sigma-rules/etc/non-ecs-schema.json

{
  "endgame-*": {
    "endgame": {
      "metadata": {
        "type": "keyword"
      },
      "event_subtype_full": "keyword"
    }
  },
  "winlogbeat-*": {
    "winlog": {
      "event_data": {
        "AccessList": "keyword",
        "AccessMask": "keyword",
        "AccessMaskDescription": "keyword",
        "AllowedToDelegateTo": "keyword",
        "AttributeLDAPDisplayName": "keyword",
        "AttributeValue": "keyword",
        "CallerProcessName": "keyword",
        "CallTrace": "keyword",
        "ClientProcessId": "keyword",
        "GrantedAccess": "keyword",
        "NewTargetUserName": "keyword",
        "ObjectClass": "keyword",
        "ObjectDN": "keyword",
        "ObjectName": "keyword",
        "OldTargetUserName": "keyword",
        "OriginalFileName": "keyword",
        "ParentProcessId": "keyword",
        "ProcessName": "keyword",
        "Properties": "keyword",
        "RelativeTargetName": "keyword",
        "ShareName": "keyword",
        "SubjectLogonId": "keyword",
        "SubjectUserName": "keyword",
        "TargetImage": "keyword",
        "TargetLogonId": "keyword",
        "TargetProcessGUID": "keyword",
        "TargetSid": "keyword", 
	"PrivilegeList": "keyword"
      }
    },
    "winlog.logon.type": "keyword",
    "powershell.file.script_block_text": "text"
  },
  "filebeat-*": {
    "o365.audit.NewValue": "keyword",
    "o365audit.Parameters.ForwardTo": "keyword",
    "o365audit.Parameters.ForwardAsAttachmentTo": "keyword",
    "o365audit.Parameters.RedirectTo": "keyword"
  },
  "logs-endpoint.events.*": {
    "process.Ext.token.integrity_level_name": "keyword",
    "process.parent.Ext.real.pid": "long", 
    "file.Ext.header_bytes": "keyword"
  },
  "logs-windows.*": {
    "powershell.file.script_block_text": "text"
  }
}