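# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
#
# Layout rules for this file: every value is a multi-line JSON document, so
# continuation lines must stay indented deeper than their key, and comments are
# full-line only (an inline comment would become part of the JSON value).
# NOTE(review): presumably read with Python configparser (a [DEFAULT] section is
# present) - confirm against the loader before adding % or interpolation syntax.

[DEFAULT]
# bump_version = 2.10.0

# Backend role for the es_loader identity. Write access (crud/create_index) is
# limited to log-* and metrics-*; the "*" pattern carries monitor-only actions.
# cluster_permissions include template and ingest-pipeline put, so this role
# should be mapped to the loader's identity and nothing else.
[security]
role_es_loader = {
    "description": "Provide the minimum permissions for aws es_loader",
    "cluster_permissions": [
        "cluster_monitor",
        "cluster_composite_ops",
        "indices:admin/template/get",
        "indices:admin/template/put",
        "cluster:admin/ingest/pipeline/put",
        "cluster:admin/ingest/pipeline/get",
        "cluster:admin/cold/indices/search"
    ],
    "index_permissions": [
        {
            "index_patterns": ["log-*"],
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["crud", "create_index"]
        },
        {
            "index_patterns": ["metrics-*"],
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["crud", "create_index"]
        },
        {
            "index_patterns": ["*"],
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["indices:monitor/settings/get", "indices:monitor/stats"]
        }
    ],
    "tenant_permissions": []
}

# Persistent cluster settings applied at deploy time.
[cluster-settings]
# #48
# Retention of alerting history: alerts older than 30d are archived,
# history indices older than 120d are deleted.
opendistro-alert = {
    "persistent": {
        "opendistro.alerting.alert_history_max_age": "30d",
        "opendistro.alerting.alert_history_retention_period": "120d"
    }
}

# ISM policies. The ism_template pattern only attaches the policy to indices
# whose name matches log-*-00* (rollover-style suffix).
[index_state_management_policies]
rollover100gb = {
    "policy": {
        "description": "Do not edit. Provided by AWS. rollover by 100gb. This policy affect the only indices which are configured with index_rotation=auto in user.ini",
        "schema_version": 1,
        "error_notification": null,
        "default_state": "rollover",
        "states": [
            {"name": "rollover", "actions": [{"rollover": {"min_size": "100gb"}}]}
        ],
        "ism_template": [
            {"index_patterns": ["log-*-00*"], "priority": 0}
        ]
    }
}

# One component template per log type. Each carries a "_meta" description and a
# "version" so an operator can tell an AWS-provided template from a local one.
[component-templates]
# Shared ECS-style mappings for all log-* indices.
# NOTE(review): index.mapping.ignore_malformed=true means a value that does not
# fit its mapped type is dropped from the document instead of the document being
# rejected. Integer-mapped byte counters (e.g. network.bytes) are limited to the
# 32-bit range; verify the sources cannot exceed it, or widen those fields to long.
component_template_log = {
    "template": {
        "settings": {
            "index.refresh_interval": "2s",
            "index.mapping.ignore_malformed": true,
            "index.max_docvalue_fields_search": 200,
            "index.number_of_shards": 3
        },
        "mappings": {
            "dynamic_templates": [{
                "strings": {
                    "match_mapping_type": "string",
                    "mapping": {"type": "keyword"}
                }
            }],
            "properties": {
                "@id": {"type": "keyword", "doc_values": false},
                "@log_s3bucket": {"type": "keyword"},
                "@log_s3key": {"type": "keyword", "doc_values": false},
                "@log_type": {"type": "keyword"},
                "@message": {"type": "text"},
                "@timestamp": {"type": "date"},
                "cwl_timestamp": {"type": "date", "format": "epoch_millis"},
                "cwe_timestamp": {"type": "date"},
                "base": {"type": "object"},
                "base.tags": {"type": "keyword"},
                "base.labels": {"type": "object"},
                "agent": {"type": "object"},
                "as": {"type": "object"},
                "client": {"type": "object"},
                "cloud": {"type": "object"},
                "code_signature": {"type": "object"},
                "container": {"type": "object"},
                "container.image.tag": {"type": "keyword"},
                "container.labels": {"type": "object"},
                "data_stream": {"type": "object"},
                "destination": {"type": "object"},
                "destination.as.number": {"type": "integer"},
                "destination.as.organization.name": {"type": "keyword"},
                "destination.bytes": {"type": "long"},
                "destination.geo.city_name": {"type": "keyword"},
                "destination.geo.country_iso_code": {"type": "keyword"},
                "destination.geo.country_name": {"type": "keyword"},
                "destination.geo.location": {"type": "geo_point"},
                "destination.ip": {"type": "ip"},
                "destination.nat.ip": {"type": "ip"},
                "destination.nat.port": {"type": "integer"},
                "destination.packets": {"type": "long"},
                "destination.port": {"type": "integer"},
                "dll": {"type": "object"},
                "dns": {"type": "object"},
                "dns.answers": {"type": "object"},
                "dns.answers.ttl": {"type": "long"},
                "dns.id": {"type": "keyword", "doc_values": false},
                "dns.header_flags": {"type": "keyword", "doc_values": false},
                "dns.resolved_ip": {"type": "ip"},
                "ecs": {"type": "object"},
                "elf": {"type": "object"},
                "error": {"type": "object"},
                "error.message": {"type": "text"},
                "event": {"type": "object"},
                "event.category": {"type": "keyword"},
                "event.code": {"type": "keyword"},
                "event.created": {"type": "date"},
                "event.duration": {"type": "long"},
                "event.end": {"type": "date"},
                "event.id": {"type": "keyword"},
                "event.ingested": {"type": "date"},
                "event.kind": {"type": "keyword"},
                "event.outcome": {"type": "keyword"},
                "event.risk_score": {"type": "float"},
                "event.risk_score_norm": {"type": "float"},
                "event.sequence": {"type": "long"},
                "event.severity": {"type": "long"},
                "event.start": {"type": "date"},
                "event.timezone": {"type": "keyword"},
                "event.type": {"type": "keyword"},
                "file": {"type": "object"},
                "file.accessed": {"type": "date"},
                "file.attributes": {"type": "keyword"},
                "file.created": {"type": "date"},
                "file.ctime": {"type": "date"},
                "file.gid": {"type": "keyword"},
                "file.inode": {"type": "keyword"},
                "file.mode": {"type": "keyword"},
                "file.mtime": {"type": "date"},
                "file.size": {"type": "long"},
                "file.uid": {"type": "keyword"},
                "geo": {"type": "object"},
                "group": {"type": "object"},
                "group.id": {"type": "keyword"},
                "hash": {"type": "object"},
                "host": {"type": "object"},
                "host.disk.read.bytes": {"type": "long"},
                "host.disk.write.bytes": {"type": "long"},
                "host.hostname": {"type": "keyword"},
                "host.id": {"type": "keyword"},
                "host.ip": {"type": "ip"},
                "host.mac": {"type": "keyword"},
                "host.network.egress.bytes": {"type": "long"},
                "host.network.egress.packets": {"type": "long"},
                "host.network.ingress.bytes": {"type": "long"},
                "host.network.ingress.packets": {"type": "long"},
                "host.uptime": {"type": "long"},
                "http": {"type": "object"},
                "http.request.body.bytes": {"type": "long"},
                "http.request.body.content": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "http.request.bytes": {"type": "long"},
                "http.response.body.bytes": {"type": "long"},
                "http.response.body.content": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "http.response.bytes": {"type": "long"},
                "http.response.status_code": {"type": "short"},
                "http.version": {"type": "keyword"},
                "interface": {"type": "object"},
                "interface.alias": {"type": "keyword"},
                "interface.id": {"type": "keyword"},
                "interface.name": {"type": "keyword"},
                "log": {"type": "object"},
                "log.level": {"type": "keyword"},
                "log.origin.file.line": {"type": "long"},
                "log.syslog": {"type": "object"},
                "log.syslog.facility.code": {"type": "long"},
                "log.syslog.priority": {"type": "long"},
                "log.syslog.severity.code": {"type": "long"},
                "network": {"type": "object"},
                "network.bytes": {"type": "integer"},
                "network.community_id": {"type": "keyword"},
                "network.forwarded_ip": {"type": "ip"},
                "network.iana_number": {"type": "short"},
                "network.inner": {"type": "object"},
                "network.packets": {"type": "long"},
                "observer": {"type": "object"},
                "observer.ip": {"type": "ip"},
                "observer.mac": {"type": "keyword"},
                "observer.serial_number": {"type": "keyword"},
                "observer.version": {"type": "keyword"},
                "orchestrator": {"type": "object"},
                "organization": {"type": "object"},
                "organization.id": {"type": "keyword"},
                "os": {"type": "object"},
                "os.family": {"type": "keyword"},
                "os.full": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "os.kernel": {"type": "keyword"},
                "os.name": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "os.platform": {"type": "keyword"},
                "os.type": {"type": "keyword"},
                "os.version": {"type": "keyword"},
                "package": {"type": "object"},
                "pe": {"type": "object"},
                "process": {"type": "object"},
                "process.args": {"type": "keyword"},
                "process.args_count": {"type": "long"},
                "process.command_line": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "process.entity_id": {"type": "keyword"},
                "process.exit_code": {"type": "long"},
                "process.pgid": {"type": "long"},
                "process.pid": {"type": "long"},
                "process.ppid": {"type": "long"},
                "process.start": {"type": "date"},
                "process.thread.id": {"type": "long"},
                "process.uptime": {"type": "long"},
                "registry": {"type": "object"},
                "related": {"type": "object"},
                "related.hash": {"type": "keyword"},
                "related.hosts": {"type": "keyword"},
                "related.ip": {"type": "ip"},
                "related.user": {"type": "keyword"},
                "rule": {"type": "object"},
                "rule.author": {"type": "keyword"},
                "rule.category": {"type": "keyword"},
                "rule.description": {"type": "keyword"},
                "rule.id": {"type": "keyword"},
                "rule.uuid": {"type": "keyword"},
                "rule.version": {"type": "keyword"},
                "server": {"type": "object"},
                "service": {"type": "object"},
                "service.ephemeral_id": {"type": "keyword"},
                "service.id": {"type": "keyword"},
                "service.version": {"type": "keyword"},
                "source": {"type": "object"},
                "source.address": {"type": "keyword"},
                "source.as.number": {"type": "integer"},
                "source.as.organization.name": {"type": "keyword"},
                "source.bytes": {"type": "long"},
                "source.geo.city_name": {"type": "keyword"},
                "source.geo.country_iso_code": {"type": "keyword"},
                "source.geo.country_name": {"type": "keyword"},
                "source.geo.location": {"type": "geo_point"},
                "source.ip": {"type": "ip"},
                "source.nat.ip": {"type": "ip"},
                "source.nat.port": {"type": "integer"},
                "source.packets": {"type": "long"},
                "source.port": {"type": "integer"},
                "threat": {"type": "object"},
                "threat.enrichments": {"type": "nested", "properties": {
                    "indicator": {"type": "object"},
                    "indicator.confidence": {"type": "keyword"},
                    "indicator.description": {"type": "keyword"},
                    "indicator.email.address": {"type": "keyword"},
                    "indicator.first_seen": {"type": "date"},
                    "indicator.ip": {"type": "ip"},
                    "indicator.last_seen": {"type": "date"},
                    "indicator.marking.tlp": {"type": "keyword"},
                    "indicator.modified_at": {"type": "date"},
                    "indicator.name": {"type": "keyword"},
                    "indicator.port": {"type": "long"},
                    "indicator.provider": {"type": "keyword"},
                    "indicator.reference": {"type": "keyword"},
                    "indicator.scanner_stats": {"type": "long"},
                    "indicator.sightings": {"type": "long"},
                    "indicator.type": {"type": "keyword"},
                    "matched.atomic": {"type": "keyword"},
                    "matched.field": {"type": "keyword"},
                    "matched.id": {"type": "keyword"},
                    "matched.index": {"type": "keyword"},
                    "matched.occurred": {"type": "date"},
                    "matched.type": {"type": "keyword"}
                }},
                "threat.matched.indicators": {"type": "keyword"},
                "threat.matched.names": {"type": "keyword"},
                "threat.matched.providers": {"type": "keyword"},
                "threat.matched.types": {"type": "keyword"},
                "tls": {"type": "object"},
                "span.id": {"type": "keyword"},
                "trace.id": {"type": "keyword"},
                "transaction.id": {"type": "keyword"},
                "url": {"type": "object"},
                "url.full": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "url.original": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "url.port": {"type": "long"},
                "user": {"type": "object"},
                "user.id": {"type": "keyword"},
                "user.name": {"type": "keyword"},
                "user.roles": {"type": "keyword"},
                "user_agent": {"type": "object"},
                "user_agent.device.name": {"type": "keyword"},
                "user_agent.name": {"type": "keyword"},
                "user_agent.original": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "user_agent.os.family": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "user_agent.os.full": {"type": "keyword"},
                "user_agent.os.kernel": {"type": "keyword"},
                "user_agent.os.name": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "user_agent.os.platform": {"type": "keyword"},
                "user_agent.os.type": {"type": "keyword"},
                "user_agent.os.version": {"type": "keyword"},
                "user_agent.version": {"type": "keyword"},
                "vlan": {"type": "object"},
                "vlan.id": {"type": "keyword"},
                "vulnerability.category": {"type": "keyword"},
                "vulnerability.classification": {"type": "keyword"},
                "vulnerability.description": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "vulnerability.enumeration": {"type": "keyword"},
                "vulnerability.id": {"type": "keyword"},
                "vulnerability.reference": {"type": "keyword"},
                "vulnerability.report_id": {"type": "keyword"},
                "vulnerability.scanner.vendor": {"type": "keyword"},
                "vulnerability.score.base": {"type": "float"},
                "vulnerability.score.environmental": {"type": "float"},
                "vulnerability.score.temporal": {"type": "float"},
                "vulnerability.score.version": {"type": "keyword", "doc_values": false},
                "vulnerability.severity": {"type": "keyword"},
                "x509": {"type": "object"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws = {
    "template": {
        "mappings": {
            "properties": {
                "SchemaVersion": {"type": "keyword"},
                "apiVersion": {"type": "keyword"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-clientvpn = {
    "template": {
        "settings": {
            "index.refresh_interval": "30s",
            "index.number_of_shards": "1"
        },
        "mappings": {
            "properties": {
                "clientvpn.client-ip": {"type": "ip"},
                "clientvpn.client-vpn-endpoint-id": {"type": "keyword"},
                "clientvpn.common-name": {"type": "keyword"},
                "clientvpn.connection-attempt-failure-reason": {"type": "keyword"},
                "clientvpn.connection-attempt-status": {"type": "keyword"},
                "clientvpn.connection-duration-seconds": {"type": "keyword"},
                "clientvpn.connection-end-time": {"type": "date"},
                "clientvpn.connection-id": {"type": "keyword"},
                "clientvpn.connection-last-update-time": {"type": "date"},
                "clientvpn.connection-log-type": {"type": "keyword"},
                "clientvpn.connection-reset-status": {"type": "keyword"},
                "clientvpn.connection-start-time": {"type": "date"},
                "clientvpn.device-ip": {"type": "ip"},
                "clientvpn.device-type": {"type": "keyword"},
                "clientvpn.egress-bytes": {"type": "long"},
                "clientvpn.egress-packets": {"type": "long"},
                "clientvpn.ingress-bytes": {"type": "long"},
                "clientvpn.ingress-packets": {"type": "long"},
                "clientvpn.port": {"type": "long"},
                "clientvpn.transport-protocol": {"type": "keyword"},
                "clientvpn.username": {"type": "keyword"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-cloudfront = {
    "template": {
        "mappings": {
            "properties": {
                "c_ip": {"type": "ip"},
                "c_port": {"type": "integer"},
                "cs_bytes": {"type": "long"},
                "cs_headers_count": {"type": "short"},
                "date_time": {"type": "date", "format": "yyyy-MM-dd HH:mm:ss||date_optional_time||epoch_millis"},
                "sc-range-end": {"type": "long"},
                "sc-range-start": {"type": "long"},
                "sc_bytes": {"type": "long"},
                "sc_content_len": {"type": "long"},
                "sc_status": {"type": "keyword"},
                "time_taken": {"type": "half_float"},
                "time_to_first_byte": {"type": "half_float"},
                "timestamp": {"type": "date", "format": "epoch_second"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-cloudhsm = {
    "template": {
        "settings": {
            "index.refresh_interval": "30s",
            "index.number_of_shards": "1"
        },
        "mappings": {
            "properties": {
                "cloudhsm.command_type_hex": {"type": "keyword"},
                "cloudhsm.key_handle": {"type": "keyword"},
                "cloudhsm.host_time": {"type": "date_nanos", "format": "MM/dd/yy HH:mm:ss.SSSSSS||strict_date_optional_time_nanos"},
                "cloudhsm.host_time_usec": {"type": "long"},
                "cloudhsm.local_time": {"type": "date_nanos", "format": "MM/dd/yy HH:mm:ss.SSSSSS||strict_date_optional_time_nanos"},
                "cloudhsm.local_time_usec": {"type": "long"},
                "cloudhsm.log_type_code": {"type": "keyword"},
                "cloudhsm.opcode_hex": {"type": "keyword"},
                "cloudhsm.priv_secret_key_handle": {"type": "keyword"},
                "cloudhsm.propagation_delay": {"type": "long"},
                "cloudhsm.public_key_handle": {"type": "keyword"},
                "cloudhsm.reboot_counter": {"type": "long"},
                "cloudhsm.response": {"type": "keyword"},
                "cloudhsm.sequence_no": {"type": "long"},
                "cloudhsm.session_handle": {"type": "keyword"},
                "cloudhsm.timestamp": {"type": "date_nanos", "format": "MM/dd/yy HH:mm:ss.SSSSSS||strict_date_optional_time_nanos"},
                "cloudhsm.timestamp_usec": {"type": "long"},
                "cloudhsm.unknown_field_value": {"type": "keyword"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

# total_fields.limit is raised for CloudTrail's wide requestParameters /
# responseElements objects; ignore_malformed applies here too (see note above).
component_template_log-aws-cloudtrail = {
    "template": {
        "settings": {
            "index.refresh_interval": "30s",
            "index.mapping.total_fields.limit": 8000,
            "index.mapping.ignore_malformed": true
        },
        "mappings": {
            "properties": {
                "additionalEventData.bytesTransferredIn": {"type": "float"},
                "additionalEventData.bytesTransferredOut": {"type": "float"},
                "additionalEventData.vpcEndpointId": {"type": "keyword"},
                "awsRegion": {"type": "keyword"},
                "errorCode": {"type": "keyword"},
                "eventID": {"type": "keyword"},
                "requestParameters.CreateFleetRequest.TagSpecification.Tag.Value": {"type": "keyword"},
                "requestParameters.CreateLaunchTemplateRequest.LaunchTemplateData.TagSpecification.Tag.Value": {"type": "keyword"},
                "requestParameters.CreateLaunchTemplateVersionRequest.LaunchTemplateData.TagSpecification.Tag.Value": {"type": "keyword"},
                "requestParameters.CreateSnapshotsRequest.TagSpecification.Tag.Value": {"type": "keyword"},
                "requestParameters.CreateVpcEndpointRequest.TagSpecification.Tag.Value": {"type": "keyword"},
                "requestParameters.DescribeFlowLogsRequest": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.DescribeLaunchTemplateVersionsRequest.LaunchTemplateVersion.content": {"type": "keyword"},
                "requestParameters.FilterValues": {"type": "keyword"},
                "requestParameters.MaxResults": {"type": "integer"},
                "requestParameters.NotificationConfiguration.QueueConfiguration.Id": {"type": "keyword"},
                "requestParameters.ReplicationConfiguration.Rule.Destination.Account": {"type": "keyword"},
                "requestParameters.ReplicationConfiguration.Rule.Filter": {"type": "keyword"},
                "requestParameters.Tagging.TagSet.Tag.Value": {"type": "keyword"},
                "requestParameters.accountIds": {"type": "keyword"},
                "requestParameters.attribute": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.authParameters": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.bucketPolicy.Statement": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.configuration.text": {"type": "text"},
                "requestParameters.containerOverrides.environment.value": {"type": "keyword"},
                "requestParameters.content": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.disableApiStop": {"type": "boolean", "doc_values": false},
                "requestParameters.disableApiTermination": {"type": "boolean", "doc_values": false},
                "requestParameters.description": {"type": "keyword"},
                "requestParameters.ebsOptimized": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.endTime": {"type": "date", "format": "MMM d, yyyy[,] h:mm:ss a||epoch_millis"},
                "requestParameters.filter": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.groupDescription": {"type": "keyword"},
                "requestParameters.iamInstanceProfile": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.imageId": {"type": "keyword"},
                "requestParameters.instanceType": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.items": {"type": "object"},
                "requestParameters.limit": {"type": "long"},
                "requestParameters.logStreamNamePrefix": {"type": "keyword"},
                "requestParameters.maxItems": {"type": "integer"},
                "requestParameters.maxResults": {"type": "integer"},
                "requestParameters.metrics": {"type": "keyword"},
                "requestParameters.overrides.containerOverrides.environment.value": {"type": "keyword"},
                "requestParameters.parameters": {"type": "object"},
                "requestParameters.partitionInputList": {"type": "text"},
                "requestParameters.principal": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.resourceId": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.result": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.searchExpression.subExpressions.subExpressions.filters.value": {"type": "keyword"},
                "requestParameters.size": {"type": "integer"},
                "requestParameters.sort": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.sortBy": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.source": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.startTime": {"type": "date", "format": "MMM d, yyyy[,] h:mm:ss a||epoch_millis"},
                "requestParameters.status": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.subnets": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.tableInput.parameters": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.tagSpecificationSet.items.tags.value": {"type": "keyword"},
                "requestParameters.tags.value": {"type": "keyword"},
                "requestParameters.target": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "requestParameters.value": {"type": "keyword"},
                "requestParameters.vpc": {"type": "keyword"},
                "responseElements.CreateLaunchTemplateVersionResponse.launchTemplateVersion.launchTemplateData.tagSpecificationSet.item.tagSet.item.value": {"type": "keyword"},
                "responseElements.CreateSnapshotsResponse.snapshotSet.item.tagSet.item.value": {"type": "keyword"},
                "responseElements.CreateVpcEndpointResponse.vpcEndpoint.tagSet.item.value": {"type": "keyword"},
                "responseElements.availabilityZones": {"type": "keyword"},
                "responseElements.createTime": {"type": "date", "format": "epoch_millis||MMM d, yyyy[,] h:mm:ss a"},
                "responseElements.createdDate": {"type": "date", "format": "strict_date_optional_time||MMM d, yyyy[,] h:mm:ss a"},
                "responseElements.dBSubnetGroup": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "responseElements.data": {"type": "keyword"},
                "responseElements.description": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "responseElements.endpoint": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "responseElements.errors.partitionValues": {"type": "keyword"},
                "responseElements.imageId": {"type": "keyword"},
                "responseElements.lastModified": {"type": "date", "format": "strict_date_optional_time||MMM d, yyyy[,] h:mm:ss a"},
                "responseElements.lastUpdatedDate": {"type": "date", "format": "strict_date_optional_time||MMM d, yyyy[,] h:mm:ss a"},
                "responseElements.multiAZ": {"type": "keyword"},
                "responseElements.networkInterface.tagSet.items.value": {"type": "keyword"},
                "responseElements.policy.value": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "responseElements.responseParameters.method.response.header.Access-Control-Allow-Headers": {"type": "keyword"},
                "responseElements.responseParameters.method.response.header.Access-Control-Allow-Methods": {"type": "keyword"},
                "responseElements.responseParameters.method.response.header.Access-Control-Allow-Origin": {"type": "keyword"},
                "responseElements.result": {"type": "keyword", "doc_values": false},
                "responseElements.role": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "responseElements.subnets": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "responseElements.tasks.overrides.containerOverrides.environment.value": {"type": "keyword"},
                "responseElements.version": {"type": "keyword"},
                "serviceEventDetails.eventRequestDetails": {"type": "keyword", "fields": {"text": {"type": "text"}}}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-config = {
    "template": {
        "settings": {
            "index.mapping.total_fields.limit": 3000,
            "index.number_of_shards": "1"
        },
        "mappings": {
            "properties": {
                "awsRegion": {"type": "keyword"},
                "configuration.AWS:AWSComponent.Content": {"type": "nested", "properties": {
                    "InstalledTime": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"}}},
                "configuration.AWS:Application.Content": {"type": "nested", "properties": {
                    "InstalledTime": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"}}},
                "configuration.AWS:ComplianceItem.Content.Association": {"type": "nested", "properties": {
                    "InstalledTime": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"}}},
                "configuration.AWS:ComplianceItem.Content.Patch": {"type": "nested", "properties": {
                    "InstalledTime": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"}}},
                "configuration.AWS:Network.Content": {"type": "nested"},
                "configuration.AWS:WindowsUpdate.Content": {"type": "nested", "properties": {
                    "InstalledTime": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"}}},
                "configuration.CreatedTimestamp": {"type": "date"},
                "configuration.CreationTime": {"type": "date", "format": "date_optional_time||epoch_second||MMM d, yyyy[,] h:mm:ss a"},
                "configuration.EventPattern.source": {"type": "keyword"},
                "configuration.LastModifiedTimestamp": {"type": "date"},
                "configuration.Owner": {"type": "keyword"},
                "configuration.alarmConfigurationUpdatedTimestamp": {"type": "date"},
                "configuration.billingModeSummary.lastUpdateToPayPerRequestDateTime": {"type": "date"},
                "configuration.createTime": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"},
                "configuration.createdDate": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"},
                "configuration.createdTime": {"type": "date"},
                "configuration.creationDate": {"type": "date"},
                "configuration.creationDateTime": {"type": "date"},
                "configuration.creationTime": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"},
                "configuration.creationTimestamp": {"type": "date"},
                "configuration.clusterCreateTime": {"type": "date"},
                "configuration.dateCreated": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"},
                "configuration.dateModified": {"type": "date"},
                "configuration.dateUpdated": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"},
                "configuration.deleteTime": {"type": "date"},
                "configuration.deletionDate": {"type": "date"},
                "configuration.deletionTime": {"type": "date"},
                "configuration.configRuleList": {"type": "nested"},
                "configuration.lastUpdatedDate": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"},
                "configuration.lastUpdatedTime": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"},
                "configuration.metadata.created": {"type": "date"},
                "configuration.provisionedThroughput.lastIncreaseDateTime": {"type": "date"},
                "configuration.rules.statement": {"type": "text"},
                "configuration.serviceSoftwareOptions.automatedUpdateDate": {"type": "date"},
                "configuration.snapshotCreateTime": {"type": "date"},
                "configuration.state": {"type": "keyword"},
                "configuration.state_code": {"type": "keyword"},
                "configurationStateId": {"type": "keyword"},
                "newEvaluationResult.configRuleInvokedTime": {"type": "date"},
                "newEvaluationResult.evaluationResultIdentifier.orderingTimestamp": {"type": "date"},
                "newEvaluationResult.resultRecordedTime": {"type": "date"},
                "notificationCreationTime": {"type": "date"},
                "oldEvaluationResult.configRuleInvokedTime": {"type": "date"},
                "oldEvaluationResult.evaluationResultIdentifier.orderingTimestamp": {"type": "date"},
                "oldEvaluationResult.resultRecordedTime": {"type": "date"},
                "supplementaryConfiguration.StackResourceSummaries": {"type": "nested", "properties": {
                    "lastUpdatedTimestamp": {"type": "date", "format": "date_optional_time||epoch_millis||MMM d, yyyy[,] h:mm:ss a"}}},
                "supplementaryConfiguration.BucketNotificationConfiguration.configurations": {"type": "nested"},
                "supplementaryConfiguration.BucketReplicationConfiguration.rules": {"type": "nested"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-elasticache = {
    "template": {
        "mappings": {
            "properties": {
                "elasticache.CacheClusterId": {"type": "keyword"},
                "elasticache.CacheNodeId": {"type": "keyword"},
                "elasticache.Id": {"type": "keyword"},
                "elasticache.Timestamp": {"type": "date", "format": "epoch_second"},
                "elasticache.Duration_us": {"type": "long"},
                "elasticache.Command": {"type": "keyword"},
                "elasticache.ClientAddress": {"type": "keyword"},
                "elasticache.ClientName": {"type": "keyword"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-elb = {
    "template": {
        "settings": {
            "index.refresh_interval": "30s"
        },
        "mappings": {
            "properties": {
                "backend_ip": {"type": "ip"},
                "backend_port": {"type": "integer"},
                "backend_processing_time": {"type": "half_float"},
                "backend_status_code": {"type": "short"},
                "client_ip": {"type": "ip"},
                "client_port": {"type": "integer"},
                "connection_time": {"type": "integer"},
                "destination_ip": {"type": "ip"},
                "destination_port": {"type": "integer"},
                "elb_status_code": {"type": "short"},
                "http_port": {"type": "integer"},
                "http_version": {"type": "keyword"},
                "matched_rule_priority": {"type": "integer"},
                "received_bytes": {"type": "integer"},
                "request_creation_time": {"type": "date"},
                "request_processing_time": {"type": "half_float"},
                "response_processing_time": {"type": "half_float"},
                "sent_bytes": {"type": "integer"},
                "target_ip": {"type": "ip"},
                "target_port": {"type": "integer"},
                "target_processing_time": {"type": "half_float"},
                "target_status_code": {"type": "short"},
                "timestamp": {"type": "date"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-guardduty = {
    "template": {
        "settings": {
            "index.number_of_shards": "1"
        },
        "mappings": {
            "properties": {
                "description": {"type": "text"},
                "resource.instanceDetails.launchTime": {"type": "date"},
                "resource.instanceDetails.networkInterfaces.privateIpAddress": {"type": "ip"},
                "resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress": {"type": "ip"},
                "resource.instanceDetails.networkInterfaces.publicIp": {"type": "ip"},
                "service.action.awsApiCallAction.remoteIpDetails.geoLocation": {"type": "geo_point"},
                "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4": {"type": "ip"},
                "service.action.awsApiCallAction.remoteIpDetails.ipAddressV6": {"type": "ip"},
                "service.action.awsApiCallAction.remoteIpDetails.organization.asn": {"type": "integer"},
                "service.action.networkConnectionAction.localIpDetails.ipAddressV4": {"type": "ip"},
                "service.action.networkConnectionAction.localPortDetails.port": {"type": "integer"},
                "service.action.networkConnectionAction.remoteIpDetails.geoLocation": {"type": "geo_point"},
                "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4": {"type": "ip"},
                "service.action.networkConnectionAction.remoteIpDetails.organization.asn": {"type": "integer"},
                "service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV4": {"type": "ip"},
                "service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation": {"type": "geo_point"},
                "service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4": {"type": "ip"},
                "service.additionalInfo.apiCalls.firstSeen": {"type": "date"},
                "service.additionalInfo.apiCalls.lastSeen": {"type": "date"},
                "service.additionalInfo.inBytes": {"type": "long"},
                "service.additionalInfo.localPort": {"type": "integer"},
                "service.additionalInfo.newPolicy.maxPasswordAge": {"type": "short"},
                "service.additionalInfo.newPolicy.minimumPasswordLength": {"type": "short"},
                "service.additionalInfo.newPolicy.passwordReusePrevention": {"type": "short"},
                "service.additionalInfo.oldPolicy.maxPasswordAge": {"type": "short"},
                "service.additionalInfo.oldPolicy.minimumPasswordLength": {"type": "short"},
                "service.additionalInfo.oldPolicy.passwordReusePrevention": {"type": "short"},
                "service.additionalInfo.outBytes": {"type": "long"},
                "service.additionalInfo.recentCredentials.ipAddressV4": {"type": "ip"},
                "service.additionalInfo.unusual": {"type": "text"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

# _meta and version were missing here; added to match the other component
# templates so this one is marked as AWS-provided like the rest.
component_template_log-aws-inspector = {
    "template": {
        "settings": {
            "index.number_of_shards": 1
        },
        "mappings": {
            "properties": {
                "inspector.awsAccountId": {"type": "keyword"},
                "inspector.firstObservedAt": {"type": "date", "format": "MMM d, yyyy[,] h:mm:ss a"},
                "inspector.inspectorScore": {"type": "float"},
                "inspector.inspectorScoreDetails.adjustedCvss.score": {"type": "float"},
                "inspector.inspectorScoreDetails.adjustedCvss.version": {"type": "keyword"},
                "inspector.lastObservedAt": {"type": "date", "format": "MMM d, yyyy[,] h:mm:ss a"},
                "inspector.packageVulnerabilityDetails.cvss": {"type": "nested", "properties": {
                    "baseScore": {"type": "float"},
                    "version": {"type": "keyword"}}},
                "inspector.packageVulnerabilityDetails.vulnerablePackages": {"type": "nested"},
                "inspector.updatedAt": {"type": "date", "format": "MMM d, yyyy[,] h:mm:ss a"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-msk = {
    "template": {
        "mappings": {
            "properties": {
                "msk.broker_id": {"type": "keyword"},
                "msk.max_lag": {"type": "long"},
                "msk.message": {"type": "text"},
                "msk.sum_lag": {"type": "long"},
                "msk.time_lag": {"type": "long"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-networkfirewall = {
    "template": {
        "settings": {
            "index.refresh_interval": "10s"
        },
        "mappings": {
            "properties": {
                "event.alert.rev": {"type": "keyword"},
                "event.alert.severity": {"type": "long"},
                "event.alert.signature_id": {"type": "keyword"},
                "event.dest_ip": {"type": "ip"},
                "event.dest_port": {"type": "long"},
                "event.http.length": {"type": "long"},
                "event.netflow.bytes": {"type": "long"},
                "event.netflow.max_ttl": {"type": "long"},
                "event.netflow.min_ttl": {"type": "long"},
                "event.netflow.pkts": {"type": "long"},
                "event.src_ip": {"type": "ip"},
                "event.src_port": {"type": "long"},
                "event.tcp.tcp_flag": {"type": "keyword"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-opensearch = {
    "template": {
        "settings": {
            "index.refresh_interval": "30s"
        },
        "mappings": {
            "properties": {
                "opensearch.audit_format_version": {"type": "keyword"},
                "opensearch.audit_request_body": {"type": "text"},
                "opensearch.audit_request_remote_address": {"type": "ip"},
                "opensearch.audit_trace_shard_id": {"type": "keyword"},
                "opensearch.timestamp": {"type": "date"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-r53resolver = {
    "template": {
        "settings": {
            "index.refresh_interval": "30s"
        },
        "mappings": {
            "properties": {
                "answers": {"type": "object"},
                "query_timestamp": {"type": "date"},
                "srcaddr": {"type": "ip"},
                "srcport": {"type": "integer"},
                "version": {"type": "keyword"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-rds = {
    "template": {
        "settings": {
            "index.refresh_interval": "30s"
        },
        "mappings": {
            "properties": {
                "mysql.lock_time": {"type": "float"},
                "mysql.message": {"type": "text"},
                "mysql.object": {"type": "keyword"},
                "mysql.query": {"type": "text"},
                "mysql.query_id": {"type": "long"},
                "mysql.query_time": {"type": "float"},
                "mysql.retcode": {"type": "keyword"},
                "mysql.source_ip": {"type": "ip"},
                "mysql.thread_id": {"type": "long"},
                "mysql.timestamp": {"type": "date", "format": "date_optional_time||uMMdd [ ]H:m:s||epoch_second||u-MM-dd [ ]H:m:s"},
                "postgresql.duration_ms": {"type": "float"},
                "postgresql.message": {"type": "text"},
                "postgresql.pid": {"type": "integer"},
                "postgresql.query": {"type": "text"},
                "postgresql.session_time_seconds": {"type": "float"},
                "postgresql.source_port": {"type": "integer"},
                "postgresql.thread_id": {"type": "integer"},
                "postgresql.timestamp": {"type": "date", "format": "date_optional_time||epoch_millis||yyyy-MM-dd HH:mm:ss[.SSS]"},
                "rds.cluster_identifier": {"type": "keyword"},
                "rds.database_name": {"type": "keyword"},
                "rds.instance_identifier": {"type": "keyword"},
                "rds.message": {"type": "text"},
                "rds.query": {"type": "text"},
                "rds.query_time": {"type": "float"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
}

component_template_log-aws-s3accesslog = {
    "template": {
        "settings": {
            "index.refresh_interval": "30s"
        },
        "mappings": {
            "properties": {
                "BytesSent": {"type": "integer"},
                "HTTPstatus": {"type": "short"},
                "ObjectSize": {"type": "integer"},
                "RemoteIP": {"type": "ip"},
                "RequestDateTime": {"type": "date", "format": "dd/MMM/yyyy:HH:mm:ss Z"},
                "TotalTime": {"type": "integer"},
                "TurnAroundTime": {"type": "integer"}
            }
        }
    },
    "_meta": {"description": "Provided by AWS. 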
Do not edit"}, "version": 2 } component_template_log-aws-securityhub = { "template": { "settings": { "index.mapping.total_fields.limit": 2000, "index.number_of_shards": 1 }, "mappings" : { "properties": { "ProductFields.aws/inspector/inspectorScore": {"type": "float"}, "ProductFields.aws/inspector/ProductVersion": {"type": "keyword"}, "Vulnerabilities.Cvss.BaseScore": {"type": "float"}, "Vulnerabilities.VulnerablePackages.Epoch": {"type": "date", "format": "epoch_second"}, "Vulnerabilities.VulnerablePackages.Release": {"type": "keyword"}, "Vulnerabilities.VulnerablePackages.Version": {"type": "keyword"} #"ProductFields.aws/guardduty/service/evidence/threatIntelligenceDetails.0_/threatNames": {"type": "keyword","fields": {"text" : {"type" : "text"} }} } } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } component_template_log-aws-vpcflowlogs = { "template": { "settings": { "index.refresh_interval": "30s" }, "mappings" : { "properties": { "account_id": {"type": "keyword"}, "action": {"type": "keyword"}, "bytes": {"type": "integer"}, "dstaddr": {"type": "ip"}, "dstport": {"type": "integer"}, "end": {"type": "date", "format": "epoch_second"}, "instance_id": {"type": "keyword"}, "interface_id": {"type": "keyword"}, "log_status": {"type": "keyword"}, "packets": {"type": "integer"}, "packets_lost_no_route": {"type": "long"}, "packets_lost_blackhole": {"type": "long"}, "packets_lost_mtu_exceeded": {"type": "long"}, "packets_lost_ttl_expired": {"type": "long"}, "protocol": {"type": "short"}, "srcaddr": {"type": "ip"}, "srcport": {"type": "integer"}, "start": {"type": "date", "format": "epoch_second"}, "subnet_id": {"type": "keyword"}, "tcp_flags": {"type": "byte"}, "tgw_src_vpc_account_id": {"type": "keyword"}, "tgw_dst_vpc_account_id": {"type": "keyword"}, "traffic_path": {"type": "keyword"}, "version": {"type": "keyword"}, "vpc_id": {"type": "keyword"} } } }, "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } component_template_log-aws-waf = { "template": { "settings": { "index.refresh_interval": "30s" }, "mappings" : { "properties": { "formatVersion": {"type": "keyword"}, "httpRequest.clientIp": {"type": "ip"}, "httpRequest.header.cache_control": {"type": "keyword"}, "httpRequest.header.content_length": {"type": "keyword"}, "httpRequest.header.dnt": {"type": "keyword"}, "httpRequest.header.host": {"type": "keyword"}, "httpRequest.header.upgrade_insecure_requests": {"type": "keyword"}, "httpRequest.header.user_agent": {"type": "keyword"}, "timestamp": {"type": "date", "format": "epoch_millis"} } } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } component_template_log-aws-workspaces = { "template": { "settings": { "index.number_of_shards": 1 }, "mappings" : { "properties": { "ConnectionStateCheckTimestamp": {"type": "date"}, "LastKnownUserConnectionTimestamp": {"type": "date"}, "clientIpAddress": {"type": "ip"}, "loginTime": {"type": "date"} } } }, "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } component_template_log-aws-trustedadvisor = { "template": { "settings": { "index.number_of_shards": 1 }, "mappings" : { "properties": { "trustedadvisor.check.id": {"type": "keyword"}, "trustedadvisor.check.name": {"type": "keyword"}, "trustedadvisor.check.description": {"type": "text"}, "trustedadvisor.check.category": {"type": "keyword"}, "trustedadvisor.check.metadata": {"type": "keyword"}, "trustedadvisor.check_ja.id": {"type": "keyword"}, "trustedadvisor.check_ja.name": {"type": "keyword"}, "trustedadvisor.check_ja.description": {"type": "text"}, "trustedadvisor.check_ja.category": {"type": "keyword"}, "trustedadvisor.check_ja.metadata": {"type": "keyword"}, "trustedadvisor.creation_date": {"type": "date"}, "trustedadvisor.refreshable": {"type": "boolean", "doc_values": false}, "trustedadvisor.requestid": {"type": "keyword"}, "trustedadvisor.result.checkId": {"type": "keyword"}, "trustedadvisor.result.flaggedResource.isSuppressed": {"type": "boolean", "doc_values": false}, "trustedadvisor.result.flaggedResource.metadata": {"type": "keyword"}, "trustedadvisor.result.flaggedResource.number": {"type": "integer"}, "trustedadvisor.result.flaggedResource.region": {"type": "keyword"}, "trustedadvisor.result.flaggedResource.resourceId": {"type": "keyword"}, "trustedadvisor.result.flaggedResource.status": {"type": "keyword"}, "trustedadvisor.result.flaggedResources.isSuppressed": {"type": "boolean", "doc_values": false}, "trustedadvisor.result.flaggedResources.metadata": {"type": "keyword"}, "trustedadvisor.result.flaggedResources.number": {"type": "integer"}, "trustedadvisor.result.flaggedResources.region": {"type": "keyword"}, "trustedadvisor.result.flaggedResources.resourceId": {"type": "keyword"}, "trustedadvisor.result.flaggedResources.status": {"type": "keyword"}, "trustedadvisor.result.resourcesSummary.resourcesFlagged": {"type": "long"}, "trustedadvisor.result.resourcesSummary.resourcesIgnored": {"type": "long"}, 
"trustedadvisor.result.resourcesSummary.resourcesProcessed": {"type": "long"}, "trustedadvisor.result.resourcesSummary.resourcesSuppressed": {"type": "long"}, "trustedadvisor.result.status": {"type": "keyword"}, "trustedadvisor.result.timestamp": {"type": "date"}, "trustedadvisor.result.categorySpecificSummary.costOptimizing.estimatedMonthlySavings": {"type": "float"}, "trustedadvisor.result.categorySpecificSummary.costOptimizing.estimatedPercentMonthlySavings": {"type": "float"} } } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } component_template_log-linux = { "template": { "settings": { "index.refresh_interval": "30s" }, "mappings" : { "properties": { "syslog_message": {"type": "text"}, "syslog_timestamp": {"type": "keyword"}, "pid": {"type": "integer"} } } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } component_template_log-win = { "template": { "settings": { "index.refresh_interval": "30s" }, "mappings" : { "properties": { "Event.EventData.Data.0": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "Event.EventData.Data.1": {"type": "keyword"}, "Event.EventData.Data.2": {"type": "keyword"}, "Event.EventData.Data.3": {"type": "keyword"}, "Event.EventData.Data.4": {"type": "keyword"}, "Event.EventData.Data.5": {"type": "keyword"}, "Event.EventData.Data.6": {"type": "keyword"}, "Event.EventData.Data.7": {"type": "keyword"}, "Event.EventData.Data.8": {"type": "keyword"}, "Event.EventData.Data.9": {"type": "keyword"}, "Event.EventData.Data.10": {"type": "keyword"}, "Event.EventData.Data.11": {"type": "keyword"}, "Event.EventData.Data.12": {"type": "keyword"}, "Event.EventData.Data.13": {"type": "keyword"}, "Event.EventData.Data.14": {"type": "keyword"}, "Event.EventData.Data.15": {"type": "keyword"}, "Event.EventData.Data.16": {"type": "keyword"}, "Event.EventData.Data.17": {"type": "keyword"}, "Event.EventData.Data.18": {"type": "keyword"}, "Event.EventData.Data.19": {"type": "keyword"}, 
"Event.EventData.Data.20": {"type": "keyword"}, "Event.EventData.Data.AccountExpires": {"type": "keyword"}, "Event.EventData.Data.BitlockerUserInputTime": {"type": "keyword"}, "Event.EventData.Data.ClientCreationTime": {"type": "keyword"}, "Event.EventData.Data.CreationUtcTime": {"type": "keyword"}, "Event.EventData.Data.DestAddress": {"type": "ip"}, "Event.EventData.Data.DestPort": {"type": "integer"}, "Event.EventData.Data.DeviceTime": {"type": "keyword"}, "Event.EventData.Data.IpAddress": {"type": "ip"}, "Event.EventData.Data.IpPort": {"type": "integer"}, "Event.EventData.Data.NewTime": {"type": "keyword"}, "Event.EventData.Data.OldTime": {"type": "keyword"}, "Event.EventData.Data.PasswordLastSet": {"type": "keyword"}, "Event.EventData.Data.PreviousCreationUtcTime": {"type": "keyword"}, "Event.EventData.Data.PreviousTime": {"type": "keyword"}, "Event.EventData.Data.ProcessingTimeInMilliseconds": {"type": "keyword"}, "Event.EventData.Data.SourceAddress": {"type": "ip"}, "Event.EventData.Data.SourcePort": {"type": "integer"}, "Event.EventData.Data.StartTime": {"type": "keyword"}, "Event.EventData.Data.StopTime": {"type": "keyword"}, "Event.EventData.Data.TimeSource": {"type": "keyword"}, "Event.EventData.Data.TimeSourceRefId": {"type": "keyword"}, "Event.RenderingInfo.Message": {"type": "text"}, "Event.System.EventID": {"type": "keyword"}, "Event.System.Execution.ProcessID": {"type": "long"}, "Event.System.Execution.ThreadID": {"type": "long"}, "Event.System.TimeCreated.SystemTime": {"type": "date"} } } }, "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } component_template_metrics-opensearch-index = { "template": { "settings": { "index.number_of_shards": 1, "index.number_of_replicas": 1 }, "mappings": { "properties": { "opensearch.cluster.id": {"type": "keyword"}, "opensearch.cluster.name": {"type": "keyword"}, "opensearch.index.creation.date": {"type": "date"}, "opensearch.index.end_time": {"type": "date"}, "opensearch.index.hidden": {"type": "boolean", "doc_values": false}, "opensearch.index.index_status": {"type": "keyword"}, "opensearch.index.name": {"type": "keyword"}, "opensearch.index.status": {"type": "keyword"}, "opensearch.index.storage_tier": {"type": "keyword"}, "opensearch.index.primaries.docs.count": {"type": "long"}, "opensearch.index.primaries.docs.deleted": {"type": "long"}, "opensearch.index.primaries.indexing.index_time_in_millis": {"type": "long"}, "opensearch.index.primaries.indexing.index_total": {"type": "long"}, "opensearch.index.primaries.indexing.throttle_time_in_millis": {"type": "long"}, "opensearch.index.primaries.merges.total_size_in_bytes": {"type": "long"}, "opensearch.index.primaries.refresh.total_time_in_millis": {"type": "long"}, "opensearch.index.primaries.segments.count": {"type": "long"}, "opensearch.index.primaries.store.size_in_bytes": {"type": "long"}, "opensearch.index.shards.total": {"type": "long"}, "opensearch.index.shards.primaries": {"type": "long"}, "opensearch.index.start_time": {"type": "date"}, "opensearch.index.status": {"type": "keyword"}, "opensearch.index.total.docs.count": {"type": "long"}, "opensearch.index.total.docs.deleted": {"type": "long"}, "opensearch.index.total.fielddata.memory_size_in_bytes": {"type": "long"}, "opensearch.index.total.indexing.index_time_in_millis": {"type": "long"}, "opensearch.index.total.indexing.index_total": {"type": "long"}, "opensearch.index.total.indexing.throttle_time_in_millis": {"type": "long"}, "opensearch.index.total.merges.total_size_in_bytes": {"type": "long"}, 
"opensearch.index.total.refresh.total_time_in_millis": {"type": "long"}, "opensearch.index.total.search.query_time_in_millis": {"type": "long"}, "opensearch.index.total.search.query_total": {"type": "long"}, "opensearch.index.total.segments.count": {"type": "long"}, "opensearch.index.total.segments.doc_values_memory_in_bytes": {"type": "long"}, "opensearch.index.total.segments.fixed_bit_set_memory_in_bytes": {"type": "long"}, "opensearch.index.total.segments.index_writer_memory_in_bytes": {"type": "long"}, "opensearch.index.total.segments.memory_in_bytes": {"type": "long"}, "opensearch.index.total.segments.norms_memory_in_bytes": {"type": "long"}, "opensearch.index.total.segments.points_memory_in_bytes": {"type": "long"}, "opensearch.index.total.segments.stored_fields_memory_in_bytes": {"type": "long"}, "opensearch.index.total.segments.term_vectors_memory_in_bytes": {"type": "long"}, "opensearch.index.total.segments.terms_memory_in_bytes": {"type": "long"}, "opensearch.index.total.segments.version_map_memory_in_bytes": {"type": "long"}, "opensearch.index.total.store.size_in_bytes": {"type": "long"}, "opensearch.index.uuid": {"type": "keyword"}, "opensearch.node.id": {"type": "keyword"}, "opensearch.shard.docs.count": {"type": "long"}, "opensearch.shard.number": {"type": "long"}, "opensearch.shard.primary": {"type": "boolean", "doc_values": false}, "opensearch.shard.source_node.name": {"type": "keyword"}, "opensearch.shard.source_node.uuid": {"type": "keyword"}, "opensearch.shard.state": {"type": "keyword"}, "opensearch.shard.store.size_in_bytes": {"type": "long"} } } }, "_meta": {"description": "Provided by AWS. 
    Do not edit"}, "version": 2
    }
# Elastic Common Schema minimum
# NOTE(review): index.mapping.ignore_malformed=true means a document whose value does not fit
# its mapped type (e.g. a non-IP string sent to an "ip" field) is still indexed, but with that
# field silently dropped, so the event is invisible to searches on that field. Monitor the
# _ignored meta-field at ingest rather than expecting such documents to be rejected.
component_template_ecs_minimum = {
    "template": {
        "settings": {
            "index.refresh_interval" : "2s",
            "index.mapping.ignore_malformed": true,
            "index.max_docvalue_fields_search": 200,
            "index.number_of_shards": 3
        },
        "mappings": {
            # Any string field not listed below is mapped as keyword, not text.
            "dynamic_templates": [{ "strings": { "match_mapping_type": "string", "mapping": {"type": "keyword"} } }],
            "properties": {
                "@id": {"type": "keyword", "doc_values": false},
                "@log_s3bucket": {"type": "keyword"},
                "@log_s3key": {"type": "keyword", "doc_values": false},
                "@log_type": {"type": "keyword"},
                "@message": {"type": "text"},
                "@timestamp": {"type": "date"},
                "agent": {"type": "object"},
                "as": {"type": "object"},
                "base": {"type": "object"},
                "client": {"type": "object"},
                "cloud": {"type": "object"},
                "code_signature": {"type": "object"},
                "container": {"type": "object"},
                "container.labels": {"type": "object"},
                "data_stream": {"type": "object"},
                "destination": {"type": "object"},
                "destination.as.number": {"type": "integer"},
                "destination.as.organization.name": {"type": "keyword"},
                "destination.bytes": {"type": "long"},
                "destination.geo.city_name": {"type": "keyword"},
                "destination.geo.country_iso_code": {"type": "keyword"},
                "destination.geo.country_name": {"type": "keyword"},
                "destination.geo.location": {"type": "geo_point"},
                "destination.ip": {"type": "ip"},
                "destination.nat.ip": {"type": "ip"},
                "destination.nat.port": {"type": "integer"},
                "destination.packets": {"type": "long"},
                "destination.port": {"type": "integer"},
                "dll": {"type": "object"},
                "dns": {"type": "object"},
                "dns.answers": {"type": "object"},
                "dns.answers.ttl": {"type": "long"},
                "dns.header_flags": {"type": "keyword", "doc_values": false},
                "dns.id": {"type": "keyword", "doc_values": false},
                "dns.resolved_ip": {"type": "ip"},
                "ecs": {"type": "object"},
                "elf": {"type": "object"},
                "error": {"type": "object"},
                "error.message": {"type": "text"},
                "event": {"type": "object"},
                "event.category": {"type": "keyword"},
                "event.code":
{"type": "keyword"}, "event.created": {"type": "date"}, "event.duration": {"type": "long"}, "event.end": {"type": "date"}, "event.id": {"type": "keyword"}, "event.ingested": {"type": "date"}, "event.kind": {"type": "keyword"}, "event.outcome": {"type": "keyword"}, "event.risk_score": {"type": "float", "doc_values": false}, "event.risk_score_norm": {"type": "float", "doc_values": false}, "event.sequence": {"type": "long", "doc_values": false}, "event.severity": {"type": "long", "doc_values": false}, "event.start": {"type": "date"}, "event.timezone": {"type": "keyword", "doc_values": false}, "event.type": {"type": "keyword", "doc_values": false}, "file": {"type": "object"}, "geo": {"type": "object"}, "group": {"type": "object"}, "hash": {"type": "object"}, "host": {"type": "object"}, "http": {"type": "object"}, "http.request.body.bytes": {"type": "long"}, "http.request.body.content": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "http.request.bytes": {"type": "long"}, "http.response.body.bytes": {"type": "long"}, "http.response.body.content": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "http.response.bytes": {"type": "long"}, "http.response.status_code": {"type": "short"}, "http.version": {"type": "keyword"}, "interface": {"type": "object"}, "log": {"type": "object"}, "network": {"type": "object"}, "network.bytes": {"type": "integer"}, "network.community_id": {"type": "keyword"}, "network.forwarded_ip": {"type": "ip"}, "network.iana_number": {"type": "short"}, "network.inner": {"type": "object"}, "network.packets": {"type": "long"}, "observer": {"type": "object"}, "orchestrator": {"type": "object"}, "organization": {"type": "object"}, "os": {"type": "object"}, "package": {"type": "object"}, "pe": {"type": "object"}, "process": {"type": "object"}, "registry": {"type": "object"}, "related": {"type": "object"}, "rule": {"type": "object"}, "server": {"type": "object"}, "service": {"type": "object"}, "source": {"type": "object"}, 
"source.address": {"type": "keyword"}, "source.as.number": {"type": "integer"}, "source.as.organization.name": {"type": "keyword"}, "source.bytes": {"type": "long"}, "source.geo.city_name": {"type": "keyword"}, "source.geo.country_iso_code": {"type": "keyword"}, "source.geo.country_name": {"type": "keyword"}, "source.geo.location": {"type": "geo_point"}, "source.ip": {"type": "ip"}, "source.nat.ip": {"type": "ip"}, "source.nat.port": {"type": "integer"}, "source.packets": {"type": "long"}, "source.port": {"type": "integer"}, "threat": {"type": "object"}, "threat.enrichments": {"type": "nested", "properties": { "indicator": {"type": "object"}, "indicator.confidence": {"type": "keyword"}, "indicator.description": {"type": "keyword"}, "indicator.email.address": {"type": "keyword", "doc_values": false}, "indicator.first_seen": {"type": "date"}, "indicator.ip": {"type": "ip"}, "indicator.last_seen": {"type": "date"}, "indicator.marking.tlp": {"type": "keyword"}, "indicator.modified_at": {"type": "date"}, "indicator.name": {"type": "keyword"}, "indicator.port": {"type": "long"}, "indicator.provider": {"type": "keyword"}, "indicator.reference": {"type": "keyword"}, "indicator.scanner_stats": {"type": "long"}, "indicator.sightings": {"type": "long"}, "indicator.type": {"type": "keyword"}, "matched.atomic": {"type": "keyword"}, "matched.field": {"type": "keyword"}, "matched.id": {"type": "keyword"}, "matched.index": {"type": "keyword"}, "matched.occurred": {"type": "date"}, "matched.type": {"type": "keyword"}}}, "threat.matched.indicators": {"type": "keyword"}, "threat.matched.names": {"type": "keyword"}, "threat.matched.providers": {"type": "keyword"}, "threat.matched.types": {"type": "keyword"}, "tls": {"type": "object"}, "url": {"type": "object"}, "url.full": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "url.original": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "url.port": {"type": "long"}, "user": {"type": "object"}, "user.id": {"type": 
"keyword"}, "user.name": {"type": "keyword"}, "user.roles": {"type": "keyword"}, "user_agent": {"type": "object"}, "user_agent.device.name": {"type": "keyword"}, "user_agent.name": {"type": "keyword"}, "user_agent.original": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "user_agent.os.family": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "user_agent.os.full": {"type": "keyword"}, "user_agent.os.kernel": {"type": "keyword"}, "user_agent.os.name": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "user_agent.os.platform": {"type": "keyword"}, "user_agent.os.type": {"type": "keyword"}, "user_agent.os.version": {"type": "keyword"}, "user_agent.version": {"type": "keyword"}, "vlan": {"type": "object"}, "x509": {"type": "object"} } } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 1 } # OCSF v1.0.0-rc3 # https://schema.ocsf.io/1.0.0-rc.3/data_types component_template_log-ocsf = { "template": { "settings": { "index.refresh_interval": "10s", "index.mapping.total_fields.limit": 4000 }, "mappings": { "properties": { # 1.0.0-rc2 only "cloud.account_name": {"type": "keyword"}, "cloud.account_uid": {"type": "keyword"}, "cloud.org_uid": {"type": "keyword"}, "data": {"type": "text"}, "mfa": {"type": "boolean", "doc_values": false}, "activity_name": {"type": "keyword"}, "activity_id": {"type": "integer"}, # 1.0.0-rc3 # Base Category # https://schema.ocsf.io/1.0.0-rc.3/base_event "api.request.flags": {"type": "keyword"}, "api.request.uid": {"type": "keyword"}, "api.response.error": {"type": "keyword"}, "api.response.error_message": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "api.response.flags": {"type": "keyword"}, "api.response.message": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "api.response.code": {"type": "integer"}, "api.operation": {"type": "keyword"}, "api.service.labels": {"type": "keyword"}, "api.service.name": {"type": "keyword"}, "api.service.uid": {"type": "keyword"}, 
"api.service.version": {"type": "keyword"}, "api.version": {"type": "keyword"}, "category_name": {"type": "keyword"}, "category_uid": {"type": "integer"}, "class_name": {"type": "keyword"}, "class_uid": {"type": "integer"}, "cloud.account": {"type": "object", "properties": ${ocsf-schema-core:account} }, "cloud.zone": {"type": "keyword"}, "cloud.org": {"type": "object", "properties": ${ocsf-schema-core:organization} }, "cloud.project_uid": {"type": "keyword"}, "cloud.provider": {"type": "keyword"}, "cloud.region": {"type": "keyword"}, "count": {"type": "integer"}, "duration": {"type": "integer"}, "end_time": {"type": "date", "format": "epoch_millis"}, "end_time_dt": {"type": "date"}, "enrichments.data": {"type": "text"}, "enrichments.name": {"type": "keyword"}, "enrichments.provider": {"type": "keyword"}, "enrichments.type": {"type": "keyword"}, "enrichments.value": {"type": "keyword"}, "time": {"type": "date", "format": "epoch_millis"}, "time_dt": {"type": "date"}, "message": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "metadata": {"type": "object", "properties": ${ocsf-schema-core:metadata} }, "observables.name": {"type": "keyword", "doc_values": false}, "observables.reputation.provider": {"type": "keyword", "doc_values": false}, "observables.reputation.base_score": {"type": "float", "doc_values": false}, "observables.reputation.score": {"type": "keyword", "doc_values": false}, "observables.reputation.score_id": {"type": "integer", "doc_values": false}, "observables.type": {"type": "keyword", "doc_values": false}, "observables.type_id": {"type": "integer", "doc_values": false}, "observables.value": {"type": "keyword", "doc_values": false}, "raw_data": {"type": "text"}, "severity": {"type": "keyword"}, "severity_id": {"type": "integer"}, "start_time": {"type": "date", "format": "epoch_millis"}, "start_time_dt": {"type": "date"}, "status": {"type": "keyword"}, "status_code": {"type": "keyword"}, "status_detail": {"type": "keyword", "doc_values": 
false}, "status_id": {"type": "integer"}, "timezone_offset": {"type": "integer"}, "type_uid": {"type": "integer"}, "type_name": {"type": "keyword"}, "unmapped": {"type": "text"}, # 2001 Security Finding: Security Hub "analytic.category": {"type": "keyword"}, "analytic.desc": {"type": "text"}, "analytic.name": {"type": "keyword"}, "analytic.related_analytics": {"type": "object"}, "analytic.type": {"type": "keyword"}, "analytic.type_id": {"type": "integer"}, "analytic.uid": {"type": "keyword"}, "analytic.version": {"type": "keyword", "doc_values": false}, "attacks": {"type": "object", "properties": ${ocsf-schema-core:attack} }, "cis_csc.control": {"type": "keyword"}, "cis_csc.version": {"type": "keyword"}, "compliance.requirements": {"type": "keyword"}, "compliance.status": {"type": "keyword"}, "compliance.status_detail": {"type": "keyword", "doc_values": false}, "confidence": {"type": "keyword"}, "confidence_id": {"type": "integer"}, "confidence_score": {"type": "integer"}, "data_sources": {"type": "keyword"}, "evidence": {"type": "text"}, "finding.created_time": {"type": "date", "format": "epoch_millis"}, "finding.created_time_dt": {"type": "date"}, "finding.desc": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "finding.first_seen_time": {"type": "date", "format": "epoch_millis"}, "finding.first_seen_time_dt": {"type": "date"}, "finding.last_seen_time": {"type": "date", "format": "epoch_millis"}, "finding.last_seen_time_dt": {"type": "date"}, "finding.modified_time": {"type": "date", "format": "epoch_millis"}, "finding.modified_time_dt": {"type": "date"}, "finding.product_uid": {"type": "keyword"}, "finding.related_events.product_uid": {"type": "keyword"}, "finding.related_events.type": {"type": "keyword"}, "finding.related_events.type_uid": {"type": "integer"}, "finding.related_events.uid": {"type": "keyword"}, "finding.remediation.desc": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "finding.remediation.kb_articles": {"type": "keyword"}, 
"finding.src_url": {"type": "keyword"}, "finding.supporting_data": {"type": "text"}, "finding.title": {"type": "keyword"}, "finding.types": {"type": "keyword"}, "finding.uid": {"type": "keyword"}, "impact": {"type": "keyword"}, "impact_score": {"type": "integer"}, "impact_id": {"type": "integer"}, "kill_chain.phase": {"type": "keyword"}, "kill_chain.phase_id": {"type": "integer"}, "malware": {"type": "object", "properties": ${ocsf-schema-core:malware} }, "nist": {"type": "keyword"}, "process": {"type": "object", "properties": ${ocsf-schema-core:process} }, "resources": {"type": "object", "properties": ${ocsf-schema-core:resource_details} }, "risk_level": {"type": "keyword"}, "risk_level_id": {"type": "integer"}, "risk_score": {"type": "integer"}, "state": {"type": "keyword"}, "state_id": {"type": "integer"}, "vulnerabilities": {"type": "object", "properties": ${ocsf-schema-core:vulnerability} }, # 3001 Authentication: CloudTrail # 3002 Authentication: CloudTrail # 3005 API activity: CloudTrail "actor": {"type": "object", "properties": ${ocsf-schema-core:actor} }, "auth_protocol": {"type": "keyword"}, "auth_protocol_id": {"type": "integer"}, "dst_endpoint": {"type": "object", "properties": ${ocsf-schema-core:network_endpoint} }, "http_request": {"type": "object", "properties": ${ocsf-schema-core:http_request} }, "is_cleartext": {"type": "boolean", "doc_values": false}, "logon_process": {"type": "object", "properties": ${ocsf-schema-core:process} }, "logon_type": {"type": "keyword"}, "logon_type_id": {"type": "integer"}, "is_mfa": {"type": "boolean", "doc_values": false}, "is_new_logon": {"type": "boolean", "doc_values": false}, "is_remote": {"type": "boolean", "doc_values": false}, "session": {"type": "object", "properties": ${ocsf-schema-core:session} }, "src_endpoint": {"type": "object", "properties": ${ocsf-schema-core:network_endpoint} }, "user": {"type": "object", "properties": ${ocsf-schema-core:user} }, "user_result": {"type": "object", "properties": 
    ${ocsf-schema-core:user} },
    # 4001 Network Activity: VPC Flow Logs
    "app_name": {"type": "keyword"},
    "connection_info": {"type": "object", "properties": ${ocsf-schema-core:network_connection_info} },
    "device": {"type": "object", "properties": ${ocsf-schema-core:device} },
    "disposition": {"type": "keyword"},
    "disposition_id": {"type": "integer"},
    "proxy": {"type": "object", "properties": ${ocsf-schema-core:network_proxy} },
    "tls": {"type": "object", "properties": ${ocsf-schema-core:tls} },
    "traffic": {"type": "object", "properties": ${ocsf-schema-core:network_traffic} },
    # 4003 DNS Activity: Route 53 DNS resolver
    "answers": {"type": "object", "properties": ${ocsf-schema-core:dns_answer} },
    # NOTE(review): "query" is mapped with the same dns_answer property set as "answers" above.
    # OCSF models a DNS event's query and its answers as different objects, so confirm that
    # reusing dns_answer here is intentional rather than a copy of the "answers" line.
    "query": {"type": "object", "properties": ${ocsf-schema-core:dns_answer} },
    "query_time": {"type": "date", "format": "epoch_millis"},
    "query_time_dt": {"type": "date"},
    "rcode": {"type": "keyword"},
    "rcode_id": {"type": "integer"},
    "response_time": {"type": "date", "format": "epoch_millis"},
    "response_time_dt": {"type": "date"},
    # custom
    "unmapped_original": {"type": "keyword"}
    } } },
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 3
    }

# Composable index templates. Where index patterns overlap, the higher "priority" wins, so
# the per-source templates (priority 2) take precedence over log-aws_aws (1) and log_aws (0).
[index-templates]
log_aws = {
    "index_patterns": ["log-*"],
    "template": {},
    "priority": 0,
    "composed_of": [ "component_template_log" ],
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
    }
log-aws_aws = {
    "index_patterns": ["log-aws-*"],
    "template": {},
    "priority": 1,
    "composed_of": [ "component_template_log", "component_template_log-aws" ],
    "_meta": {"description": "Provided by AWS. Do not edit"},
    "version": 2
    }
log-aws-clientvpn_aws = {
    "index_patterns": ["log-aws-clientvpn-*"],
    "priority": 2,
    "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-clientvpn"],
    "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } log-aws-cloudfront_aws = { "index_patterns": ["log-aws-cloudfront-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-cloudfront"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-cloudhsm_aws = { "index_patterns": ["log-aws-cloudhsm-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-cloudhsm"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-cloudtrail_aws = { "index_patterns": ["log-aws-cloudtrail-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-cloudtrail"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-config_aws = { "index_patterns": ["log-aws-config-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-config"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-elb_aws = { "index_patterns": ["log-aws-elb-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-elb"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-elasticache_aws = { "index_patterns": ["log-aws-elasticache-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-elasticache"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-guardduty_aws = { "index_patterns": ["log-aws-guardduty-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-guardduty"], "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } log-aws-inspector_aws = { "index_patterns": ["log-aws-inspector-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-inspector" ], "version": 1 } log-aws-msk_aws = { "index_patterns": ["log-aws-msk-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-msk"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-networkfirewall_aws = { "index_patterns": ["log-aws-networkfirewall-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-networkfirewall"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-opensearch_aws = { "index_patterns": ["log-aws-opensearch-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-opensearch"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-r53resolver_aws = { "index_patterns": ["log-aws-r53resolver-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-r53resolver"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-rds_aws = { "index_patterns": ["log-aws-rds-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-rds"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-s3accesslog_aws = { "index_patterns": ["log-aws-s3accesslog-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-s3accesslog"], "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } log-aws-securityhub_aws = { "index_patterns": ["log-aws-securityhub-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-securityhub"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-trustedadvisor_aws = { "index_patterns": ["log-aws-trustedadvisor-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-trustedadvisor"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-vpcflowlogs_aws = { "index_patterns": ["log-aws-vpcflowlogs-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-vpcflowlogs"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-waf_aws = { "index_patterns": ["log-aws-waf-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-waf"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-workspaces_aws = { "index_patterns": ["log-aws-workspaces-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-workspaces"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-linux_aws = { "index_patterns": ["log-linux-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-linux"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-win_aws = { "index_patterns": ["log-win-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-win"], "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } # log-aws-directory-service-* indices also get the non-write alias log-win-aws-directory-service, presumably so they can be queried together with the log-win-* indices that share component_template_log-win log-aws-directory-service_aws = { "index_patterns": ["log-aws-directory-service-*"], "priority": 2, "template": { "aliases": {"log-win-aws-directory-service": {"is_write_index": false}} }, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-win"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } # log-aws-fsx-win-* indices also get the non-write alias log-win-aws-fsx-win (same pattern as log-aws-directory-service above) log-aws-fsx-win_aws = { "index_patterns": ["log-aws-fsx-win-*"], "priority": 2, "template": { "aliases": {"log-win-aws-fsx-win": {"is_write_index": false}} }, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-win"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } # metrics-opensearch-index-* is composed of the log, log-aws and metrics-opensearch-index component templates metrics-opensearch-index_aws = { "index_patterns": ["metrics-opensearch-index-*"], "priority": 2, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_metrics-opensearch-index"], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } # #48: keep the ISM managed-index history indices at one primary shard and one replica ism-history-indices_aws = { "index_patterns": [".opendistro-ism-managed-index-history-*"], "priority": 0, "template": { "settings": { "index.number_of_shards": 1, "index.number_of_replicas": 1}}, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } # #48: keep the alerting alert-history indices at one primary shard and one replica alert-history-indices_aws = { "index_patterns": [".opendistro-alerting-alert-history-*"], "priority": 0, "template": { "settings": { "index.number_of_shards": 1, "index.number_of_replicas": 1}}, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } # same one-shard / one-replica settings for the remaining Open Distro system indices default-opendistro-indices_aws = { "index_patterns": [ ".opendistro-alerting-alerts", ".opendistro-alerting-config", ".opendistro-ism-config", ".opendistro-job-scheduler-lock" ], "priority": 0, "template": { "settings": { "index.number_of_shards": 1, "index.number_of_replicas": 1 }}, "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } log-ocsf_aws = { "index_patterns": ["log-ocsf-*"], "template": { "settings": { "index.max_docvalue_fields_search": 200 } }, "priority": 1, "composed_of": [ "component_template_log", "component_template_log-ocsf" ], "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } [index-rollover] log-aws-clientvpn_rollover = { "index_patterns": ["log-aws-clientvpn-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-clientvpn" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-clientvpn" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-cloudfront_rollover = { "index_patterns": ["log-aws-cloudfront-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-cloudfront" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-cloudfront" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-cloudhsm_rollover = { "index_patterns": ["log-aws-cloudhsm-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-cloudhsm" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-cloudhsm" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-cloudtrail_rollover = { "index_patterns": ["log-aws-cloudtrail-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-cloudtrail" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-cloudtrail" } }, "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } log-aws-config_rollover = { "index_patterns": ["log-aws-config-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-config" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-config" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-directory-service_rollover = { "index_patterns": ["log-aws-directory-service-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-win" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-directory-service" }, "aliases": {"log-win-aws-directory-service": {"is_write_index": false}} }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-elasticache_rollover = { "index_patterns": ["log-aws-elasticache-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-elasticache" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-elasticache" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-elb_rollover = { "index_patterns": ["log-aws-elb-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-elb" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-elb" } }, "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } log-aws-fsx-win_rollover = { "index_patterns": ["log-aws-fsx-win-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-win" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-fsx-win" }, "aliases": {"log-win-aws-fsx-win": {"is_write_index": false}} }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-guardduty_rollover = { "index_patterns": ["log-aws-guardduty-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-guardduty" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-guardduty" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-inspector_rollover = { "index_patterns": ["log-aws-inspector-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-inspector" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-inspector" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-msk_rollover = { "index_patterns": ["log-aws-msk-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-msk" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-msk" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-networkfirewall_rollover = { "index_patterns": ["log-aws-networkfirewall-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-networkfirewall" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-networkfirewall" } }, "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } log-aws-opensearch_rollover = { "index_patterns": ["log-aws-opensearch-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-opensearch" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-opensearch" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-r53resolver_rollover = { "index_patterns": ["log-aws-r53resolver-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-r53resolver" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-r53resolver" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-rds-mysql_rollover = { "index_patterns": ["log-aws-rds-mysql-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-rds" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-rds-mysql" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-rds-postgresql_rollover = { "index_patterns": ["log-aws-rds-postgresql-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-rds" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-rds-postgresql" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-s3accesslog_rollover = { "index_patterns": ["log-aws-s3accesslog-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-s3accesslog" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-s3accesslog" } }, "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } log-aws-securityhub_rollover = { "index_patterns": ["log-aws-securityhub-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-securityhub" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-securityhub" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-trustedadvisor_rollover = { "index_patterns": ["log-aws-trustedadvisor-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-trustedadvisor" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-trustedadvisor" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-vpcflowlogs_rollover = { "index_patterns": ["log-aws-vpcflowlogs-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-vpcflowlogs" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-vpcflowlogs" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-waf_rollover = { "index_patterns": ["log-aws-waf-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-waf" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-waf" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-aws-workspaces_rollover = { "index_patterns": ["log-aws-workspaces-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-aws-workspaces" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-aws-workspaces" } }, "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } log-linux-os_rollover = { "index_patterns": ["log-linux-os-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-linux" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-linux-os" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-linux-secure_rollover = { "index_patterns": ["log-linux-secure-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-linux" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-linux-secure" } }, "_meta": {"description": "Provided by AWS. Do not edit"}, "version": 2 } log-win-event_rollover = { "index_patterns": ["log-win-event-0*"], "priority": 5, "composed_of": [ "component_template_log", "component_template_log-aws", "component_template_log-win" ], "template": { "settings": { "opendistro.index_state_management.rollover_alias": "log-win-event" } }, "_meta": {"description": "Provided by AWS. 
Do not edit"}, "version": 2 } [legacy-index-template] log_aws = { "index_patterns": ["log-*"], "order": 0, "settings": { "index.refresh_interval" : "2s", "index.mapping.ignore_malformed": true, "index.max_docvalue_fields_search": 200, "index.number_of_shards": 3 }, "mappings": { "dynamic_templates": [{ "strings": { "match_mapping_type": "string", "mapping": {"type": "keyword"} } }], "properties": { "@id": {"type": "keyword", "doc_values": false}, "@log_s3bucket": {"type": "keyword"}, "@log_s3key": {"type": "keyword", "doc_values": false}, "@log_type": {"type": "keyword"}, "@message": {"type": "text"}, "cwl_timestamp": {"type": "date", "format": "epoch_millis"}, "cwe_timestamp": {"type": "date"}, "base": {"type": "object"}, "base.labels": {"type": "object"}, "agent": {"type": "object"}, "as": {"type": "object"}, "client": {"type": "object"}, "cloud": {"type": "object"}, "code_signature": {"type": "object"}, "container": {"type": "object"}, "container.image.tag": {"type": "keyword"}, "container.labels": {"type": "object"}, "data_stream": {"type": "object"}, "destination": {"type": "object"}, "destination.as.number": {"type": "integer"}, "destination.as.organization.name": {"type": "keyword"}, "destination.bytes": {"type": "long"}, "destination.geo.city_name": {"type": "keyword"}, "destination.geo.country_iso_code": {"type": "keyword"}, "destination.geo.country_name": {"type": "keyword"}, "destination.geo.location": {"type": "geo_point"}, "destination.ip": {"type": "ip"}, "destination.nat.ip": {"type": "ip"}, "destination.nat.port": {"type": "integer"}, "destination.packets": {"type": "long"}, "destination.port": {"type": "integer"}, "dll": {"type": "object"}, "dns": {"type": "object"}, "dns.answers": {"type": "object"}, "dns.answers.ttl": {"type": "long"}, "dns.id": {"type": "keyword"}, "dns.header_flags": {"type": "keyword"}, "dns.resolved_ip": {"type": "ip"}, "ecs": {"type": "object"}, "elf": {"type": "object"}, "error": {"type": "object"}, "error.message": 
{"type": "text"}, "event": {"type": "object"}, "event.category": {"type": "keyword"}, "event.code": {"type": "keyword"}, "event.created": {"type": "date"}, "event.duration": {"type": "long"}, "event.end": {"type": "date"}, "event.id": {"type": "keyword"}, "event.ingested": {"type": "date"}, "event.kind": {"type": "keyword"}, "event.outcome": {"type": "keyword"}, "event.risk_score": {"type": "float"}, "event.risk_score_norm": {"type": "float"}, "event.sequence": {"type": "long"}, "event.severity": {"type": "long"}, "event.start": {"type": "date"}, "event.timezone": {"type": "keyword"}, "event.type": {"type": "keyword"}, "file": {"type": "object"}, "file.accessed": {"type": "date"}, "file.attributes": {"type": "keyword"}, "file.created": {"type": "date"}, "file.ctime": {"type": "date"}, "file.gid": {"type": "keyword"}, "file.inode": {"type": "keyword"}, "file.mode": {"type": "keyword"}, "file.mtime": {"type": "date"}, "file.size": {"type": "long"}, "file.uid": {"type": "keyword"}, "geo": {"type": "object"}, "group": {"type": "object"}, "group.id": {"type": "keyword"}, "hash": {"type": "object"}, "host": {"type": "object"}, "host.disk.read.bytes": {"type": "long"}, "host.disk.write.bytes": {"type": "long"}, "host.hostname": {"type": "keyword"}, "host.id": {"type": "keyword"}, "host.ip": {"type": "ip"}, "host.mac": {"type": "keyword"}, "host.network.egress.bytes": {"type": "long"}, "host.network.egress.packets": {"type": "long"}, "host.network.ingress.bytes": {"type": "long"}, "host.network.ingress.packets": {"type": "long"}, "host.uptime": {"type": "long"}, "http": {"type": "object"}, "http.request.body.bytes": {"type": "long"}, "http.request.body.content": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "http.request.bytes": {"type": "long"}, "http.response.body.bytes": {"type": "long"}, "http.response.body.content": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "http.response.bytes": {"type": "long"}, "http.response.status_code": {"type": 
"short"}, "http.version": {"type": "keyword"}, "interface": {"type": "object"}, "interface.alias": {"type": "keyword"}, "interface.id": {"type": "keyword"}, "interface.name": {"type": "keyword"}, "log": {"type": "object"}, "log.level": {"type": "keyword"}, "log.origin.file.line": {"type": "long"}, "log.syslog": {"type": "object"}, "log.syslog.facility.code": {"type": "long"}, "log.syslog.priority": {"type": "long"}, "log.syslog.severity.code": {"type": "long"}, "network": {"type": "object"}, "network.bytes": {"type": "integer"}, "network.community_id": {"type": "keyword"}, "network.forwarded_ip": {"type": "ip"}, "network.iana_number": {"type": "short"}, "network.inner": {"type": "object"}, "network.packets": {"type": "long"}, "observer": {"type": "object"}, "observer.ip": {"type": "ip"}, "observer.mac": {"type": "keyword"}, "observer.serial_number": {"type": "keyword"}, "observer.version": {"type": "keyword"}, "orchestrator": {"type": "object"}, "organization": {"type": "object"}, "organization.id": {"type": "keyword"}, "os": {"type": "object"}, "os.family": {"type": "keyword"}, "os.full": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "os.kernel": {"type": "keyword"}, "os.name": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "os.platform": {"type": "keyword"}, "os.type": {"type": "keyword"}, "os.version": {"type": "keyword"}, "package": {"type": "object"}, "pe": {"type": "object"}, "process": {"type": "object"}, "process.args": {"type": "keyword"}, "process.args_count": {"type": "long"}, "process.command_line": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "process.entity_id": {"type": "keyword"}, "process.exit_code": {"type": "long"}, "process.pgid": {"type": "long"}, "process.pid": {"type": "long"}, "process.ppid": {"type": "long"}, "process.start": {"type": "date"}, "process.thread.id": {"type": "long"}, "process.uptime": {"type": "long"}, "registry": {"type": "object"}, "related": {"type": "object"}, "related.hash": 
{"type": "keyword"}, "related.hosts": {"type": "keyword"}, "related.ip": {"type": "ip"}, "related.user": {"type": "keyword"}, "rule": {"type": "object"}, "rule.author": {"type": "keyword"}, "rule.category": {"type": "keyword"}, "rule.description": {"type": "keyword"}, "rule.id": {"type": "keyword"}, "rule.uuid": {"type": "keyword"}, "rule.version": {"type": "keyword"}, "server": {"type": "object"}, "service": {"type": "object"}, "service.ephemeral_id": {"type": "keyword"}, "service.id": {"type": "keyword"}, "service.version": {"type": "keyword"}, "source": {"type": "object"}, "source.address": {"type": "keyword"}, "source.as.number": {"type": "integer"}, "source.as.organization.name": {"type": "keyword"}, "source.bytes": {"type": "long"}, "source.geo.city_name": {"type": "keyword"}, "source.geo.country_iso_code": {"type": "keyword"}, "source.geo.country_name": {"type": "keyword"}, "source.geo.location": {"type": "geo_point"}, "source.ip": {"type": "ip"}, "source.nat.ip": {"type": "ip"}, "source.nat.port": {"type": "integer"}, "source.packets": {"type": "long"}, "source.port": {"type": "integer"}, "threat": {"type": "object"}, "threat.enrichments": {"type": "nested", "properties": { "indicator": {"type": "object"}, "indicator.confidence": {"type": "keyword"}, "indicator.description": {"type": "keyword"}, "indicator.email.address": {"type": "keyword"}, "indicator.first_seen": {"type": "date"}, "indicator.ip": {"type": "ip"}, "indicator.last_seen": {"type": "date"}, "indicator.marking.tlp": {"type": "keyword"}, "indicator.modified_at": {"type": "date"}, "indicator.name": {"type": "keyword"}, "indicator.port": {"type": "long"}, "indicator.provider": {"type": "keyword"}, "indicator.reference": {"type": "keyword"}, "indicator.scanner_stats": {"type": "long"}, "indicator.sightings": {"type": "long"}, "indicator.type": {"type": "keyword"}, "matched.atomic": {"type": "keyword"}, "matched.field": {"type": "keyword"}, "matched.id": {"type": "keyword"}, "matched.index": 
{"type": "keyword"}, "matched.occurred": {"type": "date"}, "matched.type": {"type": "keyword"}}}, "threat.matched.indicators": {"type": "keyword"}, "threat.matched.names": {"type": "keyword"}, "threat.matched.providers": {"type": "keyword"}, "threat.matched.types": {"type": "keyword"}, "tls": {"type": "object"}, "span.id": {"type": "keyword"}, "trace.id": {"type": "keyword"}, "transaction.id": {"type": "keyword"}, "url": {"type": "object"}, "url.full": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "url.original": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "url.port": {"type": "long"}, "user": {"type": "object"}, "user.id": {"type": "keyword"}, "user.name": {"type": "keyword"}, "user.roles": {"type": "keyword"}, "user_agent": {"type": "object"}, "user_agent.device.name": {"type": "keyword"}, "user_agent.name": {"type": "keyword"}, "user_agent.original": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "user_agent.os.family": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "user_agent.os.full": {"type": "keyword"}, "user_agent.os.kernel": {"type": "keyword"}, "user_agent.os.name": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "user_agent.os.platform": {"type": "keyword"}, "user_agent.os.type": {"type": "keyword"}, "user_agent.os.version": {"type": "keyword"}, "user_agent.version": {"type": "keyword"}, "vlan": {"type": "object"}, "vlan.id": {"type": "keyword"}, "vulnerability.category": {"type": "keyword"}, "vulnerability.classification": {"type": "keyword"}, "vulnerability.description": {"type": "keyword", "fields": {"text": {"type": "text"}}}, "vulnerability.enumeration": {"type": "keyword"}, "vulnerability.id": {"type": "keyword"}, "vulnerability.reference": {"type": "keyword"}, "vulnerability.report_id": {"type": "keyword"}, "vulnerability.scanner.vendor": {"type": "keyword"}, "vulnerability.score.base": {"type": "float"}, "vulnerability.score.environmental": {"type": "float"}, 
"vulnerability.score.temporal": {"type": "float"}, "vulnerability.score.version": {"type": "keyword"}, "vulnerability.severity": {"type": "keyword"}, "x509": {"type": "object"} } } } [deleted-old-index-template] # log_aws = None log-aws_aws = None log-aws-cloudfront_aws = None log-aws-cloudtrail_aws = None log-aws-directory-service_aws = None log-aws-elb_aws = None log-aws-fsx-win_aws = None log-aws-guardduty_aws = None log-aws-msk_aws = None log-aws-networkfirewall_aws = None log-aws-r53resolver_aws = None log-aws-rds_aws = None log-aws-s3accesslog_aws = None log-aws-securityhub_aws = None log-aws-vpcflowlogs_aws = None log-aws-waf_aws = None log-aws-workspaces_aws = None log-linux_aws = None log-linux-secure_aws = None log-win_aws = None log-aws-cloudfront_rollover = None log-aws-cloudtrail_rollover = None log-aws-directory-service_rollover = None log-aws-elb_rollover = None log-aws-fsx-win_rollover = None log-aws-guardduty_rollover = None log-aws-msk_rollover = None log-aws-r53resolver_rollover = None log-aws-rds_rollover = None log-aws-s3accesslog_rollover = None log-aws-securityhub_rollover = None log-aws-vpcflowlogs_rollover = None log-aws-waf_rollover = None log-aws-workspaces_rollover = None log-linux-os_rollover = None log-linux-secure_rollover = None log-win-event_rollover = None ism-history-indices_aws = None alert-history-indices_aws = None [ocsf-schema-core] # OCSF v1.0.0-rc3 # https://schema.ocsf.io/1.0.0-rc.3/objects/account account = { "name": {"type": "keyword"}, "type": {"type": "keyword"}, "type_id": {"type": "integer"}, "uid": {"type": "keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/actor actor = { "authorizations.decision": {"type": "keyword"}, "authorizations.policy": {"type": "object", "properties": ${policy} }, "idp.name": {"type": "keyword"}, "idp.uid": {"type": "keyword", "doc_values": false}, "invoked_by": {"type": "keyword"}, "process": {"type": "object", "properties": ${process} }, "session": {"type": "object", "properties": 
${session} }, "user": {"type": "object", "properties": ${user} } } # https://schema.ocsf.io/1.0.0-rc.3/objects/attack attack = { "tactics.name": {"type": "keyword"}, "tactics.uid": {"type": "keyword"}, "technique.name": {"type": "keyword"}, "technique.uid": {"type": "keyword"}, "version": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/certificate certificate = { "serial_number": {"type": "keyword", "doc_values": false}, "created_time": {"type": "date", "format": "epoch_millis"}, "created_time_dt": {"type": "date"}, "expiration_time": {"type": "date", "format": "epoch_millis"}, "expiration_time_dt": {"type": "date"}, "fingerprints": {"type": "object", "properties": ${fingerprint} }, "issuer": {"type": "keyword"}, "subject": {"type": "keyword"}, "version": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/container container = { "hash": {"type": "object", "properties": ${fingerprint} }, "image": {"type": "object", "properties": ${image} }, "tag": {"type": "keyword", "doc_values": false}, "name": {"type": "keyword"}, "network_driver": {"type": "keyword"}, "orchestrator": {"type": "keyword"}, "pod_uuid": {"type": "keyword", "doc_values": false}, "runtime": {"type": "keyword"}, "size": {"type": "long"}, "uid": {"type": "keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/digital_signature digital_signature = { "algorithm": {"type": "keyword"}, "algorithm_id": {"type": "integer"}, "certificate": {"type": "object", "properties": ${certificate} }, "created_time": {"type": "date", "format": "epoch_millis"}, "created_time_dt": {"type": "date"}, "developer_uid": {"type": "keyword", "doc_values": false}, "digest": {"type": "object", "properties": ${fingerprint} } } # https://schema.ocsf.io/1.0.0-rc.3/objects/dns_answer dns_answer = { "flag_ids": {"type": "integer"}, "flags": {"type": "keyword"}, "rdata": {"type": "keyword"}, "packet_uid": {"type": "integer"}, "class": {"type": "keyword"}, "type": 
{"type": "keyword"}, "ttl": {"type": "integer"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/dns_query dns_query = { "opcode": {"type": "keyword"}, "opcode_id": {"type": "integer"}, "hostname": {"type": "keyword"}, "packet_uid": {"type": "integer"}, "class": {"type": "keyword"}, "type": {"type": "keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/cve cve = { "uid": {"type": "keyword"}, "cvss": {"type": "object", "properties": ${cvss} }, "cwe_uid": {"type": "keyword"}, "cwe_url": {"type": "keyword", "doc_values": false}, "product": {"type": "object", "properties": ${product} }, "created_time": {"type": "date", "format": "epoch_millis"}, "created_time_dt": {"type": "date"}, "modified_time": {"type": "date", "format": "epoch_millis"}, "modified_time_dt": {"type": "date"}, "type": {"type": "keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/cvss cvss = { "base_score": {"type": "float"}, "depth": {"type": "keyword"}, "metrics": {"type": "keyword", "doc_values": false}, "overall_score": {"type": "float"}, "severity": {"type": "keyword"}, "vector_string": {"type": "keyword"}, "version": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/fingerprint fingerprint = { "algorithm": {"type": "keyword", "doc_values": false}, "algorithm_id": {"type": "integer", "doc_values": false}, "value": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/device device = { "uid_alt": {"type": "keyword"}, "autoscale_uid": {"type": "keyword"}, "is_compliant": {"type": "boolean", "doc_values": false}, "created_time_dt": {"type": "date"}, "created_time": {"type": "date", "format": "epoch_millis"}, "desc": {"type": "keyword", "doc_values": false}, "domain": {"type": "keyword"}, "first_seen_time_dt": {"type": "date"}, "first_seen_time": {"type": "date", "format": "epoch_millis"}, "location": {"type": "object", "properties": ${location} }, "groups": {"type": "object", "properties": ${group} }, "hw_info": {"type": 
"object", "properties": ${device_hw_info} }, "hostname": {"type": "keyword"}, "hypervisor": {"type": "keyword", "doc_values": false}, "imei": {"type": "keyword", "doc_values": false}, "ip": {"type": "ip"}, "image": {"type": "object", "properties": ${image} }, "instance_uid": {"type": "keyword"}, "last_seen_time_dt": {"type": "date"}, "last_seen_time": {"type": "date", "format": "epoch_millis"}, "mac": {"type": "keyword", "doc_values": false}, "is_managed": {"type": "boolean", "doc_values": false}, "modified_time_dt": {"type": "date"}, "modified_time": {"type": "date", "format": "epoch_millis"}, "name": {"type": "keyword"}, "interface_uid": {"type": "keyword", "doc_values": false}, "interface_name": {"type": "keyword", "doc_values": false}, "network_interfaces": {"type": "object", "properties": ${network_interface} }, "os": {"type": "object", "properties": ${os} }, "org": {"type": "object", "properties": ${organization} }, "is_personal": {"type": "boolean", "doc_values": false}, "region": {"type": "keyword"}, "risk_level": {"type": "keyword"}, "risk_level_id": {"type": "integer"}, "risk_score": {"type": "integer"}, "subnet": {"type": "keyword"}, "subnet_uid": {"type": "keyword"}, "is_trusted": {"type": "boolean", "doc_values": false}, "type": {"type": "keyword"}, "type_id": {"type": "integer"}, "uid": {"type": "keyword"}, "vlan_uid": {"type": "keyword"}, "vpc_uid": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/device_hw_info device_hw_info = { "bios_date": {"type": "keyword", "doc_values": false}, "bios_manufacturer": {"type": "keyword", "doc_values": false}, "bios_ver": {"type": "keyword", "doc_values": false}, "cpu_bits": {"type": "integer", "doc_values": false}, "cpu_cores": {"type": "integer", "doc_values": false}, "cpu_count": {"type": "integer", "doc_values": false}, "chassis": {"type": "keyword", "doc_values": false}, "desktop_display": {"type": "object", "properties": ${display} }, "keyboard_info": {"type": "object", 
"properties": ${keyboard_info} }, "cpu_speed": {"type": "integer", "doc_values": false}, "cpu_type": {"type": "keyword", "doc_values": false}, "ram_size": {"type": "integer", "doc_values": false}, "serial_number": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/display display = { "color_depth": {"type": "integer", "doc_values": false}, "physical_height": {"type": "integer", "doc_values": false}, "physical_orientation": {"type": "integer", "doc_values": false}, "physical_width": {"type": "integer", "doc_values": false}, "scale_factor": {"type": "integer", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/file file = { "accessed_time": {"type": "date", "format": "epoch_millis"}, "accessed_time_dt": {"type": "date"}, "accessor": {"type": "object", "properties": ${user} }, "attributes": {"type": "integer", "doc_values": false}, "company_name": {"type": "keyword", "doc_values": false}, "confidentiality": {"type": "keyword", "doc_values": false}, "confidentiality_id": {"type": "integer", "doc_values": false}, "created_time": {"type": "date", "format": "epoch_millis"}, "created_time_dt": {"type": "date"}, "creator": {"type": "object", "properties": ${user} }, "desc": {"type": "keyword", "doc_values": false}, "signature": {"type": "object", "properties": ${digital_signature} }, "xattributes": {"type": "object"}, "hashes": {"type": "object", "properties": ${fingerprint} }, "mime_type": {"type": "keyword"}, "modified_time": {"type": "date", "format": "epoch_millis"}, "modified_time_dt": {"type": "date"}, "modifier": {"type": "object", "properties": ${user} }, "name": {"type": "keyword"}, "owner": {"type": "object", "properties": ${user} }, "parent_folder": {"type": "keyword"}, "path": {"type": "keyword"}, "product": {"type": "object", "properties": ${product} }, "security_descriptor": {"type": "keyword"}, "size": {"type": "long"}, "is_system": {"type": "boolean", "doc_values": false}, "type": {"type": "keyword"}, 
"type_id": {"type": "integer"}, "uid": {"type": "keyword"}, "version": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/image image = { "tag": {"type": "keyword", "doc_values": false}, "labels": {"type": "keyword", "doc_values": false}, "name": {"type": "keyword", "doc_values": false}, "path": {"type": "keyword", "doc_values": false}, "uid": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/keyboard_info keyboard_info = { "function_keys": {"type": "integer", "doc_values": false}, "ime": {"type": "keyword", "doc_values": false}, "keyboard_layout": {"type": "keyword", "doc_values": false}, "keyboard_subtype": {"type": "integer", "doc_values": false}, "keyboard_type": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/location location = { "city": {"type": "keyword"}, "continent": {"type": "keyword"}, "coordinates": {"type": "geo_point"}, "country": {"type": "keyword"}, "desc": {"type": "keyword", "doc_values": false}, "isp": {"type": "keyword"}, "is_on_premises": {"type": "boolean", "doc_values": false}, "postal_code": {"type": "keyword", "doc_values": false}, "provider": {"type": "keyword"}, "region": {"type": "keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/group group = { "type": {"type": "keyword"}, "desc": {"type": "keyword", "doc_values": false}, "name": {"type": "keyword"}, "privileges": {"type": "keyword"}, "uid": {"type": "keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/http_request http_request = { "args": {"type": "keyword"}, "http_headers.name": {"type": "keyword"}, "http_headers.value": {"type": "keyword"}, "http_method": {"type": "keyword"}, "referrer": {"type": "keyword"}, "user_agent": {"type": "keyword"}, "version": {"type": "keyword", "doc_values": false}, "url": {"type": "object", "properties": ${url} }, "uid": {"type": "keyword"}, "x_forwarded_for": {"type": "ip"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/malware 
malware = { "cves": {"type": "object", "properties": ${cve} }, "classification_ids": {"type": "integer"}, "classification": {"type": "keyword"}, "name": {"type": "keyword"}, "path": {"type": "keyword"}, "provider": {"type": "keyword"}, "uid": {"type": "keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/metadata metadata = { "correlation_uid": {"type": "keyword"}, "event_code": {"type": "keyword"}, "uid": {"type": "keyword"}, "labels": {"type": "keyword"}, "log_name": {"type": "keyword"}, "log_provider": {"type": "keyword"}, "log_version": {"type": "keyword", "doc_values": false}, "logged_time": {"type": "date", "format": "epoch_millis"}, "logged_time_dt": {"type": "date"}, "modified_time": {"type": "date", "format": "epoch_millis"}, "modified_time_dt": {"type": "date"}, "original_time": {"type": "keyword", "doc_values": false}, "processed_time": {"type": "date", "format": "epoch_millis"}, "processed_time_dt": {"type": "date"}, "product": {"type": "object", "properties": ${product} }, "profiles": {"type": "keyword"}, "extension.name": {"type": "keyword", "doc_values": false}, "extension.uid": {"type": "keyword", "doc_values": false}, "extension.version": {"type": "keyword", "doc_values": false}, "sequence": {"type": "integer"}, "version": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/network_connection_info network_connection_info = { "boundary": {"type": "keyword"}, "boundary_id": {"type": "integer"}, "uid": {"type": "keyword", "doc_values": false}, "direction": {"type": "keyword"}, "direction_id": {"type": "integer"}, "protocol_ver": {"type": "keyword"}, "protocol_ver_id": {"type": "integer"}, "protocol_name": {"type": "keyword"}, "protocol_num": {"type": "integer"}, "tcp_flags": {"type": "integer"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/network_interface network_interface = { "hostname": {"type": "keyword"}, "ip": {"type": "ip"}, "mac": {"type": "keyword", "doc_values": false}, "name": {"type": "keyword"}, 
"namespace": {"type": "keyword", "doc_values": false}, "type": {"type": "keyword"}, "type_id": {"type": "integer"}, "uid": {"type": "keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/network_endpoint network_endpoint = { "domain": {"type": "keyword"}, "location": {"type": "object", "properties": ${location} }, "hostname": {"type": "keyword"}, "ip": {"type": "ip"}, "instance_uid": {"type": "keyword"}, "intermediate_ips": {"type": "ip"}, "mac": {"type": "keyword"}, "name": {"type": "keyword"}, "interface_uid": {"type": "keyword"}, "interface_name": {"type": "keyword"}, "port": {"type": "integer"}, "svc_name": {"type": "keyword"}, "subnet_uid": {"type": "keyword"}, "uid": {"type": "keyword"}, "vlan_uid": {"type": "keyword"}, "vpc_uid": {"type": "keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/network_proxy network_proxy = ${network_endpoint} # https://schema.ocsf.io/1.0.0-rc.3/objects/network_traffic network_traffic = { "bytes_in": {"type": "long"}, "bytes_out": {"type": "long"}, "packets_in": {"type": "long"}, "packets_out": {"type": "long"}, "bytes": {"type": "long"}, "packets": {"type": "long"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/organization organization = { "name": {"type": "keyword"}, "ou_uid": {"type": "keyword"}, "ou_name": {"type": "keyword"}, "uid": {"type": "keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/os os = { "cpu_bits": {"type": "integer"}, "country": {"type": "keyword"}, "lang": {"type": "keyword", "doc_values": false}, "name": {"type": "keyword"}, "build": {"type": "keyword", "doc_values": false}, "edition": {"type": "keyword", "doc_values": false}, "sp_name": {"type": "keyword", "doc_values": false}, "sp_ver": {"type": "integer", "doc_values": false}, "type": {"type": "keyword", "doc_values": false}, "type_id": {"type": "integer", "doc_values": false}, "version": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/package package = { "architecture": {"type": "keyword"}, "epoch": 
{"type": "integer", "doc_values": false}, "name": {"type": "keyword"}, "license": {"type": "keyword", "doc_values": false}, "release": {"type": "keyword", "doc_values": false}, "version": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/policy policy = { "architecture": {"type": "keyword", "doc_values": false}, "epoch": {"type": "integer", "doc_values": false}, "name": {"type": "keyword", "doc_values": false}, "license": {"type": "keyword", "doc_values": false}, "release": {"type": "keyword", "doc_values": false}, "version": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/process process = { "auid": {"type": "integer", "doc_values": false}, "cmd_line": {"type": "keyword", "doc_values": false}, "container": {"type": "object", "properties": ${container} }, "created_time": {"type": "date", "format": "epoch_millis"}, "created_time_dt": {"type": "date"}, "egid": {"type": "integer", "doc_values": false}, "euid": {"type": "integer", "doc_values": false}, "xattributes": {"type": "object"}, "file": {"type": "object", "properties": ${file} }, "group": {"type": "object", "properties": ${group} }, "integrity": {"type": "keyword"}, "integrity_id": {"type": "integer"}, "lineage": {"type": "keyword", "doc_values": false}, "loaded_modules": {"type": "keyword"}, "name": {"type": "keyword"}, "namespace_pid": {"type": "integer", "doc_values": false}, "parent_process": {"type": "object"}, "pid": {"type": "integer", "doc_values": false}, "sandbox": {"type": "keyword", "doc_values": false}, "session": {"type": "object", "properties": ${session} }, "terminated_time": {"type": "date", "format": "epoch_millis"}, "terminated_time_dt": {"type": "date"}, "tid": {"type": "integer", "doc_values": false}, "uid": {"type": "keyword", "doc_values": false}, "user": {"type": "object", "properties": ${user} } } # https://schema.ocsf.io/1.0.0-rc.3/objects/product product = { "feature.name": {"type": "keyword"}, "feature.uid": 
{"type": "keyword", "doc_values": false}, "feature.version": {"type": "keyword", "doc_values": false}, "lang": {"type": "keyword", "doc_values": false}, "name": {"type": "keyword"}, "path": {"type": "keyword", "doc_values": false}, "uid": {"type": "keyword", "doc_values": false}, "vendor_name": {"type": "keyword", "doc_values": false}, "version": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/resource_details resource_details = { "cloud_partition": {"type": "keyword", "doc_values": false}, "criticality": {"type": "keyword", "doc_values": false}, "data": {"type": "keyword", "doc_values": false}, "group": {"type": "object", "properties": ${group} }, "labels": {"type": "keyword", "doc_values": false}, "name": {"type": "keyword", "doc_values": false}, "owner": {"type": "object", "properties": ${user} }, "region": {"type": "keyword", "doc_values": false}, "type": {"type": "keyword", "doc_values": false}, "uid": {"type": "keyword", "doc_values": false}, "version": {"type": "keyword", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/session session = { # 1.0.0-rc2 only "mfa": {"type": "boolean", "doc_values": false}, # 1.0.0-rc3 "created_time": {"type": "date", "format": "epoch_millis"}, "created_time_dt": {"type": "date"}, "expiration_time": {"type": "date", "format": "epoch_millis"}, "expiration_time_dt": {"type": "date"}, "issuer": {"type": "keyword"}, "is_remote": {"type": "boolean", "doc_values": false}, "uuid": {"type": "keyword", "doc_values": false}, "uid": {"type": "keyword"}, "credential_uid": {"type": "keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/tls tls = { "certificate": {"type": "object", "properties": ${certificate} }, "certificate_chain": {"type": "keyword", "doc_values": false}, "cipher": {"type": "keyword"}, "client_ciphers": {"type": "keyword"}, "alert": {"type": "integer"}, "extension_list.data": {"type": "keyword"}, "extension_list.type": {"type": "keyword"}, 
"extension_list.type_id": {"type": "integer"}, "handshake_dur": {"type": "integer"}, "ja3_hash": {"type": "object", "properties": ${fingerprint} }, "ja3s_hash": {"type": "object", "properties": ${fingerprint} }, "key_length": {"type": "integer"}, "server_ciphers": {"type": "keyword"}, "sni": {"type": "keyword"}, "sans.name": {"type": "keyword", "doc_values": false}, "sans.type": {"type": "keyword", "doc_values": false}, "version": {"type": "integer", "doc_values": false} } # https://schema.ocsf.io/1.0.0-rc.3/objects/url url = { # 1.0.0-rc2 only "text": {"type": "keyword"}, # 1.0.0-rc3 "account_type": {"type": "keyword", "doc_values": false}, "query_string": {"type": "keyword", "doc_values": false}, "hostname": {"type": "keyword"}, "path": {"type": "keyword"}, "port": {"type": "integer"}, "resource_type": {"type": "keyword"}, "scheme": {"type": "keyword"}, "subdomain": {"type": "keyword"}, "url_string": {"type": "keyword", "doc_values": false}, "categories": {"type": "keyword", "doc_values": false}, "category_ids": {"type": "integer"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/user user = { # 1.0.0-rc2 only "account_type": {"type": "keyword", "doc_values": false}, "account_type_id": {"type": "integer", "doc_values": false}, "account_uid": {"type": "keyword", "doc_values": false}, "org_uid": {"type": "keyword", "doc_values": false}, "uuid": {"type": "keyword", "doc_values": false}, # 1.0.0-rc3 "account": {"type": "object", "properties": ${account} }, "uid_alt": {"type": "keyword", "doc_values": false}, "domain": {"type": "keyword", "doc_values": false}, "email_addr": {"type": "keyword", "doc_values": false}, "full_name": {"type": "keyword", "doc_values": false}, "groups": {"type": "object", "properties": ${group} }, "name": {"type": "keyword"}, "org": {"type": "object", "properties": ${organization} }, "type": {"type": "keyword", "doc_values": false}, "type_id": {"type": "integer", "doc_values": false}, "uid": {"type": "keyword"}, "credential_uid": {"type": 
"keyword"} } # https://schema.ocsf.io/1.0.0-rc.3/objects/vulnerability vulnerability = { "cve": {"type": "object", "properties": ${cve} }, "desc": {"type": "text"}, "fix_available": {"type": "boolean", "doc_values": false}, "kb_articles": {"type": "keyword", "doc_values": false}, "references": {"type": "keyword", "doc_values": false}, "related_vulnerabilities": {"type": "keyword"}, "severity": {"type": "keyword"}, "packages": {"type": "object", "properties": ${package} }, "title": {"type": "keyword"}, "vendor_name": {"type": "keyword", "doc_values": false} }