unknown as CaseResponse; - }); - - const attachmentService = createAttachmentServiceMock(); - attachmentService.countAlertsAttachedToCase.mockImplementation(async () => { - return 5; - }); - - const authorization = createAuthorizationMock(); - authorization.getAuthorizationFilter.mockImplementation(async () => { - return { filter: undefined, ensureSavedObjectsAreAuthorized: () => {} }; - }); - - const soClient = savedObjectsClientMock.create(); - const caseService = createCaseServiceMock(); - caseService.getCase.mockImplementation(async () => { - return { - id: '1', - attributes: { - owner: 'security', - }, - } as unknown as SavedObject; - }); - - const logger = loggingSystemMock.createLogger(); - - const clientArgs = { - authorization, - unsecuredSavedObjectsClient: soClient, - caseService, - logger, - attachmentService, - } as unknown as CasesClientArgs; + const client = createMockClient(); + const { mockServices, clientArgs } = createMockClientArgs(); beforeEach(() => { jest.clearAllMocks(); @@ -85,8 +50,11 @@ describe('getMetrics', () => { clientArgs ); - expect(metrics.alerts?.hosts).toBeDefined(); - expect(metrics.alerts?.users).toBeDefined(); + expect(metrics.alerts?.hosts).toEqual({ + total: 2, + values: [{ name: 'host1', id: '1', count: 1 }], + }); + expect(metrics.alerts?.users).toEqual({ total: 2, values: [{ count: 1, name: 'user1' }] }); }); it('populates multiple sections at a time', async () => { 
@@ -100,7 +68,7 @@ describe('getMetrics', () => { creationDate: mockCreateCloseInfo.created_at, closeDate: mockCreateCloseInfo.closed_at, }); - expect(metrics.alerts?.count).toBeDefined(); + expect(metrics.alerts?.count).toEqual(5); }); it('populates multiple alerts sections at a time', async () => { @@ -111,7 +79,10 @@ describe('getMetrics', () => { ); expect(metrics.alerts?.count).toEqual(5); - expect(metrics.alerts?.hosts).toBeDefined(); + expect(metrics.alerts?.hosts).toEqual({ + total: 2, + values: [{ name: 'host1', id: '1', count: 1 }], + }); }); it('throws an error for an invalid feature', async () => { 
@@ -127,12 +98,82 @@ describe('getMetrics', () => { try { await getCaseMetrics( - { caseId: '', features: ['bananas', 'lifespan', 'alerts.count'] }, + { caseId: '1', features: ['bananas', 'lifespan', 'alerts.count'] }, client, clientArgs ); } catch (error) { - expect(error.message).toContain('invalid features: [bananas]'); + expect(error.message).toMatchInlineSnapshot( + `"Failed to retrieve metrics within client for case id: 1: Error: invalid features: [bananas], please only provide valid features: [alerts.count, alerts.hosts, alerts.users, connectors, lifespan]"` + ); } }); + + it('calls the alert handler once to compute the metrics for both hosts and users', async () => { + expect.assertions(1); + + await getCaseMetrics( + { caseId: '', features: ['alerts.users', 'alerts.hosts'] }, + client, + clientArgs + ); + + expect(mockServices.alertsService.executeAggregations).toBeCalledTimes(1); + }); }); + +function createMockClient() { + const client = createCasesClientMock(); + + client.cases.get.mockImplementation(async () => { + return { + created_at: '2021-11-23T19:59:43Z', + closed_at: '2021-11-23T19:59:44Z', + } as unknown as CaseResponse; + }); + + client.attachments.getAllAlertsAttachToCase.mockImplementation(async () => { + return [{ id: '1', index: '2', attached_at: '3' }]; + }); + + return client; +} + +function createMockClientArgs() { + const attachmentService = createAttachmentServiceMock(); + attachmentService.countAlertsAttachedToCase.mockImplementation(async () => { + return 5; + }); + + const authorization = createAuthorizationMock(); + authorization.getAuthorizationFilter.mockImplementation(async () => { + return { filter: undefined, ensureSavedObjectsAreAuthorized: () => {} }; + }); + + const soClient = savedObjectsClientMock.create(); + + const caseService = createCaseServiceMock(); + caseService.getCase.mockImplementation(async () => { + return { + id: '1', + attributes: { + owner: 'security', + }, + } as unknown as SavedObject; + }); + + const 
alertsService = mockAlertsService(); + + const logger = loggingSystemMock.createLogger(); + + const clientArgs = { + authorization, + unsecuredSavedObjectsClient: soClient, + caseService, + logger, + attachmentService, + alertsService, + }; + + return { mockServices: clientArgs, clientArgs: clientArgs as unknown as CasesClientArgs }; +} diff --git a/x-pack/plugins/cases/server/client/metrics/get_case_metrics.ts b/x-pack/plugins/cases/server/client/metrics/get_case_metrics.ts index 0cc089a1c0882..2f483c9880a0a 100644 --- a/x-pack/plugins/cases/server/client/metrics/get_case_metrics.ts +++ b/x-pack/plugins/cases/server/client/metrics/get_case_metrics.ts @@ -12,8 +12,8 @@ import { Operations } from '../../authorization'; import { createCaseError } from '../../common/error'; import { CasesClient } from '../client'; import { CasesClientArgs } from '../types'; -import { AlertsCount } from './alerts_count'; -import { AlertDetails } from './alert_details'; +import { AlertsCount } from './alerts/count'; +import { AlertDetails } from './alerts/details'; import { Connectors } from './connectors'; import { Lifespan } from './lifespan'; import { MetricsHandler } from './types'; @@ -37,15 +37,12 @@ export const getCaseMetrics = async ( const { logger } = clientArgs; try { - const handlers = buildHandlers(params, casesClient, clientArgs); await checkAuthorization(params, clientArgs); - checkAndThrowIfInvalidFeatures(params, handlers); + const handlers = buildHandlers(params, casesClient, clientArgs); const computedMetrics = await Promise.all( - params.features.map(async (feature) => { - const handler = handlers.get(feature); - - return handler?.compute(); + Array.from(handlers).map(async (handler) => { + return handler.compute(); }) ); 
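Review bot: The "throws an error for an invalid feature" test in get_case_metrics.test.ts still wraps `getCaseMetrics` in a bare try/catch, so if the call ever stops throwing the test passes with zero assertions; the new "calls the alert handler once" test in the same hunk already uses `expect.assertions(1);`, so add that line at the top of this test too (its `it(...)` opening sits just above the hunk). Alternatively `await expect(getCaseMetrics(...)).rejects.toThrow(...)` expresses the expectation without the try/catch.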
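Review bot: In the `Promise.all` in get_case_metrics.ts the `async (handler) => { return handler.compute(); }` wrapper adds nothing, since `compute()` already returns a promise, and `Array.from` can take the mapping function directly: `Array.from(handlers, (handler) => handler.compute())`. Moving `checkAuthorization` ahead of `buildHandlers` also moves the invalid-feature check after authorization, so an unauthorized caller now receives the authorization error rather than the feature validation error; that ordering looks deliberate and is worth recording, e.g. `// authorize first so feature validation only runs for authorized callers`.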
@@ -53,7 +50,7 @@ export const getCaseMetrics = async ( return merge(acc, metric); }, {}); - return CaseMetricsResponseRt.encode(mergedResults ?? {}); + return CaseMetricsResponseRt.encode(mergedResults); } catch (error) { throw createCaseError({ logger, 
@@ -67,31 +64,41 @@ const buildHandlers = ( params: CaseMetricsParams, casesClient: CasesClient, clientArgs: CasesClientArgs -): Map => { - const handlers = [ +): Set => { + const handlers: MetricsHandler[] = [ new Lifespan(params.caseId, casesClient), new AlertsCount(params.caseId, casesClient, clientArgs), - new AlertDetails(), + new AlertDetails(params.caseId, casesClient, clientArgs), new Connectors(), ]; - const handlersByFeature = new Map(); + const uniqueFeatures = new Set(params.features); + const handlerFeatures = new Set(); + const handlersToExecute = new Set(); for (const handler of handlers) { - // assign each feature to the handler that owns that feature - handler.getFeatures().forEach((value) => handlersByFeature.set(value, handler)); + for (const handlerFeature of handler.getFeatures()) { + if (uniqueFeatures.has(handlerFeature)) { + handler.setupFeature?.(handlerFeature); + handlersToExecute.add(handler); + } + + handlerFeatures.add(handlerFeature); + } } - return handlersByFeature; + checkAndThrowIfInvalidFeatures(params, handlerFeatures); + + return handlersToExecute; }; const checkAndThrowIfInvalidFeatures = ( params: CaseMetricsParams, - handlers: Map + handlerFeatures: Set ) => { - const invalidFeatures = params.features.filter((feature) => !handlers.has(feature)); + const invalidFeatures = params.features.filter((feature) => !handlerFeatures.has(feature)); if (invalidFeatures.length > 0) { const invalidFeaturesAsString = invalidFeatures.join(', '); - const validFeaturesAsString = [...handlers.keys()].join(', '); + const validFeaturesAsString = [...handlerFeatures.keys()].sort().join(', '); throw Boom.badRequest( `invalid features: [${invalidFeaturesAsString}], please only provide valid features: [${validFeaturesAsString}]` diff --git a/x-pack/plugins/cases/server/client/metrics/types.ts b/x-pack/plugins/cases/server/client/metrics/types.ts index 7dd3b22821538..ff0547aa98dcf 100644 --- a/x-pack/plugins/cases/server/client/metrics/types.ts 
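Review bot: `buildHandlers` in get_case_metrics.ts now also collects every known feature and calls `checkAndThrowIfInvalidFeatures`, but the explanatory comment the old loop had (`// assign each feature to the handler that owns that feature`) was dropped and nothing replaces it; add `// register each requested feature with the handler that owns it and schedule that handler` above the inner loop, and a TSDoc on `buildHandlers` stating that it throws `Boom.badRequest` for unknown features. In `checkAndThrowIfInvalidFeatures`, `[...handlerFeatures.keys()].sort()` works on a Set but `.keys()` is the Map idiom; `[...handlerFeatures].sort()` reads more directly. Handlers without `setupFeature` (the optional call `handler.setupFeature?.(handlerFeature)`) are scheduled whole, which is fine while each owns a single feature; if one of them gains a second feature it will compute both regardless of the request, which deserves a note at the optional call.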
+++ b/x-pack/plugins/cases/server/client/metrics/types.ts @@ -10,4 +10,5 @@ import { CaseMetricsResponse } from '../../../common/api'; export interface MetricsHandler { getFeatures(): Set; compute(): Promise; + setupFeature?(feature: string): void; } diff --git a/x-pack/plugins/cases/server/services/alerts/index.ts b/x-pack/plugins/cases/server/services/alerts/index.ts index 424bbd9814e97..95ead5e0eeac7 100644 --- a/x-pack/plugins/cases/server/services/alerts/index.ts +++ b/x-pack/plugins/cases/server/services/alerts/index.ts @@ -18,20 +18,7 @@ import { ALERT_WORKFLOW_STATUS, STATUS_VALUES, } from '../../../../rule_registry/common/technical_rule_data_field_names'; - -interface Alert { - _id: string; - _index: string; - _source: Record; -} - -interface AlertsResponse { - docs: Alert[]; -} - -function isEmptyAlert(alert: AlertInfo): boolean { - return isEmpty(alert.id) || isEmpty(alert.index); -} +import { AggregationBuilder, AggregationResponse } from '../../client/metrics/alerts/aggregations'; export class AlertService { constructor( 
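Review bot: The new optional `setupFeature?(feature: string): void;` on `MetricsHandler` has no comment explaining when it is called or what a handler that omits it should expect. From `buildHandlers` it is invoked once for each requested feature the handler owns, before `compute`, and a handler without it is executed for all of its features; add a TSDoc above the member such as `/** Called once per requested feature owned by this handler, before compute(). Handlers that omit it are computed for every feature they report from getFeatures(). */`.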
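Review bot: The service in services/alerts/index.ts now imports `AggregationBuilder` and `AggregationResponse` from `'../../client/metrics/alerts/aggregations'`, so the services layer depends on the client layer while `client/metrics/alerts/details.ts` in turn reaches the service through `clientArgs.alertsService`; that is a dependency in both directions between the two layers and, depending on how those modules are wired, a possible import cycle. Only types are consumed here, so `import type { AggregationBuilder, AggregationResponse } from '../../client/metrics/alerts/aggregations';` at least keeps the dependency out of the emitted JavaScript; moving the two types to a location shared by both layers would remove it entirely.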
@@ -39,6 +26,55 @@ export class AlertService { private readonly logger: Logger ) {} + public async executeAggregations({ + aggregationBuilders, + alerts, + }: { + aggregationBuilders: AggregationBuilder[]; + alerts: AlertIdIndex[]; + }): Promise { + try { + const { ids, indices } = AlertService.getUniqueIdsIndices(alerts); + + const builtAggs = aggregationBuilders.reduce((acc, agg) => { + return { ...acc, ...agg.build() }; + }, {}); + + const res = await this.scopedClusterClient.search({ + index: indices, + query: { ids: { values: ids } }, + size: 0, + aggregations: builtAggs, + }); + + return res.body.aggregations; + } catch (error) { + const aggregationNames = aggregationBuilders.map((agg) => agg.getName()); + + throw createCaseError({ + message: `Failed to execute aggregations [${aggregationNames.join(',')}]: ${error}`, + error, + logger: this.logger, + }); + } + } + + private static getUniqueIdsIndices(alerts: AlertIdIndex[]): { ids: string[]; indices: string[] } { + const { ids, indices } = alerts.reduce( + (acc, alert) => { + acc.ids.add(alert.id); + acc.indices.add(alert.index); + return acc; + }, + { ids: new Set(), indices: new Set() } + ); + + return { + ids: Array.from(ids), + indices: Array.from(indices), + }; + } + public async updateAlertsStatus(alerts: UpdateAlertRequest[]) { try { const bucketedAlerts = this.bucketAlertsByIndexAndStatus(alerts); @@ -65,7 +101,7 @@ export class AlertService { return alerts.reduce>>( (acc, alert) => { // skip any alerts that are empty - if (isEmptyAlert(alert)) { + if (AlertService.isEmptyAlert(alert)) { return acc; } @@ -90,6 +126,10 @@ export class AlertService { ); } + private static isEmptyAlert(alert: AlertInfo): boolean { + return isEmpty(alert.id) || isEmpty(alert.index); + } + private translateStatus(alert: UpdateAlertRequest): STATUS_VALUES { const translatedStatuses: Record = { [CaseStatuses.open]: 'open', 
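Review bot: `executeAggregations` in services/alerts/index.ts passes every attached alert's `id` and `index` straight into the `ids` query and the `index` list, whereas the neighbouring `getAlerts` and `bucketAlertsByIndexAndStatus` first drop entries where `isEmptyAlert` is true, and `getAlerts` additionally caps the list at `MAX_ALERTS_PER_SUB_CASE`. An attachment with an empty `index` would therefore become an empty index name in the search request; filter in `getUniqueIdsIndices` the same way, `alerts.filter((alert) => !AlertService.isEmptyAlert(alert)).reduce(` (assuming `AlertIdIndex` is assignable to `AlertInfo`, which the hunk does not show), and decide explicitly whether the aggregation should be bounded by the same maximum as `getAlerts`. The method also returns `res.body.aggregations` without noting that it is `undefined` when the response carries no aggregations, which is precisely the case the builders' `formatResponse` defaults exist for.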
@@ -142,7 +182,7 @@ export class AlertService { public async getAlerts(alertsInfo: AlertInfo[]): Promise { try { const docs = alertsInfo - .filter((alert) => !isEmptyAlert(alert)) + .filter((alert) => !AlertService.isEmptyAlert(alert)) .slice(0, MAX_ALERTS_PER_SUB_CASE) .map((alert) => ({ _id: alert.id, _index: alert.index })); @@ -188,3 +228,18 @@ function updateIndexEntryWithStatus( statusBucket.push(alert); } } + +interface Alert { + _id: string; + _index: string; + _source: Record; +} + +interface AlertsResponse { + docs: Alert[]; +} + +interface AlertIdIndex { + id: string; + index: string; +} diff --git a/x-pack/plugins/cases/server/services/mocks.ts b/x-pack/plugins/cases/server/services/mocks.ts index 0c6ea420858aa..51c946d3885f1 100644 --- a/x-pack/plugins/cases/server/services/mocks.ts +++ b/x-pack/plugins/cases/server/services/mocks.ts @@ -102,6 +102,7 @@ export const createAlertServiceMock = (): AlertServiceMock => { const service: PublicMethodsOf = { updateAlertsStatus: jest.fn(), getAlerts: jest.fn(), + executeAggregations: jest.fn(), }; // the cast here is required because jest.Mocked tries to include private members and would throw an error diff --git a/x-pack/test/cases_api_integration/common/lib/validation.ts b/x-pack/test/cases_api_integration/common/lib/validation.ts index 3dcb15c14645d..c09fd67e63d9c 100644 --- a/x-pack/test/cases_api_integration/common/lib/validation.ts +++ b/x-pack/test/cases_api_integration/common/lib/validation.ts 
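Review bot: The new `AlertIdIndex` interface at the bottom of the file declares exactly the `id` and `index` fields that `isEmptyAlert(alert: AlertInfo)` and `getAlerts` read from `AlertInfo`, so the file now has two types for what looks like the same pair, and `executeAggregations` cannot reuse `isEmptyAlert` without a cast unless `AlertIdIndex` happens to be assignable to `AlertInfo`. `AlertInfo` is imported from outside this diff, so I cannot confirm its shape; if it is the same pair, a single type (or `type AlertIdIndex = Pick<AlertInfo, 'id' | 'index'>`) would keep the two code paths in step. At minimum a one-line comment on `AlertIdIndex` saying why it exists alongside `AlertInfo` would help the next reader.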
@@ -25,3 +25,16 @@ export function validateCasesFromAlertIDResponse( expect(apiResCase.title).to.be(idToTitle.get(apiResCase.id)); } } + +/** + * Compares two arrays to determine if they are sort of equal. This function returns true if the arrays contain the same + * elements but the ordering does not matter. + */ +export function arraysToEqual(array1?: object[], array2?: object[]) { + if (!array1 || !array2 || array1.length !== array2.length) { + return false; + } + + const array1AsSet = new Set(array1); + return array2.every((item) => array1AsSet.has(item)); +} diff --git a/x-pack/test/cases_api_integration/security_and_spaces/tests/common/index.ts b/x-pack/test/cases_api_integration/security_and_spaces/tests/common/index.ts index 18f42e9d54c86..ae29e50f13b28 100644 --- a/x-pack/test/cases_api_integration/security_and_spaces/tests/common/index.ts +++ b/x-pack/test/cases_api_integration/security_and_spaces/tests/common/index.ts @@ -40,6 +40,7 @@ export default ({ loadTestFile }: FtrProviderContext): void => { loadTestFile(require.resolve('./sub_cases/get_sub_case')); loadTestFile(require.resolve('./sub_cases/find_sub_cases')); loadTestFile(require.resolve('./metrics/get_case_metrics')); + loadTestFile(require.resolve('./metrics/get_case_metrics_alerts')); // NOTE: Migrations are not included because they can inadvertently remove the .kibana indices which removes the users and spaces // which causes errors in any tests after them that relies on those diff --git a/x-pack/test/cases_api_integration/security_and_spaces/tests/common/metrics/get_case_metrics.ts b/x-pack/test/cases_api_integration/security_and_spaces/tests/common/metrics/get_case_metrics.ts index 69b0b70512987..5ce12be2a9fed 100644 --- a/x-pack/test/cases_api_integration/security_and_spaces/tests/common/metrics/get_case_metrics.ts +++ b/x-pack/test/cases_api_integration/security_and_spaces/tests/common/metrics/get_case_metrics.ts 
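Review bot: `arraysToEqual` compares object elements by reference: `new Set(array1)` and `array1AsSet.has(item)` only match the very same object instance, so two arrays of structurally equal but distinct objects (which is what the API-response-versus-literal comparisons in the new `get_case_metrics_alerts.ts` test pass in) always yield `false`. The `Set` also collapses duplicates, so `[a, b, b]` against `[a, a, b]` passes the length check and returns `true`. The helper needs a structural comparison that consumes each match once; lodash's `isEqual` is the natural choice if it is available to this file (it is not imported in the visible hunk), otherwise a local deep-equality helper. The docstring should also say that elements are compared structurally once that is the behaviour.
```typescript
export function arraysToEqual(array1?: object[], array2?: object[]) {
  if (!array1 || !array2 || array1.length !== array2.length) {
    return false;
  }

  // Structural comparison, consuming each match once so duplicates must be balanced on both sides.
  // Set#has would only match the identical object instance, which API responses never are.
  const remaining = [...array1];
  return array2.every((item) => {
    const idx = remaining.findIndex((other) => isEqual(item, other));
    if (idx === -1) {
      return false;
    }
    remaining.splice(idx, 1);
    return true;
  });
}
```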
@@ -6,15 +6,9 @@ */ import expect from '@kbn/expect'; -import { getPostCaseRequest, postCommentAlertReq } from '../../../../common/lib/mock'; import { FtrProviderContext } from '../../../../common/ftr_provider_context'; -import { - createCase, - createComment, - deleteAllCaseItems, - getCaseMetrics, -} from '../../../../common/lib/utils'; +import { deleteAllCaseItems, getCaseMetrics } from '../../../../common/lib/utils'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { @@ -66,65 +60,5 @@ export default ({ getService }: FtrProviderContext): void => { expect(errorResponse.message).to.contain('invalid features'); }); }); - - describe('alerts', () => { - afterEach(async () => { - await deleteAllCaseItems(es); - }); - - it('counts the alerts attached to a case in two different comments', async () => { - const theCase = await createCase(supertest, getPostCaseRequest()); - - await createComment({ supertest, caseId: theCase.id, params: postCommentAlertReq }); - await createComment({ - supertest, - caseId: theCase.id, - params: { - ...postCommentAlertReq, - alertId: ['test-id-2', 'test-id-3'], - index: ['test-index-2', 'test-index-2'], - }, - }); - - const metrics = await getCaseMetrics({ - supertest, - caseId: theCase.id, - features: ['alerts.count'], - }); - - expect(metrics).to.eql({ - alerts: { - count: 3, - }, - }); - }); - - it('counts unique alert ids', async () => { - const theCase = await createCase(supertest, getPostCaseRequest()); - - await createComment({ supertest, caseId: theCase.id, params: postCommentAlertReq }); - await createComment({ - supertest, - caseId: theCase.id, - params: { - ...postCommentAlertReq, - alertId: ['test-id-2', 'test-id-2'], - index: ['test-index-2', 'test-index-2'], - }, - }); - - const metrics = await getCaseMetrics({ - supertest, - caseId: theCase.id, - features: ['alerts.count'], - }); - - expect(metrics).to.eql({ - alerts: { - count: 2, - }, - }); - }); - }); }); }; 
diff --git a/x-pack/test/cases_api_integration/security_and_spaces/tests/common/metrics/get_case_metrics_alerts.ts b/x-pack/test/cases_api_integration/security_and_spaces/tests/common/metrics/get_case_metrics_alerts.ts new file mode 100644 index 0000000000000..c711dff7b55a0 --- /dev/null +++ b/x-pack/test/cases_api_integration/security_and_spaces/tests/common/metrics/get_case_metrics_alerts.ts 
@@ -0,0 +1,193 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; +import { getPostCaseRequest, postCommentAlertReq } from '../../../../common/lib/mock'; + +import { FtrProviderContext } from '../../../../common/ftr_provider_context'; +import { + createCase, + createComment, + deleteAllCaseItems, + getCaseMetrics, +} from '../../../../common/lib/utils'; +import { arraysToEqual } from '../../../../common/lib/validation'; + +// eslint-disable-next-line import/no-default-export +export default ({ getService }: FtrProviderContext): void => { + const supertest = getService('supertest'); + const es = getService('es'); + const esArchiver = getService('esArchiver'); + + describe('case alert metrics', () => { + describe('alert details', () => { + let caseId: string; + + before(async () => { + caseId = await createCaseWithAlerts(); + await esArchiver.load('x-pack/test/functional/es_archives/cases/signals/hosts_users'); + }); + + after(async () => { + await esArchiver.unload('x-pack/test/functional/es_archives/cases/signals/hosts_users'); + await deleteAllCaseItems(es); + }); + + it('returns the host metrics', async () => { + const metrics = await getCaseMetrics({ + supertest, + caseId, + features: ['alerts.hosts'], + }); + + expect(metrics.alerts?.hosts?.total).to.be(3); + expect( + arraysToEqual(metrics.alerts?.hosts?.values, [ + { id: '7eb51035-5582-4cb8-9db2-5e71ef09aa5b', name: 'Host-abc', count: 2 }, + { id: '7eb51035-5582-4cb8-9db2-5e71ef09aa5c', name: 'Host-123', count: 2 }, + { id: '7eb51035-5582-4cb8-9db2-5e71ef09aa5d', name: 'Host-100', count: 2 }, + ]) + ); + }); + + it('returns the user metrics', async () => { + const metrics = await getCaseMetrics({ + supertest, + caseId, + features: ['alerts.users'], + }); + + 
expect(metrics.alerts?.users?.total).to.be(4); + expect( + arraysToEqual(metrics.alerts?.users?.values, [ + { name: 'zpxm4rqnze', count: 2 }, + { name: 'llmtcazvyl', count: 1 }, + { name: '7bgwxrbmcu', count: 1 }, + { name: 'jf9e87gsut', count: 1 }, + ]) + ); + }); + + it('returns both the host and user metrics', async () => { + const metrics = await getCaseMetrics({ + supertest, + caseId, + features: ['alerts.users', 'alerts.hosts'], + }); + + expect(metrics.alerts?.hosts?.total).to.be(3); + expect( + arraysToEqual(metrics.alerts?.hosts?.values, [ + { id: '7eb51035-5582-4cb8-9db2-5e71ef09aa5b', name: 'Host-abc', count: 2 }, + { id: '7eb51035-5582-4cb8-9db2-5e71ef09aa5c', name: 'Host-123', count: 2 }, + { id: '7eb51035-5582-4cb8-9db2-5e71ef09aa5d', name: 'Host-100', count: 2 }, + ]) + ); + + expect(metrics.alerts?.users?.total).to.be(4); + expect( + arraysToEqual(metrics.alerts?.users?.values, [ + { name: 'zpxm4rqnze', count: 2 }, + { name: 'llmtcazvyl', count: 1 }, + { name: '7bgwxrbmcu', count: 1 }, + { name: 'jf9e87gsut', count: 1 }, + ]) + ); + }); + }); + + describe('alert count', () => { + afterEach(async () => { + await deleteAllCaseItems(es); + }); + + it('counts the alerts attached to a case in two different comments', async () => { + const theCase = await createCase(supertest, getPostCaseRequest()); + + await createComment({ supertest, caseId: theCase.id, params: postCommentAlertReq }); + await createComment({ + supertest, + caseId: theCase.id, + params: { + ...postCommentAlertReq, + alertId: ['test-id-2', 'test-id-3'], + index: ['test-index-2', 'test-index-2'], + }, + }); + + const metrics = await getCaseMetrics({ + supertest, + caseId: theCase.id, + features: ['alerts.count'], + }); + + expect(metrics).to.eql({ + alerts: { + count: 3, + }, + }); + }); + + it('counts unique alert ids', async () => { + const theCase = await createCase(supertest, getPostCaseRequest()); + + await createComment({ supertest, caseId: theCase.id, params: postCommentAlertReq }); 
+ await createComment({ + supertest, + caseId: theCase.id, + params: { + ...postCommentAlertReq, + alertId: ['test-id-2', 'test-id-2'], + index: ['test-index-2', 'test-index-2'], + }, + }); + + const metrics = await getCaseMetrics({ + supertest, + caseId: theCase.id, + features: ['alerts.count'], + }); + + expect(metrics).to.eql({ + alerts: { + count: 2, + }, + }); + }); + }); + }); + + const createCaseWithAlerts = async (): Promise => { + const theCase = await createCase(supertest, getPostCaseRequest()); + + await createComment({ + supertest, + caseId: theCase.id, + params: { + ...postCommentAlertReq, + alertId: [ + '4679431ee0ba3209b6fcd60a255a696886fe0a7d18f5375de510ff5b68fa6b78', + '1023bcfea939643c5e51fd8df53797e0ea693cee547db579ab56d96402365c1e', + '9c827a73a3469d036ab0c53f1f9fcc746b4e80f89413e764e7753dd492e2cd2a', + 'b4df9f749c046766d6f6f39ee6a7b8dd86fca575f07c49a87d941d822c91a3a2', + '9aae8e19dade1fa14fdb5ec3bbf9d6dab218dae609f123733b5d0f583c0590f1', + '48bdf505176b47705da896fb58bc2070768c072778f5412f162abec2ff6ca67b', + ], + index: [ + '.siem-signals-default-000001', + '.siem-signals-default-000001', + '.siem-signals-default-000001', + '.siem-signals-default-000001', + '.siem-signals-default-000001', + '.siem-signals-default-000001', + ], + }, + }); + + return theCase.id; + }; +}; diff --git a/x-pack/test/functional/es_archives/cases/signals/hosts_users/data.json.gz b/x-pack/test/functional/es_archives/cases/signals/hosts_users/data.json.gz new file mode 100644 index 0000000000000..a85b74a389209 Binary files /dev/null and b/x-pack/test/functional/es_archives/cases/signals/hosts_users/data.json.gz differ diff --git a/x-pack/test/functional/es_archives/cases/signals/hosts_users/mappings.json b/x-pack/test/functional/es_archives/cases/signals/hosts_users/mappings.json new file mode 100644 index 0000000000000..83d67d913f589 --- /dev/null +++ b/x-pack/test/functional/es_archives/cases/signals/hosts_users/mappings.json 
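Review bot: Every `expect(arraysToEqual(...))` call in the 'returns the host metrics', 'returns the user metrics' and 'returns both the host and user metrics' cases has no matcher chained onto it, and `@kbn/expect`'s `expect(value)` on its own asserts nothing, so the `values` arrays of the host and user metrics are never actually checked by these tests; only the `total` assertions are live. Each of those calls needs `.to.be(true)` after the closing parenthesis, e.g. `expect(arraysToEqual(metrics.alerts?.hosts?.values, [ … ])).to.be(true);`. Be aware that once the matcher is added these assertions will fail as `arraysToEqual` stands today, because it compares object elements by identity rather than structurally (raised on the `validation.ts` hunk). The `createCaseWithAlerts` helper is defined after its first use inside `before()`; that is fine for a `const` arrow function because the hook runs later, but a short comment saying so would save the next reader a double-take.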
@@ -0,0 +1,4997 @@ +{ + "type": "index", + "value": { + "aliases": { + ".alerts-security.alerts-default": { + "is_write_index": false + }, + ".siem-signals-default": { + "is_write_index": true + } + }, + "index": ".siem-signals-default-000001", + "mappings": { + "_meta": { + "aliases_version": 1, + "version": 55 + }, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 
1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { 
+ "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "keyword" + }, + "namespace": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + 
"properties": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + 
"properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "doc_values": false, + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, 
+ "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + 
"properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kibana": { + "properties": { + "alert": { + "properties": { + "ancestors": { + "properties": { + "depth": { + "path": "signal.ancestors.depth", + "type": "alias" + }, + "id": { + "path": "signal.ancestors.id", + "type": "alias" + }, + "index": { + "path": "signal.ancestors.index", + "type": "alias" + }, + "type": { + "path": "signal.ancestors.type", + "type": "alias" + } + } + }, + "depth": { + "path": "signal.depth", + "type": "alias" + }, + "original_event": { + "properties": { + "action": { + "path": "signal.original_event.action", + "type": "alias" + }, + "category": { + "path": "signal.original_event.category", + "type": "alias" + }, + "code": { + "path": "signal.original_event.code", + "type": "alias" + }, + "created": { + "path": "signal.original_event.created", + "type": "alias" + }, + "dataset": { + "path": "signal.original_event.dataset", + "type": "alias" + }, + "duration": { + "path": "signal.original_event.duration", + "type": "alias" + }, + "end": { + "path": "signal.original_event.end", + "type": "alias" + }, + "hash": { + "path": "signal.original_event.hash", + "type": "alias" + }, + "id": { + "path": "signal.original_event.id", + "type": "alias" + }, + "kind": { + "path": "signal.original_event.kind", + "type": "alias" + }, + "module": { + "path": "signal.original_event.module", + "type": "alias" + }, + "outcome": { + 
"path": "signal.original_event.outcome", + "type": "alias" + }, + "provider": { + "path": "signal.original_event.provider", + "type": "alias" + }, + "reason": { + "path": "signal.original_event.reason", + "type": "alias" + }, + "risk_score": { + "path": "signal.original_event.risk_score", + "type": "alias" + }, + "risk_score_norm": { + "path": "signal.original_event.risk_score_norm", + "type": "alias" + }, + "sequence": { + "path": "signal.original_event.sequence", + "type": "alias" + }, + "severity": { + "path": "signal.original_event.severity", + "type": "alias" + }, + "start": { + "path": "signal.original_event.start", + "type": "alias" + }, + "timezone": { + "path": "signal.original_event.timezone", + "type": "alias" + }, + "type": { + "path": "signal.original_event.type", + "type": "alias" + } + } + }, + "original_time": { + "path": "signal.original_time", + "type": "alias" + }, + "reason": { + "path": "signal.reason", + "type": "alias" + }, + "risk_score": { + "path": "signal.rule.risk_score", + "type": "alias" + }, + "rule": { + "properties": { + "author": { + "path": "signal.rule.author", + "type": "alias" + }, + "building_block_type": { + "path": "signal.rule.building_block_type", + "type": "alias" + }, + "consumer": { + "type": "constant_keyword", + "value": "siem" + }, + "created_at": { + "path": "signal.rule.created_at", + "type": "alias" + }, + "created_by": { + "path": "signal.rule.created_by", + "type": "alias" + }, + "description": { + "path": "signal.rule.description", + "type": "alias" + }, + "enabled": { + "path": "signal.rule.enabled", + "type": "alias" + }, + "false_positives": { + "path": "signal.rule.false_positives", + "type": "alias" + }, + "from": { + "path": "signal.rule.from", + "type": "alias" + }, + "id": { + "path": "signal.rule.id", + "type": "alias" + }, + "immutable": { + "path": "signal.rule.immutable", + "type": "alias" + }, + "index": { + "path": "signal.rule.index", + "type": "alias" + }, + "interval": { + "path": 
"signal.rule.interval", + "type": "alias" + }, + "language": { + "path": "signal.rule.language", + "type": "alias" + }, + "license": { + "path": "signal.rule.license", + "type": "alias" + }, + "max_signals": { + "path": "signal.rule.max_signals", + "type": "alias" + }, + "name": { + "path": "signal.rule.name", + "type": "alias" + }, + "note": { + "path": "signal.rule.note", + "type": "alias" + }, + "producer": { + "type": "constant_keyword", + "value": "siem" + }, + "query": { + "path": "signal.rule.query", + "type": "alias" + }, + "references": { + "path": "signal.rule.references", + "type": "alias" + }, + "risk_score_mapping": { + "properties": { + "field": { + "path": "signal.rule.risk_score_mapping.field", + "type": "alias" + }, + "operator": { + "path": "signal.rule.risk_score_mapping.operator", + "type": "alias" + }, + "value": { + "path": "signal.rule.risk_score_mapping.value", + "type": "alias" + } + } + }, + "rule_id": { + "path": "signal.rule.rule_id", + "type": "alias" + }, + "rule_name_override": { + "path": "signal.rule.rule_name_override", + "type": "alias" + }, + "rule_type_id": { + "type": "constant_keyword", + "value": "siem.signals" + }, + "saved_id": { + "path": "signal.rule.saved_id", + "type": "alias" + }, + "severity_mapping": { + "properties": { + "field": { + "path": "signal.rule.severity_mapping.field", + "type": "alias" + }, + "operator": { + "path": "signal.rule.severity_mapping.operator", + "type": "alias" + }, + "severity": { + "path": "signal.rule.severity_mapping.severity", + "type": "alias" + }, + "value": { + "path": "signal.rule.severity_mapping.value", + "type": "alias" + } + } + }, + "tags": { + "path": "signal.rule.tags", + "type": "alias" + }, + "threat": { + "properties": { + "framework": { + "path": "signal.rule.threat.framework", + "type": "alias" + }, + "tactic": { + "properties": { + "id": { + "path": "signal.rule.threat.tactic.id", + "type": "alias" + }, + "name": { + "path": "signal.rule.threat.tactic.name", + "type": 
"alias" + }, + "reference": { + "path": "signal.rule.threat.tactic.reference", + "type": "alias" + } + } + }, + "technique": { + "properties": { + "id": { + "path": "signal.rule.threat.technique.id", + "type": "alias" + }, + "name": { + "path": "signal.rule.threat.technique.name", + "type": "alias" + }, + "reference": { + "path": "signal.rule.threat.technique.reference", + "type": "alias" + }, + "subtechnique": { + "properties": { + "id": { + "path": "signal.rule.threat.technique.subtechnique.id", + "type": "alias" + }, + "name": { + "path": "signal.rule.threat.technique.subtechnique.name", + "type": "alias" + }, + "reference": { + "path": "signal.rule.threat.technique.subtechnique.reference", + "type": "alias" + } + } + } + } + } + } + }, + "threat_index": { + "path": "signal.rule.threat_index", + "type": "alias" + }, + "threat_indicator_path": { + "path": "signal.rule.threat_indicator_path", + "type": "alias" + }, + "threat_language": { + "path": "signal.rule.threat_language", + "type": "alias" + }, + "threat_mapping": { + "properties": { + "entries": { + "properties": { + "field": { + "path": "signal.rule.threat_mapping.entries.field", + "type": "alias" + }, + "type": { + "path": "signal.rule.threat_mapping.entries.type", + "type": "alias" + }, + "value": { + "path": "signal.rule.threat_mapping.entries.value", + "type": "alias" + } + } + } + } + }, + "threat_query": { + "path": "signal.rule.threat_query", + "type": "alias" + }, + "threshold": { + "properties": { + "field": { + "path": "signal.rule.threshold.field", + "type": "alias" + }, + "value": { + "path": "signal.rule.threshold.value", + "type": "alias" + } + } + }, + "timeline_id": { + "path": "signal.rule.timeline_id", + "type": "alias" + }, + "timeline_title": { + "path": "signal.rule.timeline_title", + "type": "alias" + }, + "to": { + "path": "signal.rule.to", + "type": "alias" + }, + "type": { + "path": "signal.rule.type", + "type": "alias" + }, + "updated_at": { + "path": "signal.rule.updated_at", + 
"type": "alias" + }, + "updated_by": { + "path": "signal.rule.updated_by", + "type": "alias" + }, + "version": { + "path": "signal.rule.version", + "type": "alias" + } + } + }, + "severity": { + "path": "signal.rule.severity", + "type": "alias" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "path": "signal.threshold_result.cardinality.field", + "type": "alias" + }, + "value": { + "path": "signal.threshold_result.cardinality.value", + "type": "alias" + } + } + }, + "count": { + "path": "signal.threshold_result.count", + "type": "alias" + }, + "from": { + "path": "signal.threshold_result.from", + "type": "alias" + }, + "terms": { + "properties": { + "field": { + "path": "signal.threshold_result.terms.field", + "type": "alias" + }, + "value": { + "path": "signal.threshold_result.terms.value", + "type": "alias" + } + } + } + } + }, + "workflow_status": { + "path": "signal.status", + "type": "alias" + } + } + }, + "space_ids": { + "type": "constant_keyword", + "value": "default" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "integer" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 
1024, + "type": "keyword" + } + } + } + } + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "signal": { + "properties": { + "_meta": { + "properties": { + "version": { + "type": "long" + } + } + }, + "ancestors": { + "properties": { + "depth": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "rule": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "depth": { + "type": "integer" + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "index": { + "type": "integer" + } + } + }, + "original_event": { + "properties": { + "action": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "code": { + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "kind": { + "type": "keyword" + }, + "module": { + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "type": "keyword" + }, + "provider": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "original_signal": { + "dynamic": "false", + "enabled": false, + "type": "object" + }, + "original_time": { + "type": "date" + }, + "parent": { + "properties": { + "depth": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": 
"keyword" + }, + "rule": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "parents": { + "properties": { + "depth": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "rule": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "reason": { + "type": "keyword" + }, + "rule": { + "properties": { + "author": { + "type": "keyword" + }, + "building_block_type": { + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "created_by": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "enabled": { + "type": "keyword" + }, + "false_positives": { + "type": "keyword" + }, + "filters": { + "type": "object" + }, + "from": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "immutable": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "interval": { + "type": "keyword" + }, + "language": { + "type": "keyword" + }, + "license": { + "type": "keyword" + }, + "max_signals": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "note": { + "type": "text" + }, + "output_index": { + "type": "keyword" + }, + "query": { + "type": "keyword" + }, + "references": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_mapping": { + "properties": { + "field": { + "type": "keyword" + }, + "operator": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "rule_id": { + "type": "keyword" + }, + "rule_name_override": { + "type": "keyword" + }, + "saved_id": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "severity_mapping": { + "properties": { + "field": { + "type": "keyword" + }, + "operator": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "size": { + "type": "keyword" + }, + "tags": { + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "type": "keyword" + }, + "tactic": 
{ + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + } + } + } + }, + "threat_filters": { + "type": "object" + }, + "threat_index": { + "type": "keyword" + }, + "threat_indicator_path": { + "type": "keyword" + }, + "threat_language": { + "type": "keyword" + }, + "threat_mapping": { + "properties": { + "entries": { + "properties": { + "field": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + } + } + }, + "threat_query": { + "type": "keyword" + }, + "threshold": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "float" + } + } + }, + "timeline_id": { + "type": "keyword" + }, + "timeline_title": { + "type": "keyword" + }, + "timestamp_override": { + "type": "keyword" + }, + "to": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "updated_at": { + "type": "date" + }, + "updated_by": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "status": { + "type": "keyword" + }, + "threshold_count": { + "type": "float" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "long" + } + } + }, + "count": { + "type": "long" + }, + "from": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + } + } + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + 
"properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" 
+ } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "wildcard" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" 
+ }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "tactic": { 
+ "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": 
"keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 
1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "settings": { + "index": { + "lifecycle": { + "name": ".siem-signals-default", + "rollover_alias": ".siem-signals-default" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "number_of_replicas": "1", + "number_of_shards": "1" + } + } + } +} \ No newline at end of file