[Security Solution] ECS 1.11 Signal Mappings (#108764)

* Update signals mappings to include ECS 1.11

* Ensures no constant_keyword mappings
* Bumps index version by 1, since it was already bumped by 10 for 7.15
  in #106049

* Remove threat.indicator mappings from signals indices

Until the old, 7.14 enrichment mappings (which define threat.indicator
as nested) are in our rearview, we cannot add the official, non-nested
threat.indicator mappings as they'll conflict.
Ryland Herrick 2021-08-17 13:22:21 -05:00 committed by GitHub
parent e80c093c94
commit d50988443e
4 changed files with 1501 additions and 1362 deletions


@ -14,7 +14,7 @@ Object {
"mappings": Object {
"_meta": Object {
"aliases_version": 1,
"version": 56,
"version": 57,
},
"dynamic": false,
"properties": Object {
@ -769,7 +769,6 @@ Object {
"type": "text",
},
},
"ignore_above": 1024,
"index": false,
"type": "keyword",
},
@ -785,6 +784,10 @@ Object {
"ignore_above": 1024,
"type": "keyword",
},
"agent_id_status": Object {
"ignore_above": 1024,
"type": "keyword",
},
"category": Object {
"ignore_above": 1024,
"type": "keyword",
@ -827,7 +830,6 @@ Object {
},
"original": Object {
"doc_values": false,
"ignore_above": 1024,
"index": false,
"type": "keyword",
},
@ -932,6 +934,123 @@ Object {
"ignore_above": 1,
"type": "keyword",
},
"elf": Object {
"properties": Object {
"architecture": Object {
"ignore_above": 1024,
"type": "keyword",
},
"byte_order": Object {
"ignore_above": 1024,
"type": "keyword",
},
"cpu_type": Object {
"ignore_above": 1024,
"type": "keyword",
},
"creation_date": Object {
"type": "date",
},
"exports": Object {
"type": "flattened",
},
"header": Object {
"properties": Object {
"abi_version": Object {
"ignore_above": 1024,
"type": "keyword",
},
"class": Object {
"ignore_above": 1024,
"type": "keyword",
},
"data": Object {
"ignore_above": 1024,
"type": "keyword",
},
"entrypoint": Object {
"type": "long",
},
"object_version": Object {
"ignore_above": 1024,
"type": "keyword",
},
"os_abi": Object {
"ignore_above": 1024,
"type": "keyword",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
"version": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
"imports": Object {
"type": "flattened",
},
"sections": Object {
"properties": Object {
"chi2": Object {
"type": "long",
},
"entropy": Object {
"type": "long",
},
"flags": Object {
"ignore_above": 1024,
"type": "keyword",
},
"name": Object {
"ignore_above": 1024,
"type": "keyword",
},
"physical_offset": Object {
"ignore_above": 1024,
"type": "keyword",
},
"physical_size": Object {
"type": "long",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
"virtual_address": Object {
"type": "long",
},
"virtual_size": Object {
"type": "long",
},
},
"type": "nested",
},
"segments": Object {
"properties": Object {
"sections": Object {
"ignore_above": 1024,
"type": "keyword",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
"type": "nested",
},
"shared_libraries": Object {
"ignore_above": 1024,
"type": "keyword",
},
"telfhash": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
"extension": Object {
"ignore_above": 1024,
"type": "keyword",
@ -1997,7 +2116,6 @@ Object {
},
"original": Object {
"doc_values": false,
"ignore_above": 1024,
"index": false,
"type": "keyword",
},
@ -2547,6 +2665,123 @@ Object {
"ignore_above": 1024,
"type": "keyword",
},
"elf": Object {
"properties": Object {
"architecture": Object {
"ignore_above": 1024,
"type": "keyword",
},
"byte_order": Object {
"ignore_above": 1024,
"type": "keyword",
},
"cpu_type": Object {
"ignore_above": 1024,
"type": "keyword",
},
"creation_date": Object {
"type": "date",
},
"exports": Object {
"type": "flattened",
},
"header": Object {
"properties": Object {
"abi_version": Object {
"ignore_above": 1024,
"type": "keyword",
},
"class": Object {
"ignore_above": 1024,
"type": "keyword",
},
"data": Object {
"ignore_above": 1024,
"type": "keyword",
},
"entrypoint": Object {
"type": "long",
},
"object_version": Object {
"ignore_above": 1024,
"type": "keyword",
},
"os_abi": Object {
"ignore_above": 1024,
"type": "keyword",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
"version": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
"imports": Object {
"type": "flattened",
},
"sections": Object {
"properties": Object {
"chi2": Object {
"type": "long",
},
"entropy": Object {
"type": "long",
},
"flags": Object {
"ignore_above": 1024,
"type": "keyword",
},
"name": Object {
"ignore_above": 1024,
"type": "keyword",
},
"physical_offset": Object {
"ignore_above": 1024,
"type": "keyword",
},
"physical_size": Object {
"type": "long",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
"virtual_address": Object {
"type": "long",
},
"virtual_size": Object {
"type": "long",
},
},
"type": "nested",
},
"segments": Object {
"properties": Object {
"sections": Object {
"ignore_above": 1024,
"type": "keyword",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
"type": "nested",
},
"shared_libraries": Object {
"ignore_above": 1024,
"type": "keyword",
},
"telfhash": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
"entity_id": Object {
"ignore_above": 1024,
"type": "keyword",
@ -2646,6 +2881,123 @@ Object {
"ignore_above": 1024,
"type": "keyword",
},
"elf": Object {
"properties": Object {
"architecture": Object {
"ignore_above": 1024,
"type": "keyword",
},
"byte_order": Object {
"ignore_above": 1024,
"type": "keyword",
},
"cpu_type": Object {
"ignore_above": 1024,
"type": "keyword",
},
"creation_date": Object {
"type": "date",
},
"exports": Object {
"type": "flattened",
},
"header": Object {
"properties": Object {
"abi_version": Object {
"ignore_above": 1024,
"type": "keyword",
},
"class": Object {
"ignore_above": 1024,
"type": "keyword",
},
"data": Object {
"ignore_above": 1024,
"type": "keyword",
},
"entrypoint": Object {
"type": "long",
},
"object_version": Object {
"ignore_above": 1024,
"type": "keyword",
},
"os_abi": Object {
"ignore_above": 1024,
"type": "keyword",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
"version": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
"imports": Object {
"type": "flattened",
},
"sections": Object {
"properties": Object {
"chi2": Object {
"type": "long",
},
"entropy": Object {
"type": "long",
},
"flags": Object {
"ignore_above": 1024,
"type": "keyword",
},
"name": Object {
"ignore_above": 1024,
"type": "keyword",
},
"physical_offset": Object {
"ignore_above": 1024,
"type": "keyword",
},
"physical_size": Object {
"type": "long",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
"virtual_address": Object {
"type": "long",
},
"virtual_size": Object {
"type": "long",
},
},
"type": "nested",
},
"segments": Object {
"properties": Object {
"sections": Object {
"ignore_above": 1024,
"type": "keyword",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
"type": "nested",
},
"shared_libraries": Object {
"ignore_above": 1024,
"type": "keyword",
},
"telfhash": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
"entity_id": Object {
"ignore_above": 1024,
"type": "keyword",
@ -3809,7 +4161,8 @@ Object {
"type": "text",
},
},
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
},
},
@ -3880,7 +4233,8 @@ Object {
"type": "keyword",
},
"directory": Object {
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"drive_letter": Object {
"ignore_above": 1,
@ -4045,7 +4399,8 @@ Object {
"type": "text",
},
},
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"size": Object {
"type": "long",
@ -4057,7 +4412,8 @@ Object {
"type": "text",
},
},
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"type": Object {
"ignore_above": 1024,
@ -4098,7 +4454,8 @@ Object {
"type": "geo_point",
},
"name": Object {
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"postal_code": Object {
"ignore_above": 1024,
@ -4165,94 +4522,23 @@ Object {
"ignore_above": 1024,
"type": "keyword",
},
"authentihash": Object {
"ignore_above": 1024,
"type": "keyword",
},
"company": Object {
"ignore_above": 1024,
"type": "keyword",
},
"compile_timestamp": Object {
"type": "date",
},
"compiler": Object {
"properties": Object {
"name": Object {
"ignore_above": 1024,
"type": "keyword",
},
"version": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
"creation_date": Object {
"type": "date",
},
"debug": Object {
"properties": Object {
"offset": Object {
"ignore_above": 1024,
"type": "keyword",
},
"size": Object {
"type": "long",
},
"timestamp": Object {
"type": "date",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
"type": "nested",
},
"description": Object {
"ignore_above": 1024,
"type": "keyword",
},
"entry_point": Object {
"ignore_above": 1024,
"type": "keyword",
},
"exports": Object {
"ignore_above": 1024,
"type": "keyword",
},
"file_version": Object {
"ignore_above": 1024,
"type": "keyword",
},
"icon": Object {
"properties": Object {
"hash": Object {
"properties": Object {
"dhash": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
},
},
"imphash": Object {
"ignore_above": 1024,
"type": "keyword",
},
"imports": Object {
"type": "flattened",
},
"machine_type": Object {
"ignore_above": 1024,
"type": "keyword",
},
"original_file_name": Object {
"type": "wildcard",
},
"packers": Object {
"ignore_above": 1024,
"type": "keyword",
},
@ -4260,70 +4546,6 @@ Object {
"ignore_above": 1024,
"type": "keyword",
},
"resources": Object {
"properties": Object {
"chi2": Object {
"type": "long",
},
"entropy": Object {
"type": "long",
},
"filetype": Object {
"ignore_above": 1024,
"type": "keyword",
},
"language": Object {
"ignore_above": 1024,
"type": "keyword",
},
"sha256": Object {
"ignore_above": 1024,
"type": "keyword",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
"type": "nested",
},
"rich_header": Object {
"properties": Object {
"hash": Object {
"properties": Object {
"md5": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
},
},
"sections": Object {
"properties": Object {
"chi2": Object {
"type": "long",
},
"entropy": Object {
"type": "float",
},
"flags": Object {
"ignore_above": 1024,
"type": "keyword",
},
"name": Object {
"ignore_above": 1024,
"type": "keyword",
},
"raw_size": Object {
"type": "long",
},
"virtual_address": Object {
"type": "long",
},
},
"type": "nested",
},
},
},
"port": Object {
@ -4346,7 +4568,8 @@ Object {
"type": "keyword",
},
"strings": Object {
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"type": Object {
"ignore_above": 1024,
@ -4359,10 +4582,12 @@ Object {
"type": "keyword",
},
"key": Object {
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"path": Object {
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"value": Object {
"ignore_above": 1024,
@ -4383,7 +4608,8 @@ Object {
"url": Object {
"properties": Object {
"domain": Object {
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"extension": Object {
"ignore_above": 1024,
@ -4400,7 +4626,8 @@ Object {
"type": "text",
},
},
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"original": Object {
"fields": Object {
@ -4409,14 +4636,16 @@ Object {
"type": "text",
},
},
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"password": Object {
"ignore_above": 1024,
"type": "keyword",
},
"path": Object {
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"port": Object {
"type": "long",
@ -4426,7 +4655,8 @@ Object {
"type": "keyword",
},
"registered_domain": Object {
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"scheme": Object {
"ignore_above": 1024,
@ -4463,7 +4693,8 @@ Object {
"type": "keyword",
},
"distinguished_name": Object {
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"locality": Object {
"ignore_above": 1024,
@ -4524,7 +4755,8 @@ Object {
"type": "keyword",
},
"distinguished_name": Object {
"type": "wildcard",
"ignore_above": 1024,
"type": "keyword",
},
"locality": Object {
"ignore_above": 1024,
@ -4577,206 +4809,6 @@ Object {
},
},
},
"pe": Object {
"properties": Object {
"architecture": Object {
"ignore_above": 1024,
"type": "keyword",
},
"authentihash": Object {
"ignore_above": 1024,
"type": "keyword",
},
"company": Object {
"ignore_above": 1024,
"type": "keyword",
},
"compile_timestamp": Object {
"type": "date",
},
"compiler": Object {
"properties": Object {
"name": Object {
"ignore_above": 1024,
"type": "keyword",
},
"version": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
"creation_date": Object {
"type": "date",
},
"debug": Object {
"properties": Object {
"offset": Object {
"ignore_above": 1024,
"type": "keyword",
},
"size": Object {
"type": "long",
},
"timestamp": Object {
"type": "date",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
"type": "nested",
},
"description": Object {
"ignore_above": 1024,
"type": "keyword",
},
"entry_point": Object {
"ignore_above": 1024,
"type": "keyword",
},
"exports": Object {
"ignore_above": 1024,
"type": "keyword",
},
"file_version": Object {
"ignore_above": 1024,
"type": "keyword",
},
"icon": Object {
"properties": Object {
"hash": Object {
"properties": Object {
"dhash": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
},
},
"imphash": Object {
"ignore_above": 1024,
"type": "keyword",
},
"imports": Object {
"type": "flattened",
},
"machine_type": Object {
"ignore_above": 1024,
"type": "keyword",
},
"original_file_name": Object {
"type": "wildcard",
},
"packers": Object {
"ignore_above": 1024,
"type": "keyword",
},
"product": Object {
"ignore_above": 1024,
"type": "keyword",
},
"resources": Object {
"properties": Object {
"chi2": Object {
"type": "long",
},
"entropy": Object {
"type": "long",
},
"filetype": Object {
"ignore_above": 1024,
"type": "keyword",
},
"language": Object {
"ignore_above": 1024,
"type": "keyword",
},
"sha256": Object {
"ignore_above": 1024,
"type": "keyword",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
"type": "nested",
},
"rich_header": Object {
"properties": Object {
"hash": Object {
"properties": Object {
"md5": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
},
},
"sections": Object {
"properties": Object {
"chi2": Object {
"type": "long",
},
"entropy": Object {
"type": "float",
},
"flags": Object {
"ignore_above": 1024,
"type": "keyword",
},
"name": Object {
"ignore_above": 1024,
"type": "keyword",
},
"raw_size": Object {
"type": "long",
},
"virtual_address": Object {
"type": "long",
},
},
"type": "nested",
},
},
},
"registry": Object {
"properties": Object {
"data": Object {
"properties": Object {
"bytes": Object {
"ignore_above": 1024,
"type": "keyword",
},
"strings": Object {
"type": "wildcard",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
"hive": Object {
"ignore_above": 1024,
"type": "keyword",
},
"key": Object {
"type": "wildcard",
},
"path": Object {
"type": "wildcard",
},
"value": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
},
"type": "nested",
},
@ -4784,6 +4816,50 @@ Object {
"ignore_above": 1024,
"type": "keyword",
},
"group": Object {
"properties": Object {
"alias": Object {
"ignore_above": 1024,
"type": "keyword",
},
"id": Object {
"ignore_above": 1024,
"type": "keyword",
},
"name": Object {
"ignore_above": 1024,
"type": "keyword",
},
"reference": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
"software": Object {
"properties": Object {
"id": Object {
"ignore_above": 1024,
"type": "keyword",
},
"name": Object {
"ignore_above": 1024,
"type": "keyword",
},
"platforms": Object {
"ignore_above": 1024,
"type": "keyword",
},
"reference": Object {
"ignore_above": 1024,
"type": "keyword",
},
"type": Object {
"ignore_above": 1024,
"type": "keyword",
},
},
},
"tactic": Object {
"properties": Object {
"id": Object {
@ -5684,6 +5760,6 @@ Object {
},
},
},
"version": 56,
"version": 57,
}
`;


@ -29,7 +29,7 @@ import aadFieldConversion from './signal_aad_mapping.json';
incremented by 10 in order to add "room" for the aforementioned patch
release
*/
export const SIGNALS_TEMPLATE_VERSION = 56;
export const SIGNALS_TEMPLATE_VERSION = 57;
/**
@constant
@type {number}
@ -74,15 +74,6 @@ export const getSignalsTemplate = (index: string, spaceId: string, aadIndexAlias
...fieldAliases,
...getRbacRequiredFields(spaceId),
signal: signalsMapping.mappings.properties.signal,
threat: {
...ecsMapping.mappings.properties.threat,
properties: {
...ecsMapping.mappings.properties.threat.properties,
enrichments: {
...otherMapping.mappings.properties.threat.properties.enrichments,
},
},
},
},
_meta: {
version: SIGNALS_TEMPLATE_VERSION,
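Review bot: Dropping the `threat` override (the block that spread `otherMapping.mappings.properties.threat.properties.enrichments` over the ECS `threat` properties) leaves no trace in getSignalsTemplate of why `threat.enrichments` is no longer mapped, and since the snapshot on this page shows the template is `dynamic: false`, documents carrying `threat.enrichments.indicator.*` fields into a version-57 index will presumably be stored but not indexed or searchable — worth confirming against whatever queries those enrichment fields. A short comment next to `signal: signalsMapping.mappings.properties.signal,` would keep the reasoning from the commit message in the code, e.g. `// threat.enrichments is intentionally not merged: the 7.14 nested threat.indicator mapping conflicts with ECS 1.11's non-nested definition (#108764)`. Whether `threat` still reaches the template through an earlier spread of the ECS mapping is outside this hunk, as is the start of getSignalsTemplate.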


@ -178,999 +178,6 @@
}
}
},
"threat": {
"properties": {
"enrichments": {
"properties": {
"indicator": {
"properties": {
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "wildcard"
}
}
}
}
},
"confidence": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"file": {
"properties": {
"accessed": {
"type": "date"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"code_signature": {
"properties": {
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"created": {
"type": "date"
},
"ctime": {
"type": "date"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"directory": {
"type": "wildcard"
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword"
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
},
"type": "nested"
},
"segments": {
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"inode": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"mtime": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "wildcard"
},
"size": {
"type": "long"
},
"target_path": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"first_seen": {
"type": "date"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"type": "wildcard"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"last_seen": {
"type": "date"
},
"marking": {
"properties": {
"tlp": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"modified_at": {
"type": "date"
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"authentihash": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"compile_timestamp": {
"type": "date"
},
"compiler": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"creation_date": {
"type": "date"
},
"debug": {
"properties": {
"offset": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"timestamp": {
"type": "date"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"entry_point": {
"ignore_above": 1024,
"type": "keyword"
},
"exports": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"icon": {
"properties": {
"hash": {
"properties": {
"dhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"imports": {
"type": "flattened"
},
"machine_type": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"type": "wildcard"
},
"packers": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"resources": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"filetype": {
"ignore_above": 1024,
"type": "keyword"
},
"language": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"rich_header": {
"properties": {
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "float"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"raw_size": {
"type": "long"
},
"virtual_address": {
"type": "long"
}
},
"type": "nested"
}
}
},
"port": {
"type": "long"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"registry": {
"properties": {
"data": {
"properties": {
"bytes": {
"ignore_above": 1024,
"type": "keyword"
},
"strings": {
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"type": "wildcard"
},
"path": {
"type": "wildcard"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scanner_stats": {
"type": "long"
},
"sightings": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"properties": {
"domain": {
"type": "wildcard"
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fragment": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "wildcard"
},
"original": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "wildcard"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"type": "wildcard"
},
"port": {
"type": "long"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"type": "wildcard"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"type": "wildcard"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
"index": false,
"type": "long"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"type": "wildcard"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
},
"matched": {
"properties": {
"atomic": {
"ignore_above": 1024,
"type": "keyword"
},
"field": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"index": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"authentihash": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"compile_timestamp": {
"type": "date"
},
"compiler": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"creation_date": {
"type": "date"
},
"debug": {
"properties": {
"offset": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"timestamp": {
"type": "date"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"entry_point": {
"ignore_above": 1024,
"type": "keyword"
},
"exports": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"icon": {
"properties": {
"hash": {
"properties": {
"dhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"imports": {
"type": "flattened"
},
"machine_type": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"type": "wildcard"
},
"packers": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"resources": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"filetype": {
"ignore_above": 1024,
"type": "keyword"
},
"language": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"rich_header": {
"properties": {
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "float"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"raw_size": {
"type": "long"
},
"virtual_address": {
"type": "long"
}
},
"type": "nested"
}
}
},
"registry": {
"properties": {
"data": {
"properties": {
"bytes": {
"ignore_above": 1024,
"type": "keyword"
},
"strings": {
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"type": "wildcard"
},
"path": {
"type": "wildcard"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "nested"
}
}
},
"vlan": {
"properties": {
"id": {