From 100964235ba19fa9d98045c2f5881728239b2a9f Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Thu, 13 Jan 2022 18:21:03 -0600 Subject: [PATCH] Generate ECS fieldmap from ECS 8.0 This is the result of running the generate_ecs_fieldmap script against ECS' 8.0 branch. --- .../common/assets/field_maps/ecs_field_map.ts | 3220 ++++++++++++++--- 1 file changed, 2735 insertions(+), 485 deletions(-) diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts index 114d54eb7b4bb5..2da6ec1f9ecf50 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts @@ -75,6 +75,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'client.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, 'client.geo.continent_name': { type: 'keyword', array: false, @@ -100,6 +105,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'client.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, 'client.geo.region_iso_code': { type: 'keyword', array: false, @@ -110,6 +120,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'client.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, 'client.ip': { type: 'ip', array: false, @@ -235,6 +250,61 @@ export const ecsFieldMap = { array: false, required: false, }, + 'cloud.origin.account.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.account.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.availability_zone': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.instance.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.instance.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.machine.type': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.project.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.project.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.region': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.service.name': { + type: 'keyword', + array: false, + required: false, + }, 'cloud.project.id': { type: 'keyword', array: false, @@ -255,6 +325,66 @@ export const ecsFieldMap = { array: false, required: false, }, + 'cloud.service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.account.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.account.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.availability_zone': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.instance.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.instance.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.machine.type': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.project.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.project.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.region': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.service.name': { + type: 'keyword', + array: false, + required: false, + }, 'container.id': { type: 'keyword', array: false, @@ -285,6 +415,21 @@ export const ecsFieldMap = { array: false, required: false, }, + 'data_stream.dataset': { + type: 'constant_keyword', + array: false, + required: false, + }, + 'data_stream.namespace': { + type: 'constant_keyword', + array: false, + required: false, + }, + 'data_stream.type': { + type: 'constant_keyword', + array: false, + required: false, + }, 'destination.address': { type: 'keyword', array: false, @@ -315,6 +460,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'destination.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, 'destination.geo.continent_name': { type: 'keyword', array: false, @@ -340,6 +490,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'destination.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, 'destination.geo.region_iso_code': { type: 'keyword', array: false, @@ -350,6 +505,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'destination.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, 'destination.ip': { type: 'ip', array: false, @@ -445,11 +605,21 @@ export const ecsFieldMap = { array: true, required: false, }, + 'dll.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, 'dll.code_signature.exists': { type: 'boolean', array: false, required: false, }, + 'dll.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, 'dll.code_signature.status': { type: 'keyword', array: false, @@ -460,6 +630,16 @@ export const ecsFieldMap = { array: false, required: false, }, + 'dll.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, 'dll.code_signature.trusted': { type: 'boolean', array: false, @@ -490,6 +670,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'dll.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, 'dll.name': { type: 'keyword', array: false, @@ -641,12 +826,12 @@ export const ecsFieldMap = { required: false, }, 'error.message': { - type: 'text', + type: 'match_only_text', array: false, required: false, }, 'error.stack_trace': { - type: 'keyword', + type: 'wildcard', array: false, required: false, }, @@ -785,6 +970,31 @@ export const ecsFieldMap = { array: false, required: false, }, + 'faas.coldstart': { + type: 'boolean', + array: false, + required: false, + }, + 'faas.execution': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.trigger': { + type: 'nested', + array: false, + required: false, + }, + 'faas.trigger.request_id': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.trigger.type': { + type: 'keyword', + array: false, + required: false, + }, 'file.accessed': { type: 'date', array: false, @@ -795,11 +1005,21 @@ export const ecsFieldMap = { array: true, required: false, }, + 'file.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, 'file.code_signature.exists': { type: 'boolean', array: false, required: false, }, + 'file.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, 'file.code_signature.status': { type: 'keyword', array: false, @@ -810,6 +1030,16 @@ export const ecsFieldMap = { array: false, required: false, }, + 'file.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, 'file.code_signature.trusted': { type: 'boolean', array: false, @@ -845,164 +1075,319 @@ export const ecsFieldMap = { array: false, required: false, }, - 'file.extension': { + 'file.elf.architecture': { type: 'keyword', array: false, required: false, }, - 'file.gid': { + 'file.elf.byte_order': { type: 'keyword', array: false, required: false, }, - 'file.group': { + 'file.elf.cpu_type': { type: 'keyword', array: false, required: false, }, - 'file.hash.md5': { - type: 'keyword', + 'file.elf.creation_date': { + type: 'date', array: false, required: false, }, - 'file.hash.sha1': { - type: 'keyword', - array: false, + 'file.elf.exports': { + type: 'flattened', + array: true, required: false, }, - 'file.hash.sha256': { + 'file.elf.header.abi_version': { type: 'keyword', array: false, required: false, }, - 'file.hash.sha512': { + 'file.elf.header.class': { type: 'keyword', array: false, required: false, }, - 'file.inode': { + 'file.elf.header.data': { type: 'keyword', array: false, required: false, }, - 'file.mime_type': { - type: 'keyword', + 'file.elf.header.entrypoint': { + type: 'long', array: false, required: false, }, - 'file.mode': { + 'file.elf.header.object_version': { type: 'keyword', array: false, required: false, }, - 'file.mtime': { - type: 'date', + 'file.elf.header.os_abi': { + type: 'keyword', array: false, required: false, }, - 'file.name': { + 'file.elf.header.type': { type: 'keyword', array: false, required: false, }, - 'file.owner': { + 'file.elf.header.version': { type: 'keyword', array: false, required: false, }, - 'file.path': { - type: 'keyword', - array: false, + 'file.elf.imports': { + type: 'flattened', + array: true, required: false, }, - 'file.pe.architecture': { - type: 'keyword', + 'file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'file.elf.sections.chi2': { + type: 'long', array: false, required: false, }, - 'file.pe.company': { - type: 'keyword', + 'file.elf.sections.entropy': { + type: 'long', array: false, required: false, }, - 'file.pe.description': { + 'file.elf.sections.flags': { type: 'keyword', array: false, required: false, }, - 'file.pe.file_version': { + 'file.elf.sections.name': { type: 'keyword', array: false, required: false, }, - 'file.pe.imphash': { + 'file.elf.sections.physical_offset': { type: 'keyword', array: false, required: false, }, - 'file.pe.original_file_name': { - type: 'keyword', + 'file.elf.sections.physical_size': { + type: 'long', array: false, required: false, }, - 'file.pe.product': { + 'file.elf.sections.type': { type: 'keyword', array: false, required: false, }, - 'file.size': { + 'file.elf.sections.virtual_address': { type: 'long', array: false, required: false, }, - 'file.target_path': { - type: 'keyword', + 'file.elf.sections.virtual_size': { + type: 'long', array: false, required: false, }, - 'file.type': { - type: 'keyword', - array: false, + 'file.elf.segments': { + type: 'nested', + array: true, required: false, }, - 'file.uid': { + 'file.elf.segments.sections': { type: 'keyword', array: false, required: false, }, - 'file.x509.alternative_names': { + 'file.elf.segments.type': { type: 'keyword', - array: true, + array: false, required: false, }, - 'file.x509.issuer.common_name': { + 'file.elf.shared_libraries': { type: 'keyword', array: true, required: false, }, - 'file.x509.issuer.country': { + 'file.elf.telfhash': { type: 'keyword', - array: true, + array: false, required: false, }, - 'file.x509.issuer.distinguished_name': { + 'file.extension': { type: 'keyword', array: false, required: false, }, - 'file.x509.issuer.locality': { + 'file.fork_name': { type: 'keyword', - array: true, + array: false, required: false, }, - 'file.x509.issuer.organization': { + 'file.gid': { type: 'keyword', - array: true, + array: false, required: false, }, - 'file.x509.issuer.organizational_unit': { + 'file.group': { type: 'keyword', - array: true, + array: false, + required: false, + }, + 'file.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'file.inode': { + type: 'keyword', + array: false, + required: false, + }, + 'file.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.mode': { + type: 'keyword', + array: false, + required: false, + }, + 'file.mtime': { + type: 'date', + array: false, + required: false, + }, + 'file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.owner': { + type: 'keyword', + array: false, + required: false, + }, + 'file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'file.size': { + type: 'long', + array: false, + required: false, + }, + 'file.target_path': { + type: 'keyword', + array: false, + required: false, + }, + 'file.type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.uid': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, required: false, }, 'file.x509.issuer.state_or_province': { @@ -1110,6 +1495,21 @@ export const ecsFieldMap = { array: false, required: false, }, + 'host.cpu.usage': { + type: 'scaled_float', + array: false, + required: false, + }, + 'host.disk.read.bytes': { + type: 'long', + array: false, + required: false, + }, + 'host.disk.write.bytes': { + type: 'long', + array: false, + required: false, + }, 'host.domain': { type: 'keyword', array: false, @@ -1120,6 +1520,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'host.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, 'host.geo.continent_name': { type: 'keyword', array: false, @@ -1145,6 +1550,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'host.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, 'host.geo.region_iso_code': { type: 'keyword', array: false, @@ -1155,6 +1565,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'host.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, 'host.hostname': { type: 'keyword', array: false, @@ -1180,108 +1595,78 @@ export const ecsFieldMap = { array: false, required: false, }, - 'host.os.family': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.full': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.kernel': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.name': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.platform': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.type': { - type: 'keyword', + 'host.network.egress.bytes': { + type: 'long', array: false, required: false, }, - 'host.os.version': { - type: 'keyword', + 'host.network.egress.packets': { + type: 'long', array: false, required: false, }, - 'host.type': { - type: 'keyword', + 'host.network.ingress.bytes': { + type: 'long', array: false, required: false, }, - 'host.uptime': { + 'host.network.ingress.packets': { type: 'long', array: false, required: false, }, - 'host.user.domain': { + 'host.os.family': { type: 'keyword', array: false, required: false, }, - 'host.user.email': { + 'host.os.full': { type: 'keyword', array: false, required: false, }, - 'host.user.full_name': { + 'host.os.kernel': { type: 'keyword', array: false, required: false, }, - 'host.user.group.domain': { + 'host.os.name': { type: 'keyword', array: false, required: false, }, - 'host.user.group.id': { + 'host.os.platform': { type: 'keyword', array: false, required: false, }, - 'host.user.group.name': { + 'host.os.type': { type: 'keyword', array: false, required: false, }, - 'host.user.hash': { + 'host.os.version': { type: 'keyword', array: false, required: false, }, - 'host.user.id': { + 'host.type': { type: 'keyword', array: false, required: false, }, - 'host.user.name': { - type: 'keyword', + 'host.uptime': { + type: 'long', array: false, required: false, }, - 'host.user.roles': { - type: 'keyword', - array: true, - required: false, - }, 'http.request.body.bytes': { type: 'long', array: false, required: false, }, 'http.request.body.content': { - type: 'keyword', + type: 'wildcard', array: false, required: false, }, @@ -1290,6 +1675,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'http.request.id': { + type: 'keyword', + array: false, + required: false, + }, 'http.request.method': { type: 'keyword', array: false, @@ -1311,7 +1701,7 @@ export const ecsFieldMap = { required: false, }, 'http.response.body.content': { - type: 'keyword', + type: 'wildcard', array: false, required: false, }, @@ -1356,7 +1746,7 @@ export const ecsFieldMap = { required: false, }, 'log.origin.file.line': { - type: 'integer', + type: 'long', array: false, required: false, }, @@ -1370,11 +1760,6 @@ export const ecsFieldMap = { array: false, required: false, }, - 'log.original': { - type: 'keyword', - array: false, - required: false, - }, 'log.syslog': { type: 'object', array: false, @@ -1406,7 +1791,7 @@ export const ecsFieldMap = { required: false, }, message: { - type: 'text', + type: 'match_only_text', array: false, required: false, }, @@ -1530,6 +1915,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'observer.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, 'observer.geo.continent_name': { type: 'keyword', array: false, @@ -1555,6 +1945,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'observer.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, 'observer.geo.region_iso_code': { type: 'keyword', array: false, @@ -1565,6 +1960,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'observer.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, 'observer.hostname': { type: 'keyword', array: false, @@ -1680,43 +2080,88 @@ export const ecsFieldMap = { array: false, required: false, }, - 'organization.id': { + 'orchestrator.api_version': { type: 'keyword', array: false, required: false, }, - 'organization.name': { + 'orchestrator.cluster.name': { type: 'keyword', array: false, required: false, }, - 'package.architecture': { + 'orchestrator.cluster.url': { type: 'keyword', array: false, required: false, }, - 'package.build_version': { + 'orchestrator.cluster.version': { type: 'keyword', array: false, required: false, }, - 'package.checksum': { + 'orchestrator.namespace': { type: 'keyword', array: false, required: false, }, - 'package.description': { + 'orchestrator.organization': { type: 'keyword', array: false, required: false, }, - 'package.install_scope': { + 'orchestrator.resource.name': { type: 'keyword', array: false, required: false, }, - 'package.installed': { - type: 'date', + 'orchestrator.resource.type': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.type': { + type: 'keyword', + array: false, + required: false, + }, + 'organization.id': { + type: 'keyword', + array: false, + required: false, + }, + 'organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'package.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'package.build_version': { + type: 'keyword', + array: false, + required: false, + }, + 'package.checksum': { + type: 'keyword', + array: false, + required: false, + }, + 'package.description': { + type: 'keyword', + array: false, + required: false, + }, + 'package.install_scope': { + type: 'keyword', + array: false, + required: false, + }, + 'package.installed': { + type: 'date', array: false, required: false, }, @@ -1765,11 +2210,21 @@ export const ecsFieldMap = { array: false, required: false, }, + 'process.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, 'process.code_signature.exists': { type: 'boolean', array: false, required: false, }, + 'process.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, 'process.code_signature.status': { type: 'keyword', array: false, @@ -1780,6 +2235,16 @@ export const ecsFieldMap = { array: false, required: false, }, + 'process.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, 'process.code_signature.trusted': { type: 'boolean', array: false, @@ -1791,10 +2256,160 @@ export const ecsFieldMap = { required: false, }, 'process.command_line': { + type: 'wildcard', + array: false, + required: false, + }, + 'process.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'process.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'process.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'process.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'process.elf.telfhash': { type: 'keyword', array: false, required: false, }, + 'process.end': { + type: 'date', + array: false, + required: false, + }, 'process.entity_id': { type: 'keyword', array: false, @@ -1830,6 +2445,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'process.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, 'process.name': { type: 'keyword', array: false, @@ -1845,11 +2465,21 @@ export const ecsFieldMap = { array: false, required: false, }, + 'process.parent.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, 'process.parent.code_signature.exists': { type: 'boolean', array: false, required: false, }, + 'process.parent.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, 'process.parent.code_signature.status': { type: 'keyword', array: false, @@ -1860,6 +2490,16 @@ export const ecsFieldMap = { array: false, required: false, }, + 'process.parent.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, 'process.parent.code_signature.trusted': { type: 'boolean', array: false, @@ -1870,1112 +2510,2722 @@ export const ecsFieldMap = { array: false, required: false, }, - 'process.parent.command_line': { - type: 'keyword', + 'process.parent.command_line': { + type: 'wildcard', + array: false, + required: false, + }, + 'process.parent.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.parent.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.parent.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'process.parent.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'process.parent.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'process.parent.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.end': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.executable': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.exit_code': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pgid': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.start': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.thread.id': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.thread.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.title': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.uptime': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.working_directory': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pgid': { + type: 'long', + array: false, + required: false, + }, + 'process.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.start': { + type: 'date', + array: false, + required: false, + }, + 'process.thread.id': { + type: 'long', + array: false, + required: false, + }, + 'process.thread.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.title': { + type: 'keyword', + array: false, + required: false, + }, + 'process.uptime': { + type: 'long', + array: false, + required: false, + }, + 'process.working_directory': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.data.bytes': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'registry.data.type': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.hive': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.key': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.path': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.value': { + type: 'keyword', + array: false, + required: false, + }, + 'related.hash': { + type: 'keyword', + array: true, + required: false, + }, + 'related.hosts': { + type: 'keyword', + array: true, + required: false, + }, + 'related.ip': { + type: 'ip', + array: true, + required: false, + }, + 'related.user': { + type: 'keyword', + array: true, + required: false, + }, + 'rule.author': { + type: 'keyword', + array: true, + required: false, + }, + 'rule.category': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.description': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.id': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.license': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.name': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.ruleset': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.uuid': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.version': { + type: 'keyword', + array: false, + required: false, + }, + 'server.address': { + type: 'keyword', + array: false, + required: false, + }, + 'server.as.number': { + type: 'long', + array: false, + required: false, + }, + 'server.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.bytes': { + type: 'long', + array: false, + required: false, + }, + 'server.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'server.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'server.ip': { + type: 'ip', + array: false, + required: false, + }, + 'server.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'server.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'server.nat.port': { + type: 'long', + array: false, + required: false, + }, + 'server.packets': { + type: 'long', + array: false, + required: false, + }, + 'server.port': { + type: 'long', + array: false, + required: false, + }, + 'server.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'service.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.environment': { + type: 'keyword', + array: false, + required: false, + }, + 'service.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.environment': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.state': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.version': { + type: 'keyword', + array: false, + required: false, + }, + 'service.state': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.environment': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.state': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.version': { + type: 'keyword', + array: false, + required: false, + }, + 'service.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.version': { + type: 'keyword', + array: false, + required: false, + }, + 'source.address': { + type: 'keyword', + array: false, + required: false, + }, + 'source.as.number': { + type: 'long', + array: false, + required: false, + }, + 'source.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.bytes': { + type: 'long', + array: false, + required: false, + }, + 'source.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'source.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'source.ip': { + type: 'ip', + array: false, + required: false, + }, + 'source.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'source.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'source.nat.port': { + type: 'long', + array: false, + required: false, + }, + 'source.packets': { + type: 'long', + array: false, + required: false, + }, + 'source.port': { + type: 'long', + array: false, + required: false, + }, + 'source.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'span.id': { + type: 'keyword', + array: false, + required: false, + }, + tags: { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator': { + type: 'object', + array: false, + required: false, + }, + 'threat.enrichments.indicator.as.number': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.confidence': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.email.address': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.accessed': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.attributes': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.created': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.ctime': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.device': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.directory': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.drive_letter': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.fork_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.gid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.group': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.inode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mtime': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.owner': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.target_path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.uid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.first_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.ip': { + type: 'ip', + array: false, + required: false, + }, + 'threat.enrichments.indicator.last_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.marking.tlp': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.modified_at': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.port': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.data.bytes': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'threat.enrichments.indicator.registry.data.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.hive': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.key': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.value': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.scanner_stats': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.sightings': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.fragment': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.full': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.original': { + type: 'wildcard', array: false, required: false, }, - 'process.parent.entity_id': { + 'threat.enrichments.indicator.url.password': { type: 'keyword', array: false, required: false, }, - 'process.parent.executable': { - type: 'keyword', + 'threat.enrichments.indicator.url.path': { + type: 'wildcard', array: false, required: false, }, - 'process.parent.exit_code': { + 'threat.enrichments.indicator.url.port': { type: 'long', array: false, required: false, }, - 'process.parent.hash.md5': { + 'threat.enrichments.indicator.url.query': { type: 'keyword', array: false, required: false, }, - 'process.parent.hash.sha1': { + 'threat.enrichments.indicator.url.registered_domain': { type: 'keyword', array: false, required: false, }, - 'process.parent.hash.sha256': { + 'threat.enrichments.indicator.url.scheme': { type: 'keyword', array: false, required: false, }, - 'process.parent.hash.sha512': { + 'threat.enrichments.indicator.url.subdomain': { type: 'keyword', array: false, required: false, }, - 'process.parent.name': { + 'threat.enrichments.indicator.url.top_level_domain': { type: 'keyword', array: false, required: false, }, - 'process.parent.pe.architecture': { + 'threat.enrichments.indicator.url.username': { type: 'keyword', array: false, required: false, }, - 'process.parent.pe.company': { + 'threat.enrichments.indicator.x509.alternative_names': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.parent.pe.description': { + 'threat.enrichments.indicator.x509.issuer.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.parent.pe.file_version': { + 'threat.enrichments.indicator.x509.issuer.country': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.parent.pe.imphash': { + 'threat.enrichments.indicator.x509.issuer.distinguished_name': { type: 'keyword', array: false, required: false, }, - 'process.parent.pe.original_file_name': { + 'threat.enrichments.indicator.x509.issuer.locality': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.parent.pe.product': { + 'threat.enrichments.indicator.x509.issuer.organization': { type: 'keyword', - array: false, - required: false, - }, - 'process.parent.pgid': { - type: 'long', - array: false, + array: true, required: false, }, - 'process.parent.pid': { - type: 'long', - array: false, + 'threat.enrichments.indicator.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, required: false, }, - 'process.parent.ppid': { - type: 'long', - array: false, + 'threat.enrichments.indicator.x509.issuer.state_or_province': { + type: 'keyword', + array: true, required: false, }, - 'process.parent.start': { + 'threat.enrichments.indicator.x509.not_after': { type: 'date', array: false, required: false, }, - 'process.parent.thread.id': { - type: 'long', + 'threat.enrichments.indicator.x509.not_before': { + type: 'date', array: false, required: false, }, - 'process.parent.thread.name': { + 'threat.enrichments.indicator.x509.public_key_algorithm': { type: 'keyword', array: false, required: false, }, - 'process.parent.title': { + 'threat.enrichments.indicator.x509.public_key_curve': { type: 'keyword', array: false, required: false, }, - 'process.parent.uptime': { + 'threat.enrichments.indicator.x509.public_key_exponent': { type: 'long', array: false, required: false, }, - 'process.parent.working_directory': { - type: 'keyword', + 'threat.enrichments.indicator.x509.public_key_size': { + type: 'long', array: false, required: false, }, - 'process.pe.architecture': { + 'threat.enrichments.indicator.x509.serial_number': { type: 'keyword', array: false, required: false, }, - 'process.pe.company': { + 'threat.enrichments.indicator.x509.signature_algorithm': { type: 'keyword', array: false, required: false, }, - 'process.pe.description': { + 'threat.enrichments.indicator.x509.subject.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.pe.file_version': { + 'threat.enrichments.indicator.x509.subject.country': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.pe.imphash': { + 'threat.enrichments.indicator.x509.subject.distinguished_name': { type: 'keyword', array: false, required: false, }, - 'process.pe.original_file_name': { + 'threat.enrichments.indicator.x509.subject.locality': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.pe.product': { + 'threat.enrichments.indicator.x509.subject.organization': { type: 'keyword', - array: false, - required: false, - }, - 'process.pgid': { - type: 'long', - array: false, + array: true, required: false, }, - 'process.pid': { - type: 'long', - array: false, + 'threat.enrichments.indicator.x509.subject.organizational_unit': { + type: 'keyword', + array: true, required: false, }, - 'process.ppid': { - type: 'long', - array: false, + 'threat.enrichments.indicator.x509.subject.state_or_province': { + type: 'keyword', + array: true, required: false, }, - 'process.start': { - type: 'date', + 'threat.enrichments.indicator.x509.version_number': { + type: 'keyword', array: false, required: false, }, - 'process.thread.id': { - type: 'long', + 'threat.enrichments.matched.atomic': { + type: 'keyword', array: false, required: false, }, - 'process.thread.name': { + 'threat.enrichments.matched.field': { type: 'keyword', array: false, required: false, }, - 'process.title': { + 'threat.enrichments.matched.id': { type: 'keyword', array: false, required: false, }, - 'process.uptime': { - type: 'long', + 'threat.enrichments.matched.index': { + type: 'keyword', array: false, required: false, }, - 'process.working_directory': { + 'threat.enrichments.matched.type': { type: 'keyword', array: false, required: false, }, - 'registry.data.bytes': { + 'threat.framework': { type: 'keyword', array: false, required: false, }, - 'registry.data.strings': { + 'threat.group.alias': { type: 'keyword', array: true, required: false, }, - 'registry.data.type': { + 'threat.group.id': { type: 'keyword', array: false, required: false, }, - 'registry.hive': { + 'threat.group.name': { type: 'keyword', array: false, required: false, }, - 'registry.key': { + 'threat.group.reference': { type: 'keyword', array: false, required: false, }, - 'registry.path': { - type: 'keyword', + 'threat.indicator.as.number': { + type: 'long', array: false, required: false, }, - 'registry.value': { + 'threat.indicator.as.organization.name': { type: 'keyword', array: false, required: false, }, - 'related.hash': { + 'threat.indicator.confidence': { type: 'keyword', - array: true, + array: false, required: false, }, - 'related.hosts': { + 'threat.indicator.description': { type: 'keyword', - array: true, + array: false, required: false, }, - 'related.ip': { - type: 'ip', - array: true, + 'threat.indicator.email.address': { + type: 'keyword', + array: false, required: false, }, - 'related.user': { - type: 'keyword', - array: true, + 'threat.indicator.file.accessed': { + type: 'date', + array: false, required: false, }, - 'rule.author': { + 'threat.indicator.file.attributes': { type: 'keyword', array: true, required: false, }, - 'rule.category': { + 'threat.indicator.file.code_signature.digest_algorithm': { type: 'keyword', array: false, required: false, }, - 'rule.description': { - type: 'keyword', + 'threat.indicator.file.code_signature.exists': { + type: 'boolean', array: false, required: false, }, - 'rule.id': { - type: 'keyword', - array: false, - required: true, - }, - 'rule.license': { + 'threat.indicator.file.code_signature.signing_id': { type: 'keyword', array: false, required: false, }, - 'rule.name': { + 'threat.indicator.file.code_signature.status': { type: 'keyword', array: false, required: false, }, - 'rule.reference': { + 'threat.indicator.file.code_signature.subject_name': { type: 'keyword', array: false, required: false, }, - 'rule.ruleset': { + 'threat.indicator.file.code_signature.team_id': { type: 'keyword', array: false, required: false, }, - 'rule.uuid': { - type: 'keyword', + 'threat.indicator.file.code_signature.timestamp': { + type: 'date', array: false, required: false, }, - 'rule.version': { - type: 'keyword', + 'threat.indicator.file.code_signature.trusted': { + type: 'boolean', array: false, required: false, }, - 'server.address': { - type: 'keyword', + 'threat.indicator.file.code_signature.valid': { + type: 'boolean', array: false, required: false, }, - 'server.as.number': { - type: 'long', + 'threat.indicator.file.created': { + type: 'date', array: false, required: false, }, - 'server.as.organization.name': { - type: 'keyword', + 'threat.indicator.file.ctime': { + type: 'date', array: false, required: false, }, - 'server.bytes': { - type: 'long', + 'threat.indicator.file.device': { + type: 'keyword', array: false, required: false, }, - 'server.domain': { + 'threat.indicator.file.directory': { type: 'keyword', array: false, required: false, }, - 'server.geo.city_name': { + 'threat.indicator.file.drive_letter': { type: 'keyword', array: false, required: false, }, - 'server.geo.continent_name': { + 'threat.indicator.file.elf.architecture': { type: 'keyword', array: false, required: false, }, - 'server.geo.country_iso_code': { + 'threat.indicator.file.elf.byte_order': { type: 'keyword', array: false, required: false, }, - 'server.geo.country_name': { + 'threat.indicator.file.elf.cpu_type': { type: 'keyword', array: false, required: false, }, - 'server.geo.location': { - type: 'geo_point', + 'threat.indicator.file.elf.creation_date': { + type: 'date', array: false, required: false, }, - 'server.geo.name': { - type: 'keyword', - array: false, + 'threat.indicator.file.elf.exports': { + type: 'flattened', + array: true, required: false, }, - 'server.geo.region_iso_code': { + 'threat.indicator.file.elf.header.abi_version': { type: 'keyword', array: false, required: false, }, - 'server.geo.region_name': { + 'threat.indicator.file.elf.header.class': { type: 'keyword', array: false, required: false, }, - 'server.ip': { - type: 'ip', - array: false, - required: false, - }, - 'server.mac': { + 'threat.indicator.file.elf.header.data': { type: 'keyword', array: false, required: false, }, - 'server.nat.ip': { - type: 'ip', - array: false, - required: false, - }, - 'server.nat.port': { + 'threat.indicator.file.elf.header.entrypoint': { type: 'long', array: false, required: false, }, - 'server.packets': { - type: 'long', + 'threat.indicator.file.elf.header.object_version': { + type: 'keyword', array: false, required: false, }, - 'server.port': { - type: 'long', + 'threat.indicator.file.elf.header.os_abi': { + type: 'keyword', array: false, required: false, }, - 'server.registered_domain': { + 'threat.indicator.file.elf.header.type': { type: 'keyword', array: false, required: false, }, - 'server.subdomain': { + 'threat.indicator.file.elf.header.version': { type: 'keyword', array: false, required: false, }, - 'server.top_level_domain': { - type: 'keyword', - array: false, + 'threat.indicator.file.elf.imports': { + type: 'flattened', + array: true, required: false, }, - 'server.user.domain': { - type: 'keyword', + 'threat.indicator.file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'threat.indicator.file.elf.sections.chi2': { + type: 'long', array: false, required: false, }, - 'server.user.email': { - type: 'keyword', + 'threat.indicator.file.elf.sections.entropy': { + type: 'long', array: false, required: false, }, - 'server.user.full_name': { + 'threat.indicator.file.elf.sections.flags': { type: 'keyword', array: false, required: false, }, - 'server.user.group.domain': { + 'threat.indicator.file.elf.sections.name': { type: 'keyword', array: false, required: false, }, - 'server.user.group.id': { + 'threat.indicator.file.elf.sections.physical_offset': { type: 'keyword', array: false, required: false, }, - 'server.user.group.name': { - type: 'keyword', + 'threat.indicator.file.elf.sections.physical_size': { + type: 'long', array: false, required: false, }, - 'server.user.hash': { + 'threat.indicator.file.elf.sections.type': { type: 'keyword', array: false, required: false, }, - 'server.user.id': { - type: 'keyword', + 'threat.indicator.file.elf.sections.virtual_address': { + type: 'long', array: false, required: false, }, - 'server.user.name': { - type: 'keyword', + 'threat.indicator.file.elf.sections.virtual_size': { + type: 'long', array: false, required: false, }, - 'server.user.roles': { - type: 'keyword', + 'threat.indicator.file.elf.segments': { + type: 'nested', array: true, required: false, }, - 'service.ephemeral_id': { + 'threat.indicator.file.elf.segments.sections': { type: 'keyword', array: false, required: false, }, - 'service.id': { + 'threat.indicator.file.elf.segments.type': { type: 'keyword', array: false, required: false, }, - 'service.name': { + 'threat.indicator.file.elf.shared_libraries': { type: 'keyword', - array: false, + array: true, required: false, }, - 'service.node.name': { + 'threat.indicator.file.elf.telfhash': { type: 'keyword', array: false, required: false, }, - 'service.state': { + 'threat.indicator.file.extension': { type: 'keyword', array: false, required: false, }, - 'service.type': { + 'threat.indicator.file.fork_name': { type: 'keyword', array: false, required: false, }, - 'service.version': { + 'threat.indicator.file.gid': { type: 'keyword', array: false, required: false, }, - 'source.address': { + 'threat.indicator.file.group': { type: 'keyword', array: false, required: false, }, - 'source.as.number': { - type: 'long', + 'threat.indicator.file.hash.md5': { + type: 'keyword', array: false, required: false, }, - 'source.as.organization.name': { + 'threat.indicator.file.hash.sha1': { type: 'keyword', array: false, required: false, }, - 'source.bytes': { - type: 'long', + 'threat.indicator.file.hash.sha256': { + type: 'keyword', array: false, required: false, }, - 'source.domain': { + 'threat.indicator.file.hash.sha512': { type: 'keyword', array: false, required: false, }, - 'source.geo.city_name': { + 'threat.indicator.file.hash.ssdeep': { type: 'keyword', array: false, required: false, }, - 'source.geo.continent_name': { + 'threat.indicator.file.inode': { type: 'keyword', array: false, required: false, }, - 'source.geo.country_iso_code': { + 'threat.indicator.file.mime_type': { type: 'keyword', array: false, required: false, }, - 'source.geo.country_name': { + 'threat.indicator.file.mode': { type: 'keyword', array: false, required: false, }, - 'source.geo.location': { - type: 'geo_point', + 'threat.indicator.file.mtime': { + type: 'date', array: false, required: false, }, - 'source.geo.name': { + 'threat.indicator.file.name': { type: 'keyword', array: false, required: false, }, - 'source.geo.region_iso_code': { + 'threat.indicator.file.owner': { type: 'keyword', array: false, required: false, }, - 'source.geo.region_name': { + 'threat.indicator.file.path': { type: 'keyword', array: false, required: false, }, - 'source.ip': { - type: 'ip', + 'threat.indicator.file.pe.architecture': { + type: 'keyword', array: false, required: false, }, - 'source.mac': { + 'threat.indicator.file.pe.company': { type: 'keyword', array: false, required: false, }, - 'source.nat.ip': { - type: 'ip', + 'threat.indicator.file.pe.description': { + type: 'keyword', array: false, required: false, }, - 'source.nat.port': { - type: 'long', + 'threat.indicator.file.pe.file_version': { + type: 'keyword', array: false, required: false, }, - 'source.packets': { - type: 'long', + 'threat.indicator.file.pe.imphash': { + type: 'keyword', array: false, required: false, }, - 'source.port': { - type: 'long', + 'threat.indicator.file.pe.original_file_name': { + type: 'keyword', array: false, required: false, }, - 'source.registered_domain': { + 'threat.indicator.file.pe.product': { type: 'keyword', array: false, required: false, }, - 'source.subdomain': { - type: 'keyword', + 'threat.indicator.file.size': { + type: 'long', array: false, required: false, }, - 'source.top_level_domain': { + 'threat.indicator.file.target_path': { type: 'keyword', array: false, required: false, }, - 'source.user.domain': { + 'threat.indicator.file.type': { type: 'keyword', array: false, required: false, }, - 'source.user.email': { + 'threat.indicator.file.uid': { type: 'keyword', array: false, required: false, }, - 'source.user.full_name': { + 'threat.indicator.file.x509.alternative_names': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.group.domain': { + 'threat.indicator.file.x509.issuer.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.group.id': { + 'threat.indicator.file.x509.issuer.country': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.group.name': { + 'threat.indicator.file.x509.issuer.distinguished_name': { type: 'keyword', array: false, required: false, }, - 'source.user.hash': { + 'threat.indicator.file.x509.issuer.locality': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.id': { + 'threat.indicator.file.x509.issuer.organization': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.name': { + 'threat.indicator.file.x509.issuer.organizational_unit': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.roles': { + 'threat.indicator.file.x509.issuer.state_or_province': { type: 'keyword', array: true, required: false, }, - 'span.id': { - type: 'keyword', + 'threat.indicator.file.x509.not_after': { + type: 'date', array: false, required: false, }, - tags: { - type: 'keyword', - array: true, + 'threat.indicator.file.x509.not_before': { + type: 'date', + array: false, required: false, }, - 'threat.framework': { + 'threat.indicator.file.x509.public_key_algorithm': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments': { - type: 'nested', - array: true, + 'threat.indicator.file.x509.public_key_curve': { + type: 'keyword', + array: false, required: false, }, - 'threat.enrichments.indicator': { - type: 'object', + 'threat.indicator.file.x509.public_key_exponent': { + type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.as.number': { + 'threat.indicator.file.x509.public_key_size': { type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.as.organization.name': { + 'threat.indicator.file.x509.serial_number': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.confidence': { + 'threat.indicator.file.x509.signature_algorithm': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.description': { + 'threat.indicator.file.x509.subject.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.email.address': { + 'threat.indicator.file.x509.subject.country': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.file.accessed': { - type: 'date', + 'threat.indicator.file.x509.subject.distinguished_name': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.attributes': { + 'threat.indicator.file.x509.subject.locality': { type: 'keyword', array: true, required: false, }, - 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { + 'threat.indicator.file.x509.subject.organization': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.file.code_signature.exists': { - type: 'boolean', - array: false, + 'threat.indicator.file.x509.subject.organizational_unit': { + type: 'keyword', + array: true, required: false, }, - 'threat.enrichments.indicator.file.code_signature.signing_id': { + 'threat.indicator.file.x509.subject.state_or_province': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.file.code_signature.status': { + 'threat.indicator.file.x509.version_number': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.code_signature.subject_name': { - type: 'keyword', + 'threat.indicator.first_seen': { + type: 'date', array: false, required: false, }, - 'threat.enrichments.indicator.file.code_signature.team_id': { + 'threat.indicator.geo.city_name': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.code_signature.timestamp': { - type: 'date', + 'threat.indicator.geo.continent_code': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.code_signature.trusted': { - type: 'boolean', + 'threat.indicator.geo.continent_name': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.code_signature.valid': { - type: 'boolean', + 'threat.indicator.geo.country_iso_code': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.created': { - type: 'date', + 'threat.indicator.geo.country_name': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.ctime': { - type: 'date', + 'threat.indicator.geo.location': { + type: 'geo_point', array: false, required: false, }, - 'threat.enrichments.indicator.file.device': { + 'threat.indicator.geo.name': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.directory': { + 'threat.indicator.geo.postal_code': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.drive_letter': { + 'threat.indicator.geo.region_iso_code': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.extension': { + 'threat.indicator.geo.region_name': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.fork_name': { + 'threat.indicator.geo.timezone': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.gid': { - type: 'keyword', + 'threat.indicator.ip': { + type: 'ip', array: false, required: false, }, - 'threat.enrichments.indicator.file.group': { - type: 'keyword', + 'threat.indicator.last_seen': { + type: 'date', array: false, required: false, }, - 'threat.enrichments.indicator.file.hash.md5': { + 'threat.indicator.marking.tlp': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.hash.sha1': { - type: 'keyword', + 'threat.indicator.modified_at': { + type: 'date', array: false, required: false, }, - 'threat.enrichments.indicator.file.hash.sha256': { - type: 'keyword', + 'threat.indicator.port': { + type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.file.hash.sha512': { + 'threat.indicator.provider': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.hash.ssdeep': { + 'threat.indicator.reference': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.inode': { + 'threat.indicator.registry.data.bytes': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.mime_type': { + 'threat.indicator.registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'threat.indicator.registry.data.type': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.mode': { + 'threat.indicator.registry.hive': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.mtime': { - type: 'date', + 'threat.indicator.registry.key': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.name': { + 'threat.indicator.registry.path': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.owner': { + 'threat.indicator.registry.value': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.path': { - type: 'keyword', + 'threat.indicator.scanner_stats': { + type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.file.size': { + 'threat.indicator.sightings': { type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.file.target_path': { + 'threat.indicator.type': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.type': { + 'threat.indicator.url.domain': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.uid': { + 'threat.indicator.url.extension': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.first_seen': { - type: 'date', + 'threat.indicator.url.fragment': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.ip': { - type: 'ip', + 'threat.indicator.url.full': { + type: 'wildcard', array: false, required: false, }, - 'threat.enrichments.indicator.last_seen': { - type: 'date', + 'threat.indicator.url.original': { + type: 'wildcard', array: false, required: false, }, - 'threat.enrichments.indicator.marking.tlp': { + 'threat.indicator.url.password': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.modified_at': { - type: 'date', + 'threat.indicator.url.path': { + type: 'wildcard', array: false, required: false, }, - 'threat.enrichments.indicator.port': { + 'threat.indicator.url.port': { type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.provider': { + 'threat.indicator.url.query': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.reference': { + 'threat.indicator.url.registered_domain': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.registry.data.bytes': { + 'threat.indicator.url.scheme': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.registry.data.strings': { - type: 'wildcard', - array: true, - required: false, - }, - 'threat.enrichments.indicator.registry.data.type': { + 'threat.indicator.url.subdomain': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.registry.hive': { + 'threat.indicator.url.top_level_domain': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.registry.key': { + 'threat.indicator.url.username': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.registry.path': { + 'threat.indicator.x509.alternative_names': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.registry.value': { + 'threat.indicator.x509.issuer.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.scanner_stats': { - type: 'long', - array: false, + 'threat.indicator.x509.issuer.country': { + type: 'keyword', + array: true, required: false, }, - 'threat.enrichments.indicator.sightings': { - type: 'long', + 'threat.indicator.x509.issuer.distinguished_name': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.type': { + 'threat.indicator.x509.issuer.locality': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.url.domain': { + 'threat.indicator.x509.issuer.organization': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.url.extension': { + 'threat.indicator.x509.issuer.organizational_unit': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.url.fragment': { + 'threat.indicator.x509.issuer.state_or_province': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.url.full': { - type: 'wildcard', + 'threat.indicator.x509.not_after': { + type: 'date', array: false, required: false, }, - 'threat.enrichments.indicator.url.original': { - type: 'wildcard', + 'threat.indicator.x509.not_before': { + type: 'date', array: false, required: false, }, - 'threat.enrichments.indicator.url.password': { + 'threat.indicator.x509.public_key_algorithm': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.url.path': { - type: 'wildcard', + 'threat.indicator.x509.public_key_curve': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.url.port': { + 'threat.indicator.x509.public_key_exponent': { type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.url.query': { - type: 'keyword', + 'threat.indicator.x509.public_key_size': { + type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.url.registered_domain': { + 'threat.indicator.x509.serial_number': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.url.scheme': { + 'threat.indicator.x509.signature_algorithm': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.url.subdomain': { + 'threat.indicator.x509.subject.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.url.top_level_domain': { + 'threat.indicator.x509.subject.country': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.url.username': { + 'threat.indicator.x509.subject.distinguished_name': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.feed': { - type: 'object', - array: false, + 'threat.indicator.x509.subject.locality': { + type: 'keyword', + array: true, required: false, }, - 'threat.enrichments.feed.name': { + 'threat.indicator.x509.subject.organization': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.matched.atomic': { + 'threat.indicator.x509.subject.organizational_unit': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.matched.field': { + 'threat.indicator.x509.subject.state_or_province': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.matched.id': { + 'threat.indicator.x509.version_number': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.matched.index': { + 'threat.software.alias': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.matched.type': { + 'threat.software.id': { type: 'keyword', array: false, required: false, }, - 'threat.group.alias': { + 'threat.software.name': { type: 'keyword', - array: true, + array: false, required: false, }, - 'threat.group.id': { + 'threat.software.platforms': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.group.name': { + 'threat.software.reference': { type: 'keyword', array: false, required: false, }, - 'threat.group.reference': { + 'threat.software.type': { type: 'keyword', array: false, required: false, @@ -3436,12 +5686,12 @@ export const ecsFieldMap = { required: false, }, 'url.full': { - type: 'keyword', + type: 'wildcard', array: false, required: false, }, 'url.original': { - type: 'keyword', + type: 'wildcard', array: false, required: false, }, @@ -3451,7 +5701,7 @@ export const ecsFieldMap = { required: false, }, 'url.path': { - type: 'keyword', + type: 'wildcard', array: false, required: false, },