{ "auditbeat-*": { "auditd.data.addr": "keyword", "auditd.data.grantors": "keyword", "auditd.data.syscall": "keyword", "auditd.data.terminal": "keyword", "auditd.result": "keyword" }, "endgame-*": { "endgame": { "metadata": { "type": "keyword" }, "event_subtype_full": "keyword" } }, "winlogbeat-*": { "problemchild.prediction": "long", "problemchild.prediction_probability": "long", "blocklist_label": "long", "winlog": { "event_data": { "AccessList": "keyword", "AccessMask": "keyword", "AccessMaskDescription": "keyword", "AdditionalInfo": "keyword", "AllowedToDelegateTo": "keyword", "AttributeLDAPDisplayName": "keyword", "AttributeValue": "keyword", "AuditPolicyChangesDescription": "keyword", "CallerProcessName": "keyword", "CallTrace": "keyword", "ClientProcessId": "keyword", "Consumer": "keyword", "GrantedAccess": "keyword", "NewTargetUserName": "keyword", "ObjectClass": "keyword", "ObjectDN": "keyword", "ObjectName": "keyword", "OldTargetUserName": "keyword", "OriginalFileName": "keyword", "ParentProcessId": "keyword", "ProcessName": "keyword", "Properties": "keyword", "RelativeTargetName": "keyword", "ShareName": "keyword", "SubjectLogonId": "keyword", "SubjectUserName": "keyword", "SubjectUserSid": "keyword", "ServiceAccount": "keyword", "ElevatedToken": "keyword", "TargetUserName": "keyword", "TargetImage": "keyword", "TargetLogonId": "keyword", "TargetProcessGUID": "keyword", "TargetSid": "keyword", "SchemaFriendlyName": "keyword", "Resource": "keyword", "RpcCallClientLocality": "keyword", "PrivilegeList": "keyword", "AuthenticationPackageName" : "keyword", "TargetUserSid" : "keyword", "LogonProcessName": "keyword", "DnsHostName" : "keyword", "ServiceFileName": "keyword", "ImagePath": "keyword", "TaskName": "keyword", "Status": "keyword", "EnabledPrivilegeList": "keyword", "Operation": "keyword", "OperationType": "keyword", "NewUACList": "keyword", "SubCategory": "keyword" } }, "winlog.logon.type": "keyword", "winlog.logon.id": "keyword", "powershell.file.script_block_text": "text" }, "filebeat-*": { "o365.audit.NewValue": "keyword", "labels.is_ioc_transform_source": "keyword" }, "logs-endpoint.events.*": { "process.Ext.token.integrity_level_name": "keyword", "process.parent.Ext.real.pid": "long", "process.Ext.effective_parent.executable": "keyword", "process.Ext.effective_parent.entity_id": "keyword", "process.Ext.effective_parent.name": "keyword", "file.Ext.header_bytes": "keyword", "file.Ext.entropy": "long", "file.Ext.windows.zone_identifier": "long", "file.size": "long", "file.Ext.original.name": "keyword", "dll.Ext.device.product_id": "keyword", "dll.Ext.relative_file_creation_time": "double", "dll.Ext.relative_file_name_modify_time": "double", "process.Ext.relative_file_name_modify_time": "double", "process.Ext.relative_file_creation_time": "double", "Target.process.name": "keyword", "process.Ext.api.name": "keyword" }, "logs-endpoint.events.api-*": { "process.Ext.api.parameters.consumer_type": "keyword", "process.Ext.api.name": "keyword" }, "logs-endpoint.events.file-*": { "file.Ext.header_bytes": "keyword", "file.Ext.windows.zone_identifier": "long" }, "logs-windows.*": { "powershell.file.script_block_text": "text" }, "logs-kubernetes.audit_logs-*": { "kubernetes.audit.objectRef.resource": "keyword", "kubernetes.audit.objectRef.subresource": "keyword", "kubernetes.audit.verb": "keyword", "kubernetes.audit.user.username": "keyword", "kubernetes.audit.impersonatedUser.username": "keyword", "kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword", "kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword", "kubernetes.audit.userAgent": "keyword", "kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name": "keyword", "kubernetes.audit.user.groups": "keyword", "kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean", "kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean", "kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long", "kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser": "long", "kubernetes.audit.requestObject.spec.hostPID": "boolean", "kubernetes.audit.requestObject.spec.hostNetwork": "boolean", "kubernetes.audit.requestObject.spec.hostIPC": "boolean", "kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword", "kubernetes.audit.requestObject.spec.type": "keyword", "kubernetes.audit.requestObject.rules.resources": "keyword", "kubernetes.audit.requestObject.rules.verb": "keyword", "kubernetes.audit.objectRef.namespace": "keyword", "kubernetes.audit.objectRef.serviceAccountName": "keyword", "kubernetes.audit.requestObject.spec.serviceAccountName": "keyword", "kubernetes.audit.responseStatus.reason": "keyword", "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "keyword", "kubernetes.audit.requestObject.spec.containers.image": "keyword" }, ".alerts-security.*": { "signal.rule.name": "keyword", "signal.rule.tags": "keyword", "signal.rule.threat.tactic.name": "keyword", "kibana.alert.rule.threat.tactic.id": "keyword", "kibana.alert.workflow_status": "keyword", "kibana.alert.rule.rule_id": "keyword", "kibana.alert.rule.name": "keyword", "kibana.alert.risk_score": "long", "kibana.alert.rule.type": "keyword", "kibana.alert.rule.threat.tactic.name": "keyword", "kibana.alert.rule.threat.technique.name": "keyword", "kibana.alert.rule.threat.technique.id": "keyword", "kibana.alert.severity": "keyword", "job_id": "keyword", "influencers.influencer_field_name": "keyword", "influencers.influencer_field_values": "keyword" }, "logs-github.audit-*": { "github.branch": "keyword", "github.overridden_codes": "keyword", "github.reasons.code": "keyword", "github.reasons.message": "text", "github.repository_public": "boolean", "github.previous_visibility": "keyword" }, "logs-google_workspace*": { "gsuite.admin": "keyword", "gsuite.admin.new_value": "keyword", "gsuite.admin.setting.name": "keyword", "google_workspace.drive.owner_is_team_drive": "keyword", "google_workspace.drive.copy_type": "keyword", "google_workspace.drive.file.type": "keyword", "google_workspace.drive.visibility": "keyword", "google_workspace.token.client.id": "keyword", "google_workspace.token.scope.data": "keyword", "google_workspace.token.scope.data.scope_name": "keyword" }, "logs-ti_*": { "labels.is_ioc_transform_source": "keyword" }, "logs-auditd_manager.auditd-*": { "auditd.data.a0": "keyword", "auditd.data.a1": "keyword", "auditd.data.a2": "keyword", "auditd.data.a3": "keyword" }, "logs-aws.cloudtrail-*": { "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges.items.cidrIp": "keyword", "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.fromPort": "keyword", "aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword", "aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm": "keyword", "aws.cloudtrail.flattened.request_parameters.includeDeprecated": "keyword", "aws.cloudtrail.flattened.request_parameters.withDecryption": "boolean", "aws.cloudtrail.flattened.request_parameters.instanceId": "keyword", "aws.cloudtrail.flattened.request_parameters.attribute": "keyword", "aws.cloudtrail.flattened.request_parameters.reason": "keyword", "aws.cloudtrail.flattened.request_parameters.omitted": "keyword", "aws.cloudtrail.flattened.response_elements.documentDescription.documentType": "keyword", "aws.cloudtrail.flattened.request_parameters.groupSet.items.groupId": "keyword", "aws.cloudtrail.flattened.request_parameters.protocol": "keyword" }, "logs-azure.signinlogs-*": { "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword", "azure.signinlogs.properties.original_transfer_method": "keyword", "azure.auditlogs.properties.target_resources.0.display_name": "keyword", "azure.signinlogs.properties.authentication_details.authentication_method": "keyword", "azure.signinlogs.properties.authentication_processing_details": "keyword", "azure.signinlogs.properties.token_protection_status_details.sign_in_session_status": "keyword", "azure.signinlogs.properties.session_id": "keyword", "azure.signinlogs.properties.mfa_detail.auth_method": "keyword", "azure.signinlogs.properties.client_credential_type": "keyword", "azure.signinlogs.properties.app_owner_tenant_id": "keyword", "azure.signinlogs.properties.resource_owner_tenant_id": "keyword", "azure.signinlogs.properties.tenant_id": "keyword" }, "logs-azure.activitylogs-*": { "azure.activitylogs.properties.authentication_protocol": "keyword", "azure.activitylogs.properties.appId": "keyword", "azure.activitylogs.properties.resourceDisplayName": "keyword", "azure.activitylogs.properties.appDisplayName": "keyword", "azure.activitylogs.properties.requestbody.properties.roleDefinitionId": "keyword", "azure.activitylogs.properties.responseBody": "keyword", "azure.activitylogs.properties.status_code": "keyword", "azure.activitylogs.identity.claims.appid": "keyword" }, "logs-azure.graphactivitylogs-*": { "azure.graphactivitylogs.properties.c_idtyp": "keyword", "azure.graphactivitylogs.properties.user_principal_object_id": "keyword", "azure.graphactivitylogs.properties.requestUri": "keyword", "azure.graphactivitylogs.properties.c_sid": "keyword" }, "logs-azure.auditlogs-*": { "azure.auditlogs.properties.target_resources.0.display_name": "keyword", "azure.auditlogs.properties.target_resources.0.id": "keyword", "azure.auditlogs.properties.target_resources.0.modified_properties.1.display_name": "keyword", "azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value": "keyword", "azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value": "keyword", "azure.auditlogs.properties.target_resources.0.modified_properties.2.new_value": "keyword", "azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value": "keyword", "azure.auditlogs.properties.target_resources.0.modified_properties.5.new_value": "keyword", "azure.auditlogs.properties.additional_details.value": "keyword", "azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value": "keyword", "azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value": "keyword", "azure.auditlogs.properties.target_resources.0.modified_properties.0.display_name": "keyword" }, "logs-azure.platformlogs-*": { "azure.platformlogs.identity.claim.upn": "keyword", "azure.platformlogs.properties.id": "keyword", "azure.platformlogs.identity.claim.appid": "keyword", "azure.platformlogs.identity.type": "keyword", "azure.platformlogs.properties.userAgentHeader": "keyword", "azure.platformlogs.statusCode": "keyword", "azure.platformlogs.properties.accountName": "keyword" }, "logs-o365.audit-*": { "o365.audit.ExtendedProperties.RequestType": "keyword", "o365.audit.ExtendedProperties.ResultStatusDetail": "keyword", "o365.audit.OperationProperties.Name": "keyword", "o365.audit.OperationProperties.Value": "keyword", "o365.audit.OperationCount": "long", "o365.audit.AppAccessContext.AADSessionId": "keyword", "o365.audit.SearchQueryText": "keyword", "o365.audit.AffectedItems.Subject": "keyword", "o365.audit.IsManagedDevice": "boolean" }, "logs-okta*": { "okta.debug_context.debug_data.flattened.requestedScopes": "keyword", "okta.debug_context.debug_data.flattened.grantType": "keyword", "okta.debug_context.debug_data.flattened.privilegeGranted": "keyword" }, "logs-network_traffic.http*": { "data_stream.dataset": "keyword", "url.path": "keyword", "http.request.referrer": "keyword", "http.request.headers.content-type": "keyword", "network.direction": "keyword", "http.request.method": "keyword", "request": "keyword", "http.request.body.bytes": "long", "http.request.body.content": "keyword", "http.response.headers.server": "keyword" }, "metrics-*": { "system.process.cpu.total.norm.pct": "double", "system.cpu.total.norm.pct": "double" } }