From 8737691bce68eec3f780c07c260fd1e2c9bfa9fe Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Tue, 18 Jan 2022 19:47:44 -0600 Subject: [PATCH] [RAC][Rule Registry] Generate ECS fieldmap from ECS 8.0 (#123012) * Generate ECS fieldmap from ECS 8.0 This is the result of running the generate_ecs_fieldmap script against ECS' 8.0 branch. * Account for scaling_factor property from ECS This is a required field for e.g. scaled_float fields, so we need to reflect its value in our field map. * Remove unused, unset property from FieldMap It does not appear that this value was ever being set, nor does this value appear in ECS' flat output, so I'm removing it for now to keep our types as accurate as possible. * Add path back to FieldMap definition This is a required field for type: alias fields. * Try upping the fields limit on our ECS component template This now exceeds the default of 1000. * Bump our field limit a bit more Apparently 1300 wasn't enough, either. * Fix type error Makes this field optional, since the technical component template doesn't currently use it. * Bump the field limit of our composed template Including the newest ECS fields, this index now exceeds 1600 fields. This value should probably be derived from the composed template's limits, but for now this allows the template to be created. Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../ecs_component_template.ts | 1 + .../common/assets/field_maps/ecs_field_map.ts | 3221 ++++++++++++++--- .../rule_registry/common/field_map/types.ts | 1 + x-pack/plugins/rule_registry/common/types.ts | 1 + .../scripts/generate_ecs_fieldmap/index.js | 8 +- .../resource_installer.ts | 2 +- 6 files changed, 2747 insertions(+), 487 deletions(-)
diff --git a/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts b/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts
index 81a3a76fc65f64..05ff64a2b753e9 100644
--- a/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts
+++ b/x-pack/plugins/rule_registry/common/assets/component_templates/ecs_component_template.ts
@@ -14,6 +14,7 @@ export const ecsComponentTemplate: ClusterPutComponentTemplateBody = {
 template: {
 settings: {
 number_of_shards: 1,
+ 'index.mapping.total_fields.limit': 1500,
 },
 mappings: merge(
 {},
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts
index 114d54eb7b4bb5..7c4095cca039fd 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts
@@ -75,6 +75,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'client.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, 'client.geo.continent_name': { type: 'keyword', array: false, @@ -100,6 +105,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'client.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, 'client.geo.region_iso_code': { type: 'keyword', array: false, @@ -110,6 +120,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'client.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, 'client.ip': { type: 'ip', array: false, 
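Review bot: The added `'index.mapping.total_fields.limit': 1500` is a bare number with nothing in the file saying where it comes from or what it has to track; the commit message explains it (the ECS 8.0 field set pushes this template past the Elasticsearch default of 1000, and 1300 was still too low), but a maintainer reading the template will not see that. Suggest a comment above the line, e.g. `// ECS 8.0 maps more fields than the Elasticsearch default limit of 1000 allows; raise it so this component template can be installed.`. The same commit raises a second hand-picked limit on the composed template (resource_installer.ts, outside this chunk), and the description itself says that value should be derived from the component templates' limits, so a comment here naming that relationship would keep the two numbers from drifting silently. Raising the limit also relaxes the guard against unbounded mapping growth on indices built from this template, which is acceptable for a fixed, generated field set but worth stating next to the value. The enclosing `ecsComponentTemplate` object starts and ends outside the hunk.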
@@ -235,6 +250,61 @@ export const ecsFieldMap = { array: false, required: false, }, + 'cloud.origin.account.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.account.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.availability_zone': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.instance.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.instance.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.machine.type': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.project.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.project.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.region': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.service.name': { + type: 'keyword', + array: false, + required: false, + }, 'cloud.project.id': { type: 'keyword', array: false, 
@@ -255,6 +325,66 @@ export const ecsFieldMap = { array: false, required: false, }, + 'cloud.service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.account.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.account.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.availability_zone': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.instance.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.instance.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.machine.type': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.project.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.project.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.region': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.service.name': { + type: 'keyword', + array: false, + required: false, + }, 'container.id': { type: 'keyword', array: false, @@ -285,6 +415,21 @@ export const ecsFieldMap = { array: false, required: false, }, + 'data_stream.dataset': { + type: 'constant_keyword', + array: false, + required: false, + }, + 'data_stream.namespace': { + type: 'constant_keyword', + array: false, + required: false, + }, + 'data_stream.type': { + type: 'constant_keyword', + array: false, + required: false, + }, 'destination.address': { type: 'keyword', array: false, @@ -315,6 +460,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'destination.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, 'destination.geo.continent_name': { type: 'keyword', array: false, 
@@ -340,6 +490,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'destination.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, 'destination.geo.region_iso_code': { type: 'keyword', array: false, @@ -350,6 +505,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'destination.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, 'destination.ip': { type: 'ip', array: false, @@ -445,11 +605,21 @@ export const ecsFieldMap = { array: true, required: false, }, + 'dll.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, 'dll.code_signature.exists': { type: 'boolean', array: false, required: false, }, + 'dll.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, 'dll.code_signature.status': { type: 'keyword', array: false, @@ -460,6 +630,16 @@ export const ecsFieldMap = { array: false, required: false, }, + 'dll.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, 'dll.code_signature.trusted': { type: 'boolean', array: false, @@ -490,6 +670,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'dll.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, 'dll.name': { type: 'keyword', array: false, @@ -641,12 +826,12 @@ export const ecsFieldMap = { required: false, }, 'error.message': { - type: 'text', + type: 'match_only_text', array: false, required: false, }, 'error.stack_trace': { - type: 'keyword', + type: 'wildcard', array: false, required: false, }, 
@@ -785,6 +970,31 @@ export const ecsFieldMap = { array: false, required: false, }, + 'faas.coldstart': { + type: 'boolean', + array: false, + required: false, + }, + 'faas.execution': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.trigger': { + type: 'nested', + array: false, + required: false, + }, + 'faas.trigger.request_id': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.trigger.type': { + type: 'keyword', + array: false, + required: false, + }, 'file.accessed': { type: 'date', array: false, @@ -795,11 +1005,21 @@ export const ecsFieldMap = { array: true, required: false, }, + 'file.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, 'file.code_signature.exists': { type: 'boolean', array: false, required: false, }, + 'file.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, 'file.code_signature.status': { type: 'keyword', array: false, @@ -810,6 +1030,16 @@ export const ecsFieldMap = { array: false, required: false, }, + 'file.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, 'file.code_signature.trusted': { type: 'boolean', array: false, 
@@ -845,164 +1075,319 @@ export const ecsFieldMap = { array: false, required: false, }, - 'file.extension': { + 'file.elf.architecture': { type: 'keyword', array: false, required: false, }, - 'file.gid': { + 'file.elf.byte_order': { type: 'keyword', array: false, required: false, }, - 'file.group': { + 'file.elf.cpu_type': { type: 'keyword', array: false, required: false, }, - 'file.hash.md5': { - type: 'keyword', + 'file.elf.creation_date': { + type: 'date', array: false, required: false, }, - 'file.hash.sha1': { - type: 'keyword', - array: false, + 'file.elf.exports': { + type: 'flattened', + array: true, required: false, }, - 'file.hash.sha256': { + 'file.elf.header.abi_version': { type: 'keyword', array: false, required: false, }, - 'file.hash.sha512': { + 'file.elf.header.class': { type: 'keyword', array: false, required: false, }, - 'file.inode': { + 'file.elf.header.data': { type: 'keyword', array: false, required: false, }, - 'file.mime_type': { - type: 'keyword', + 'file.elf.header.entrypoint': { + type: 'long', array: false, required: false, }, - 'file.mode': { + 'file.elf.header.object_version': { type: 'keyword', array: false, required: false, }, - 'file.mtime': { - type: 'date', + 'file.elf.header.os_abi': { + type: 'keyword', array: false, required: false, }, - 'file.name': { + 'file.elf.header.type': { type: 'keyword', array: false, required: false, }, - 'file.owner': { + 'file.elf.header.version': { type: 'keyword', array: false, required: false, }, - 'file.path': { - type: 'keyword', - array: false, + 'file.elf.imports': { + type: 'flattened', + array: true, required: false, }, - 'file.pe.architecture': { - type: 'keyword', + 'file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'file.elf.sections.chi2': { + type: 'long', array: false, required: false, }, - 'file.pe.company': { - type: 'keyword', + 'file.elf.sections.entropy': { + type: 'long', array: false, required: false, }, - 'file.pe.description': { + 
'file.elf.sections.flags': { type: 'keyword', array: false, required: false, }, - 'file.pe.file_version': { + 'file.elf.sections.name': { type: 'keyword', array: false, required: false, }, - 'file.pe.imphash': { + 'file.elf.sections.physical_offset': { type: 'keyword', array: false, required: false, }, - 'file.pe.original_file_name': { - type: 'keyword', + 'file.elf.sections.physical_size': { + type: 'long', array: false, required: false, }, - 'file.pe.product': { + 'file.elf.sections.type': { type: 'keyword', array: false, required: false, }, - 'file.size': { + 'file.elf.sections.virtual_address': { type: 'long', array: false, required: false, }, - 'file.target_path': { - type: 'keyword', + 'file.elf.sections.virtual_size': { + type: 'long', array: false, required: false, }, - 'file.type': { - type: 'keyword', - array: false, + 'file.elf.segments': { + type: 'nested', + array: true, required: false, }, - 'file.uid': { + 'file.elf.segments.sections': { type: 'keyword', array: false, required: false, }, - 'file.x509.alternative_names': { + 'file.elf.segments.type': { type: 'keyword', - array: true, + array: false, required: false, }, - 'file.x509.issuer.common_name': { + 'file.elf.shared_libraries': { type: 'keyword', array: true, required: false, }, - 'file.x509.issuer.country': { + 'file.elf.telfhash': { type: 'keyword', - array: true, + array: false, required: false, }, - 'file.x509.issuer.distinguished_name': { + 'file.extension': { type: 'keyword', array: false, required: false, }, - 'file.x509.issuer.locality': { + 'file.fork_name': { type: 'keyword', - array: true, + array: false, required: false, }, - 'file.x509.issuer.organization': { + 'file.gid': { type: 'keyword', - array: true, + array: false, required: false, }, - 'file.x509.issuer.organizational_unit': { + 'file.group': { type: 'keyword', - array: true, + array: false, + required: false, + }, + 'file.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha1': { + type: 
'keyword', + array: false, + required: false, + }, + 'file.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'file.inode': { + type: 'keyword', + array: false, + required: false, + }, + 'file.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.mode': { + type: 'keyword', + array: false, + required: false, + }, + 'file.mtime': { + type: 'date', + array: false, + required: false, + }, + 'file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.owner': { + type: 'keyword', + array: false, + required: false, + }, + 'file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'file.size': { + type: 'long', + array: false, + required: false, + }, + 'file.target_path': { + type: 'keyword', + array: false, + required: false, + }, + 'file.type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.uid': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.country': { + type: 'keyword', + array: true, + 
required: false, + }, + 'file.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, required: false, }, 'file.x509.issuer.state_or_province': { @@ -1110,6 +1495,22 @@ export const ecsFieldMap = { array: false, required: false, }, + 'host.cpu.usage': { + type: 'scaled_float', + array: false, + required: false, + scaling_factor: 1000, + }, + 'host.disk.read.bytes': { + type: 'long', + array: false, + required: false, + }, + 'host.disk.write.bytes': { + type: 'long', + array: false, + required: false, + }, 'host.domain': { type: 'keyword', array: false, @@ -1120,6 +1521,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'host.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, 'host.geo.continent_name': { type: 'keyword', array: false, @@ -1145,6 +1551,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'host.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, 'host.geo.region_iso_code': { type: 'keyword', array: false, @@ -1155,6 +1566,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'host.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, 'host.hostname': { type: 'keyword', array: false, 
@@ -1180,108 +1596,78 @@ export const ecsFieldMap = { array: false, required: false, }, - 'host.os.family': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.full': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.kernel': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.name': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.platform': { - type: 'keyword', - array: false, - required: false, - }, - 'host.os.type': { - type: 'keyword', + 'host.network.egress.bytes': { + type: 'long', array: false, required: false, }, - 'host.os.version': { - type: 'keyword', + 'host.network.egress.packets': { + type: 'long', array: false, required: false, }, - 'host.type': { - type: 'keyword', + 'host.network.ingress.bytes': { + type: 'long', array: false, required: false, }, - 'host.uptime': { + 'host.network.ingress.packets': { type: 'long', array: false, required: false, }, - 'host.user.domain': { + 'host.os.family': { type: 'keyword', array: false, required: false, }, - 'host.user.email': { + 'host.os.full': { type: 'keyword', array: false, required: false, }, - 'host.user.full_name': { + 'host.os.kernel': { type: 'keyword', array: false, required: false, }, - 'host.user.group.domain': { + 'host.os.name': { type: 'keyword', array: false, required: false, }, - 'host.user.group.id': { + 'host.os.platform': { type: 'keyword', array: false, required: false, }, - 'host.user.group.name': { + 'host.os.type': { type: 'keyword', array: false, required: false, }, - 'host.user.hash': { + 'host.os.version': { type: 'keyword', array: false, required: false, }, - 'host.user.id': { + 'host.type': { type: 'keyword', array: false, required: false, }, - 'host.user.name': { - type: 'keyword', + 'host.uptime': { + type: 'long', array: false, required: false, }, - 'host.user.roles': { - type: 'keyword', - array: true, - required: false, - }, 'http.request.body.bytes': { type: 'long', array: false, required: 
false, }, 'http.request.body.content': { - type: 'keyword', + type: 'wildcard', array: false, required: false, }, @@ -1290,6 +1676,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'http.request.id': { + type: 'keyword', + array: false, + required: false, + }, 'http.request.method': { type: 'keyword', array: false, @@ -1311,7 +1702,7 @@ export const ecsFieldMap = { required: false, }, 'http.response.body.content': { - type: 'keyword', + type: 'wildcard', array: false, required: false, }, @@ -1356,7 +1747,7 @@ export const ecsFieldMap = { required: false, }, 'log.origin.file.line': { - type: 'integer', + type: 'long', array: false, required: false, }, @@ -1370,11 +1761,6 @@ export const ecsFieldMap = { array: false, required: false, }, - 'log.original': { - type: 'keyword', - array: false, - required: false, - }, 'log.syslog': { type: 'object', array: false, @@ -1406,7 +1792,7 @@ export const ecsFieldMap = { required: false, }, message: { - type: 'text', + type: 'match_only_text', array: false, required: false, }, @@ -1530,6 +1916,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'observer.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, 'observer.geo.continent_name': { type: 'keyword', array: false, @@ -1555,6 +1946,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'observer.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, 'observer.geo.region_iso_code': { type: 'keyword', array: false, @@ -1565,6 +1961,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'observer.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, 'observer.hostname': { type: 'keyword', array: false, 
@@ -1680,43 +2081,88 @@ export const ecsFieldMap = { array: false, required: false, }, - 'organization.id': { + 'orchestrator.api_version': { type: 'keyword', array: false, required: false, }, - 'organization.name': { + 'orchestrator.cluster.name': { type: 'keyword', array: false, required: false, }, - 'package.architecture': { + 'orchestrator.cluster.url': { type: 'keyword', array: false, required: false, }, - 'package.build_version': { + 'orchestrator.cluster.version': { type: 'keyword', array: false, required: false, }, - 'package.checksum': { + 'orchestrator.namespace': { type: 'keyword', array: false, required: false, }, - 'package.description': { + 'orchestrator.organization': { type: 'keyword', array: false, required: false, }, - 'package.install_scope': { + 'orchestrator.resource.name': { type: 'keyword', array: false, required: false, }, - 'package.installed': { - type: 'date', + 'orchestrator.resource.type': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.type': { + type: 'keyword', + array: false, + required: false, + }, + 'organization.id': { + type: 'keyword', + array: false, + required: false, + }, + 'organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'package.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'package.build_version': { + type: 'keyword', + array: false, + required: false, + }, + 'package.checksum': { + type: 'keyword', + array: false, + required: false, + }, + 'package.description': { + type: 'keyword', + array: false, + required: false, + }, + 'package.install_scope': { + type: 'keyword', + array: false, + required: false, + }, + 'package.installed': { + type: 'date', array: false, required: false, }, 
@@ -1765,11 +2211,21 @@ export const ecsFieldMap = { array: false, required: false, }, + 'process.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, 'process.code_signature.exists': { type: 'boolean', array: false, required: false, }, + 'process.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, 'process.code_signature.status': { type: 'keyword', array: false, @@ -1780,6 +2236,16 @@ export const ecsFieldMap = { array: false, required: false, }, + 'process.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, 'process.code_signature.trusted': { type: 'boolean', array: false, 
@@ -1791,10 +2257,160 @@ export const ecsFieldMap = { required: false, }, 'process.command_line': { + type: 'wildcard', + array: false, + required: false, + }, + 'process.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'process.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'process.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 
'process.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'process.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'process.elf.telfhash': { type: 'keyword', array: false, required: false, }, + 'process.end': { + type: 'date', + array: false, + required: false, + }, 'process.entity_id': { type: 'keyword', array: false, @@ -1830,6 +2446,11 @@ export const ecsFieldMap = { array: false, required: false, }, + 'process.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, 'process.name': { type: 'keyword', array: false, @@ -1845,11 +2466,21 @@ export const ecsFieldMap = { array: false, required: false, }, + 'process.parent.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, 'process.parent.code_signature.exists': { type: 'boolean', array: false, required: false, }, + 'process.parent.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, 'process.parent.code_signature.status': { type: 'keyword', array: false, 
@@ -1860,6 +2491,16 @@ export const ecsFieldMap = { array: false, required: false, }, + 'process.parent.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, 'process.parent.code_signature.trusted': { type: 'boolean', array: false, 
@@ -1870,1112 +2511,2722 @@ export const ecsFieldMap = { array: false, required: false, }, - 'process.parent.command_line': { - type: 'keyword', + 'process.parent.command_line': { + type: 'wildcard', + array: false, + required: false, + }, + 'process.parent.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.parent.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.parent.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'process.parent.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + 
}, + 'process.parent.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'process.parent.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'process.parent.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.end': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.executable': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.exit_code': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.name': { + type: 'keyword', + array: false, + 
required: false, + }, + 'process.parent.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pgid': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.start': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.thread.id': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.thread.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.title': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.uptime': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.working_directory': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.product': { + type: 'keyword', + array: false, + required: 
false, + }, + 'process.pgid': { + type: 'long', + array: false, + required: false, + }, + 'process.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.start': { + type: 'date', + array: false, + required: false, + }, + 'process.thread.id': { + type: 'long', + array: false, + required: false, + }, + 'process.thread.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.title': { + type: 'keyword', + array: false, + required: false, + }, + 'process.uptime': { + type: 'long', + array: false, + required: false, + }, + 'process.working_directory': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.data.bytes': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'registry.data.type': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.hive': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.key': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.path': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.value': { + type: 'keyword', + array: false, + required: false, + }, + 'related.hash': { + type: 'keyword', + array: true, + required: false, + }, + 'related.hosts': { + type: 'keyword', + array: true, + required: false, + }, + 'related.ip': { + type: 'ip', + array: true, + required: false, + }, + 'related.user': { + type: 'keyword', + array: true, + required: false, + }, + 'rule.author': { + type: 'keyword', + array: true, + required: false, + }, + 'rule.category': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.description': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.id': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.license': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.name': { + type: 'keyword', + array: false, + required: 
false, + }, + 'rule.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.ruleset': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.uuid': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.version': { + type: 'keyword', + array: false, + required: false, + }, + 'server.address': { + type: 'keyword', + array: false, + required: false, + }, + 'server.as.number': { + type: 'long', + array: false, + required: false, + }, + 'server.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.bytes': { + type: 'long', + array: false, + required: false, + }, + 'server.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'server.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'server.ip': { + type: 'ip', + array: false, + required: false, + }, + 'server.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'server.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'server.nat.port': { + type: 'long', + array: false, + 
required: false, + }, + 'server.packets': { + type: 'long', + array: false, + required: false, + }, + 'server.port': { + type: 'long', + array: false, + required: false, + }, + 'server.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'service.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.environment': { + type: 'keyword', + array: false, + required: false, + }, + 'service.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.environment': { + type: 'keyword', + array: false, + required: false, + }, + 
'service.origin.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.state': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.version': { + type: 'keyword', + array: false, + required: false, + }, + 'service.state': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.environment': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.state': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.version': { + type: 'keyword', + array: false, + required: false, + }, + 'service.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.version': { + type: 'keyword', + array: false, + required: false, + }, + 'source.address': { + type: 'keyword', + array: false, + required: false, + }, + 'source.as.number': { + type: 'long', + array: false, + required: false, + }, + 'source.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.bytes': { + type: 'long', + array: false, + required: false, + }, + 
'source.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'source.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'source.ip': { + type: 'ip', + array: false, + required: false, + }, + 'source.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'source.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'source.nat.port': { + type: 'long', + array: false, + required: false, + }, + 'source.packets': { + type: 'long', + array: false, + required: false, + }, + 'source.port': { + type: 'long', + array: false, + required: false, + }, + 'source.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.full_name': { + type: 'keyword', + 
array: false, + required: false, + }, + 'source.user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'span.id': { + type: 'keyword', + array: false, + required: false, + }, + tags: { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator': { + type: 'object', + array: false, + required: false, + }, + 'threat.enrichments.indicator.as.number': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.confidence': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.email.address': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.accessed': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.attributes': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.file.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.created': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.ctime': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.device': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.directory': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.drive_letter': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 
'threat.enrichments.indicator.file.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.type': { + type: 'keyword', + array: false, + 
required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.fork_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.gid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.group': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.inode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mime_type': { + 
type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mtime': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.owner': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.target_path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.uid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.common_name': { + 
type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.country': { + type: 'keyword', + array: true, + required: 
false, + }, + 'threat.enrichments.indicator.file.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.first_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.ip': { + type: 'ip', + array: false, + required: false, + }, + 'threat.enrichments.indicator.last_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.marking.tlp': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.modified_at': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.port': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.data.bytes': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'threat.enrichments.indicator.registry.data.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.hive': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.key': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.value': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.scanner_stats': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.sightings': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.domain': { + type: 'keyword', + array: false, + 
required: false, + }, + 'threat.enrichments.indicator.url.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.fragment': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.full': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.original': { + type: 'wildcard', array: false, required: false, }, - 'process.parent.entity_id': { + 'threat.enrichments.indicator.url.password': { type: 'keyword', array: false, required: false, }, - 'process.parent.executable': { - type: 'keyword', + 'threat.enrichments.indicator.url.path': { + type: 'wildcard', array: false, required: false, }, - 'process.parent.exit_code': { + 'threat.enrichments.indicator.url.port': { type: 'long', array: false, required: false, }, - 'process.parent.hash.md5': { + 'threat.enrichments.indicator.url.query': { type: 'keyword', array: false, required: false, }, - 'process.parent.hash.sha1': { + 'threat.enrichments.indicator.url.registered_domain': { type: 'keyword', array: false, required: false, }, - 'process.parent.hash.sha256': { + 'threat.enrichments.indicator.url.scheme': { type: 'keyword', array: false, required: false, }, - 'process.parent.hash.sha512': { + 'threat.enrichments.indicator.url.subdomain': { type: 'keyword', array: false, required: false, }, - 'process.parent.name': { + 'threat.enrichments.indicator.url.top_level_domain': { type: 'keyword', array: false, required: false, }, - 'process.parent.pe.architecture': { + 'threat.enrichments.indicator.url.username': { type: 'keyword', array: false, required: false, }, - 'process.parent.pe.company': { + 'threat.enrichments.indicator.x509.alternative_names': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.parent.pe.description': { + 'threat.enrichments.indicator.x509.issuer.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 
'process.parent.pe.file_version': { + 'threat.enrichments.indicator.x509.issuer.country': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.parent.pe.imphash': { + 'threat.enrichments.indicator.x509.issuer.distinguished_name': { type: 'keyword', array: false, required: false, }, - 'process.parent.pe.original_file_name': { + 'threat.enrichments.indicator.x509.issuer.locality': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.parent.pe.product': { + 'threat.enrichments.indicator.x509.issuer.organization': { type: 'keyword', - array: false, - required: false, - }, - 'process.parent.pgid': { - type: 'long', - array: false, + array: true, required: false, }, - 'process.parent.pid': { - type: 'long', - array: false, + 'threat.enrichments.indicator.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, required: false, }, - 'process.parent.ppid': { - type: 'long', - array: false, + 'threat.enrichments.indicator.x509.issuer.state_or_province': { + type: 'keyword', + array: true, required: false, }, - 'process.parent.start': { + 'threat.enrichments.indicator.x509.not_after': { type: 'date', array: false, required: false, }, - 'process.parent.thread.id': { - type: 'long', + 'threat.enrichments.indicator.x509.not_before': { + type: 'date', array: false, required: false, }, - 'process.parent.thread.name': { + 'threat.enrichments.indicator.x509.public_key_algorithm': { type: 'keyword', array: false, required: false, }, - 'process.parent.title': { + 'threat.enrichments.indicator.x509.public_key_curve': { type: 'keyword', array: false, required: false, }, - 'process.parent.uptime': { + 'threat.enrichments.indicator.x509.public_key_exponent': { type: 'long', array: false, required: false, }, - 'process.parent.working_directory': { - type: 'keyword', + 'threat.enrichments.indicator.x509.public_key_size': { + type: 'long', array: false, required: false, }, - 'process.pe.architecture': { + 
'threat.enrichments.indicator.x509.serial_number': { type: 'keyword', array: false, required: false, }, - 'process.pe.company': { + 'threat.enrichments.indicator.x509.signature_algorithm': { type: 'keyword', array: false, required: false, }, - 'process.pe.description': { + 'threat.enrichments.indicator.x509.subject.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.pe.file_version': { + 'threat.enrichments.indicator.x509.subject.country': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.pe.imphash': { + 'threat.enrichments.indicator.x509.subject.distinguished_name': { type: 'keyword', array: false, required: false, }, - 'process.pe.original_file_name': { + 'threat.enrichments.indicator.x509.subject.locality': { type: 'keyword', - array: false, + array: true, required: false, }, - 'process.pe.product': { + 'threat.enrichments.indicator.x509.subject.organization': { type: 'keyword', - array: false, - required: false, - }, - 'process.pgid': { - type: 'long', - array: false, + array: true, required: false, }, - 'process.pid': { - type: 'long', - array: false, + 'threat.enrichments.indicator.x509.subject.organizational_unit': { + type: 'keyword', + array: true, required: false, }, - 'process.ppid': { - type: 'long', - array: false, + 'threat.enrichments.indicator.x509.subject.state_or_province': { + type: 'keyword', + array: true, required: false, }, - 'process.start': { - type: 'date', + 'threat.enrichments.indicator.x509.version_number': { + type: 'keyword', array: false, required: false, }, - 'process.thread.id': { - type: 'long', + 'threat.enrichments.matched.atomic': { + type: 'keyword', array: false, required: false, }, - 'process.thread.name': { + 'threat.enrichments.matched.field': { type: 'keyword', array: false, required: false, }, - 'process.title': { + 'threat.enrichments.matched.id': { type: 'keyword', array: false, required: false, }, - 'process.uptime': { - type: 'long', + 
'threat.enrichments.matched.index': { + type: 'keyword', array: false, required: false, }, - 'process.working_directory': { + 'threat.enrichments.matched.type': { type: 'keyword', array: false, required: false, }, - 'registry.data.bytes': { + 'threat.framework': { type: 'keyword', array: false, required: false, }, - 'registry.data.strings': { + 'threat.group.alias': { type: 'keyword', array: true, required: false, }, - 'registry.data.type': { + 'threat.group.id': { type: 'keyword', array: false, required: false, }, - 'registry.hive': { + 'threat.group.name': { type: 'keyword', array: false, required: false, }, - 'registry.key': { + 'threat.group.reference': { type: 'keyword', array: false, required: false, }, - 'registry.path': { - type: 'keyword', + 'threat.indicator.as.number': { + type: 'long', array: false, required: false, }, - 'registry.value': { + 'threat.indicator.as.organization.name': { type: 'keyword', array: false, required: false, }, - 'related.hash': { + 'threat.indicator.confidence': { type: 'keyword', - array: true, + array: false, required: false, }, - 'related.hosts': { + 'threat.indicator.description': { type: 'keyword', - array: true, + array: false, required: false, }, - 'related.ip': { - type: 'ip', - array: true, + 'threat.indicator.email.address': { + type: 'keyword', + array: false, required: false, }, - 'related.user': { - type: 'keyword', - array: true, + 'threat.indicator.file.accessed': { + type: 'date', + array: false, required: false, }, - 'rule.author': { + 'threat.indicator.file.attributes': { type: 'keyword', array: true, required: false, }, - 'rule.category': { + 'threat.indicator.file.code_signature.digest_algorithm': { type: 'keyword', array: false, required: false, }, - 'rule.description': { - type: 'keyword', + 'threat.indicator.file.code_signature.exists': { + type: 'boolean', array: false, required: false, }, - 'rule.id': { - type: 'keyword', - array: false, - required: true, - }, - 'rule.license': { + 
'threat.indicator.file.code_signature.signing_id': { type: 'keyword', array: false, required: false, }, - 'rule.name': { + 'threat.indicator.file.code_signature.status': { type: 'keyword', array: false, required: false, }, - 'rule.reference': { + 'threat.indicator.file.code_signature.subject_name': { type: 'keyword', array: false, required: false, }, - 'rule.ruleset': { + 'threat.indicator.file.code_signature.team_id': { type: 'keyword', array: false, required: false, }, - 'rule.uuid': { - type: 'keyword', + 'threat.indicator.file.code_signature.timestamp': { + type: 'date', array: false, required: false, }, - 'rule.version': { - type: 'keyword', + 'threat.indicator.file.code_signature.trusted': { + type: 'boolean', array: false, required: false, }, - 'server.address': { - type: 'keyword', + 'threat.indicator.file.code_signature.valid': { + type: 'boolean', array: false, required: false, }, - 'server.as.number': { - type: 'long', + 'threat.indicator.file.created': { + type: 'date', array: false, required: false, }, - 'server.as.organization.name': { - type: 'keyword', + 'threat.indicator.file.ctime': { + type: 'date', array: false, required: false, }, - 'server.bytes': { - type: 'long', + 'threat.indicator.file.device': { + type: 'keyword', array: false, required: false, }, - 'server.domain': { + 'threat.indicator.file.directory': { type: 'keyword', array: false, required: false, }, - 'server.geo.city_name': { + 'threat.indicator.file.drive_letter': { type: 'keyword', array: false, required: false, }, - 'server.geo.continent_name': { + 'threat.indicator.file.elf.architecture': { type: 'keyword', array: false, required: false, }, - 'server.geo.country_iso_code': { + 'threat.indicator.file.elf.byte_order': { type: 'keyword', array: false, required: false, }, - 'server.geo.country_name': { + 'threat.indicator.file.elf.cpu_type': { type: 'keyword', array: false, required: false, }, - 'server.geo.location': { - type: 'geo_point', + 
'threat.indicator.file.elf.creation_date': { + type: 'date', array: false, required: false, }, - 'server.geo.name': { - type: 'keyword', - array: false, + 'threat.indicator.file.elf.exports': { + type: 'flattened', + array: true, required: false, }, - 'server.geo.region_iso_code': { + 'threat.indicator.file.elf.header.abi_version': { type: 'keyword', array: false, required: false, }, - 'server.geo.region_name': { + 'threat.indicator.file.elf.header.class': { type: 'keyword', array: false, required: false, }, - 'server.ip': { - type: 'ip', - array: false, - required: false, - }, - 'server.mac': { + 'threat.indicator.file.elf.header.data': { type: 'keyword', array: false, required: false, }, - 'server.nat.ip': { - type: 'ip', - array: false, - required: false, - }, - 'server.nat.port': { + 'threat.indicator.file.elf.header.entrypoint': { type: 'long', array: false, required: false, }, - 'server.packets': { - type: 'long', + 'threat.indicator.file.elf.header.object_version': { + type: 'keyword', array: false, required: false, }, - 'server.port': { - type: 'long', + 'threat.indicator.file.elf.header.os_abi': { + type: 'keyword', array: false, required: false, }, - 'server.registered_domain': { + 'threat.indicator.file.elf.header.type': { type: 'keyword', array: false, required: false, }, - 'server.subdomain': { + 'threat.indicator.file.elf.header.version': { type: 'keyword', array: false, required: false, }, - 'server.top_level_domain': { - type: 'keyword', - array: false, + 'threat.indicator.file.elf.imports': { + type: 'flattened', + array: true, required: false, }, - 'server.user.domain': { - type: 'keyword', + 'threat.indicator.file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'threat.indicator.file.elf.sections.chi2': { + type: 'long', array: false, required: false, }, - 'server.user.email': { - type: 'keyword', + 'threat.indicator.file.elf.sections.entropy': { + type: 'long', array: false, required: false, }, - 
'server.user.full_name': { + 'threat.indicator.file.elf.sections.flags': { type: 'keyword', array: false, required: false, }, - 'server.user.group.domain': { + 'threat.indicator.file.elf.sections.name': { type: 'keyword', array: false, required: false, }, - 'server.user.group.id': { + 'threat.indicator.file.elf.sections.physical_offset': { type: 'keyword', array: false, required: false, }, - 'server.user.group.name': { - type: 'keyword', + 'threat.indicator.file.elf.sections.physical_size': { + type: 'long', array: false, required: false, }, - 'server.user.hash': { + 'threat.indicator.file.elf.sections.type': { type: 'keyword', array: false, required: false, }, - 'server.user.id': { - type: 'keyword', + 'threat.indicator.file.elf.sections.virtual_address': { + type: 'long', array: false, required: false, }, - 'server.user.name': { - type: 'keyword', + 'threat.indicator.file.elf.sections.virtual_size': { + type: 'long', array: false, required: false, }, - 'server.user.roles': { - type: 'keyword', + 'threat.indicator.file.elf.segments': { + type: 'nested', array: true, required: false, }, - 'service.ephemeral_id': { + 'threat.indicator.file.elf.segments.sections': { type: 'keyword', array: false, required: false, }, - 'service.id': { + 'threat.indicator.file.elf.segments.type': { type: 'keyword', array: false, required: false, }, - 'service.name': { + 'threat.indicator.file.elf.shared_libraries': { type: 'keyword', - array: false, + array: true, required: false, }, - 'service.node.name': { + 'threat.indicator.file.elf.telfhash': { type: 'keyword', array: false, required: false, }, - 'service.state': { + 'threat.indicator.file.extension': { type: 'keyword', array: false, required: false, }, - 'service.type': { + 'threat.indicator.file.fork_name': { type: 'keyword', array: false, required: false, }, - 'service.version': { + 'threat.indicator.file.gid': { type: 'keyword', array: false, required: false, }, - 'source.address': { + 'threat.indicator.file.group': { type: 
'keyword', array: false, required: false, }, - 'source.as.number': { - type: 'long', + 'threat.indicator.file.hash.md5': { + type: 'keyword', array: false, required: false, }, - 'source.as.organization.name': { + 'threat.indicator.file.hash.sha1': { type: 'keyword', array: false, required: false, }, - 'source.bytes': { - type: 'long', + 'threat.indicator.file.hash.sha256': { + type: 'keyword', array: false, required: false, }, - 'source.domain': { + 'threat.indicator.file.hash.sha512': { type: 'keyword', array: false, required: false, }, - 'source.geo.city_name': { + 'threat.indicator.file.hash.ssdeep': { type: 'keyword', array: false, required: false, }, - 'source.geo.continent_name': { + 'threat.indicator.file.inode': { type: 'keyword', array: false, required: false, }, - 'source.geo.country_iso_code': { + 'threat.indicator.file.mime_type': { type: 'keyword', array: false, required: false, }, - 'source.geo.country_name': { + 'threat.indicator.file.mode': { type: 'keyword', array: false, required: false, }, - 'source.geo.location': { - type: 'geo_point', + 'threat.indicator.file.mtime': { + type: 'date', array: false, required: false, }, - 'source.geo.name': { + 'threat.indicator.file.name': { type: 'keyword', array: false, required: false, }, - 'source.geo.region_iso_code': { + 'threat.indicator.file.owner': { type: 'keyword', array: false, required: false, }, - 'source.geo.region_name': { + 'threat.indicator.file.path': { type: 'keyword', array: false, required: false, }, - 'source.ip': { - type: 'ip', + 'threat.indicator.file.pe.architecture': { + type: 'keyword', array: false, required: false, }, - 'source.mac': { + 'threat.indicator.file.pe.company': { type: 'keyword', array: false, required: false, }, - 'source.nat.ip': { - type: 'ip', + 'threat.indicator.file.pe.description': { + type: 'keyword', array: false, required: false, }, - 'source.nat.port': { - type: 'long', + 'threat.indicator.file.pe.file_version': { + type: 'keyword', array: false, required: 
false, }, - 'source.packets': { - type: 'long', + 'threat.indicator.file.pe.imphash': { + type: 'keyword', array: false, required: false, }, - 'source.port': { - type: 'long', + 'threat.indicator.file.pe.original_file_name': { + type: 'keyword', array: false, required: false, }, - 'source.registered_domain': { + 'threat.indicator.file.pe.product': { type: 'keyword', array: false, required: false, }, - 'source.subdomain': { - type: 'keyword', + 'threat.indicator.file.size': { + type: 'long', array: false, required: false, }, - 'source.top_level_domain': { + 'threat.indicator.file.target_path': { type: 'keyword', array: false, required: false, }, - 'source.user.domain': { + 'threat.indicator.file.type': { type: 'keyword', array: false, required: false, }, - 'source.user.email': { + 'threat.indicator.file.uid': { type: 'keyword', array: false, required: false, }, - 'source.user.full_name': { + 'threat.indicator.file.x509.alternative_names': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.group.domain': { + 'threat.indicator.file.x509.issuer.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.group.id': { + 'threat.indicator.file.x509.issuer.country': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.group.name': { + 'threat.indicator.file.x509.issuer.distinguished_name': { type: 'keyword', array: false, required: false, }, - 'source.user.hash': { + 'threat.indicator.file.x509.issuer.locality': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.id': { + 'threat.indicator.file.x509.issuer.organization': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.name': { + 'threat.indicator.file.x509.issuer.organizational_unit': { type: 'keyword', - array: false, + array: true, required: false, }, - 'source.user.roles': { + 'threat.indicator.file.x509.issuer.state_or_province': { type: 
'keyword', array: true, required: false, }, - 'span.id': { - type: 'keyword', + 'threat.indicator.file.x509.not_after': { + type: 'date', array: false, required: false, }, - tags: { - type: 'keyword', - array: true, + 'threat.indicator.file.x509.not_before': { + type: 'date', + array: false, required: false, }, - 'threat.framework': { + 'threat.indicator.file.x509.public_key_algorithm': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments': { - type: 'nested', - array: true, + 'threat.indicator.file.x509.public_key_curve': { + type: 'keyword', + array: false, required: false, }, - 'threat.enrichments.indicator': { - type: 'object', + 'threat.indicator.file.x509.public_key_exponent': { + type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.as.number': { + 'threat.indicator.file.x509.public_key_size': { type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.as.organization.name': { + 'threat.indicator.file.x509.serial_number': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.confidence': { + 'threat.indicator.file.x509.signature_algorithm': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.description': { + 'threat.indicator.file.x509.subject.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.email.address': { + 'threat.indicator.file.x509.subject.country': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.file.accessed': { - type: 'date', + 'threat.indicator.file.x509.subject.distinguished_name': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.attributes': { + 'threat.indicator.file.x509.subject.locality': { type: 'keyword', array: true, required: false, }, - 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { + 
'threat.indicator.file.x509.subject.organization': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.file.code_signature.exists': { - type: 'boolean', - array: false, + 'threat.indicator.file.x509.subject.organizational_unit': { + type: 'keyword', + array: true, required: false, }, - 'threat.enrichments.indicator.file.code_signature.signing_id': { + 'threat.indicator.file.x509.subject.state_or_province': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.file.code_signature.status': { + 'threat.indicator.file.x509.version_number': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.code_signature.subject_name': { - type: 'keyword', + 'threat.indicator.first_seen': { + type: 'date', array: false, required: false, }, - 'threat.enrichments.indicator.file.code_signature.team_id': { + 'threat.indicator.geo.city_name': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.code_signature.timestamp': { - type: 'date', + 'threat.indicator.geo.continent_code': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.code_signature.trusted': { - type: 'boolean', + 'threat.indicator.geo.continent_name': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.code_signature.valid': { - type: 'boolean', + 'threat.indicator.geo.country_iso_code': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.created': { - type: 'date', + 'threat.indicator.geo.country_name': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.ctime': { - type: 'date', + 'threat.indicator.geo.location': { + type: 'geo_point', array: false, required: false, }, - 'threat.enrichments.indicator.file.device': { + 'threat.indicator.geo.name': { type: 'keyword', array: false, required: false, 
}, - 'threat.enrichments.indicator.file.directory': { + 'threat.indicator.geo.postal_code': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.drive_letter': { + 'threat.indicator.geo.region_iso_code': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.extension': { + 'threat.indicator.geo.region_name': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.fork_name': { + 'threat.indicator.geo.timezone': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.gid': { - type: 'keyword', + 'threat.indicator.ip': { + type: 'ip', array: false, required: false, }, - 'threat.enrichments.indicator.file.group': { - type: 'keyword', + 'threat.indicator.last_seen': { + type: 'date', array: false, required: false, }, - 'threat.enrichments.indicator.file.hash.md5': { + 'threat.indicator.marking.tlp': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.hash.sha1': { - type: 'keyword', + 'threat.indicator.modified_at': { + type: 'date', array: false, required: false, }, - 'threat.enrichments.indicator.file.hash.sha256': { - type: 'keyword', + 'threat.indicator.port': { + type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.file.hash.sha512': { + 'threat.indicator.provider': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.hash.ssdeep': { + 'threat.indicator.reference': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.inode': { + 'threat.indicator.registry.data.bytes': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.mime_type': { + 'threat.indicator.registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'threat.indicator.registry.data.type': { type: 'keyword', array: false, required: false, }, - 
'threat.enrichments.indicator.file.mode': { + 'threat.indicator.registry.hive': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.mtime': { - type: 'date', + 'threat.indicator.registry.key': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.name': { + 'threat.indicator.registry.path': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.owner': { + 'threat.indicator.registry.value': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.path': { - type: 'keyword', + 'threat.indicator.scanner_stats': { + type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.file.size': { + 'threat.indicator.sightings': { type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.file.target_path': { + 'threat.indicator.type': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.type': { + 'threat.indicator.url.domain': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.file.uid': { + 'threat.indicator.url.extension': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.first_seen': { - type: 'date', + 'threat.indicator.url.fragment': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.ip': { - type: 'ip', + 'threat.indicator.url.full': { + type: 'wildcard', array: false, required: false, }, - 'threat.enrichments.indicator.last_seen': { - type: 'date', + 'threat.indicator.url.original': { + type: 'wildcard', array: false, required: false, }, - 'threat.enrichments.indicator.marking.tlp': { + 'threat.indicator.url.password': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.modified_at': { - type: 'date', + 'threat.indicator.url.path': { + type: 'wildcard', array: false, required: false, }, - 
'threat.enrichments.indicator.port': { + 'threat.indicator.url.port': { type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.provider': { + 'threat.indicator.url.query': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.reference': { + 'threat.indicator.url.registered_domain': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.registry.data.bytes': { + 'threat.indicator.url.scheme': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.registry.data.strings': { - type: 'wildcard', - array: true, - required: false, - }, - 'threat.enrichments.indicator.registry.data.type': { + 'threat.indicator.url.subdomain': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.registry.hive': { + 'threat.indicator.url.top_level_domain': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.registry.key': { + 'threat.indicator.url.username': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.registry.path': { + 'threat.indicator.x509.alternative_names': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.registry.value': { + 'threat.indicator.x509.issuer.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.scanner_stats': { - type: 'long', - array: false, + 'threat.indicator.x509.issuer.country': { + type: 'keyword', + array: true, required: false, }, - 'threat.enrichments.indicator.sightings': { - type: 'long', + 'threat.indicator.x509.issuer.distinguished_name': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.type': { + 'threat.indicator.x509.issuer.locality': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.url.domain': { + 
'threat.indicator.x509.issuer.organization': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.url.extension': { + 'threat.indicator.x509.issuer.organizational_unit': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.url.fragment': { + 'threat.indicator.x509.issuer.state_or_province': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.url.full': { - type: 'wildcard', + 'threat.indicator.x509.not_after': { + type: 'date', array: false, required: false, }, - 'threat.enrichments.indicator.url.original': { - type: 'wildcard', + 'threat.indicator.x509.not_before': { + type: 'date', array: false, required: false, }, - 'threat.enrichments.indicator.url.password': { + 'threat.indicator.x509.public_key_algorithm': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.url.path': { - type: 'wildcard', + 'threat.indicator.x509.public_key_curve': { + type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.url.port': { + 'threat.indicator.x509.public_key_exponent': { type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.url.query': { - type: 'keyword', + 'threat.indicator.x509.public_key_size': { + type: 'long', array: false, required: false, }, - 'threat.enrichments.indicator.url.registered_domain': { + 'threat.indicator.x509.serial_number': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.url.scheme': { + 'threat.indicator.x509.signature_algorithm': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.indicator.url.subdomain': { + 'threat.indicator.x509.subject.common_name': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.indicator.url.top_level_domain': { + 'threat.indicator.x509.subject.country': { type: 'keyword', - array: false, + array: 
true, required: false, }, - 'threat.enrichments.indicator.url.username': { + 'threat.indicator.x509.subject.distinguished_name': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.feed': { - type: 'object', - array: false, + 'threat.indicator.x509.subject.locality': { + type: 'keyword', + array: true, required: false, }, - 'threat.enrichments.feed.name': { + 'threat.indicator.x509.subject.organization': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.matched.atomic': { + 'threat.indicator.x509.subject.organizational_unit': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.matched.field': { + 'threat.indicator.x509.subject.state_or_province': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.matched.id': { + 'threat.indicator.x509.version_number': { type: 'keyword', array: false, required: false, }, - 'threat.enrichments.matched.index': { + 'threat.software.alias': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.enrichments.matched.type': { + 'threat.software.id': { type: 'keyword', array: false, required: false, }, - 'threat.group.alias': { + 'threat.software.name': { type: 'keyword', - array: true, + array: false, required: false, }, - 'threat.group.id': { + 'threat.software.platforms': { type: 'keyword', - array: false, + array: true, required: false, }, - 'threat.group.name': { + 'threat.software.reference': { type: 'keyword', array: false, required: false, }, - 'threat.group.reference': { + 'threat.software.type': { type: 'keyword', array: false, required: false, @@ -3436,12 +5687,12 @@ export const ecsFieldMap = { required: false, }, 'url.full': { - type: 'keyword', + type: 'wildcard', array: false, required: false, }, 'url.original': { - type: 'keyword', + type: 'wildcard', array: false, required: false, }, 
@@ -3451,7 +5702,7 @@ export const ecsFieldMap = { required: false, }, 'url.path': { - type: 'keyword', + type: 'wildcard', array: false, required: false, }, diff --git a/x-pack/plugins/rule_registry/common/field_map/types.ts b/x-pack/plugins/rule_registry/common/field_map/types.ts index ad2f8ed1e5536d..6eeffa12400fe2 100644 --- a/x-pack/plugins/rule_registry/common/field_map/types.ts +++ b/x-pack/plugins/rule_registry/common/field_map/types.ts @@ -11,5 +11,6 @@ export interface FieldMap { required?: boolean; array?: boolean; path?: string; + scaling_factor?: number; }; } diff --git a/x-pack/plugins/rule_registry/common/types.ts b/x-pack/plugins/rule_registry/common/types.ts index 8ffbebbc631a16..4bf5fa8b23fdc1 100644 --- a/x-pack/plugins/rule_registry/common/types.ts +++ b/x-pack/plugins/rule_registry/common/types.ts @@ -275,6 +275,7 @@ export interface ClusterPutComponentTemplateBody { template: { settings: { number_of_shards: number; + 'index.mapping.total_fields.limit'?: number; }; mappings: estypes.MappingTypeMapping; }; diff --git a/x-pack/plugins/rule_registry/scripts/generate_ecs_fieldmap/index.js b/x-pack/plugins/rule_registry/scripts/generate_ecs_fieldmap/index.js index bbcf651bd6d691..5e90a3c16aa7c6 100644 --- a/x-pack/plugins/rule_registry/scripts/generate_ecs_fieldmap/index.js +++ b/x-pack/plugins/rule_registry/scripts/generate_ecs_fieldmap/index.js @@ -33,11 +33,17 @@ async function generate() { const flatYaml = await yaml.safeLoad(await readFile(ecsYamlFilename)); const fields = mapValues(flatYaml, (description) => { - return { + const field = { type: description.type, array: description.normalize.includes('array'), required: !!description.required, }; + + if (description.scaling_factor) { + field.scaling_factor = description.scaling_factor; + } + + return field; }); await Promise.all([ 
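Review bot: The new `scaling_factor?: number;` member of `FieldMap` is added without saying when it applies, and on an interface where every member is optional a reader cannot tell that it is only meaningful — and then mandatory — for fields whose `type` is `scaled_float`, which is the reason the commit gives. I'd document that inline: `/** Elasticsearch scaling factor; required when type is 'scaled_float', unused for other types. */`. The `type` member itself sits outside the hunk, but the shape reads like a candidate for a discriminated union on `type`, which would let the compiler enforce the pairing instead of a comment.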
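Review bot: The new `if (description.scaling_factor)` guard silently omits the property when a `scaled_float` entry in the ECS YAML lacks it, so a bad input only surfaces later when Elasticsearch rejects the generated component template rather than when the map is generated. Since the property is required for that type, I'd fail the generator up front, before the existing guard: `if (description.type === 'scaled_float' && !description.scaling_factor) { throw new Error('scaled_float field is missing scaling_factor'); }` (if this `mapValues` is lodash's, the iteratee also receives the key, which would let the error name the field). A one-line comment on the guard, `// scaling_factor is only emitted when ECS defines it; required for scaled_float`, would also make the conditional's intent clear to the next person regenerating the map.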
diff --git a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts
index 0d55335a652ea9..c49e9d1e111bfe 100644
--- a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts
+++ b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts
@@ -315,7 +315,7 @@ export class ResourceInstaller {
 // @ts-expect-error
 rollover_alias: primaryNamespacedAlias,
 },
- 'index.mapping.total_fields.limit': 1200,
+ 'index.mapping.total_fields.limit': 1700,
 },
 mappings: {
 dynamic: false,
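Review bot: The bump of `'index.mapping.total_fields.limit'` to 1700 is a second hand-maintained copy of the ECS field count — the component templates this index composes carry their own limit through the settings key this commit adds to `ClusterPutComponentTemplateBody` — so the next ECS update needs both numbers raised by hand, and a miss shows up only as a failed index-template install at startup. I'd at least record the dependency where the number lives, `// Must exceed the combined total_fields.limit of the composed component templates; raise it whenever the ECS field map grows`, or better derive it from those templates' limits as the commit message itself suggests. Because the mapping is `dynamic: false` on the line below, the higher ceiling does not expose the index to mapping growth driven by document content, which is worth stating next to the value. The enclosing ResourceInstaller method starts and ends outside the hunk.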