sigma-rules/etc/non-ecs-schema.json

{
  "endgame-*": {
    "endgame": {
      "metadata": {
        "type": "keyword"
      },
      "event_subtype_full": "keyword"
    }
  },
  "winlogbeat-*": {
    "winlog.event_data.OriginalFileName": "keyword"
  },
  "filebeat-*": {
    "o365.audit.NewValue": "keyword"
  },
  "logs-endpoint.events.*": {
    "process.Ext.token.integrity_level_name": "keyword",
	"process.parent.Ext.real.pid": "long"
  }
}