diff --git a/.gitignore b/.gitignore index aa2c6d6c..d931162f 100644 --- a/.gitignore +++ b/.gitignore @@ -11,10 +11,12 @@ helk-logstash/.DS_Store .swp .tmp .test +.backup # Byte-compiled / optimized / DLL files __pycache__/ *.py[cod] *$py.class # HELK Custom Configurations *custom* -/docker/docker-compose.yml \ No newline at end of file +/docker/docker-compose.yml +/docker/helk-nginx/htpasswd.user* diff --git a/configs/filebeat/filebeat-osquery.yml b/configs/filebeat/filebeat-osquery.yml new file mode 100644 index 00000000..8389e2cb --- /dev/null +++ b/configs/filebeat/filebeat-osquery.yml @@ -0,0 +1,21 @@ +###################### Filebeat OSQuery Configuration Example ######################### +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html +#=========================== Filebeat inputs ============================= +filebeat.inputs: +- type: log + enabled: true + paths: + - /var/log/osquery/osqueryd.results.log + json.keys_under_root: true + fields_under_root: true +#================================ Outputs ===================================== +#----------------------------- Kafka output -------------------------------- +output.kafka: + hosts: [":9092", ":9093"] + topic: "filebeat" + max_message_bytes: 1000000 +#================================ Procesors ===================================== +processors: + - add_host_metadata: ~ + - add_cloud_metadata: ~ \ No newline at end of file diff --git a/configs/filebeat/filebeat-zeek.yml b/configs/filebeat/filebeat-zeek.yml new file mode 100644 index 00000000..e925a4a2 --- /dev/null +++ b/configs/filebeat/filebeat-zeek.yml 
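Review bot: Adding `/docker/helk-nginx/htpasswd.user*` to .gitignore only prevents future commits of the nginx basic-auth file; it neither untracks a copy that is already in the index nor removes one from history. Before treating this as protection, run `git ls-files docker/helk-nginx` and, if a htpasswd file is listed, `git rm --cached` it and rotate the credentials it held. A comment above the new pattern, `# nginx basic-auth credentials, generated locally - never commit`, would make the intent clear to the next person who touches this section.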
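Review bot: In the new filebeat-osquery.yml the Kafka output is `hosts: [":9092", ":9093"]` with empty host parts and, unlike filebeat-zeek.yml added in the same commit, no `# Place your HELK IP(s) here (keep the port).` comment, so a user copying it gets a non-connecting shipper with no hint why. The output also carries no `ssl.*` or SASL settings, so osquery results leave the endpoint in clear text and unauthenticated unless the broker sits on an isolated network; a commented-out `#ssl.enabled: true` / `#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]` pair, as in Elastic's reference config, would at least point operators at the option. The section header `#================================ Procesors` is also misspelled (`Processors`).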
@@ -0,0 +1,18 @@ +###################### Filebeat Zeek/Corelight Configuration Example ######################### +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html +#----------------------------- Input Logs -------------------------------- +filebeat.inputs: +- type: log + enabled: true + # Change this to the directory of where your Zeek logs are stored + paths: + - /usr/share/zeek/logs/*.log + #json.keys_under_root: true + #fields_under_root: true +#----------------------------- Kafka output -------------------------------- +output.kafka: + # Place your HELK IP(s) here (keep the port). + hosts: [":9092"] + topic: "zeek" + max_message_bytes: 1000000 \ No newline at end of file diff --git a/configs/filebeat/filebeat.yml b/configs/filebeat/filebeat.yml deleted file mode 100644 index b020e0ed..00000000 --- a/configs/filebeat/filebeat.yml +++ /dev/null 
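Review bot: The Zeek input leaves `#json.keys_under_root: true` and `#fields_under_root: true` commented out while the osquery example in this commit enables them, and Zeek writes TSV by default, so unless the sensor sets `redef LogAscii::use_json = T;` every line reaches the `zeek` topic as a raw TSV string. Whether the downstream pipeline copes with TSV cannot be seen here, so a comment on the input such as `# Requires Zeek JSON logging (redef LogAscii::use_json = T;); TSV lines are shipped unparsed` would spare operators a silent parsing failure. The `hosts: [":9092"]` entry also lists one broker where filebeat-osquery.yml lists two; the two examples presumably target the same HELK node and should agree.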
@@ -1,217 +0,0 @@ -###################### Filebeat Configuration Example ######################### - -# This file is an example configuration file highlighting only the most common -# options. The filebeat.reference.yml file from the same directory contains all the -# supported options with more comments. You can use it as a reference. -# -# You can find the full configuration reference here: -# https://www.elastic.co/guide/en/beats/filebeat/index.html - -# For more available modules and options, please see the filebeat.reference.yml sample -# configuration file. - -#=========================== Filebeat inputs ============================= - -filebeat.inputs: - -# Each - is an input. Most options can be set at the input level, so -# you can use different inputs for various configurations. -# Below are the input specific configurations. - -- type: log - - # Change to true to enable this input configuration. - enabled: true - - # Paths that should be crawled and fetched. Glob based paths. - paths: - - /var/log/osquery/osqueryd.results.log - #- c:\programdata\elasticsearch\logs\* - json.keys_under_root: true - fields_under_root: true - - - # Exclude lines. A list of regular expressions to match. It drops the lines that are - # matching any regular expression from the list. - #exclude_lines: ['^DBG'] - - # Include lines. A list of regular expressions to match. It exports the lines that are - # matching any regular expression from the list. - #include_lines: ['^ERR', '^WARN'] - - # Exclude files. A list of regular expressions to match. Filebeat drops the files that - # are matching any regular expression from the list. By default, no files are dropped. - #exclude_files: ['.gz$'] - - # Optional additional fields. These fields can be freely picked - # to add additional information to the crawled log files for filtering - #fields: - # level: debug - # review: 1 - - ### Multiline options - - # Multiline can be used for log messages spanning multiple lines. 
This is common - # for Java Stack Traces or C-Line Continuation - - # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ - #multiline.pattern: ^\[ - - # Defines if the pattern set under pattern should be negated or not. Default is false. - #multiline.negate: false - - # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern - # that was (not) matched before or after or as long as a pattern is not matched based on negate. - # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash - #multiline.match: after - - -#============================= Filebeat modules =============================== - -filebeat.config.modules: - # Glob pattern for configuration loading - path: ${path.config}/modules.d/*.yml - - # Set to true to enable config reloading - reload.enabled: false - - # Period on which files under path should be checked for changes - #reload.period: 10s - -#==================== Elasticsearch template setting ========================== - -setup.template.settings: - index.number_of_shards: 3 - #index.codec: best_compression - #_source.enabled: false - -#================================ General ===================================== - -# The name of the shipper that publishes the network data. It can be used to group -# all the transactions sent by a single shipper in the web interface. -#name: - -# The tags of the shipper are included in their own field with each -# transaction published. -#tags: ["service-X", "web-tier"] - -# Optional fields that you can specify to add additional information to the -# output. -#fields: -# env: staging - - -#============================== Dashboards ===================================== -# These settings control loading the sample dashboards to the Kibana index. 
Loading -# the dashboards is disabled by default and can be enabled either by setting the -# options here, or by using the `-setup` CLI flag or the `setup` command. -#setup.dashboards.enabled: false - -# The URL from where to download the dashboards archive. By default this URL -# has a value which is computed based on the Beat name and version. For released -# versions, this URL points to the dashboard archive on the artifacts.elastic.co -# website. -#setup.dashboards.url: - -#============================== Kibana ===================================== - -# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. -# This requires a Kibana endpoint configuration. -# setup.kibana: - - # Kibana Host - # Scheme and port can be left out and will be set to the default (http and 5601) - # In case you specify and additional path, the scheme is required: http://localhost:5601/path - # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 - #host: "localhost:5601" - - # Kibana Space ID - # ID of the Kibana Space into which the dashboards should be loaded. By default, - # the Default Space will be used. - #space.id: - -#============================= Elastic Cloud ================================== - -# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/). - -# The cloud.id setting overwrites the `output.elasticsearch.hosts` and -# `setup.kibana.host` options. -# You can find the `cloud.id` in the Elastic Cloud web UI. -#cloud.id: - -# The cloud.auth setting overwrites the `output.elasticsearch.username` and -# `output.elasticsearch.password` settings. The format is `:`. -#cloud.auth: - -#================================ Outputs ===================================== - -# Configure what output to use when sending the data collected by the beat. - -#-------------------------- Elasticsearch output ------------------------------ -#output.elasticsearch: - # Array of hosts to connect to. 
- #hosts: ["localhost:9200"] - - # Optional protocol and basic auth credentials. - #protocol: "https" - #username: "elastic" - #password: "changeme" - -#----------------------------- Logstash output -------------------------------- -#output.logstash: - # The Logstash hosts - #hosts: ["192.168.1.151:5044"] - - # Optional SSL. By default is off. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client Certificate Key - #ssl.key: "/etc/pki/client/cert.key" -#----------------------------- Kafka output -------------------------------- -output.kafka: - # initial brokers for reading cluster metadata - hosts: [":9092", ":9093"] - - # message topic selection + partitioning - topic: "filebeat" - max_message_bytes: 1000000 - - - -#================================ Procesors ===================================== - -# Configure processors to enhance or manipulate events generated by the beat. - -processors: - - add_host_metadata: ~ - - add_cloud_metadata: ~ - -#================================ Logging ===================================== - -# Sets log level. The default log level is info. -# Available log levels are: error, warning, info, debug -#logging.level: debug - -# At debug level, you can selectively enable logging only for some components. -# To enable all selectors use ["*"]. Examples of other selectors are "beat", -# "publish", "service". -#logging.selectors: ["*"] - -#============================== Xpack Monitoring =============================== -# filebeat can export internal metrics to a central Elasticsearch monitoring -# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The -# reporting is disabled by default. - -# Set to true to enable the monitoring reporter. -#xpack.monitoring.enabled: false - -# Uncomment to send the metrics to Elasticsearch. 
Most settings from the -# Elasticsearch output are accepted here as well. Any setting that is not set is -# automatically inherited from the Elasticsearch output configuration, so if you -# have the Elasticsearch output configured, you can simply uncomment the -# following line. -#xpack.monitoring.elasticsearch: diff --git a/configs/winlogbeat/winlogbeat.yml b/configs/winlogbeat/winlogbeat.yml index d2210f0b..cec2988d 100644 --- a/configs/winlogbeat/winlogbeat.yml +++ b/configs/winlogbeat/winlogbeat.yml @@ -1,12 +1,13 @@ +###################### Winlogbeat Configuration Example ######################### # Winlogbeat 6, 7, and 8 are currently supported! # You can download the latest stable version of winlogbeat here: # https://www.elastic.co/downloads/beats/winlogbeat -# For simplicity/brevity we have only included only the enabled options necessary for sending windows logs to HELK. +# For simplicity/brevity we have only enabled the options necessary for sending windows logs to HELK. # Please visit the Elastic documentation for the complete details of each option and full reference config: # https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-reference-yml.html -#======================= Winlogbeat specific options ========================== +#-------------------------- Windows Logs To Collect ----------------------------- winlogbeat.event_logs: - name: Application ignore_older: 30m diff --git a/docker/helk-elastalert/config.yaml b/docker/helk-elastalert/config.yaml index 6f2892d1..f3ae47c0 100644 --- a/docker/helk-elastalert/config.yaml +++ b/docker/helk-elastalert/config.yaml 
@@ -20,4 +20,4 @@ alert_time_limit: writeback_index: elastalert_status alert_text: "Index: {0} \nEvent_Timestamp: {1} \nBeat_Name: {2} \nUser_Name: {3} \nHost_Name: {4} \nLog_Name: {5} \nOriginal_Message: \n\n{6}" alert_text_type: alert_text_only -alert_text_args: ["_index","@timestamp","beat.name","user_name","host_name","log_name","z_original_message"] +alert_text_args: ["_index","@timestamp","beat_name","user_name","host_name","log_name","event_original_message"] diff --git a/docker/helk-elastalert/pull-sigma-config.yaml b/docker/helk-elastalert/pull-sigma-config.yaml new file mode 100644 index 00000000..9064cb1d --- /dev/null +++ b/docker/helk-elastalert/pull-sigma-config.yaml @@ -0,0 +1,2 @@ +allow_updates: false # Setting to disable/enable fetching updates from sigma repository, if this key is missing, sigma updates are enabled by default +overwrite_modified: true # Setting to control overwriting of rules modified by user, an example \ No newline at end of file diff --git a/docker/helk-elastalert/rules/helk_security_dcsync_backdoor_user.yml b/docker/helk-elastalert/rules/helk_security_dcsync_backdoor_user.yml index beabda3c..3c646556 100644 --- a/docker/helk-elastalert/rules/helk_security_dcsync_backdoor_user.yml +++ b/docker/helk-elastalert/rules/helk_security_dcsync_backdoor_user.yml @@ -4,7 +4,7 @@ description: Detects potential DCSync backdoor user filter: - query: query_string: - query: (event_id:5136 AND dsobject_attribute_name:"ntsecuritydescriptor" AND dsobject_attribute_value:("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" OR "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" OR "89e95b76-444d-4c62-991a-0facbeda640c")) + query: (event_id:5136 AND dsobject_attribute_name:"ntsecuritydescriptor" AND dsobject_attribute_value:("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" OR "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" OR "89e95b76-444d-4c62-991a-0facbeda640c")) index: logs-endpoint-winevent-security* name: Windows-DCSync-backdoor-user_0 priority: 2 
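Review bot: The renamed `alert_text_args` entries `beat_name` and `event_original_message` must match the field names the HELK Logstash pipeline writes; ElastAlert substitutes `<MISSING VALUE>` for any argument whose field is absent from the matched document instead of failing, so a mismatch only shows up in the first alert that fires. Since the old names (`beat.name`, `z_original_message`) are replaced rather than kept, rules still reading indices with the old field names lose the message body silently. A comment above the line, `# Field names must match the HELK Logstash output; absent fields render as <MISSING VALUE>`, would document the coupling.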
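Review bot: `overwrite_modified: true` in the new pull-sigma-config.yaml is documented as controlling whether user-modified rules are overwritten, but nothing in this commit reads it: pull-sigma.sh queries only `allow_updates` and leaves a comment that further conditions are still to come, while `find ... -not -name "helk_*" -delete` keeps removing every non-HELK rule on update. An operator who sets it to `false` therefore gets no protection and no warning. Until the script honors the key, its inline comment (which currently ends mid-sentence at "an example") should say so, e.g. `overwrite_modified: true # NOT YET ENFORCED: pull-sigma.sh deletes all non-helk_* rules on update regardless of this value`.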
diff --git a/docker/helk-elastalert/rules/helk_security_dcsync_non_dc.yml b/docker/helk-elastalert/rules/helk_security_dcsync_non_dc.yml index 85a8ad0b..3c8d1dbb 100644 --- a/docker/helk-elastalert/rules/helk_security_dcsync_non_dc.yml +++ b/docker/helk-elastalert/rules/helk_security_dcsync_non_dc.yml @@ -4,7 +4,7 @@ description: Detects potential DCSync from non-dcs filter: - query: query_string: - query: (event_id:4662 AND NOT user_name.keyword:*$ AND object_operation_type:"Object Access" AND object_access_mask_requested:"0x100" AND object_properties:("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*" OR "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*" OR "*89e95b76-444d-4c62-991a-0facbeda640c*")) + query: (event_id:4662 AND NOT user_name.keyword:*$ AND object_operation_type:"Object Access" AND object_access_mask:"0x100" AND object_properties:("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*" OR "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*" OR "*89e95b76-444d-4c62-991a-0facbeda640c*")) index: logs-endpoint-winevent-security-* name: Windows-dcsync-non-dc_0 priority: 2 diff --git a/docker/helk-elastalert/scripts/pull-sigma.sh b/docker/helk-elastalert/scripts/pull-sigma.sh index 57208cb3..f6b82023 100755 --- a/docker/helk-elastalert/scripts/pull-sigma.sh +++ b/docker/helk-elastalert/scripts/pull-sigma.sh 
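Review bot: `NOT user_name.keyword:*$` suppresses every account ending in `$`, which removes DC-to-DC replication noise but also hides a DCSync performed under any computer account an attacker controls (a compromised workstation account, or one created via the machine-account quota), so the exclusion is a known bypass rather than a safe default; a comment stating that trade-off, or an explicit allow-list of DC computer accounts instead of the wildcard, would be preferable. The GUIDs in `object_properties:("*1131f6aa-…*" OR …)` are wrapped in quotes, and Lucene query_string does not expand wildcards inside a phrase; if `object_properties` is a keyword field the asterisks are matched literally, so the rule should be validated against a known 4662 DCSync event. The index pattern here is `logs-endpoint-winevent-security-*` while the sibling backdoor-user rule uses `logs-endpoint-winevent-security*`; both work but one convention should be picked.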
@@ -11,6 +11,37 @@ HELK_ELASTALERT_INFO_TAG="HELK-ELASTALERT-DOCKER-INSTALLATION-INFO" #HELK_ERROR_TAG="[HELK-ELASTALERT-DOCKER-INSTALLATION-ERROR]" +# ******* Read helk-elastalert preferences ************ +CONFIG_FILE="$ESALERT_HOME/pull-sigma-config.yaml" +HELK_ERROR_FILE="/tmp/helk_error" + +getYamlKey() { + python3 -c "import yaml;print(yaml.safe_load(open('$1'))$2)" 2>$HELK_ERROR_FILE +} + +updatesAreEnabled(){ + if test -f $HELK_ERROR_FILE && grep -q FileNotFoundError $HELK_ERROR_FILE; then + echo "$HELK_ELASTALERT_INFO_TAG Update control file missing, proceeding..." + return 0 + fi + + local ALLOW_UPDATES=$(getYamlKey $CONFIG_FILE "['allow_updates']") + if test -f $HELK_ERROR_FILE && grep -q KeyError $HELK_ERROR_FILE; then + echo "$HELK_ELASTALERT_INFO_TAG Update control setting missing, proceeding..." + return 0 + fi + + if [ "$ALLOW_UPDATES" = "False" ]; then + echo "$HELK_ELASTALERT_INFO_TAG Updates disabled." + return 1 + fi + + # If control reaches here, that means updates are enabled. + echo "$HELK_ELASTALERT_INFO_TAG Updates enabled." + test -f "tmp/helk_error" && rm /tmp/helk_error + return 0 +} + # ******* Change directory to SIGMA local repo ************ cd "$ESALERT_SIGMA_HOME" || exit 
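Review bot: `updatesAreEnabled` greps `$HELK_ERROR_FILE` for `FileNotFoundError` before `getYamlKey` has run, so on a fresh run the file does not exist yet and that branch can only fire from a stale `/tmp/helk_error` left by a previous invocation; the cleanup `test -f "tmp/helk_error" && rm /tmp/helk_error` tests a relative path that never exists, so the stale file is never removed and a missing-config verdict from one run leaks into the next. Any other Python error (a YAML syntax error, for instance) leaves `ALLOW_UPDATES` empty, which the `= "False"` comparison treats as "enabled" without telling the operator. `$1`/`$2` are also spliced directly into Python source in `getYamlKey`, which is acceptable for these fixed paths but should not be reused with user-supplied values. Testing the config file directly and reporting parse errors makes the outcome deterministic:

```shell
updatesAreEnabled(){
    if [ ! -f "$CONFIG_FILE" ]; then
        echo "$HELK_ELASTALERT_INFO_TAG Update control file missing, proceeding..."
        return 0
    fi

    local ALLOW_UPDATES
    ALLOW_UPDATES=$(getYamlKey "$CONFIG_FILE" "['allow_updates']")
    if [ -f "$HELK_ERROR_FILE" ] && grep -q KeyError "$HELK_ERROR_FILE"; then
        echo "$HELK_ELASTALERT_INFO_TAG Update control setting missing, proceeding..."
        rm -f "$HELK_ERROR_FILE"
        return 0
    fi
    if [ -s "$HELK_ERROR_FILE" ]; then
        echo "$HELK_ELASTALERT_INFO_TAG Could not read $CONFIG_FILE, assuming updates enabled:"
        cat "$HELK_ERROR_FILE"
        rm -f "$HELK_ERROR_FILE"
        return 0
    fi

    # … unchanged: "False" comparison and "Updates enabled." message …
    rm -f "$HELK_ERROR_FILE"
    return 0
}
```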
@@ -23,37 +54,44 @@ else echo "[+++++] SIGMA rules not available in rules folder.." fi -# ******* Check if local SIGMA repo needs update ************* -echo "$HELK_ELASTALERT_INFO_TAG Fetch updates for SIGMA remote.." -git remote update - -# Reference: https://stackoverflow.com/a/3278427 -echo "$HELK_ELASTALERT_INFO_TAG Checking to see if local SIGMA repo is up to date or not.." -UPSTREAM=${1:-"@{u}"} -LOCAL=$(git rev-parse @) -REMOTE=$(git rev-parse "$UPSTREAM") -BASE=$(git merge-base @ "$UPSTREAM") - -if [ $LOCAL = $REMOTE ]; then - echo "[++++++] Local SIGMA repo is up-to-date.." - if [[ $SIGMA_RULES_AVAILABLE == "YES" ]]; then - echo "[++++++] SIGMA rules available in Elastalert rules folder.." - echo "[++++++] Nothing to do here.." +function getUpdates() { + # ******* Check if local SIGMA repo needs update ************* + echo "$HELK_ELASTALERT_INFO_TAG Fetch updates for SIGMA remote.." + git remote update + + # Reference: https://stackoverflow.com/a/3278427 + echo "$HELK_ELASTALERT_INFO_TAG Checking to see if local SIGMA repo is up to date or not.." + UPSTREAM=${1:-"@{u}"} + LOCAL=$(git rev-parse @) + REMOTE=$(git rev-parse "$UPSTREAM") + BASE=$(git merge-base @ "$UPSTREAM") + + if [ $LOCAL = $REMOTE ]; then + echo "[++++++] Local SIGMA repo is up-to-date.." + if [[ $SIGMA_RULES_AVAILABLE == "YES" ]]; then + echo "[++++++] SIGMA rules available in Elastalert rules folder.." + echo "[++++++] Nothing to do here.." + #exit 1 + fi + elif [ $LOCAL = $BASE ]; then + echo "[++++++] Local SIGMA repo needs to be updated. Updating local SIGMA repo.." + git pull + if [[ $SIGMA_RULES_AVAILABLE == "YES" ]]; then + echo "[+++++++++] Elastalert rules folder has potentially old SIGMA rules.." + find $ESALERT_HOME/rules/ -type f -not -name "helk_*" -delete + fi + elif [ $REMOTE = $BASE ]; then + echo "[++++++] Need to push" + #exit 1 + else + echo "[++++++] Diverged" #exit 1 fi -elif [ $LOCAL = $BASE ]; then - echo "[++++++] Local SIGMA repo needs to be updated. 
Updating local SIGMA repo.." - git pull - if [[ $SIGMA_RULES_AVAILABLE == "YES" ]]; then - echo "[+++++++++] Elastalert rules folder has potentially old SIGMA rules.." - find $ESALERT_HOME/rules/ -type f -not -name "helk_*" -delete - fi -elif [ $REMOTE = $BASE ]; then - echo "[++++++] Need to push" - #exit 1 -else - echo "[++++++] Diverged" - #exit 1 +} + +if updatesAreEnabled; then + # There will be additional conditions to be checked here, for example if overwriting of rules (including those added/modified by user) is enabled or not. + getUpdates fi # *********** Unsupported SIGMA Functions *************** diff --git a/docker/helk-elastalert/sigmac/sigmac-config.yml b/docker/helk-elastalert/sigmac/sigmac-config.yml index 315307ca..580fe9e6 100644 --- a/docker/helk-elastalert/sigmac/sigmac-config.yml +++ b/docker/helk-elastalert/sigmac/sigmac-config.yml @@ -3,6 +3,7 @@ order: 20 backends: - es-qs - es-dsl + - es-rule - kibana - xpack-watcher - elastalert 
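Review bot: Inside `getUpdates`, `UPSTREAM=${1:-"@{u}"}` now reads the function's first argument, and the call site invokes bare `getUpdates`, so the script-level override the old top-level code accepted is silently dropped; either pass it through with `getUpdates "$1"` or simplify to `UPSTREAM="@{u}"`. The comparisons `[ $LOCAL = $REMOTE ]`, `[ $LOCAL = $BASE ]` and `[ $REMOTE = $BASE ]` are unquoted, so if `git rev-parse` fails (no upstream configured, or offline during `git remote update`) the test becomes a shell error instead of reaching the "Diverged" branch — quote them: `if [ "$LOCAL" = "$REMOTE" ]; then`. Separately, `git pull` takes whatever the remote branch currently points at, and the result is presumably converted into alerting rules downstream with no tag pin or signature check; that predates this commit, but now that updates are config-gated it would be natural to let the same config pin a ref.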
@@ -38,154 +39,251 @@ logsources: index: logs-endpoint-winevent-powershell-* defaultindex: logs-* fieldmappings: - AccessMask: - EventID=4656: object_access_mask - EventID=4659: object_access_mask - EventID=4660: object_access_mask - EventID=4661: object_access_mask - EventID=4662: object_access_mask - EventID=4663: object_access_mask - EventID=4674: object_access_mask - EventID=5140: share_access_mask - EventID=5142: share_access_mask - EventID=5143: share_access_mask - EventID=5144: share_access_mask - EventID=5145: share_access_mask - EventID=5447: object_access_mask - AccountName: user_name - AllowedToDelegateTo: target_user_allowed_to_delegate - AttributeLDAPDisplayName: dsobject_attribute_name - AuditPolicyChanges: policy_changes - AuthenticationPackageName: logon_authentication_package - CallingProcessName: process_path - CallTrace: process_call_trace - ClientAddress: src_ip_addr - ClientIPAddress: src_ip_addr - ClientIP: src_ip_addr - CommandLine: process_command_line - Company: file_company - ComputerName: host_name - Configuration: - EventID=16: sysmon_configuration - ConnectedViaIPAddress: dst_nat_ip_addr - CurrentDirectory: process_current_directory - Description: file_description - DestAddress: dst_ip_addr - Destination: - EventID=20: wmi_consumer_destination - DestinationHostname: dst_host_name - DestinationIp: dst_ip_addr - DestinationPort: dst_port - DestinationPortName: dst_port_name - DestinationIsIpv6: dst_is_ipv6 - Details: - EventID=13: registry_key_value - Device: device_name - EngineVersion: powershell.engine.version - EventID: event_id - EventType: event_type - EventNamespace: - EventID=19: wmi_namespace - Filter: - EventID=21: wmi_filter_path - FailureCode: ticket_failure_code - FileName: file_name - FileVersion: file_version - GrantedAccess: process_granted_access - GroupName: group_name - GroupSid: group_sid - HiveName: hive_name - HostVersion: powershell.host.version - Image: process_path - ImageLoaded: - EventID=6: driver_loaded - 
EventID=7: module_loaded - Imphash: hash_imphash - Initiated: - EventID=3: network_initiated - IntegrityLevel: - EventID=1: process_integrity_level - ipAddress: dst_ip_addr - IpAddress: src_ip_addr - IPString: src_ip_addr - LaunchedViaIPAddress: dst_ip_addr - LogonProcessName: logon_process_name - LogonType: logon_type - MachineIpAddress: dst_ip_addr - MachineName: host_name - Name: - EventID=19: wmi_name - EventID=20: wmi_name - NewProcessName: process_path - NewName: - EventID=14: registry_key_new_name - ObjectClass: dsobject_class - ObjectName: object_name - ObjectType: object_type - ObjectValueName: object_value_name - Operation: - EventID=19: wmi_operation - EventID=20: wmi_operation - EventID=21: wmi_operation - OperationType: object_operation_type - OriginalFileName: file_name_original - ParentImage: process_parent_path - ParentProcessName: process_parent_path - PasswordLastSet: user_attribute_password_lastset - Path: process_path - ParentCommandLine: process_parent_command_line - PipeName: pipe_name - ProcessName: process_path - ProcessCommandLine: process_command_line - Product: file_product - Properties: object_properties - Protocol: - EventID=3: network_protocol - Query: - EventID=19: wmi_query - RelativeTargetName: share_relative_target_name - SchemaVersion: - EventID=4: sysmon_schema_version - ServiceFileName: service_image_path - ServiceName: service_name - ShareName: share_name - Signature: signature - SignatureStatus: signature_status - Signed: signed - Source: source_name - SourceAddress: src_ip_addr - SourceHostname: src_host_name - SourceIsIpv6: src_is_ipv6 - SourceImage: process_path - SourceIp: src_ip_addr - SourcePort: src_port - SourcePortName: src_port_name - StartAddress: thread_start_address - StartFunction: thread_start_function - StartModule: thread_start_module - Status: event_status - State: - EventID=4: service_state - EventID=16: sysmon_configuration_state - SubjectUserName: - EventID=4624: user_reporter_name - EventId=4648: 
user_name - EventID=5140: user_name - TargetServer: dst_ip_addr - TaskName: task_name - TicketEncryptionType: ticket_encryption_type - TicketOptions: ticket_options - TargetFilename: file_name - TargetImage: target_process_path - TargetProcessAddress: thread_start_address - TargetObject: registry_key_path - Type: - EventID=20: wmi_consumer_type - User: user_account - UserName: user_name - Value: - EventID=1102: dst_ip_addr - Version: - EventID=4: sysmon_version - Workstation: src_host_name - WorkstationName: src_host_name \ No newline at end of file + AccessList: + EventID=4656: object_access_list + EventID=4659: object_access_list + EventID=4660: object_access_list + EventID=4661: object_access_list + EventID=4662: object_access_list + EventID=4663: object_access_list + EventID=5140: user_access_list + EventID=5142: user_access_list + EventID=5143: user_access_list + EventID=5144: user_access_list + EventID=5145: user_access_list + EventID=5447: object_access_list + AccessMask: + EventID=4656: object_access_mask + EventID=4659: object_access_mask + EventID=4660: object_access_mask + EventID=4661: object_access_mask + EventID=4662: object_access_mask + EventID=4663: object_access_mask + EventID=4674: object_access_mask + EventID=5140: share_access_mask + EventID=5142: share_access_mask + EventID=5143: share_access_mask + EventID=5144: share_access_mask + EventID=5145: share_access_mask + EventID=5447: object_access_mask + AccountName: user_name + AllowedToDelegateTo: target_user_allowed_to_delegate + AppCorrelationID: dsoperation_app_correlation_id + AttributeLDAPDisplayName: dsobject_attribute_name + AttributeSyntaxOID: dsobject_attribute_type + AttributeValue: dsobject_attribute_value + AuditPolicyChanges: policy_changes + AuthenticationPackageName: logon_authentication_package + CallingProcessName: process_path + CallTrace: process_call_trace + ClientAddress: src_ip_addr + ClientIPAddress: src_ip_addr + ClientIP: src_original_value + CommandLine: 
process_command_line + Company: file_company + ComputerName: host_name + Configuration: + EventID=16: sysmon_configuration + ConnectedViaIPAddress: dst_nat_ip_addr + CurrentDirectory: process_current_directory + Description: file_description + DestAddress: dst_ip_addr + Destination: + EventID=20: wmi_consumer_destination + DestinationHostname: dst_host_name + DestinationIp: dst_ip_addr + DestinationPort: dst_port + DestinationPortName: dst_port_name + DestinationIsIpv6: dst_is_ipv6 + Details: + EventID=13: registry_key_value + Device: device_name + DisabledPrivilegeList: + EventID=4703: target_user_disabled_privilege_list + DSName: host_domain + DSType: dsobject_domain_type + EnabledPrivilegeList: + EventID=4703: target_user_enabled_privilege_list + EngineVersion: powershell.engine.version + EventID: event_id + EventType: event_type + EventNamespace: + EventID=19: wmi_namespace + Filter: + EventID=21: wmi_filter_path + FailureCode: ticket_failure_code + FileName: file_name + FileVersion: file_version + GrantedAccess: process_granted_access + GroupName: group_name + GroupSid: group_sid + HiveName: hive_name + HostVersion: powershell.host.version + Image: process_path + ImageLoaded: + EventID=6: driver_loaded + EventID=7: module_loaded + Imphash: hash_imphash + Initiated: + EventID=3: network_initiated + IntegrityLevel: + EventID=1: process_integrity_level + ipAddress: dst_ip_addr + IpAddress: src_original_value + IpAddresses: + EventID=5168: ip_addresses + IPString: src_ip_addr + LaunchedViaIPAddress: dst_ip_addr + LogonProcessName: logon_process_name + LogonType: logon_type + MachineIpAddress: dst_ip_addr + MachineName: host_name + Name: + EventID=19: wmi_name + EventID=20: wmi_name + NewObjectDN: dsobject_new_dn + NewProcessName: process_path + NewName: + EventID=14: registry_key_new_name + ObjectClass: dsobject_class + ObjectDN: dsobject_dn + ObjectGUID: dsobject_guid + ObjectName: object_name + ObjectServer: object_server + ObjectType: object_type + 
ObjectValueName: object_value_name + OldObjectDN: dsobject_old_dn + OpCorrelationID: dsoperation_correlation_id + Operation: + EventID=19: wmi_operation + EventID=20: wmi_operation + EventID=21: wmi_operation + OperationType: + EventID=5136: dsoperation_type + EventID=5137: dsoperation_type + EventID=5138: dsoperation_type + EventID=5139: dsoperation_type + EventID=5141: dsoperation_type + EventID=5169: dsoperation_type + EventID=5170: dsoperation_type + default: object_operation_type + OriginalFileName: file_name_original + ParentImage: process_parent_path + ParentProcessName: process_parent_path + PasswordLastSet: user_attribute_password_lastset + Path: process_path + ParentCommandLine: process_parent_command_line + PipeName: pipe_name + ProcessCommandLine: process_command_line + ProcessName: process_path + processPath: process_path + ProcessPath: process_path + Product: file_product + Properties: object_properties + Protocol: + EventID=3: network_protocol + Query: + EventID=19: wmi_query + RelativeTargetName: share_relative_target_name + SamAccountName: user_attribute_samaccount_name + SchemaVersion: + EventID=4: sysmon_schema_version + ServiceFileName: service_image_path + ServiceName: service_name + ShareName: share_name + Signature: signature + SignatureStatus: signature_status + Signed: signed + Source: source_name + SourceAddress: src_ip_addr + SourceHostname: src_host_name + SourceIsIpv6: src_is_ipv6 + SourceImage: process_path + SourceIp: src_ip_addr + SourcePort: src_port + SourcePortName: src_port_name + StartAddress: thread_start_address + StartFunction: thread_start_function + StartModule: thread_start_module + Status: event_status + State: + EventID=4: service_state + EventID=16: sysmon_configuration_state + SubjectUserName: + EventID=4624: user_reporter_name + EventId=4648: user_name + EventID=5140: user_name + TargetServer: + EventID=5738: dst_original_value + default: target_server_name + TargetServerName: target_server_name + TaskName: task_name 
+ TicketEncryptionType: ticket_encryption_type + TicketOptions: ticket_options + TargetFilename: file_name + TargetImage: target_process_path + TargetProcessAddress: thread_start_address + TargetObject: registry_key_path + TransactionId: object_transaction_guid + Type: + EventID=20: wmi_consumer_type + User: user_account + UserName: user_name + Value: + EventID=1102: dst_ip_addr + Version: + EventID=4: sysmon_version + Workstation: src_host_name + WorkstationName: src_host_name + PrivilegeList: + EventID=4656: object_privilege_list + EventID=4660: object_privilege_list + EventID=4661: object_privilege_list + EventID=4662: object_privilege_list + EventID=4663: object_privilege_list + EventID=4672: logon_privilege_list + EventID=4673: service_privilege_list + EventID=4674: object_privilege_list + EventID=4720: user_privilege_list + EventID=4722: user_privilege_list + EventID=4723: user_privilege_list + EventID=4724: user_privilege_list + EventID=4725: user_privilege_list + EventID=4726: user_privilege_list + EventID=4727: user_privilege_list + EventID=4728: user_privilege_list + EventID=4729: user_privilege_list + EventID=4730: user_privilege_list + EventID=4731: user_privilege_list + EventID=4732: user_privilege_list + EventID=4733: user_privilege_list + EventID=4734: user_privilege_list + EventID=4735: user_privilege_list + EventID=4737: user_privilege_list + EventID=4738: user_privilege_list + EventID=4741: user_privilege_list + EventID=4742: user_privilege_list + EventID=4743: user_privilege_list + EventID=4744: user_privilege_list + EventID=4745: user_privilege_list + EventID=4746: user_privilege_list + EventID=4747: user_privilege_list + EventID=4748: user_privilege_list + EventID=4749: user_privilege_list + EventID=4750: user_privilege_list + EventID=4751: user_privilege_list + EventID=4752: user_privilege_list + EventID=4753: user_privilege_list + EventID=4754: user_privilege_list + EventID=4755: user_privilege_list + EventID=4756: user_privilege_list + 
EventID=4757: user_privilege_list + EventID=4758: user_privilege_list + EventID=4759: user_privilege_list + EventID=4760: user_privilege_list + EventID=4761: user_privilege_list + EventID=4762: user_privilege_list + EventID=4763: user_privilege_list + EventID=4764: user_privilege_list + UtcTime: '@timestamp' + EventTime: '@timestamp' diff --git a/docker/helk-elasticsearch/Dockerfile b/docker/helk-elasticsearch/Dockerfile index c06eb6d7..fc4fdcda 100644 --- a/docker/helk-elasticsearch/Dockerfile +++ b/docker/helk-elasticsearch/Dockerfile @@ -6,6 +6,6 @@ # References: # https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html -FROM docker.elastic.co/elasticsearch/elasticsearch:7.5.2 +FROM docker.elastic.co/elasticsearch/elasticsearch:7.6.2 LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g" LABEL description="Dockerfile base for the HELK Elasticsearch." \ No newline at end of file diff --git a/docker/helk-elasticsearch/config/elasticsearch.yml b/docker/helk-elasticsearch/config/elasticsearch.yml index c1a57f90..50494d4a 100644 --- a/docker/helk-elasticsearch/config/elasticsearch.yml +++ b/docker/helk-elasticsearch/config/elasticsearch.yml 
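Review bot: Under `SubjectUserName` the entry `EventId=4648: user_name` keeps a lowercase `d` while every other conditional key in the map uses `EventID=`; if sigmac matches the condition's field name literally, the 4648 mapping never applies and SubjectUserName in explicit-credential logon rules falls through unmapped, so it should read `EventID=4648: user_name`. `IpAddress` and `ClientIP` now map to `src_original_value` instead of `src_ip_addr`; if that field holds the raw string (e.g. `::ffff:10.0.0.5` or `-`), Sigma rules comparing IpAddress against an address or CIDR may stop matching, and the rationale for the switch deserves a comment on those lines. Style: `PrivilegeList`, `UtcTime` and `EventTime` are appended after `WorkstationName`, breaking the alphabetical order the rest of the map follows; `AccessMask`'s 5140–5145 entries also map to `share_access_mask` while the parallel `AccessList` entries use `user_access_list`, which is worth a note if intentional.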
@@ -94,10 +94,10 @@ network.host: 0.0.0.0 #action.destructive_requires_name: true #https://www.elastic.co/subscriptions -# The images are available in three different configurations or "flavors". -# The basic flavor, which is the default, ships with X-Pack Basic features pre-installed -# and automatically activated with a free licence. The platinum flavor features all X-Pack -# functionally under a 30-day trial licence. The oss flavor does not include X-Pack, +# The images are available in three different configurations or "flavors". +# The basic flavor, which is the default, ships with X-Pack Basic features pre-installed +# and automatically activated with a free licence. The platinum flavor features all X-Pack +# functionally under a 30-day trial licence. The oss flavor does not include X-Pack, # and contains only open-source Elasticsearch. bootstrap.memory_lock: true @@ -105,4 +105,7 @@ discovery.zen.minimum_master_nodes: 1 discovery.type: single-node #https://www.elastic.co/guide/en/elasticsearch/reference/current/monitoring-settings.html -xpack.monitoring.collection.enabled: true \ No newline at end of file +xpack.monitoring.collection.enabled: true + +# fix max_clause_count +indices.query.bool.max_clause_count: 4096 \ No newline at end of file diff --git a/docker/helk-elasticsearch/scripts/elasticsearch-entrypoint.sh b/docker/helk-elasticsearch/scripts/elasticsearch-entrypoint.sh index ff767938..86c98e8a 100755 --- a/docker/helk-elasticsearch/scripts/elasticsearch-entrypoint.sh +++ b/docker/helk-elasticsearch/scripts/elasticsearch-entrypoint.sh 
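Review bot: `indices.query.bool.max_clause_count: 4096` is justified only by `# fix max_clause_count`, which says neither what failed nor why 4096 is the right ceiling. The cap bounds how many clauses a single bool query may expand into (default 1024 in 7.x), so raising it lets one request — a wide wildcard or terms expansion from Kibana, ElastAlert or any other client that reaches this node — consume proportionally more heap and CPU on a single-node cluster whose heap the entrypoint sizes tightly. Suggest replacing the comment with `# Raise the per-query bool clause cap (default 1024): HELK's large OR/wildcard queries exceed it; a higher cap also lets one query use more heap, so keep it modest`. The file still ends without a trailing newline on both the removed and the added last line.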
@@ -3,56 +3,87 @@ # HELK script: elasticsearch-entrypoint.sh # HELK script description: sets elasticsearch configs and starts elasticsearch # HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) +# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron) # License: GPL-3.0 -# *********** Setting ES_JAVA_OPTS *************** -if [[ -z "$ES_JAVA_OPTS" ]]; then - if (grep -P "^#\-Xms\d+" "./config/jvm.options") && (grep -P "^#\-Xmx\d+" "./config/jvm.options"); then - # Check using more accurate MB - AVAILABLE_MEMORY=$(awk '/MemAvailable/{printf "%.f", $2/1024}' /proc/meminfo) - if [ $AVAILABLE_MEMORY -ge 1000 -a $AVAILABLE_MEMORY -le 5999 ]; then - ES_MEMORY="2000m" - elif [ $AVAILABLE_MEMORY -ge 6000 -a $AVAILABLE_MEMORY -le 8999 ]; then - ES_MEMORY="3200m" - elif [ $AVAILABLE_MEMORY -ge 9000 -a $AVAILABLE_MEMORY -le 12999 ]; then - ES_MEMORY="5000m" - elif [ $AVAILABLE_MEMORY -ge 13000 -a $AVAILABLE_MEMORY -le 16000 ]; then - ES_MEMORY="7100m" - else - # Using GB instead of MB -- because plenty of RAM now - ES_MEMORY=$(( AVAILABLE_MEMORY / 1024 / 2 )) - if [ $ES_MEMORY -gt 31 ]; then - ES_MEMORY="31g" - else - ES_MEMORY="${ES_MEMORY}g" - fi - fi - export ES_JAVA_OPTS="-Xms${ES_MEMORY} -Xmx${ES_MEMORY}" - echo "[HELK-ES-DOCKER-INSTALLATION-INFO] Setting ES_JAVA_OPTS to $ES_JAVA_OPTS from custom HELK \"algorithm\"" +RED='\033[0;31m' +CYAN='\033[0;36m' +WAR='\033[1;33m' +STD='\033[0m' +# *********** Helk log tagging variables *************** +# For more efficient script editing/reading, and also if/when we switch to different install script language +HELK_INFO_TAG="${CYAN}[HELK-ES-DOCKER-INSTALLATION-INFO]${STD}" +HELK_ERROR_TAG="${RED}[HELK-ES-DOCKER-INSTALLATION-ERROR]${STD}" +HELK_WARNING_TAG="${WAR}[HELK-ES-DOCKER-INSTALLATION-WARNING]${STD}" + +TOTAL_MEMORY=$(awk '/MemTotal/{printf "%.f", $2/1024}' /proc/meminfo) +# Check using more accurate MB for setting later +AVAILABLE_MEMORY=$(awk '/MemAvailable/{printf "%.f", $2/1024}' /proc/meminfo) 
+ +# *********** Setting Elasticsearch Memory *************** +# Check to make sure not set in docker config/runtime +if [[ -z "$HELK_ES_MEMORY" ]]; then + # Check to make sure not statically set in config file + if (grep -P "^#\-Xms\d+" "./config/jvm.options") && (grep -P "^#\-Xmx\d+" "./config/jvm.options"); then + + if [[ ${AVAILABLE_MEMORY} -le 1499 ]]; then + echo -e "${HELK_ERROR_TAG} Not enough memory available to the docker container. There is only ${AVAILABLE_MEMORY}MBs.\nExiting script..." + exit 1 + elif [[ ${AVAILABLE_MEMORY} -ge 1500 && ${AVAILABLE_MEMORY} -le 1999 ]]; then + echo -e "${HELK_WARNING_TAG} Low memory available to the docker container. There is only ${AVAILABLE_MEMORY}MBs." + ES_MEMORY="1000m" + elif [[ ${AVAILABLE_MEMORY} -ge 2000 && ${AVAILABLE_MEMORY} -le 2499 ]]; then + echo -e "${HELK_WARNING_TAG} Low memory available to the docker container. There is only ${AVAILABLE_MEMORY}MBs." + ES_MEMORY="1200m" + elif [[ ${AVAILABLE_MEMORY} -ge 2500 && ${AVAILABLE_MEMORY} -le 2999 ]]; then + ES_MEMORY="1500m" + elif [[ ${AVAILABLE_MEMORY} -ge 3000 && ${AVAILABLE_MEMORY} -le 4999 ]]; then + ES_MEMORY="1750m" + elif [[ ${AVAILABLE_MEMORY} -ge 5000 && ${AVAILABLE_MEMORY} -le 5999 ]]; then + ES_MEMORY="2000m" + elif [[ ${AVAILABLE_MEMORY} -ge 6000 && ${AVAILABLE_MEMORY} -le 7999 ]]; then + ES_MEMORY="3000m" + elif [[ ${AVAILABLE_MEMORY} -ge 8000 && ${AVAILABLE_MEMORY} -le 8999 ]]; then + ES_MEMORY="3000m" + elif [[ ${AVAILABLE_MEMORY} -ge 9000 && ${AVAILABLE_MEMORY} -le 9999 ]]; then + ES_MEMORY="4000m" + elif [[ ${AVAILABLE_MEMORY} -ge 10000 && ${AVAILABLE_MEMORY} -le 12999 ]]; then + ES_MEMORY="5000m" + elif [[ ${AVAILABLE_MEMORY} -ge 13000 && ${AVAILABLE_MEMORY} -le 15999 ]]; then + ES_MEMORY="6500m" else - echo "[HELK-ES-DOCKER-INSTALLATION-INFO] Setting ES_JAVA_OPTS to user defined (hardcoded) value from jvm.options" + # Using GB instead of MB -- because plenty of RAM now + ES_MEMORY=$(( AVAILABLE_MEMORY / 1024 / 2 )) + if [[ ${ES_MEMORY} -gt 
31 ]]; then + ES_MEMORY="31g" + else + ES_MEMORY="${ES_MEMORY}g" + fi fi + export ES_JAVA_OPTS="${ES_JAVA_OPTS} -Xms${ES_MEMORY} -Xmx${ES_MEMORY} " + echo -e "${HELK_INFO_TAG} Setting ES_JAVA_OPTS to ${ES_JAVA_OPTS} from custom HELK \"algorithm\"" + else + echo -e "${HELK_INFO_TAG} Setting ES_JAVA_OPTS to user defined (hardcoded) value from jvm.options" + fi else - echo "[HELK-ES-DOCKER-INSTALLATION-INFO] Setting ES_JAVA_OPTS to $ES_JAVA_OPTS from runtime or docker config file " + echo -e "${HELK_INFO_TAG} Setting ES_JAVA_OPTS to ${ES_JAVA_OPTS} from runtime docker config file" fi # ******** Checking License Type *************** ENVIRONMENT_VARIABLES=$(env) -XPACK_LICENSE_TYPE="$(echo $ENVIRONMENT_VARIABLES | grep -oE 'xpack.license.self_generated.type=[^ ]*' | sed s/.*=//)" +XPACK_LICENSE_TYPE="$(echo ${ENVIRONMENT_VARIABLES} | grep -oE 'xpack.license.self_generated.type=[^ ]*' | sed s/.*=//)" # ******** Set Trial License Variables *************** -if [[ $XPACK_LICENSE_TYPE == "trial" ]]; then +if [[ ${XPACK_LICENSE_TYPE} == "trial" ]]; then # *********** HELK ES Password *************** if [[ -z "$ELASTIC_PASSWORD" ]]; then export ELASTIC_PASSWORD=elasticpassword fi - echo "[HELK-ES-DOCKER-INSTALLATION-INFO] Setting Elastic password to $ELASTIC_PASSWORD" fi -echo "[HELK-ES-DOCKER-INSTALLATION-INFO] Setting Elastic license to $XPACK_LICENSE_TYPE" +echo -e "${HELK_INFO_TAG} Setting Elastic license to $XPACK_LICENSE_TYPE" # ********** Starting Elasticsearch ***************** -echo "[HELK-ES-DOCKER-INSTALLATION-INFO] Running docker-entrypoint script.." +echo -e "${HELK_INFO_TAG} Running docker-entrypoint script.." /usr/local/bin/docker-entrypoint.sh \ No newline at end of file diff --git a/docker/helk-jupyter/notebooks/demos/basic_event_log_analysis_pandas.ipynb b/docker/helk-jupyter/notebooks/demos/basic_event_log_analysis_pandas.ipynb index ff4e1a1d..29dfb169 100644 --- a/docker/helk-jupyter/notebooks/demos/basic_event_log_analysis_pandas.ipynb 
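Review bot: The new guard `if [[ -z "$HELK_ES_MEMORY" ]]` never uses HELK_ES_MEMORY when it is set: the else branch only echoes `${ES_JAVA_OPTS}`, so an operator who uncomments the compose example gets whatever jvm.options provides, and the log line claims a value that was never applied (unless something outside this hunk consumes the variable). The else branch should export it before the echo, e.g. `export ES_JAVA_OPTS="${ES_JAVA_OPTS} ${HELK_ES_MEMORY}"`. Two smaller points: `TOTAL_MEMORY` is computed and never read anywhere in the hunk, and the heap sizing reads `MemAvailable` from /proc/meminfo, which inside a container reflects the host rather than the cgroup memory limit, so the chosen -Xmx can exceed a container `mem_limit` and get the JVM OOM-killed — worth a comment next to `AVAILABLE_MEMORY=` naming that assumption. The first two lines of the script are outside the hunk.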
+++ b/docker/helk-jupyter/notebooks/demos/basic_event_log_analysis_pandas.ipynb @@ -606,7 +606,7 @@ "@metadata.type doc\n", "@metadata.version 6.7.0\n", "@metadata.topic winlogbeat\n", - "beat.name WECserver\n", + "host_name WECserver\n", "beat.hostname WECserver\n", "beat.version 6.7.0\n", "host.name WECserver\n", @@ -723,7 +723,7 @@ "@metadata.type doc\n", "@metadata.version 6.7.0\n", "@metadata.topic winlogbeat\n", - "beat.name WECserver\n", + "host_name WECserver\n", "beat.hostname WECserver\n", "beat.version 6.7.0\n", "host.name WECserver\n", diff --git a/docker/helk-kafka-base/Dockerfile b/docker/helk-kafka-base/Dockerfile index 1671cb77..0a831851 100644 --- a/docker/helk-kafka-base/Dockerfile +++ b/docker/helk-kafka-base/Dockerfile @@ -10,7 +10,7 @@ LABEL description="Dockerfile base for the HELK Kafka." ENV DEBIAN_FRONTEND noninteractive # *********** Kafka Variables *************** -ENV KAFKA_VERSION=2.4.0 +ENV KAFKA_VERSION=2.4.1 ENV SCALA_VERSION=2.13 ENV KAFKA_LOGS_PATH=/var/log/kafka ENV KAFKA_CONSOLE_LOG=/var/log/kafka/helk-kafka.log diff --git a/docker/helk-kafka-broker/Dockerfile b/docker/helk-kafka-broker/Dockerfile index 74d85b13..9e59e1f4 100644 --- a/docker/helk-kafka-broker/Dockerfile +++ b/docker/helk-kafka-broker/Dockerfile @@ -3,7 +3,7 @@ # Author: Roberto Rodriguez (@Cyb3rWard0g) # License: GPL-3.0 -FROM otrf/helk-kafka-base:2.3.0 +FROM otrf/helk-kafka-base:2.4.0 LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g" LABEL description="Dockerfile base for the HELK Kafka Broker." diff --git a/docker/helk-kafka-broker/server.properties b/docker/helk-kafka-broker/server.properties index 159233b3..5633d62a 100644 --- a/docker/helk-kafka-broker/server.properties +++ b/docker/helk-kafka-broker/server.properties 
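Review bot: `FROM otrf/helk-kafka-base:2.4.0` is bumped in the same commit that moves helk-kafka-base to `KAFKA_VERSION=2.4.1`; if the base image tag tracks the Kafka release, the broker keeps building on a 2.4.0 base and the 2.4.1 upgrade does not reach it until a matching tag is published. A comment on the FROM line stating what the tag denotes, e.g. `# tag = helk-kafka-base image release, not the upstream Kafka version`, or aligning the tag with KAFKA_VERSION, would make the intended pairing explicit. The helk-zookeeper and helk-kafka-broker images in the compose files are pinned to 2.4.0 as well, so whichever is chosen should be applied there too.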
@@ -105,7 +105,7 @@ transaction.state.log.min.isr=1 # from the end of the log. # The minimum age of a log file to be eligible for deletion due to age -log.retention.hours=4 +log.retention.hours=96 # A size-based retention policy for logs. Segments are pruned from the log unless the remaining # segments drop below log.retention.bytes. Functions independently of log.retention.hours. diff --git a/docker/helk-kibana-analysis-alert-basic.yml b/docker/helk-kibana-analysis-alert-basic.yml index fedf975d..fe659f2a 100644 --- a/docker/helk-kibana-analysis-alert-basic.yml +++ b/docker/helk-kibana-analysis-alert-basic.yml @@ -2,7 +2,7 @@ version: '3.5' services: helk-elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2 + image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2 container_name: helk-elasticsearch logging: driver: "json-file" @@ -22,6 +22,7 @@ services: - node.name=helk-1 - xpack.license.self_generated.type=basic - xpack.security.enabled=false + #- "HELK_ES_MEMORY=-Xms$2g -Xmx2g" ulimits: memlock: soft: -1 @@ -34,7 +35,7 @@ services: networks: helk: helk-logstash: - image: otrf/helk-logstash:7.5.2.2 + image: otrf/helk-logstash:7.6.2.1 container_name: helk-logstash logging: driver: "json-file" @@ -52,18 +53,25 @@ services: environment: - xpack.monitoring.enabled=true - xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200 + - log.level=warn - "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC" ports: - "5044:5044" - "8531:8531" - "3515:3515" + - "5514:5514" + - "8515:8515" + - "8516:8516" + - "5514:5514/udp" + - "8515:8515/udp" + - "8516:8516/udp" restart: always depends_on: - helk-kibana networks: helk: helk-kibana: - image: docker.elastic.co/kibana/kibana:7.5.2 + image: docker.elastic.co/kibana/kibana:7.6.2 container_name: helk-kibana logging: driver: "json-file" 
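Review bot: `log.retention.hours=96` disagrees with the compose files in this same commit, which still pass `LOG_RETENTION_HOURS: 4` to helk-kafka-broker; if the broker entrypoint rewrites server.properties from that variable (not visible here) the new value is inert, and if it does not, the compose value is misleading. Either raise the compose values to 96 or drop the env value so one source of truth remains. A 24x longer retention also keeps raw endpoint telemetry on the broker's disk for four days, so the Kafka log volume sizing and its persistence mount should be checked alongside this change.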
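Review bot: The commented-out example `#- "HELK_ES_MEMORY=-Xms$2g -Xmx2g"` contains a typo: `$2g` is not a valid heap size, and an operator who uncomments it as written hands Compose a `$2` interpolation instead of `-Xms2g`. Write it as `#- "HELK_ES_MEMORY=-Xms2g -Xmx2g"` and note that the value only takes effect once elasticsearch-entrypoint.sh actually folds HELK_ES_MEMORY into ES_JAVA_OPTS, which the entrypoint version in this commit does not do. The same line is added to helk-kibana-analysis-alert-trial.yml, helk-kibana-analysis-basic.yml, helk-kibana-analysis-trial.yml, helk-kibana-notebook-analysis-alert-basic.yml, helk-kibana-notebook-analysis-alert-trial.yml, helk-kibana-notebook-analysis-basic.yml and helk-kibana-notebook-analysis-trial.yml.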
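Review bot: The six new port publications (`5514`, `8515`, `8516` over TCP and UDP) bind on every host interface like the existing ones, but nothing in the compose file says what listens on them; given the numbers they look like syslog-style inputs, and UDP listeners in particular accept unauthenticated, spoofable datagrams. A comment above the block naming each port's input, e.g. `# 5514/8515/8516 (TCP+UDP): additional Logstash network inputs - document the sources they serve and firewall accordingly`, and a bind address such as `- "127.0.0.1:5514:5514"` for any port that only local forwarders need, would let operators limit exposure deliberately. The same block is added to the helk-logstash service of the seven other compose files in this commit.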
@@ -84,7 +92,7 @@ services: networks: helk: helk-nginx: - image: otrf/helk-nginx:0.0.8 + image: otrf/helk-nginx:0.3.0 container_name: helk-nginx logging: driver: "json-file" @@ -95,7 +103,7 @@ services: - source: htpasswd.users target: /etc/nginx/htpasswd.users volumes: - - ./helk-nginx/config/basic-elk:/etc/nginx/sites-available/default + - ./helk-nginx/config/basic-elk:/etc/nginx/conf.d/default.conf - ./helk-nginx/scripts/:/opt/helk/scripts/ entrypoint: /opt/helk/scripts/nginx-entrypoint.sh ports: @@ -107,7 +115,7 @@ services: networks: helk: helk-zookeeper: - image: otrf/helk-zookeeper:2.3.0 + image: otrf/helk-zookeeper:2.4.0 container_name: helk-zookeeper logging: driver: "json-file" @@ -120,7 +128,7 @@ services: networks: helk: helk-kafka-broker: - image: otrf/helk-kafka-broker:2.3.0 + image: otrf/helk-kafka-broker:2.4.0 container_name: helk-kafka-broker logging: driver: "json-file" @@ -137,7 +145,7 @@ services: REPLICATION_FACTOR: 1 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER} ZOOKEEPER_NAME: helk-zookeeper - KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat + KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat, zeek KAFKA_HEAP_OPTS: -Xmx1G -Xms1G LOG_RETENTION_HOURS: 4 ports: @@ -186,7 +194,7 @@ services: networks: helk: helk-elastalert: - image: otrf/helk-elastalert:0.2.6 + image: otrf/helk-elastalert:0.3.0 container_name: helk-elastalert logging: driver: "json-file" diff --git a/docker/helk-kibana-analysis-alert-trial.yml b/docker/helk-kibana-analysis-alert-trial.yml index 203f7719..72b46c45 100644 --- a/docker/helk-kibana-analysis-alert-trial.yml +++ b/docker/helk-kibana-analysis-alert-trial.yml @@ -2,7 +2,7 @@ version: '3.5' services: helk-elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2 + image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2 container_name: helk-elasticsearch logging: driver: "json-file" 
@@ -23,6 +23,7 @@ services: - xpack.license.self_generated.type=trial - xpack.security.enabled=true - "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}" + #- "HELK_ES_MEMORY=-Xms$2g -Xmx2g" ulimits: memlock: soft: -1 @@ -35,7 +36,7 @@ services: networks: helk: helk-logstash: - image: otrf/helk-logstash:7.5.2.2 + image: otrf/helk-logstash:7.6.2.1 container_name: helk-logstash logging: driver: "json-file" @@ -62,13 +63,19 @@ services: - "5044:5044" - "8531:8531" - "3515:3515" + - "5514:5514" + - "8515:8515" + - "8516:8516" + - "5514:5514/udp" + - "8515:8515/udp" + - "8516:8516/udp" restart: always depends_on: - helk-kibana networks: helk: helk-kibana: - image: docker.elastic.co/kibana/kibana:7.5.2 + image: docker.elastic.co/kibana/kibana:7.6.2 container_name: helk-kibana logging: driver: "json-file" @@ -91,7 +98,7 @@ services: networks: helk: helk-nginx: - image: otrf/helk-nginx:0.0.8 + image: otrf/helk-nginx:0.3.0 container_name: helk-nginx logging: driver: "json-file" @@ -99,7 +106,7 @@ services: max-file: "9" max-size: "6m" volumes: - - ./helk-nginx/config/trial-elk:/etc/nginx/sites-available/default + - ./helk-nginx/config/trial-elk:/etc/nginx/conf.d/default.conf - ./helk-nginx/scripts/:/opt/helk/scripts/ entrypoint: /opt/helk/scripts/nginx-entrypoint.sh ports: @@ -111,7 +118,7 @@ services: networks: helk: helk-zookeeper: - image: otrf/helk-zookeeper:2.3.0 + image: otrf/helk-zookeeper:2.4.0 container_name: helk-zookeeper logging: driver: "json-file" @@ -124,7 +131,7 @@ services: networks: helk: helk-kafka-broker: - image: otrf/helk-kafka-broker:2.3.0 + image: otrf/helk-kafka-broker:2.4.0 container_name: helk-kafka-broker logging: driver: "json-file" @@ -141,7 +148,7 @@ services: REPLICATION_FACTOR: 1 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER} ZOOKEEPER_NAME: helk-zookeeper - KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat + KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat, zeek KAFKA_HEAP_OPTS: -Xmx1G -Xms1G LOG_RETENTION_HOURS: 4 ports: 
@@ -190,7 +197,7 @@ services: networks: helk: helk-elastalert: - image: otrf/helk-elastalert:0.2.6 + image: otrf/helk-elastalert:0.3.0 container_name: helk-elastalert logging: driver: "json-file" diff --git a/docker/helk-kibana-analysis-basic.yml b/docker/helk-kibana-analysis-basic.yml index d0156897..bbfcd195 100644 --- a/docker/helk-kibana-analysis-basic.yml +++ b/docker/helk-kibana-analysis-basic.yml @@ -2,7 +2,7 @@ version: '3.5' services: helk-elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2 + image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2 container_name: helk-elasticsearch logging: driver: "json-file" @@ -22,6 +22,7 @@ services: - node.name=helk-1 - xpack.license.self_generated.type=basic - xpack.security.enabled=false + #- "HELK_ES_MEMORY=-Xms$2g -Xmx2g" ulimits: memlock: soft: -1 @@ -34,7 +35,7 @@ services: networks: helk: helk-logstash: - image: otrf/helk-logstash:7.5.2.2 + image: otrf/helk-logstash:7.6.2.1 container_name: helk-logstash logging: driver: "json-file" @@ -52,18 +53,25 @@ services: environment: - xpack.monitoring.enabled=true - xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200 + - log.level=warn - "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC" ports: - "5044:5044" - "8531:8531" - "3515:3515" + - "5514:5514" + - "8515:8515" + - "8516:8516" + - "5514:5514/udp" + - "8515:8515/udp" + - "8516:8516/udp" restart: always depends_on: - helk-kibana networks: helk: helk-kibana: - image: docker.elastic.co/kibana/kibana:7.5.2 + image: docker.elastic.co/kibana/kibana:7.6.2 container_name: helk-kibana logging: driver: "json-file" @@ -84,7 +92,7 @@ services: networks: helk: helk-nginx: - image: otrf/helk-nginx:0.0.8 + image: otrf/helk-nginx:0.3.0 container_name: helk-nginx logging: driver: "json-file" 
@@ -95,7 +103,7 @@ services: - source: htpasswd.users target: /etc/nginx/htpasswd.users volumes: - - ./helk-nginx/config/basic-elk:/etc/nginx/sites-available/default + - ./helk-nginx/config/basic-elk:/etc/nginx/conf.d/default.conf - ./helk-nginx/scripts/:/opt/helk/scripts/ entrypoint: /opt/helk/scripts/nginx-entrypoint.sh ports: @@ -107,7 +115,7 @@ services: networks: helk: helk-zookeeper: - image: otrf/helk-zookeeper:2.3.0 + image: otrf/helk-zookeeper:2.4.0 container_name: helk-zookeeper logging: driver: "json-file" @@ -120,7 +128,7 @@ services: networks: helk: helk-kafka-broker: - image: otrf/helk-kafka-broker:2.3.0 + image: otrf/helk-kafka-broker:2.4.0 container_name: helk-kafka-broker logging: driver: "json-file" @@ -137,7 +145,7 @@ services: REPLICATION_FACTOR: 1 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER} ZOOKEEPER_NAME: helk-zookeeper - KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat + KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat, zeek KAFKA_HEAP_OPTS: -Xmx1G -Xms1G LOG_RETENTION_HOURS: 4 ports: diff --git a/docker/helk-kibana-analysis-trial.yml b/docker/helk-kibana-analysis-trial.yml index 0945783a..5046c880 100644 --- a/docker/helk-kibana-analysis-trial.yml +++ b/docker/helk-kibana-analysis-trial.yml @@ -2,7 +2,7 @@ version: '3.5' services: helk-elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2 + image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2 container_name: helk-elasticsearch logging: driver: "json-file" @@ -23,6 +23,7 @@ services: - xpack.license.self_generated.type=trial - xpack.security.enabled=true - "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}" + #- "HELK_ES_MEMORY=-Xms$2g -Xmx2g" ulimits: memlock: soft: -1 @@ -35,7 +36,7 @@ services: networks: helk: helk-logstash: - image: otrf/helk-logstash:7.5.2.2 + image: otrf/helk-logstash:7.6.2.1 container_name: helk-logstash logging: driver: "json-file" 
@@ -62,13 +63,19 @@ services: - "5044:5044" - "8531:8531" - "3515:3515" + - "5514:5514" + - "8515:8515" + - "8516:8516" + - "5514:5514/udp" + - "8515:8515/udp" + - "8516:8516/udp" restart: always depends_on: - helk-kibana networks: helk: helk-kibana: - image: docker.elastic.co/kibana/kibana:7.5.2 + image: docker.elastic.co/kibana/kibana:7.6.2 container_name: helk-kibana logging: driver: "json-file" @@ -91,7 +98,7 @@ services: networks: helk: helk-nginx: - image: otrf/helk-nginx:0.0.8 + image: otrf/helk-nginx:0.3.0 container_name: helk-nginx logging: driver: "json-file" @@ -99,7 +106,7 @@ services: max-file: "9" max-size: "6m" volumes: - - ./helk-nginx/config/trial-elk:/etc/nginx/sites-available/default + - ./helk-nginx/config/trial-elk:/etc/nginx/conf.d/default.conf - ./helk-nginx/scripts/:/opt/helk/scripts/ entrypoint: /opt/helk/scripts/nginx-entrypoint.sh ports: @@ -111,7 +118,7 @@ services: networks: helk: helk-zookeeper: - image: otrf/helk-zookeeper:2.3.0 + image: otrf/helk-zookeeper:2.4.0 container_name: helk-zookeeper logging: driver: "json-file" @@ -124,7 +131,7 @@ services: networks: helk: helk-kafka-broker: - image: otrf/helk-kafka-broker:2.3.0 + image: otrf/helk-kafka-broker:2.4.0 container_name: helk-kafka-broker logging: driver: "json-file" @@ -141,7 +148,7 @@ services: REPLICATION_FACTOR: 1 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER} ZOOKEEPER_NAME: helk-zookeeper - KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat + KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat, zeek KAFKA_HEAP_OPTS: -Xmx1G -Xms1G LOG_RETENTION_HOURS: 4 ports: diff --git a/docker/helk-kibana-notebook-analysis-alert-basic.yml b/docker/helk-kibana-notebook-analysis-alert-basic.yml index 1f62d4e8..c23e82d2 100644 --- a/docker/helk-kibana-notebook-analysis-alert-basic.yml +++ b/docker/helk-kibana-notebook-analysis-alert-basic.yml 
@@ -2,7 +2,7 @@ version: '3.5' services: helk-elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2 + image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2 container_name: helk-elasticsearch logging: driver: "json-file" @@ -22,6 +22,7 @@ services: - node.name=helk-1 - xpack.license.self_generated.type=basic - xpack.security.enabled=false + #- "HELK_ES_MEMORY=-Xms$2g -Xmx2g" ulimits: memlock: soft: -1 @@ -34,7 +35,7 @@ services: networks: helk: helk-logstash: - image: otrf/helk-logstash:7.5.2.2 + image: otrf/helk-logstash:7.6.2.1 container_name: helk-logstash logging: driver: "json-file" @@ -52,18 +53,25 @@ services: environment: - xpack.monitoring.enabled=true - xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200 + - log.level=warn - "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC" ports: - "5044:5044" - "8531:8531" - "3515:3515" + - "5514:5514" + - "8515:8515" + - "8516:8516" + - "5514:5514/udp" + - "8515:8515/udp" + - "8516:8516/udp" restart: always depends_on: - helk-kibana networks: helk: helk-kibana: - image: docker.elastic.co/kibana/kibana:7.5.2 + image: docker.elastic.co/kibana/kibana:7.6.2 container_name: helk-kibana logging: driver: "json-file" @@ -84,7 +92,7 @@ services: networks: helk: helk-nginx: - image: otrf/helk-nginx:0.0.8 + image: otrf/helk-nginx:0.3.0 container_name: helk-nginx logging: driver: "json-file" @@ -95,7 +103,7 @@ services: - source: htpasswd.users target: /etc/nginx/htpasswd.users volumes: - - ./helk-nginx/config/basic-helk:/etc/nginx/sites-available/default + - ./helk-nginx/config/basic-helk:/etc/nginx/conf.d/default.conf - ./helk-nginx/scripts/:/opt/helk/scripts/ entrypoint: /opt/helk/scripts/nginx-entrypoint.sh ports: @@ -107,7 +115,7 @@ services: networks: helk: helk-zookeeper: - image: otrf/helk-zookeeper:2.3.0 + image: otrf/helk-zookeeper:2.4.0 container_name: helk-zookeeper logging: driver: "json-file" 
@@ -120,7 +128,7 @@ services: networks: helk: helk-kafka-broker: - image: otrf/helk-kafka-broker:2.3.0 + image: otrf/helk-kafka-broker:2.4.0 container_name: helk-kafka-broker logging: driver: "json-file" @@ -137,7 +145,7 @@ services: REPLICATION_FACTOR: 1 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER} ZOOKEEPER_NAME: helk-zookeeper - KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat + KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat, zeek KAFKA_HEAP_OPTS: -Xmx1G -Xms1G LOG_RETENTION_HOURS: 4 ports: @@ -240,7 +248,7 @@ services: networks: helk: helk-elastalert: - image: otrf/helk-elastalert:0.2.6 + image: otrf/helk-elastalert:0.3.0 container_name: helk-elastalert logging: driver: "json-file" diff --git a/docker/helk-kibana-notebook-analysis-alert-trial.yml b/docker/helk-kibana-notebook-analysis-alert-trial.yml index 52bdccb8..17c1a5e4 100644 --- a/docker/helk-kibana-notebook-analysis-alert-trial.yml +++ b/docker/helk-kibana-notebook-analysis-alert-trial.yml @@ -2,7 +2,7 @@ version: '3.5' services: helk-elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2 + image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2 container_name: helk-elasticsearch logging: driver: "json-file" @@ -23,6 +23,7 @@ services: - xpack.license.self_generated.type=trial - xpack.security.enabled=true - "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}" + #- "HELK_ES_MEMORY=-Xms$2g -Xmx2g" ulimits: memlock: soft: -1 @@ -35,7 +36,7 @@ services: networks: helk: helk-logstash: - image: otrf/helk-logstash:7.5.2.2 + image: otrf/helk-logstash:7.6.2.1 container_name: helk-logstash logging: driver: "json-file" 
@@ -62,13 +63,19 @@ services: - "5044:5044" - "8531:8531" - "3515:3515" + - "5514:5514" + - "8515:8515" + - "8516:8516" + - "5514:5514/udp" + - "8515:8515/udp" + - "8516:8516/udp" restart: always depends_on: - helk-kibana networks: helk: helk-kibana: - image: docker.elastic.co/kibana/kibana:7.5.2 + image: docker.elastic.co/kibana/kibana:7.6.2 container_name: helk-kibana logging: driver: "json-file" @@ -91,7 +98,7 @@ services: networks: helk: helk-nginx: - image: otrf/helk-nginx:0.0.8 + image: otrf/helk-nginx:0.3.0 container_name: helk-nginx logging: driver: "json-file" @@ -99,7 +106,7 @@ services: max-file: "9" max-size: "6m" volumes: - - ./helk-nginx/config/trial-helk:/etc/nginx/sites-available/default + - ./helk-nginx/config/trial-helk:/etc/nginx/conf.d/default.conf - ./helk-nginx/scripts/:/opt/helk/scripts/ entrypoint: /opt/helk/scripts/nginx-entrypoint.sh ports: @@ -112,7 +119,7 @@ services: networks: helk: helk-zookeeper: - image: otrf/helk-zookeeper:2.3.0 + image: otrf/helk-zookeeper:2.4.0 container_name: helk-zookeeper logging: driver: "json-file" @@ -125,7 +132,7 @@ services: networks: helk: helk-kafka-broker: - image: otrf/helk-kafka-broker:2.3.0 + image: otrf/helk-kafka-broker:2.4.0 container_name: helk-kafka-broker logging: driver: "json-file" @@ -142,7 +149,7 @@ services: REPLICATION_FACTOR: 1 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER} ZOOKEEPER_NAME: helk-zookeeper - KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat + KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat, zeek KAFKA_HEAP_OPTS: -Xmx1g -Xms1g LOG_RETENTION_HOURS: 4 ports: @@ -245,7 +252,7 @@ services: networks: helk: helk-elastalert: - image: otrf/helk-elastalert:0.2.6 + image: otrf/helk-elastalert:0.3.0 container_name: helk-elastalert logging: driver: "json-file" diff --git a/docker/helk-kibana-notebook-analysis-basic.yml b/docker/helk-kibana-notebook-analysis-basic.yml index b611f646..cf3a2123 100644 --- a/docker/helk-kibana-notebook-analysis-basic.yml 
+++ b/docker/helk-kibana-notebook-analysis-basic.yml @@ -2,7 +2,7 @@ version: '3.5' services: helk-elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2 + image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2 container_name: helk-elasticsearch logging: driver: "json-file" @@ -22,6 +22,7 @@ services: - node.name=helk-1 - xpack.license.self_generated.type=basic - xpack.security.enabled=false + #- "HELK_ES_MEMORY=-Xms$2g -Xmx2g" ulimits: memlock: soft: -1 @@ -34,7 +35,7 @@ services: networks: helk: helk-logstash: - image: otrf/helk-logstash:7.5.2.2 + image: otrf/helk-logstash:7.6.2.1 container_name: helk-logstash logging: driver: "json-file" @@ -52,18 +53,25 @@ services: environment: - xpack.monitoring.enabled=true - xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200 + - log.level=warn - "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC" ports: - "5044:5044" - "8531:8531" - "3515:3515" + - "5514:5514" + - "8515:8515" + - "8516:8516" + - "5514:5514/udp" + - "8515:8515/udp" + - "8516:8516/udp" restart: always depends_on: - helk-kibana networks: helk: helk-kibana: - image: docker.elastic.co/kibana/kibana:7.5.2 + image: docker.elastic.co/kibana/kibana:7.6.2 container_name: helk-kibana logging: driver: "json-file" @@ -84,7 +92,7 @@ services: networks: helk: helk-nginx: - image: otrf/helk-nginx:0.0.8 + image: otrf/helk-nginx:0.3.0 container_name: helk-nginx logging: driver: "json-file" @@ -95,7 +103,7 @@ services: - source: htpasswd.users target: /etc/nginx/htpasswd.users volumes: - - ./helk-nginx/config/basic-helk:/etc/nginx/sites-available/default + - ./helk-nginx/config/basic-helk:/etc/nginx/conf.d/default.conf - ./helk-nginx/scripts/:/opt/helk/scripts/ entrypoint: /opt/helk/scripts/nginx-entrypoint.sh ports: 
@@ -107,7 +115,7 @@ services: networks: helk: helk-zookeeper: - image: otrf/helk-zookeeper:2.3.0 + image: otrf/helk-zookeeper:2.4.0 container_name: helk-zookeeper logging: driver: "json-file" @@ -120,7 +128,7 @@ services: networks: helk: helk-kafka-broker: - image: otrf/helk-kafka-broker:2.3.0 + image: otrf/helk-kafka-broker:2.4.0 container_name: helk-kafka-broker logging: driver: "json-file" @@ -137,7 +145,7 @@ services: REPLICATION_FACTOR: 1 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER} ZOOKEEPER_NAME: helk-zookeeper - KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat + KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat, zeek KAFKA_HEAP_OPTS: -Xmx1G -Xms1G LOG_RETENTION_HOURS: 4 ports: diff --git a/docker/helk-kibana-notebook-analysis-trial.yml b/docker/helk-kibana-notebook-analysis-trial.yml index e5c3493b..95c27c3b 100644 --- a/docker/helk-kibana-notebook-analysis-trial.yml +++ b/docker/helk-kibana-notebook-analysis-trial.yml @@ -2,7 +2,7 @@ version: '3.5' services: helk-elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2 + image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2 container_name: helk-elasticsearch logging: driver: "json-file" @@ -23,6 +23,7 @@ services: - xpack.license.self_generated.type=trial - xpack.security.enabled=true - "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}" + #- "HELK_ES_MEMORY=-Xms$2g -Xmx2g" ulimits: memlock: soft: -1 @@ -35,7 +36,7 @@ services: networks: helk: helk-logstash: - image: otrf/helk-logstash:7.5.2.2 + image: otrf/helk-logstash:7.6.2.1 container_name: helk-logstash logging: driver: "json-file" 
@@ -62,13 +63,19 @@ services: - "5044:5044" - "8531:8531" - "3515:3515" + - "5514:5514" + - "8515:8515" + - "8516:8516" + - "5514:5514/udp" + - "8515:8515/udp" + - "8516:8516/udp" restart: always depends_on: - helk-kibana networks: helk: helk-kibana: - image: docker.elastic.co/kibana/kibana:7.5.2 + image: docker.elastic.co/kibana/kibana:7.6.2 container_name: helk-kibana logging: driver: "json-file" @@ -91,7 +98,7 @@ services: networks: helk: helk-nginx: - image: otrf/helk-nginx:0.0.8 + image: otrf/helk-nginx:0.3.0 container_name: helk-nginx logging: driver: "json-file" @@ -99,7 +106,7 @@ services: max-file: "9" max-size: "6m" volumes: - - ./helk-nginx/config/trial-helk:/etc/nginx/sites-available/default + - ./helk-nginx/config/trial-helk:/etc/nginx/conf.d/default.conf - ./helk-nginx/scripts/:/opt/helk/scripts/ entrypoint: /opt/helk/scripts/nginx-entrypoint.sh ports: @@ -112,7 +119,7 @@ services: networks: helk: helk-zookeeper: - image: otrf/helk-zookeeper:2.3.0 + image: otrf/helk-zookeeper:2.4.0 container_name: helk-zookeeper logging: driver: "json-file" @@ -125,7 +132,7 @@ services: networks: helk: helk-kafka-broker: - image: otrf/helk-kafka-broker:2.3.0 + image: otrf/helk-kafka-broker:2.4.0 container_name: helk-kafka-broker logging: driver: "json-file" @@ -142,7 +149,7 @@ services: REPLICATION_FACTOR: 1 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER} ZOOKEEPER_NAME: helk-zookeeper - KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat + KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat, zeek KAFKA_HEAP_OPTS: -Xmx1g -Xms1g LOG_RETENTION_HOURS: 4 ports: diff --git a/docker/helk-kibana/Dockerfile b/docker/helk-kibana/Dockerfile index fd56e162..1135b730 100644 --- a/docker/helk-kibana/Dockerfile +++ b/docker/helk-kibana/Dockerfile 
@@ -6,6 +6,6 @@ # References: # https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html -FROM docker.elastic.co/kibana/kibana:7.5.2 +FROM docker.elastic.co/kibana/kibana:7.6.2 LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g" LABEL description="Dockerfile base for the HELK Kibana." \ No newline at end of file diff --git a/docker/helk-kibana/config/kibana.yml b/docker/helk-kibana/config/kibana.yml index ed945282..aed213e3 100644 --- a/docker/helk-kibana/config/kibana.yml +++ b/docker/helk-kibana/config/kibana.yml @@ -110,5 +110,5 @@ xpack.monitoring.ui.container.elasticsearch.enabled: true xpack.reporting.capture.browser.chromium.disableSandbox: true # If your Elasticsearch is protected with basic authentication, these settings provide the username and password -# that the Kibana server uses to perform maintenance on the Kibana index at startup. Your Kibana users still need +# that the Kibana server uses to perform maintenance on the Kibana index at startup. Your Kibana users still need # to authenticate with Elasticsearch, which is proxied through the Kibana server. \ No newline at end of file diff --git a/docker/helk-kibana/objects/config/7_6_2.ndjson b/docker/helk-kibana/objects/config/7_6_2.ndjson new file mode 100644 index 00000000..c943bab6 --- /dev/null +++ b/docker/helk-kibana/objects/config/7_6_2.ndjson @@ -0,0 +1 @@ +{"attributes":{"buildNum":29199,"defaultIndex":"logs-endpoint-winevent-sysmon-*","state:storeInSessionStorage":true},"id":"7.6.2","references":[],"type":"config","updated_at":"2020-04-21T08:48:03.355Z","version":"WzEwOCwxXQ=="} diff --git a/docker/helk-kibana/objects/dashboard/ALL_MITRE_ATTACK__HELK.ndjson b/docker/helk-kibana/objects/dashboard/ALL_MITRE_ATTACK__HELK.ndjson new file mode 100644 index 00000000..534d2726 --- /dev/null +++ b/docker/helk-kibana/objects/dashboard/ALL_MITRE_ATTACK__HELK.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"Enterprise, PRE and Mobile ATTACK","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"},"optionsJSON":"{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":17,\"h\":7,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":31,\"y\":7,\"w\":17,\"h\":13,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":17,\"y\":0,\"w\":20,\"h\":7,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":13,\"y\":7,\"w\":18,\"h\":13,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":37,\"y\":0,\"w\":11,\"h\":7,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":7,\"w\":13,\"h\":11,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":18,\"w\":13,\"h\":14,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":20,\"w\":13,\"h\":12,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":37,\"y\":20,\"w\":11,\"h\":12,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":13,\"y\":20,\"w\":11,\"h\":12,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"grid
Data\":{\"x\":0,\"y\":32,\"w\":48,\"h\":25,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"ALL-MITRE-ATTACK (HELK)","version":1},"id":"0afcb130-6f8b-11e8-8945-7d43ba9ddc77","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"c10c2a10-6f8a-11e8-8945-7d43ba9ddc77","name":"panel_0","type":"visualization"},{"id":"5bcad6b0-6f8a-11e8-8945-7d43ba9ddc77","name":"panel_1","type":"visualization"},{"id":"bf6e4e00-6f89-11e8-8945-7d43ba9ddc77","name":"panel_2","type":"visualization"},{"id":"b0354ae0-6f8b-11e8-8945-7d43ba9ddc77","name":"panel_3","type":"visualization"},{"id":"5dcdeaf0-6f90-11e8-8945-7d43ba9ddc77","name":"panel_4","type":"visualization"},{"id":"6cb1c1d0-6f91-11e8-8945-7d43ba9ddc77","name":"panel_5","type":"visualization"},{"id":"4e512810-6f92-11e8-8945-7d43ba9ddc77","name":"panel_6","type":"visualization"},{"id":"4b1fd360-6f94-11e8-8945-7d43ba9ddc77","name":"panel_7","type":"visualization"},{"id":"2653efa0-6f97-11e8-8945-7d43ba9ddc77","name":"panel_8","type":"visualization"},{"id":"a7e62f40-6f99-11e8-8945-7d43ba9ddc77","name":"panel_9","type":"visualization"},{"id":"89d14480-6f9a-11e8-8945-7d43ba9ddc77","name":"panel_10","type":"search"}],"type":"dashboard","updated_at":"2020-04-21T08:47:54.155Z","version":"Wzk5LDFd"} diff --git a/docker/helk-kibana/objects/dashboard/Global_Dashboard__HELK.ndjson b/docker/helk-kibana/objects/dashboard/Global_Dashboard__HELK.ndjson new file mode 100644 index 00000000..1c538219 --- /dev/null +++ b/docker/helk-kibana/objects/dashboard/Global_Dashboard__HELK.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"},"optionsJSON":"{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.2\",\"gridData\":{\"w\":16,\"h\":12,\"x\":12,\"y\":8,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":12,\"h\":8,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":12,\"h\":8,\"x\":12,\"y\":0,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":12,\"h\":12,\"x\":0,\"y\":8,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":12,\"h\":12,\"x\":0,\"y\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":12,\"h\":8,\"x\":24,\"y\":0,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":12,\"h\":8,\"x\":36,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":12,\"h\":12,\"x\":28,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":24,\"h\":12,\"x\":24,\"y\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":32,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":12,\"h\":12,\"x\":12,\"y\":20,\"i\":\"9eb066c4
-a720-4373-a284-d59b38498044\"},\"panelIndex\":\"9eb066c4-a720-4373-a284-d59b38498044\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":8,\"h\":12,\"x\":40,\"y\":8,\"i\":\"9c1b96e5-8401-4240-a20f-67a7f6f353a0\"},\"panelIndex\":\"9c1b96e5-8401-4240-a20f-67a7f6f353a0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","refreshInterval":{"pause":true,"value":0},"timeFrom":"now-2y","timeRestore":true,"timeTo":"now","title":"Global Dashboard (HELK)","version":1},"id":"fa97e480-1dd8-11e8-8f1b-1b86647d4817","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"e351c080-1dd7-11e8-8f1b-1b86647d4817","name":"panel_0","type":"visualization"},{"id":"97478120-1dd7-11e8-8f1b-1b86647d4817","name":"panel_1","type":"visualization"},{"id":"a5fe7110-1dd7-11e8-8f1b-1b86647d4817","name":"panel_2","type":"visualization"},{"id":"bf617710-1dd7-11e8-8f1b-1b86647d4817","name":"panel_3","type":"visualization"},{"id":"24cc4b70-1dd8-11e8-8f1b-1b86647d4817","name":"panel_4","type":"visualization"},{"id":"32f92e60-1dd9-11e8-8f1b-1b86647d4817","name":"panel_5","type":"visualization"},{"id":"45159070-1dd9-11e8-8f1b-1b86647d4817","name":"panel_6","type":"visualization"},{"id":"9b6fe330-1dd9-11e8-8f1b-1b86647d4817","name":"panel_7","type":"visualization"},{"id":"cb8b5280-1de2-11e8-8f1b-1b86647d4817","name":"panel_8","type":"visualization"},{"id":"0e899740-1de3-11e8-8f1b-1b86647d4817","name":"panel_9","type":"search"},{"id":"49e84990-7e43-11ea-809d-5972b5df304f","name":"panel_10","type":"visualization"},{"id":"4dda3ea0-83b1-11ea-9c6c-fbcf2d331f22","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-04-21T09:21:39.536Z","version":"WzEzMywxXQ=="} diff --git a/docker/helk-kibana/objects/dashboard/Host_Investigation_Dashboard__HELK.ndjson b/docker/helk-kibana/objects/dashboard/Host_Investigation_Dashboard__HELK.ndjson new file mode 100644 index 00000000..3dffbb82 --- /dev/null 
+++ b/docker/helk-kibana/objects/dashboard/Host_Investigation_Dashboard__HELK.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"Enter a hostname in the search bar to investigate activity on that host.","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"lucene\",\"query\":\"Enter a system name here\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":17,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":47},\"panelIndex\":\"1\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":64},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":79},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":109},\"panelIndex\":\"4\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":94},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":124},\"panelIndex\":\"6\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":139},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"9\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":17,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"10\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"grid
Data\":{\"h\":15,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"12\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":170},\"panelIndex\":\"16\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":154},\"panelIndex\":\"17\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Host Investigation Dashboard (HELK)","version":1},"id":"624865e0-434f-11e9-a4c5-1717ba697d0d","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"689ef060-4342-11e9-a4c5-1717ba697d0d","name":"panel_0","type":"search"},{"id":"5a792770-4343-11e9-a4c5-1717ba697d0d","name":"panel_1","type":"search"},{"id":"1821dba0-4344-11e9-a4c5-1717ba697d0d","name":"panel_2","type":"search"},{"id":"db661470-4347-11e9-a4c5-1717ba697d0d","name":"panel_3","type":"search"},{"id":"1a68e8a0-4348-11e9-a4c5-1717ba697d0d","name":"panel_4","type":"search"},{"id":"4bb63750-4348-11e9-a4c5-1717ba697d0d","name":"panel_5","type":"search"},{"id":"ffb5aa00-4349-11e9-a4c5-1717ba697d0d","name":"panel_6","type":"search"},{"id":"c0d3f7c0-483e-11e9-8770-35c0f1a2cce0","name":"panel_7","type":"visualization"},{"id":"cdd1ed10-483e-11e9-8770-35c0f1a2cce0","name":"panel_8","type":"visualization"},{"id":"a3878f20-4829-11e9-a85d-d748de0cd831","name":"panel_9","type":"search"},{"id":"47b5abb0-48f0-11e9-b62f-8f6921045c4c","name":"panel_10","type":"visualization"},{"id":"c91f0df0-48ef-11e9-b62f-8f6921045c4c","name":"panel_11","type":"search"},{"id":"159666e0-4ce9-11e9-b05e-6fc957c1b917","name":"panel_12","type":"search"},{"id":"bc44bd30-4cd4-11e9-b05e-6fc957c1b917","name":"panel_13","type":"search"}],"type":"dashboard","updated_at":"2020-04-21T08:47:56.254Z","vers
ion":"WzEwMSwxXQ=="} diff --git a/docker/helk-kibana/objects/dashboard/MITRE_ATTACK_GROUPS__HELK.ndjson b/docker/helk-kibana/objects/dashboard/MITRE_ATTACK_GROUPS__HELK.ndjson new file mode 100644 index 00000000..d00f7f8a --- /dev/null +++ b/docker/helk-kibana/objects/dashboard/MITRE_ATTACK_GROUPS__HELK.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"Groups from Enterprise, PRE and Mobile","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"},"optionsJSON":"{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.2\",\"gridData\":{\"x\":13,\"y\":7,\"w\":17,\"h\":12,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"spy\":null},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":30,\"y\":7,\"w\":18,\"h\":12,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":28,\"h\":7,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":0,\"w\":19,\"h\":7,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":27,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":7,\"w\":13,\"h\":12,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":11,\"y\":19,\"w\":13,\"h\":13,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":19,\"w\":11,\"h\":13,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":19,\"w\":24,\"h\":13,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"MITRE-ATTACK-GROUPS 
(HELK)","version":1},"id":"1bca3130-6ff0-11e8-8d23-170b1a3fd248","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"0166a090-6fef-11e8-8d23-170b1a3fd248","name":"panel_0","type":"visualization"},{"id":"db3dafc0-6fef-11e8-8d23-170b1a3fd248","name":"panel_1","type":"visualization"},{"id":"511297c0-6fef-11e8-8d23-170b1a3fd248","name":"panel_2","type":"visualization"},{"id":"951b0410-6ff0-11e8-8d23-170b1a3fd248","name":"panel_3","type":"visualization"},{"id":"89d14480-6f9a-11e8-8945-7d43ba9ddc77","name":"panel_4","type":"search"},{"id":"2653efa0-6f97-11e8-8945-7d43ba9ddc77","name":"panel_5","type":"visualization"},{"id":"43450a80-6ffc-11e8-8d23-170b1a3fd248","name":"panel_6","type":"visualization"},{"id":"d04821b0-6ffc-11e8-8d23-170b1a3fd248","name":"panel_7","type":"visualization"},{"id":"0067e580-7000-11e8-8d23-170b1a3fd248","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-04-21T08:47:57.284Z","version":"WzEwMiwxXQ=="} diff --git a/docker/helk-kibana/objects/dashboard/Process_Investigation__HELK.ndjson b/docker/helk-kibana/objects/dashboard/Process_Investigation__HELK.ndjson new file mode 100644 index 00000000..46434901 --- /dev/null +++ b/docker/helk-kibana/objects/dashboard/Process_Investigation__HELK.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"Dashboard for investigating individual processes","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\\\"enter a process Guid here\\\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":60,\"w\":48,\"h\":20,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":19,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":43,\"w\":48,\"h\":17,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":99,\"w\":48,\"h\":17,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":8,\"w\":48,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":116,\"w\":48,\"h\":32,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\"]},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":28,\"w\":48,\"h\":15,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Process Investigation 
(HELK)","version":1},"id":"41449550-48f2-11e9-b62f-8f6921045c4c","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"db661470-4347-11e9-a4c5-1717ba697d0d","name":"panel_0","type":"search"},{"id":"1821dba0-4344-11e9-a4c5-1717ba697d0d","name":"panel_1","type":"search"},{"id":"1a68e8a0-4348-11e9-a4c5-1717ba697d0d","name":"panel_2","type":"search"},{"id":"cc5bb4b0-4826-11e9-a85d-d748de0cd831","name":"panel_3","type":"search"},{"id":"689ef060-4342-11e9-a4c5-1717ba697d0d","name":"panel_4","type":"search"},{"id":"4d391470-48f3-11e9-b62f-8f6921045c4c","name":"panel_5","type":"visualization"},{"id":"bcafaac0-48f4-11e9-b62f-8f6921045c4c","name":"panel_6","type":"search"},{"id":"aad50710-4d9e-11e9-9ebb-eb9011b9c659","name":"panel_7","type":"search"}],"type":"dashboard","updated_at":"2020-04-21T08:47:58.309Z","version":"WzEwMywxXQ=="} diff --git a/docker/helk-kibana/objects/dashboard/Sysmon_Dashboard__HELK.ndjson b/docker/helk-kibana/objects/dashboard/Sysmon_Dashboard__HELK.ndjson new file mode 100644 index 00000000..9cc4227f --- /dev/null +++ b/docker/helk-kibana/objects/dashboard/Sysmon_Dashboard__HELK.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"},"optionsJSON":"{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":20,\"h\":12,\"x\":16,\"y\":8,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":12,\"h\":8,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":12,\"h\":8,\"x\":12,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":8,\"x\":24,\"y\":0,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":12,\"x\":28,\"y\":32,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":16,\"h\":12,\"x\":12,\"y\":20,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":8,\"h\":12,\"x\":40,\"y\":32,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":12,\"h\":12,\"x\":36,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":12,\"h\":12,\"x\":0,\"y\":20,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":28,\"h\":12,\"x\":0,\"y\":32,\"i\":\"11\"},\"ver
sion\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":12,\"h\":8,\"x\":36,\"y\":0,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"13\",\"gridData\":{\"w\":16,\"h\":12,\"x\":0,\"y\":8,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":24,\"h\":12,\"x\":0,\"y\":44,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}},{\"panelIndex\":\"16\",\"gridData\":{\"w\":24,\"h\":12,\"x\":24,\"y\":44,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\",\"embeddableConfig\":{}}]","refreshInterval":{"display":"Off","pause":false,"value":0},"timeFrom":"now-30m","timeRestore":true,"timeTo":"now","title":"Sysmon Dashboard 
(HELK)","version":1},"id":"b8497150-1de4-11e8-8f1b-1b86647d4817","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b2b6b460-1de3-11e8-8f1b-1b86647d4817","name":"panel_0","type":"visualization"},{"id":"40aab0b0-1de3-11e8-8f1b-1b86647d4817","name":"panel_1","type":"visualization"},{"id":"55e73e80-1de3-11e8-8f1b-1b86647d4817","name":"panel_2","type":"visualization"},{"id":"1f8837d0-1de4-11e8-8f1b-1b86647d4817","name":"panel_3","type":"visualization"},{"id":"68484ab0-1de3-11e8-8f1b-1b86647d4817","name":"panel_4","type":"visualization"},{"id":"0c438260-1de4-11e8-8f1b-1b86647d4817","name":"panel_5","type":"visualization"},{"id":"d36e8f20-1de3-11e8-8f1b-1b86647d4817","name":"panel_6","type":"visualization"},{"id":"2ff90cc0-1de4-11e8-8f1b-1b86647d4817","name":"panel_7","type":"visualization"},{"id":"601666f0-1de4-11e8-8f1b-1b86647d4817","name":"panel_8","type":"visualization"},{"id":"f000dc10-1de3-11e8-8f1b-1b86647d4817","name":"panel_9","type":"visualization"},{"id":"4a347160-1de4-11e8-8f1b-1b86647d4817","name":"panel_10","type":"visualization"},{"id":"7c191380-1de3-11e8-8f1b-1b86647d4817","name":"panel_11","type":"visualization"},{"id":"cb0bfe70-1de4-11e8-8f1b-1b86647d4817","name":"panel_12","type":"visualization"},{"id":"2754df30-1de5-11e8-8f1b-1b86647d4817","name":"panel_13","type":"search"},{"id":"c23c05f0-1de5-11e8-8f1b-1b86647d4817","name":"panel_14","type":"visualization"},{"id":"fc7c21f0-1de5-11e8-8f1b-1b86647d4817","name":"panel_15","type":"visualization"}],"type":"dashboard","updated_at":"2020-04-21T08:47:59.307Z","version":"WzEwNCwxXQ=="} diff --git a/docker/helk-kibana/objects/dashboard/Sysmon_Network_Dashboard__HELK.ndjson b/docker/helk-kibana/objects/dashboard/Sysmon_Network_Dashboard__HELK.ndjson new file mode 100644 index 00000000..bf6e4a47 --- /dev/null +++ b/docker/helk-kibana/objects/dashboard/Sysmon_Network_Dashboard__HELK.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"},"optionsJSON":"{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.2\",\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":20},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":12,\"x\":12,\"y\":20},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":12,\"x\":0,\"y\":8},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":12,\"i\":\"7\",\"w\":12,\"x\":36,\"y\":8},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":12,\"x\":24,\"y\":20},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":28,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"w\":24,\"h\":20,\"x\":12,\"y\":0,\"i\":\"fb18f90d-9997-4b47-a7e8-c533ec3600aa\"},\"panelIndex\":\"fb18f90d-9997-4b47-a7e8-c533ec3600aa\",\"embeddableConfig\":{\"isLayerTOCOpen\":false,\"openTOCDetails\":[],\"mapC
enter\":{\"lat\":44.1628,\"lon\":-29.31966,\"zoom\":1.65},\"hiddenLayers\":[]},\"panelRefName\":\"panel_9\"}]","refreshInterval":{"pause":true,"value":0},"timeFrom":"now-2y","timeRestore":true,"timeTo":"now","title":"Sysmon Network Dashboard (HELK)","version":1},"id":"486d1780-1de7-11e8-8f1b-1b86647d4817","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"88ba6280-1de6-11e8-8f1b-1b86647d4817","name":"panel_0","type":"visualization"},{"id":"fea5c340-1de6-11e8-8f1b-1b86647d4817","name":"panel_1","type":"visualization"},{"id":"9d5cac20-1de6-11e8-8f1b-1b86647d4817","name":"panel_2","type":"visualization"},{"id":"e71b9bf0-1de6-11e8-8f1b-1b86647d4817","name":"panel_3","type":"visualization"},{"id":"5895e6f0-1de7-11e8-8f1b-1b86647d4817","name":"panel_4","type":"visualization"},{"id":"70cca1f0-1de7-11e8-8f1b-1b86647d4817","name":"panel_5","type":"visualization"},{"id":"8d4f5e80-1de7-11e8-8f1b-1b86647d4817","name":"panel_6","type":"visualization"},{"id":"bd839c10-1de7-11e8-8f1b-1b86647d4817","name":"panel_7","type":"visualization"},{"id":"754acc80-1de6-11e8-8f1b-1b86647d4817","name":"panel_8","type":"search"},{"id":"07a52530-7e48-11ea-809d-5972b5df304f","name":"panel_9","type":"map"}],"type":"dashboard","updated_at":"2020-04-21T08:48:00.334Z","version":"WzEwNSwxXQ=="} diff --git a/docker/helk-kibana/objects/dashboard/User_Investigation_Dashboard__HELK.ndjson b/docker/helk-kibana/objects/dashboard/User_Investigation_Dashboard__HELK.ndjson new file mode 100644 index 00000000..9d3b98ed --- /dev/null +++ b/docker/helk-kibana/objects/dashboard/User_Investigation_Dashboard__HELK.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"Enter a username in the search bar to investigate activity on that host.","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\\\"Enter a username here\\\"\",\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":17,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":43,\"w\":48,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":58,\"w\":48,\"h\":15,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":88,\"w\":48,\"h\":15,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":73,\"w\":48,\"h\":15,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":103,\"w\":48,\"h\":15,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\"]},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":16,\"h\":11,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":11,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":11,\"w\":48,\"h\":15,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"User Investigation Dashboard 
(HELK)","version":1},"id":"cf46c5b0-434f-11e9-a4c5-1717ba697d0d","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"689ef060-4342-11e9-a4c5-1717ba697d0d","name":"panel_0","type":"search"},{"id":"5a792770-4343-11e9-a4c5-1717ba697d0d","name":"panel_1","type":"search"},{"id":"1821dba0-4344-11e9-a4c5-1717ba697d0d","name":"panel_2","type":"search"},{"id":"db661470-4347-11e9-a4c5-1717ba697d0d","name":"panel_3","type":"search"},{"id":"1a68e8a0-4348-11e9-a4c5-1717ba697d0d","name":"panel_4","type":"search"},{"id":"ffb5aa00-4349-11e9-a4c5-1717ba697d0d","name":"panel_5","type":"search"},{"id":"3c414620-48fc-11e9-b62f-8f6921045c4c","name":"panel_6","type":"visualization"},{"id":"ccec7dc0-48fc-11e9-b62f-8f6921045c4c","name":"panel_7","type":"visualization"},{"id":"a3878f20-4829-11e9-a85d-d748de0cd831","name":"panel_8","type":"search"}],"type":"dashboard","updated_at":"2020-04-21T08:48:01.370Z","version":"WzEwNiwxXQ=="} diff --git a/docker/helk-kibana/objects/dashboards/ALL-MITRE-ATTACK.json b/docker/helk-kibana/objects/dashboards/ALL-MITRE-ATTACK.json deleted file mode 100644 index ed6f28a5..00000000 --- a/docker/helk-kibana/objects/dashboards/ALL-MITRE-ATTACK.json +++ /dev/null 
@@ -1,226 +0,0 @@ -{ - "version": "6.5.3", - "objects": [ - { - "id": "c10c2a10-6f8a-11e8-8945-7d43ba9ddc77", - "type": "visualization", - "updated_at": "2018-06-14T04:50:09.722Z", - "version": 2, - "attributes": { - "title": "mitre_attack_select", - "visState": "{\"title\":\"mitre_attack_select\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1528950139638\",\"indexPattern\":\"mitre-attack-*\",\"fieldName\":\"matrix.keyword\",\"parent\":\"\",\"label\":\"Select Matrix\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"size\":5,\"order\":\"desc\"}},{\"id\":\"1528951743018\",\"indexPattern\":\"mitre-attack-*\",\"fieldName\":\"platform.keyword\",\"parent\":\"\",\"label\":\"Select Platform\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"size\":5,\"order\":\"desc\"}}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - } - }, - { - "id": "5bcad6b0-6f8a-11e8-8945-7d43ba9ddc77", - "type": "visualization", - "updated_at": "2018-06-14T05:49:23.609Z", - "version": 4, - "attributes": { - "title": "mitre_attack_software_groups", - "visState": 
"{\"title\":\"mitre_attack_software_groups\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"groups\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"groups\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"software.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"software\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "bf6e4e00-6f89-11e8-8945-7d43ba9ddc77", - "type": "visualization", - "updated_at": "2018-06-14T04:16:44.768Z", - "version": 1, - "attributes": { - "title": "mitre_attack_techniques_matrices", - "visState": 
"{\"title\":\"mitre_attack_techniques_matrices\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"matrix.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"matrices\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "b0354ae0-6f8b-11e8-8945-7d43ba9ddc77", - "type": "visualization", - "updated_at": "2018-06-14T05:28:33.361Z", - "version": 3, - "attributes": { - "title": "mitre_attack_technique_data_sources_cloud", - "visState": 
"{\"title\":\"mitre_attack_technique_data_sources_cloud\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":8,\"maxFontSize\":40,\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"data_sources.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"data sources\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "5dcdeaf0-6f90-11e8-8945-7d43ba9ddc77", - "type": "visualization", - "updated_at": "2018-06-14T05:04:22.644Z", - "version": 2, - "attributes": { - "title": "mitre_attack_permissions_required", - "visState": "{\"title\":\"mitre_attack_permissions_required\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"permissions_required.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"permissions_required\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - 
"searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "6cb1c1d0-6f91-11e8-8945-7d43ba9ddc77", - "type": "visualization", - "updated_at": "2018-06-14T05:14:36.784Z", - "version": 3, - "attributes": { - "title": "mitre_attack_tactic_techniques", - "visState": "{\"title\":\"mitre_attack_tactic_techniques\",\"type\":\"table\",\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tactic.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"tactic\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "4e512810-6f92-11e8-8945-7d43ba9ddc77", - "type": "visualization", - "updated_at": "2018-06-14T05:18:00.465Z", - "version": 1, - "attributes": { - "title": "mitre_attack_technique_data_sources", - "visState": 
"{\"title\":\"mitre_attack_technique_data_sources\",\"type\":\"table\",\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"data_sources.keyword\",\"customLabel\":\"data_sources\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"technique.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":300,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"technique\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "4b1fd360-6f94-11e8-8945-7d43ba9ddc77", - "type": "visualization", - "updated_at": "2018-06-14T05:32:14.102Z", - "version": 1, - "attributes": { - "title": "mitre_attack_mitigation_technique", - "visState": "{\"title\":\"mitre_attack_mitigation_technique\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mitigation.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"mitigation\"}}]}", - 
"uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "2653efa0-6f97-11e8-8945-7d43ba9ddc77", - "type": "visualization", - "updated_at": "2018-06-14T05:52:40.858Z", - "version": 1, - "attributes": { - "title": "mitre_attack_groups_techniques", - "visState": "{\"title\":\"mitre_attack_groups_techniques\",\"type\":\"table\",\"params\":{\"perPage\":35,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"group.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"groups\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "a7e62f40-6f99-11e8-8945-7d43ba9ddc77", - "type": "visualization", - "updated_at": "2018-06-14T06:10:37.235Z", - "version": 1, - "attributes": { - "title": "mitre_attack_data_sources_techniques", - "visState": 
"{\"title\":\"mitre_attack_data_sources_techniques\",\"type\":\"table\",\"params\":{\"perPage\":25,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data_sources.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"data_sources\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "89d14480-6f9a-11e8-8945-7d43ba9ddc77", - "type": "search", - "updated_at": "2018-06-14T06:16:56.264Z", - "version": 1, - "attributes": { - "title": "mitre_attack_discover", - "description": "", - "hits": 0, - "columns": [ - "matrix", - "tactic", - "technique", - "technique_id", - "mitigation", - "group", - "group_id", - "software", - "software_id", - "relationship_description", - "data_sources", - "platform" - ], - "sort": [ - "_score", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" - } - } - }, - { - "id": "mitre-attack-*", - "type": "index-pattern", - "updated_at": "2018-06-14T06:16:11.774Z", - "version": 20, - "attributes": { - "title": "mitre-attack-*", - "fields": 
"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Validation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Validation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"contributors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"contributors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_sources\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detectable_by_common_defenses\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detectable_by_common_defenses.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detectable_explanation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detectable_explanation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"difficulty_explanation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"difficulty_explanation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"difficulty_for_adversary\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"difficulty_for_adversary.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"effective_permissions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"effective_permissions.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group\",\"type\":\"string\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"group_aliases\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_aliases.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_id\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matrix\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matrix.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mitigation\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mitigation.keyword\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mitigation_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mitigation_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_requirements\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_requirements.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"permissions_required\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"permissions_required.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"platform\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"platform.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relationship_description\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relationship_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue},{\"name\":\"remote_support\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"remote_support.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_id\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_labels\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_labels.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system_requirements\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"system_requirements.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tactic\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"name\":\"tactic.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"technique\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"technique.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"technique_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"technique_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"technique_id\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"technique_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - } - }, - { - "id": "0afcb130-6f8b-11e8-8945-7d43ba9ddc77", - "type": "dashboard", - "updated_at": "2018-06-14T06:17:59.821Z", - "version": 18, - "attributes": { - "title": "ALL-MITRE-ATTACK", - "hits": 0, - "description": "Enterprise, PRE and Mobile ATTACK", - "panelsJSON": 
"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":17,\"h\":7,\"i\":\"1\"},\"embeddableConfig\":{},\"id\":\"c10c2a10-6f8a-11e8-8945-7d43ba9ddc77\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"2\",\"gridData\":{\"x\":31,\"y\":7,\"w\":17,\"h\":13,\"i\":\"2\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"id\":\"5bcad6b0-6f8a-11e8-8945-7d43ba9ddc77\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":17,\"y\":0,\"w\":20,\"h\":7,\"i\":\"3\"},\"embeddableConfig\":{},\"id\":\"bf6e4e00-6f89-11e8-8945-7d43ba9ddc77\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"4\",\"gridData\":{\"x\":13,\"y\":7,\"w\":18,\"h\":13,\"i\":\"4\"},\"embeddableConfig\":{},\"id\":\"b0354ae0-6f8b-11e8-8945-7d43ba9ddc77\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":37,\"y\":0,\"w\":11,\"h\":7,\"i\":\"5\"},\"embeddableConfig\":{},\"id\":\"5dcdeaf0-6f90-11e8-8945-7d43ba9ddc77\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":7,\"w\":13,\"h\":11,\"i\":\"6\"},\"embeddableConfig\":{},\"id\":\"6cb1c1d0-6f91-11e8-8945-7d43ba9ddc77\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":0,\"y\":18,\"w\":13,\"h\":14,\"i\":\"7\"},\"embeddableConfig\":{},\"id\":\"4e512810-6f92-11e8-8945-7d43ba9ddc77\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":24,\"y\":20,\"w\":13,\"h\":12,\"i\":\"8\"},\"embeddableConfig\":{},\"id\":\"4b1fd360-6f94-11e8-8945-7d43ba9ddc77\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":37,\"y\":20,\"w\":11,\"h\":12,\"i\":\"9\"},\"embeddableConfig\":{},\"id\":\"2653efa0-6f97-11e8-8945-7d43ba9ddc77\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":13,\"y\":20,\"w\":11,\"h\":12,\"i\":\"11\"},\"embeddableConfig\":{},\"id\"
:\"a7e62f40-6f99-11e8-8945-7d43ba9ddc77\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":25,\"i\":\"12\"},\"version\":\"6.3.0\",\"type\":\"search\",\"id\":\"89d14480-6f9a-11e8-8945-7d43ba9ddc77\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" - } - } - } - ] -} \ No newline at end of file diff --git a/docker/helk-kibana/objects/dashboards/Global_Dashboard.json b/docker/helk-kibana/objects/dashboards/Global_Dashboard.json deleted file mode 100644 index 99ca6c4b..00000000 --- a/docker/helk-kibana/objects/dashboards/Global_Dashboard.json +++ /dev/null 
@@ -1,256 +0,0 @@ -{ - "version": "6.5.3", - "objects": [ - { - "id": "e351c080-1dd7-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T05:09:30.376Z", - "version": 1, - "attributes": { - "title": "Global_process_command_line", - "visState": "{\"title\":\"Global_process_command_line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_command_line.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_command_line\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "97478120-1dd7-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T05:07:22.802Z", - "version": 1, - "attributes": { - "title": "Global_Count", - "visState": "{\"title\":\"Global_Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}", - "uiStateJSON": "{}", - 
"description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "a5fe7110-1dd7-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T05:07:47.489Z", - "version": 1, - "attributes": { - "title": "Global_EventIDs", - "visState": "{\"title\":\"Global_EventIDs\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_id\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "bf617710-1dd7-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T05:09:44.251Z", - "version": 2, - "attributes": { - "title": "Global_Process_Name", - "visState": 
"{\"title\":\"Global_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "24cc4b70-1dd8-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T05:11:20.231Z", - "version": 1, - "attributes": { - "title": "Global_Process_Parent_Name", - "visState": "{\"title\":\"Global_Process_Parent_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_name\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - 
"searchSourceJSON": "{\"index\":\"logs-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "07d74510-1dd8-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T05:10:31.649Z", - "version": 1, - "attributes": { - "title": "Global_Service_Name", - "visState": "{\"title\":\"Global_Service_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"service_name\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "32f92e60-1dd9-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T05:18:53.510Z", - "version": 1, - "attributes": { - "title": "Global_Host_Name", - "visState": 
"{\"title\":\"Global_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "45159070-1dd9-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T05:19:23.895Z", - "version": 1, - "attributes": { - "title": "Global_User_Name", - "visState": "{\"title\":\"Global_User_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "9b6fe330-1dd9-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": 
"2018-03-02T05:21:48.771Z", - "version": 1, - "attributes": { - "title": "Global_dst_ip", - "visState": "{\"title\":\"Global_dst_ip\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dst_ip_addr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"dst_ip_addr\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "ccdf5fe0-1dd9-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T05:23:11.710Z", - "version": 1, - "attributes": { - "title": "Global_Logon_Type", - "visState": "{\"title\":\"Global_Logon_Type\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"logon_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"logon_type\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - 
"version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "cb8b5280-1de2-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:27:34.952Z", - "version": 1, - "attributes": { - "title": "Global_Hashes_Sha256", - "visState": "{\"title\":\"Global_Hashes_Sha256\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "0e899740-1de3-11e8-8f1b-1b86647d4817", - "type": "search", - "updated_at": "2018-03-02T06:29:27.348Z", - "version": 1, - "attributes": { - "title": "Global_Discover", - "description": "", - "hits": 0, - "columns": [ - "user_name", - "user_domain", - "process_name", - "host_name", - "log_name", - "process_guid", - "event_id" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" - } - } - }, - { - "id": "logs-*", - "type": "index-pattern", - "updated_at": "2018-03-02T06:29:15.356Z", - 
"version": 8, - "attributes": { - "title": "logs-*", - "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"nam
e\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AddressLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.AddressLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Attributes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Binary.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.BiosInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.BiosInitDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DriverInitDuration\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.DriverInitDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EffectiveState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.EffectiveState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberPagesWritten\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberPagesWritten.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberReadDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberReadDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberWriteDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberWriteDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"date\",\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NoMultiStageResumeReason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.NoMultiStageResumeReason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.QueryName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.QueryName.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.SleepDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TargetState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true},{\"name\":\"event_data.TransitionsToOn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TransitionsToOn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceTextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceTextLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceType.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerContextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerContextLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerOwnerLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fa
lse,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerOwnerLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param4.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param6.keyword\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@date_creation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_g
eo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\"
,\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_authentication_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_key_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_privileges_assigned\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privileges_assigned.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_restricted_adminmode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_restricted_adminmode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_transmitted_services\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_transmitted_services.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"rea
dFromDocValues\":false},{\"name\":\"process_granted_access.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_id.keyword\",\"type\":\"st
ring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"device_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"device_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"report
er_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reporter_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_account_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_
name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_start_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_start_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_scheduled\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.
keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system_new_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_previous_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_newthreadid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":false,\"readFromDocValues\":false},{\"name\":\"User.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_linked_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_linked_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_result_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.keyword\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - } - }, - { - "id": "logs-endpoint-*", - "type": "index-pattern", - "updated_at": "2018-03-02T05:21:05.957Z", - "version": 2, - "attributes": { - "title": "logs-endpoint-*", - "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AddressLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.AddressLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Attributes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Binary.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.BiosInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"e
vent_data.BiosInitDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DriverInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.DriverInitDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EffectiveState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.EffectiveState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberPagesWritten\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberPagesWritten.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberReadDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberReadDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberWriteDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"e
vent_data.HiberWriteDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NoMultiStageResumeReason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.NoMultiStageResumeReason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.QueryName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.QueryName.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.SleepDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetState\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TargetState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TransitionsToOn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TransitionsToOn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceTextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceTextLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceType.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerContextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerContextLength.keyword\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerOwnerLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerOwnerLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param4.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.serviceGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateRevisionNumber.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateTitle.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@date_creation.keyword\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\
"module_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":f
alse},{\"name\":\"logon_authentication_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_key_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_privileges_assigned\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privileges_assigned.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_restricted_adminmode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_restricted_adminmode.keyword\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_transmitted_services\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_transmitted_services.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\
"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_granted_access.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"device_name\"
,\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"device_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reporter_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_account_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_name.keyword\",\"type\"
:\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_start_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_start_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"service_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"spp_restart_reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_scheduled\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system_new_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_previous_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_newthreadid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startaddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_startaddress.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startfunction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_startfunction.keywo
rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startmodule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_startmodule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"User.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_name
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_linked_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_linked_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_provider_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_result_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - } - }, - { - "id": "fa97e480-1dd8-11e8-8f1b-1b86647d4817", - "type": "dashboard", - "updated_at": "2018-03-02T06:51:46.503Z", - "version": 6, - "attributes": { - "title": "Global_Dashboard", - "hits": 0, - "description": "", - "panelsJSON": 
"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":3,\"y\":2,\"w\":4,\"h\":3,\"i\":\"1\"},\"id\":\"e351c080-1dd7-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":3,\"h\":2,\"i\":\"2\"},\"id\":\"97478120-1dd7-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"4\",\"gridData\":{\"x\":3,\"y\":0,\"w\":3,\"h\":2,\"i\":\"4\"},\"id\":\"a5fe7110-1dd7-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":2,\"w\":3,\"h\":3,\"i\":\"6\"},\"id\":\"bf617710-1dd7-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":0,\"y\":5,\"w\":3,\"h\":3,\"i\":\"7\"},\"id\":\"24cc4b70-1dd8-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":3,\"y\":5,\"w\":3,\"h\":3,\"i\":\"8\"},\"id\":\"07d74510-1dd8-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":6,\"y\":0,\"w\":3,\"h\":2,\"i\":\"9\"},\"id\":\"32f92e60-1dd9-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":9,\"y\":0,\"w\":3,\"h\":2,\"i\":\"10\"},\"id\":\"45159070-1dd9-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":7,\"y\":2,\"w\":3,\"h\":3,\"i\":\"11\"},\"id\":\"9b6fe330-1dd9-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":10,\"y\":2,\"w\":2,\"h\":3,\"i\":\"12\"},\"id\":\"ccdf5fe0-1dd9-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":6,\"y\":5,\"w\":6,\"h\":3,\"i\":\"13\"},\"id\":\"cb8b5280-1de2-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"14
\",\"gridData\":{\"x\":0,\"y\":8,\"w\":12,\"h\":7,\"i\":\"14\"},\"version\":\"6.2.3\",\"type\":\"search\",\"id\":\"0e899740-1de3-11e8-8f1b-1b86647d4817\"}]", - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": true, - "timeTo": "now", - "timeFrom": "now-30m", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" - } - } - } - ] -} \ No newline at end of file diff --git a/docker/helk-kibana/objects/dashboards/Host_Investigation_dashboard.json b/docker/helk-kibana/objects/dashboards/Host_Investigation_dashboard.json deleted file mode 100644 index 0290d8ce..00000000 --- a/docker/helk-kibana/objects/dashboards/Host_Investigation_dashboard.json +++ /dev/null 
@@ -1,423 +0,0 @@ -{ - "version": "6.6.1", - "objects": [ - { - "id": "689ef060-4342-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:37.494Z", - "version": 7, - "attributes": { - "title": "Sysmon_Process Creation - EventId1", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "user_account", - "process_parent_guid", - "process_guid", - "process_parent_command_line", - "process_command_line", - "file_description", - "file_product", - "file_company" - ], - "sort": [ - "@timestamp", - "asc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:1\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "5a792770-4343-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.457Z", - "version": 8, - "attributes": { - "title": "Sysmon_Public Network Connections - EventId 3", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "user_account", - "process_guid", - "process_path", - "src_ip_addr", - "src_port", - "dst_ip_addr", - "dst_port", - "meta_dst_ip_geo.city_name", - "ipv6_src_addr", - "ipv6_dst_addr" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:3 AND (NOT dst_ip_addr: \\\"127.0.0.1\\\" AND NOT dst_ip_addr:[10.0.0.0 TO 10.255.255.255] AND NOT dst_ip_addr:[192.168.0.0 TO 192.168.255.255] AND NOT dst_ip_addr:[172.16.0.0 TO 172.31.255.255])\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "1821dba0-4344-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.205Z", - "version": 3, - "attributes": { - "title": "Sysmon_File Creation - EventId 11", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "event_id", - 
"process_guid", - "process_path", - "file_name" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:11\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "db661470-4347-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.201Z", - "version": 3, - "attributes": { - "title": "Sysmon_Registry Events", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "process_path", - "event_id", - "process_guid", - "event_type", - "registry_key_path", - "registry_key_value" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event_id:12 OR event_id:13 OR event_id:14\"},\"filter\":[]}" - } - } - }, - { - "id": "1a68e8a0-4348-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.427Z", - "version": 3, - "attributes": { - "title": "Sysmon_Downloads-EventId 15", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "process_path", - "event_id", - "process_guid", - "file_name" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"source_name: \\\"Microsoft-Windows-Sysmon\\\" AND 
event_id:15\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"logs-endpoint-*\",\"type\":\"phrase\",\"key\":\"source_name\",\"value\":\"Microsoft-Windows-Sysmon\",\"params\":{\"query\":\"Microsoft-Windows-Sysmon\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"source_name\":{\"query\":\"Microsoft-Windows-Sysmon\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } - } - }, - { - "id": "4bb63750-4348-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.440Z", - "version": 5, - "attributes": { - "title": "Sysmon_WMI Subscription Events", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "event_id", - "process_path", - "pipe_name", - "process_guid" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"source_name: \\\"Microsoft-Windows-Sysmon\\\" AND (event_id:19 OR event_id:20 OR event_id:21)\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "ffb5aa00-4349-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.458Z", - "version": 6, - "attributes": { - "title": "windows_login_events", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "event_id", - "keywords", - "user_name", - "logon_type", - "user_reporter_domain" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"source_name: \\\"Microsoft-Windows-Security-Auditing\\\" AND (event_id:[4624 TO 4625] OR event_id:4634)\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "c0d3f7c0-483e-11e9-8770-35c0f1a2cce0", - "type": "visualization", - "updated_at": "2019-03-23T20:24:38.524Z", - "version": 6, - "attributes": { - 
"title": "Sysmon_Timelion_NetworkEvents_byUser", - "visState": "{\"title\":\"Sysmon_Timelion_NetworkEvents_byUser\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(q=event_id:3, index=logs-endpoint-winevent-sysmon*, split=user_account.keyword:40).label(\\\"$1\\\", \\\"^.* > user_account.keyword:(\\\\S+) > .*\\\").title(\\\"Network Events by User\\\")\",\"interval\":\"15m\"},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "cdd1ed10-483e-11e9-8770-35c0f1a2cce0", - "type": "visualization", - "updated_at": "2019-03-23T20:24:38.523Z", - "version": 8, - "attributes": { - "title": "Sysmon_Timelion_ProcessEvents_byUser", - "visState": "{\"title\":\"Sysmon_Timelion_ProcessEvents_byUser\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(q=event_id:1, index=logs-endpoint-winevent-sysmon*, split=user_account.keyword:40).label(\\\"$1\\\", \\\"^.* > user_account.keyword:(\\\\S+) > .*\\\").title(\\\"Process Execution by User\\\")\",\"interval\":\"15m\"},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "a3878f20-4829-11e9-a85d-d748de0cd831", - "type": "search", - "updated_at": "2019-03-23T20:24:36.197Z", - "version": 4, - "attributes": { - "title": "Sysmon_ExecutedCommands", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "event_id", - "user_account", - "process_guid", - "process_parent_command_line", - "process_command_line", - "file_description", - "file_product", - "file_company" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:1 
AND (process_parent_name:\\\"CmD.exe\\\" OR process_parent_name:\\\"powershell.exe\\\" OR process_parent_name:\\\"wscript.exe\\\" OR process_parent_name:\\\"cscript.exe\\\")\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "47b5abb0-48f0-11e9-b62f-8f6921045c4c", - "type": "visualization", - "updated_at": "2019-03-23T20:24:39.532Z", - "version": 3, - "attributes": { - "title": "Sysmon_Elastalert-count", - "visState": "{\"title\":\"Sysmon_Elastalert-count\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule_name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "c91f0df0-48ef-11e9-b62f-8f6921045c4c", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "c91f0df0-48ef-11e9-b62f-8f6921045c4c", - "type": "search", - "updated_at": "2019-03-23T20:24:37.479Z", - "version": 3, - "attributes": { - "title": "Sysmon_elastalert-alerts", - "description": "", - "hits": 0, - "columns": [ - "rule_name", - "match_body.beat_hostname", - "match_body.num_hits", - "match_body.process_guid", - "match_body.user_account" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"elastalert_status\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - 
} - }, - { - "id": "159666e0-4ce9-11e9-b05e-6fc957c1b917", - "type": "search", - "updated_at": "2019-03-23T20:24:36.450Z", - "version": 3, - "attributes": { - "title": "Sysmon_Private Network Connections - EventId 3", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "user_account", - "process_guid", - "process_path", - "src_ip_addr", - "src_port", - "dst_ip_addr", - "dst_port", - "meta_dst_ip_geo.city_name", - "ipv6_src_addr", - "ipv6_dst_addr" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:3 AND (dst_ip_addr:[10.0.0.0 TO 10.255.255.255] OR dst_ip_addr:[192.168.0.0 TO 192.168.255.255] OR dst_ip_addr:[172.16.0.0 TO 172.31.255.255])\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":true,\"index\":\"logs-endpoint-*\",\"type\":\"phrase\",\"key\":\"src_ip_addr\",\"value\":\"239.255.255.250\",\"params\":{\"query\":\"239.255.255.250\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"src_ip_addr\":{\"query\":\"239.255.255.250\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } - } - }, - { - "id": "bc44bd30-4cd4-11e9-b05e-6fc957c1b917", - "type": "search", - "updated_at": "2019-03-23T20:24:36.195Z", - "version": 2, - "attributes": { - "title": "Sysmon_Invalid Drivers", - "description": "", - "hits": 0, - "columns": [ - "beat_hostname", - "driver_loaded", - "signed", - "signature_status", - "signature" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:6\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":true,\"index\":\"logs-endpoint-winevent-sysmon-*\",\"type\":\"phrase\",\"key\":\"signature_status\",\"value\":\"Valid\",\"params\":{\"query\":\"Valid\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"signature_status\":{\"query\":\"Valid\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } - } - }, - { - "id": "logs-endpoint-winevent-sysmon-*", - "type": "index-pattern", - "updated_at": "2019-03-22T18:59:29.818Z", - "version": 58, - "attributes": { - "title": "logs-endpoint-winevent-sysmon-*", - "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation_previous\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@event_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@file_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\
"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"any_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"driver_loaded\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"driver_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"dst_nat_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_company\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_descr
iption\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_product\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_product.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_process_command_line_mm3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\
"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_dst_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_dst_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_src_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_src_nat_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_ingest_timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo
.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.region_name\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_log_tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_log_tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_net\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true
,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"meta_src_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta
_src_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip
_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_n
at_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true
},{\"name\":\"meta_src_nat_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_status\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signed\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signed.keyword\",\"type\":\"string\",\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_account\",\"type\":\"string\",\"count\":4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_account.
keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\"
:\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - }, - "migrationVersion": { - "index-pattern": "6.5.0" - } - }, - { - "id": "logs-endpoint-*", - "type": "index-pattern", - "updated_at": "2019-03-21T21:50:44.291Z", - "version": 53, - "attributes": { - "title": "logs-endpoint-*", - "timeFieldName": "@timestamp", - "fields": 
"[{\"name\":\"@date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation_previous\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_new_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_previous_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@event_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@file_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Binary.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Context\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Context.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"CurrentStratumNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"CurrentStratumNumber.keyword\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Detail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Detail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceName.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceNameLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceVersionMajor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceVersionMinor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceVersionMinor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DomainPeer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DomainPeer.keyword\",\"type\":\"str
ing\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EffectiveState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"EffectiveState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ErrorMessage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ErrorMessage.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"FinalStatus.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"HiveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"HiveName.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"HiveNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"HiveNameLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"MaxSystemTimeChangeSeconds\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"MaxSystemTimeChangeSeconds.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"NewSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"NewSize.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"NewTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ObjId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ObjId.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"OldTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"OriginalSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"OriginalSize.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"RetryMinutes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"RetryMinutes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":true,\"readFromDocValues\":true},{\"name\":\"SystemTimeChangeSeconds\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"SystemTimeChangeSeconds.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TSId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TSId.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TargetState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TargetState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TimeOffsetSeconds\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TimeOffsetSeconds.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TimeProvider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TimeProvider.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TimeSource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TimeSource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TimeSourceRefId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\"
:false,\"readFromDocValues\":false},{\"name\":\"TimeSourceRefId.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TransitionsToOn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TransitionsToOn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"UserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"UserSid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.keyword\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"any_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"driver_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"driver_loaded.keyword\",\"type\":\"string\",\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"ip\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"errorCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"errorCode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_product.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_powershell_param_value_mm3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_powershell_scriptblock_text_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_process_command_line_mm3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_domain_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_domain_enumerated.keyword\",\"type\":\"string\",\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_name_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_name_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_sid_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_sid_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_dirty_pages\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_dirty_pages.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_keys_updated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_keys_updated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_name\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_name_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_name_length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_dst_addr\",\"type\":\"string\",\"count\":4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_dst_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_addr\",\"type\":\"string\",\"count\":4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false}
,{\"name\":\"ipv6_src_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_src_nat_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_ingest_timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_authentication_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"logon_elevated_token\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_key_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_privileges_assigned\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privileges_assigned.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_type\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account\",\"type\":\"string\",\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"meta_dst_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"m
eta_dst_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst
_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"me
ta_dst_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_log_tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"
name\":\"meta_log_tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_powershell_param_value_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_powershell_scriptblock_text_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_powershell_scriptblock_text_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_net\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"meta_src_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.are
a_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.longitude\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code3\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.region_code
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_access_handle_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_acce
ss_handle_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_new_sddl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_new_sddl.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_old_sddl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_old_sddl.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param1\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param10\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param10.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param11\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param11.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param12\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param12.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param13.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param14\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param14.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param15.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param16\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param16.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param17\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param17.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param19\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param19.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param20\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param20.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param21\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param21.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param22\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param22.keyword\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param23\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param23.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param4.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param7.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\
"readFromDocValues\":false},{\"name\":\"param8.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param9\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param9.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.type.keyword\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.connected_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.connected_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.engine_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.application\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.host.application.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.newengine_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.newengine_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.newproviderstate\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.newproviderstate.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.param.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.param.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.param.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.param.value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.param.value_nonalphanumeric\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.pipeline_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.previousengine_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.previousengine_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.providername\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.providername.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.remaining_payload\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.remaining_payload.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.runspace_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.script.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.script.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.script.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.script.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.message_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.message_total\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.scriptblock.text.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.sequence_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.shell_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"powershell_scriptblock_text_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":6,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"re
cord_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reporter_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"serviceGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"service_start_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_start_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fa
lse},{\"name\":\"spp_restart_reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_scheduled\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"ip\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_public
\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":true,\"readFromDocValues\":true},{\"name\":\"updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"updateGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"updateRevisionNumber.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"updateTitle.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_account\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"User.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"user_domain_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_linked_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_linked_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":2,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_consumer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_consumer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_event_subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_event_subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_namespace.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_operation\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_provider_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_query_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_query_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_result_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.keyword\",\"type\":
\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - }, - "migrationVersion": { - "index-pattern": "6.5.0" - } - }, - { - "id": "elastalert_status", - "type": "index-pattern", - "updated_at": "2019-03-17T19:57:38.046Z", - "version": 2, - "attributes": { - "title": "elastalert_status", - "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aggregate_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
true,\"readFromDocValues\":true},{\"name\":\"alert_sent\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - }, - "migrationVersion": { - "index-pattern": "6.5.0" - } - }, - { - "id": "624865e0-434f-11e9-a4c5-1717ba697d0d", - "type": "dashboard", - "updated_at": "2019-03-23T20:24:38.496Z", - "version": 17, - "attributes": { - "title": "Host Investigation Dashboard", - "hits": 0, - "description": "Enter a hostname in the search bar to investigate activity on that host.", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":17,\"i\":\"1\"},\"id\":\"689ef060-4342-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"1\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":64,\"w\":48,\"h\":15,\"i\":\"2\"},\"id\":\"5a792770-4343-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"2\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":79,\"w\":48,\"h\":15,\"i\":\"3\"},\"id\":\"1821dba0-4344-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"3\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":109,\"w\":48,\"h\":15,\"i\":\"4\"},\"id\":\"db661470-4347-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"4\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":94,\"w\":48,\"h\":15,\"i\":\"5\"},\"id\":\"1a68e8a0-4348-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"5\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"
embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":124,\"w\":48,\"h\":15,\"i\":\"6\"},\"id\":\"4bb63750-4348-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"6\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":139,\"w\":48,\"h\":15,\"i\":\"7\"},\"id\":\"ffb5aa00-4349-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"7\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":24,\"h\":15,\"i\":\"8\"},\"id\":\"c0d3f7c0-483e-11e9-8770-35c0f1a2cce0\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":15,\"i\":\"9\"},\"id\":\"cdd1ed10-483e-11e9-8770-35c0f1a2cce0\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":30,\"w\":48,\"h\":17,\"i\":\"10\"},\"id\":\"a3878f20-4829-11e9-a85d-d748de0cd831\",\"panelIndex\":\"10\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":15,\"w\":24,\"h\":15,\"i\":\"11\"},\"id\":\"47b5abb0-48f0-11e9-b62f-8f6921045c4c\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":15,\"w\":24,\"h\":15,\"i\":\"12\"},\"id\":\"c91f0df0-48ef-11e9-b62f-8f6921045c4c\",\"panelIndex\":\"12\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"gridData\":{\"x\":0,\"y\":170,\"w\":48,\"h\":15,\"i\":\"16\"},\"version\":\"6.6.1\",\"panelIndex\":\"16\",\"type\":\"search\",\"id\":\"159666e0-4ce9-11e9-b05e-6fc957c1b917\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":154,\"w\":48,\"h\":16,\"i\":\"17\"},\"version\":\"6.6.1\",\"panelIndex\":\"17\",\"type\":\"search\",\"id\":\"bc44bd30-4cd4-11e9-b05e-6fc957c1b917\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - 
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"Enter a system name here\"},\"filter\":[]}" - } - } - } - ] -} \ No newline at end of file diff --git a/docker/helk-kibana/objects/dashboards/MITRE-ATTACK-GROUPS.json b/docker/helk-kibana/objects/dashboards/MITRE-ATTACK-GROUPS.json deleted file mode 100644 index f770fc6b..00000000 --- a/docker/helk-kibana/objects/dashboards/MITRE-ATTACK-GROUPS.json +++ /dev/null 
@@ -1,194 +0,0 @@ -{ - "version": "6.5.3", - "objects": [ - { - "id": "0166a090-6fef-11e8-8d23-170b1a3fd248", - "type": "visualization", - "updated_at": "2018-06-14T16:28:15.647Z", - "version": 2, - "attributes": { - "title": "mitre_attack_groups_software_cloud", - "visState": "{\"title\":\"mitre_attack_groups_software_cloud\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":10,\"maxFontSize\":40,\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"software.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"software\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "db3dafc0-6fef-11e8-8d23-170b1a3fd248", - "type": "visualization", - "updated_at": "2018-06-14T16:27:40.092Z", - "version": 1, - "attributes": { - "title": "mitre_attack_groups_techniques_bar", - "visState": 
"{\"title\":\"mitre_attack_groups_techniques_bar\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"groups\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"groups\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"technique.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"techniques\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "511297c0-6fef-11e8-8d23-170b1a3fd248", - "type": "visualization", - "updated_at": "2018-06-14T18:38:09.778Z", - "version": 3, - "attributes": { - "title": "mitre_attack_group_select", - "visState": 
"{\"title\":\"mitre_attack_group_select\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1528993307982\",\"indexPattern\":\"mitre-attack-*\",\"fieldName\":\"group.keyword\",\"parent\":\"\",\"label\":\"Select Group\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"size\":200,\"order\":\"desc\"}},{\"id\":\"1529001453476\",\"indexPattern\":\"mitre-attack-*\",\"fieldName\":\"technique.keyword\",\"parent\":\"1528993307982\",\"label\":\"techniques\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"size\":100,\"order\":\"desc\"}},{\"id\":\"1528994941328\",\"indexPattern\":\"mitre-attack-*\",\"fieldName\":\"matrix.keyword\",\"parent\":\"\",\"label\":\"Select Matrix\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"size\":10,\"order\":\"desc\"}}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - } - }, - { - "id": "951b0410-6ff0-11e8-8d23-170b1a3fd248", - "type": "visualization", - "updated_at": "2018-06-14T16:43:57.633Z", - "version": 2, - "attributes": { - "title": "mitre_attack_groups_matrices", - "visState": "{\"title\":\"mitre_attack_groups_matrices\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"matrix.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"matrix\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "89d14480-6f9a-11e8-8945-7d43ba9ddc77", - "type": "search", - "updated_at": "2018-06-14T16:12:52.226Z", - "version": 1, - "attributes": { - "title": "mitre_attack_discover", - "description": "", - "hits": 0, - "columns": [ - "matrix", - "tactic", - "technique", - "technique_id", - "mitigation", - "group", - "group_id", - "software", - "software_id", - "relationship_description", - "data_sources", - "platform" - ], - "sort": [ - "_score", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" - } - } - }, - { - "id": "2653efa0-6f97-11e8-8945-7d43ba9ddc77", - "type": "visualization", - "updated_at": "2018-06-14T16:12:52.226Z", - "version": 1, - "attributes": { - "title": "mitre_attack_groups_techniques", - "visState": 
"{\"title\":\"mitre_attack_groups_techniques\",\"type\":\"table\",\"params\":{\"perPage\":35,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"group.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"groups\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "43450a80-6ffc-11e8-8d23-170b1a3fd248", - "type": "visualization", - "updated_at": "2018-06-14T18:02:12.673Z", - "version": 2, - "attributes": { - "title": "mitre_attack_techniques_groups", - "visState": "{\"title\":\"mitre_attack_techniques_groups\",\"type\":\"table\",\"params\":{\"perPage\":25,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"technique.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"techniques\"}}]}", - "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "d04821b0-6ffc-11e8-8d23-170b1a3fd248", - "type": "visualization", - "updated_at": "2018-06-14T18:00:25.163Z", - "version": 1, - "attributes": { - "title": "mitre_attack_groups_tactics", - "visState": "{\"title\":\"mitre_attack_groups_tactics\",\"type\":\"table\",\"params\":{\"perPage\":25,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tactic.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"tactic\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "0067e580-7000-11e8-8d23-170b1a3fd248", - "type": "visualization", - "updated_at": "2018-06-14T18:23:14.392Z", - "version": 1, - "attributes": { - "title": "mitre_attack_group_relationship", - "visState": 
"{\"title\":\"mitre_attack_group_relationship\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"relationship_description.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"relationship\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"mitre-attack-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "mitre-attack-*", - "type": "index-pattern", - "updated_at": "2018-06-14T18:32:21.541Z", - "version": 5, - "attributes": { - "title": "mitre-attack-*", - "fields": 
"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Validation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Validation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"contributors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"contributors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detectable_by_common_defenses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detectable_by_common_defenses.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detectable_explanation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detectable_explanation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"difficulty_explanation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"difficulty_explanation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"difficulty_for_adversary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"difficulty_for_adversary.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"effective_permissions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"effective_permissions.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"group_aliases\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_aliases.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_description\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_id\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matrix\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matrix.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mitigation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mitigation.keyword\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mitigation_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mitigation_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_requirements\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_requirements.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"permissions_required\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"permissions_required.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"platform.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relationship_description\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relationship_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue},{\"name\":\"remote_support\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"remote_support.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_labels\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_labels.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system_requirements\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"system_requirements.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tactic\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"name\":\"tactic.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"technique\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"technique.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"technique_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"technique_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"technique_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"technique_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - } - }, - { - "id": "1bca3130-6ff0-11e8-8d23-170b1a3fd248", - "type": "dashboard", - "updated_at": "2018-06-14T18:39:12.950Z", - "version": 12, - "attributes": { - "title": "MITRE-ATTACK-GROUPS", - "hits": 0, - "description": "Groups from Enterprise, PRE and Mobile", - "panelsJSON": 
"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":13,\"y\":7,\"w\":17,\"h\":12,\"i\":\"1\"},\"embeddableConfig\":{\"spy\":null},\"id\":\"0166a090-6fef-11e8-8d23-170b1a3fd248\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"2\",\"gridData\":{\"x\":30,\"y\":7,\"w\":18,\"h\":12,\"i\":\"2\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"id\":\"db3dafc0-6fef-11e8-8d23-170b1a3fd248\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":0,\"y\":0,\"w\":28,\"h\":7,\"i\":\"3\"},\"embeddableConfig\":{},\"id\":\"511297c0-6fef-11e8-8d23-170b1a3fd248\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"4\",\"gridData\":{\"x\":28,\"y\":0,\"w\":19,\"h\":7,\"i\":\"4\"},\"embeddableConfig\":{},\"id\":\"951b0410-6ff0-11e8-8d23-170b1a3fd248\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":27,\"i\":\"5\"},\"embeddableConfig\":{},\"id\":\"89d14480-6f9a-11e8-8945-7d43ba9ddc77\",\"type\":\"search\",\"version\":\"6.3.0\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":0,\"y\":7,\"w\":13,\"h\":12,\"i\":\"7\"},\"embeddableConfig\":{},\"id\":\"2653efa0-6f97-11e8-8945-7d43ba9ddc77\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":11,\"y\":19,\"w\":13,\"h\":13,\"i\":\"8\"},\"embeddableConfig\":{},\"id\":\"43450a80-6ffc-11e8-8d23-170b1a3fd248\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":19,\"w\":11,\"h\":13,\"i\":\"9\"},\"embeddableConfig\":{},\"id\":\"d04821b0-6ffc-11e8-8d23-170b1a3fd248\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":24,\"y\":19,\"w\":24,\"h\":13,\"i\":\"10\"},\"embeddableConfig\":{},\"id\":\"0067e580-7000-11e8-8d23-170b1a3fd248\",\"type\":\"visualization\",\"version\":\"6.3.0\"}]", - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - 
"timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" - } - } - } - ] -} \ No newline at end of file diff --git a/docker/helk-kibana/objects/dashboards/Process_Investigation_dashboard.json b/docker/helk-kibana/objects/dashboards/Process_Investigation_dashboard.json deleted file mode 100644 index 7de66bf7..00000000 --- a/docker/helk-kibana/objects/dashboards/Process_Investigation_dashboard.json +++ /dev/null 
@@ -1,262 +0,0 @@ -{ - "version": "6.6.1", - "objects": [ - { - "id": "db661470-4347-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.201Z", - "version": 3, - "attributes": { - "title": "Sysmon_Registry Events", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "process_path", - "event_id", - "process_guid", - "event_type", - "registry_key_path", - "registry_key_value" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event_id:12 OR event_id:13 OR event_id:14\"},\"filter\":[]}" - } - } - }, - { - "id": "1821dba0-4344-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.205Z", - "version": 3, - "attributes": { - "title": "Sysmon_File Creation - EventId 11", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "event_id", - "process_guid", - "process_path", - "file_name" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:11\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "1a68e8a0-4348-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.427Z", - "version": 3, - "attributes": { - "title": "Sysmon_Downloads-EventId 15", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "process_path", - "event_id", - "process_guid", - "file_name" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"source_name: \\\"Microsoft-Windows-Sysmon\\\" AND 
event_id:15\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"logs-endpoint-*\",\"type\":\"phrase\",\"key\":\"source_name\",\"value\":\"Microsoft-Windows-Sysmon\",\"params\":{\"query\":\"Microsoft-Windows-Sysmon\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"source_name\":{\"query\":\"Microsoft-Windows-Sysmon\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } - } - }, - { - "id": "cc5bb4b0-4826-11e9-a85d-d748de0cd831", - "type": "search", - "updated_at": "2019-03-23T20:24:37.492Z", - "version": 3, - "attributes": { - "title": "Sysmon_Named Pipes-EventId 17,18", - "description": "", - "hits": 0, - "columns": [ - "beat_hostname", - "process_guid", - "pipe_name", - "process_path", - "task" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:17 OR event_id:18\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "689ef060-4342-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:37.494Z", - "version": 7, - "attributes": { - "title": "Sysmon_Process Creation - EventId1", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "user_account", - "process_parent_guid", - "process_guid", - "process_parent_command_line", - "process_command_line", - "file_description", - "file_product", - "file_company" - ], - "sort": [ - "@timestamp", - "asc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:1\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "4d391470-48f3-11e9-b62f-8f6921045c4c", - "type": "visualization", - "updated_at": "2019-03-23T20:24:38.526Z", - "version": 4, - "attributes": { - "title": 
"Sysmon_Timelion_ProcessEvents_byProcessGuid", - "visState": "{\"title\":\"Sysmon_Timelion_ProcessEvents_byProcessGuid\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(q=*, index=logs-endpoint-winevent-sysmon*, split=process_guid.keyword:500 ).label(\\\"$1\\\", \\\"^.* > process_guid.keyword:(\\\\S+) > .*\\\").title(\\\"Events by ProcessGuid\\\")\",\"interval\":\"15m\"},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "bcafaac0-48f4-11e9-b62f-8f6921045c4c", - "type": "search", - "updated_at": "2019-03-23T20:24:36.189Z", - "version": 4, - "attributes": { - "title": "Sysmon_All_events", - "description": "", - "hits": 0, - "columns": [ - "action", - "beat_name", - "process_guid", - "process_parent_guid", - "user_account", - "process_path" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - } - }, - { - "id": "aad50710-4d9e-11e9-9ebb-eb9011b9c659", - "type": "search", - "updated_at": "2019-03-23T20:24:37.468Z", - "version": 5, - "attributes": { - "title": "Sysmon_all Network Connections - EventId 3", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "user_account", - "process_guid", - "process_path", - "src_ip_addr", - "src_port", - "dst_ip_addr", - "dst_port", - "meta_dst_ip_geo.city_name", - "ipv6_src_addr", - "ipv6_dst_addr" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:3\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "logs-endpoint-*", - "type": "index-pattern", - 
"updated_at": "2019-03-21T21:50:44.291Z", - "version": 53, - "attributes": { - "title": "logs-endpoint-*", - "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation_previous\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_new_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_previous_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@event_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@file_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Binary.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Context\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Context.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"CurrentStratumNumber\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"CurrentStratumNumber.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Detail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Detail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceName.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceNameLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceVersionMajor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceVersionMinor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceVersionMinor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DomainPeer\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DomainPeer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EffectiveState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"EffectiveState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ErrorMessage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ErrorMessage.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"FinalStatus.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"HiveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"HiveName.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"HiveNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"HiveNameLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"MaxSystemTimeChangeSeconds\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"MaxSystemTimeChangeSeconds.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"NewSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"NewSize.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"NewTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ObjId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ObjId.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"OldTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"OriginalSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"OriginalSize.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"RetryMinutes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fa
lse,\"readFromDocValues\":false},{\"name\":\"RetryMinutes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"SystemTimeChangeSeconds\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"SystemTimeChangeSeconds.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TSId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TSId.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TargetState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TargetState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TimeOffsetSeconds\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TimeOffsetSeconds.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TimeProvider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TimeProvider.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TimeSource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TimeSource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true},{\"name\":\"TimeSourceRefId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TimeSourceRefId.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TransitionsToOn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TransitionsToOn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"UserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"UserSid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\"
:\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"any_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"driver_loaded\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"driver_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"ip\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"errorCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"errorCode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVa
lues\":false},{\"name\":\"file_company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_product.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_powershell_param_value_mm3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_powershell_scriptblock_text_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_process_command_line_mm3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_domain_enumerated\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_domain_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_name_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_name_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_sid_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_sid_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_dirty_pages\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_dirty_pages.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_keys_updated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_keys_updated.key
word\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_name_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_name_length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_dst_addr\",\"type\":\"string\",\"count\":4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_dst_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true
},{\"name\":\"ipv6_src_addr\",\"type\":\"string\",\"count\":4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_src_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_src_nat_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_ingest_timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon
_authentication_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_key_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_privileges_assigned\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privileges_assigned.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_type\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_type.keyword\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"meta_dst_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_
geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.lat
itude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.
continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"meta_log_tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_log_tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_powershell_param_value_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_powershell_scriptblock_text_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_powershell_scriptblock_text_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_net\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"meta_src_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.timezone\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.location\",\"type\":\"geo_point\",\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\
":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\
":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.postal_code\",\"type\":\"str
ing\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_access_handle
_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_access_handle_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_new_sddl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_new_sddl.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_old_sddl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_old_sddl.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.k
eyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param10\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param10.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param11\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param11.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param12\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param12.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param13.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param14\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param14.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param15.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param16\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param16.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param17\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param17.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param19\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param19.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param20\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param20.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param21\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param21.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param22\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param22.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param23\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param23.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param4.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param7.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":true,\"readFromDocValues\":true},{\"name\":\"param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param8.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param9\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param9.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.connected_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.connected_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.engine_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.application\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.host.application.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.newengine_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.newengine_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.newproviderstate\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fa
lse,\"readFromDocValues\":false},{\"name\":\"powershell.newproviderstate.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.param.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.param.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.param.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.param.value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.param.value_nonalphanumeric\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.pipeline_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.previousengine_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.previousengine_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.providername\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.providername.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.remaining_payload\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"rea
dFromDocValues\":false},{\"name\":\"powershell.remaining_payload.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.runspace_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.script.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.script.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.script.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.script.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.message_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.message_total\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.scriptblock.text.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.sequence_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"powershell.shell_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell_scriptblock_text_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":6,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provide
r_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reporter_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"serviceGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\
":false},{\"name\":\"service_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_start_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_start_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}
,{\"name\":\"spp_restart_reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"spp_restart_reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_scheduled\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"ip\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_a
ddr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"updateGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"updateRevisionNumber.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"updateTitle.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_account\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"User.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"user_domain_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_linked_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_linked_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_type.keyword\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_consumer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_consumer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_event_subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_event_subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_namespace.keyword\",\"type\":\"string\",\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_provider_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_query_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_query_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_result_code\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - }, - "migrationVersion": { - "index-pattern": "6.5.0" - } - }, - { - "id": "logs-endpoint-winevent-sysmon-*", - "type": "index-pattern", - "updated_at": "2019-03-22T18:59:29.818Z", - "version": 58, - "attributes": { - "title": "logs-endpoint-winevent-sysmon-*", - "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation_previous\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@event_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@file_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"any_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValu
es\":false},{\"name\":\"beat_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"driver_loaded\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"driver_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip
_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_company\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_company.keyword\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_product\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_product.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_process_command_line_mm3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_dst_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_dst_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_src_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_src_nat_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_ingest_timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"rea
dFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_log_tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_log_tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_net\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"meta_src_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.area_co
de\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.longitude\",\"type\":\"string\",\"
count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code3\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.region_code\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_name.keyword\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_int
egrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":3,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_status\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signed\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"src_nat_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_account\",\"type\":\"string\",\"count\":
4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"str
ing\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - }, - "migrationVersion": { - "index-pattern": "6.5.0" - } - }, - { - "id": "41449550-48f2-11e9-b62f-8f6921045c4c", - "type": "dashboard", - "updated_at": "2019-03-23T20:24:38.517Z", - "version": 12, - "attributes": { - "title": "Process Investigation", - "hits": 0, - "description": "Dashboard for investigating individual processes", - "panelsJSON": 
"[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":60,\"w\":48,\"h\":20,\"i\":\"2\"},\"id\":\"db661470-4347-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"2\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":19,\"i\":\"3\"},\"id\":\"1821dba0-4344-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"3\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":43,\"w\":48,\"h\":17,\"i\":\"4\"},\"id\":\"1a68e8a0-4348-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"4\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":99,\"w\":48,\"h\":17,\"i\":\"5\"},\"id\":\"cc5bb4b0-4826-11e9-a85d-d748de0cd831\",\"panelIndex\":\"5\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":8,\"w\":48,\"h\":20,\"i\":\"6\"},\"id\":\"689ef060-4342-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"6\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":8,\"i\":\"7\"},\"version\":\"6.6.1\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"id\":\"4d391470-48f3-11e9-b62f-8f6921045c4c\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":116,\"w\":48,\"h\":32,\"i\":\"8\"},\"version\":\"6.6.1\",\"panelIndex\":\"8\",\"type\":\"search\",\"id\":\"bcafaac0-48f4-11e9-b62f-8f6921045c4c\",\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\"]}},{\"gridData\":{\"x\":0,\"y\":28,\"w\":48,\"h\":15,\"i\":\"9\"},\"version\":\"6.6.1\",\"panelIndex\":\"9\",\"type\":\"search\",\"id\":\"aad50710-4d9e-11e9-9ebb-eb9011b9c659\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\\\"enter a process Guid here\\\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - } - } - ] -} \ No newline at end of file 
diff --git a/docker/helk-kibana/objects/dashboards/Sysmon_Dashboard.json b/docker/helk-kibana/objects/dashboards/Sysmon_Dashboard.json
deleted file mode 100644
index 450d5d5a..00000000
--- a/docker/helk-kibana/objects/dashboards/Sysmon_Dashboard.json
+++ /dev/null
@@ -1,308 +0,0 @@ -{ - "version": "6.5.3", - "objects": [ - { - "id": "b2b6b460-1de3-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:34:02.790Z", - "version": 1, - "attributes": { - "title": "Sysmon_Process_Command_Line", - "visState": "{\"title\":\"Sysmon_Process_Command_Line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_command_line.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_command_line\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "40aab0b0-1de3-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:30:51.450Z", - "version": 1, - "attributes": { - "title": "Sysmon_Count", - "visState": "{\"title\":\"Sysmon_Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}", - 
"uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "55e73e80-1de3-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:31:27.080Z", - "version": 1, - "attributes": { - "title": "Sysmon_EventIDs", - "visState": "{\"title\":\"Sysmon_EventIDs\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_id\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "1f8837d0-1de4-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:37:05.357Z", - "version": 1, - "attributes": { - "title": "Sysmon_File_Name", - "visState": 
"{\"title\":\"Sysmon_File_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"file_name\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "68484ab0-1de3-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:31:57.915Z", - "version": 1, - "attributes": { - "title": "Sysmon_Host_Name", - "visState": "{\"title\":\"Sysmon_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "0c438260-1de4-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:36:33.030Z", - "version": 1, - "attributes": { - "title": "Sysmon_module_loaded", - "visState": "{\"title\":\"Sysmon_module_loaded\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"module_loaded.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"module_loaded\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "d36e8f20-1de3-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:34:57.682Z", - "version": 1, - "attributes": { - "title": "Sysmon_Process_Parent_Command_Line", - "visState": 
"{\"title\":\"Sysmon_Process_Parent_Command_Line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_command_line.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_command_line\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "2ff90cc0-1de4-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:37:32.940Z", - "version": 1, - "attributes": { - "title": "Sysmon_Pipe_Name", - "visState": "{\"title\":\"Sysmon_Pipe_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"pipe_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"pipe_name\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - 
"kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "601666f0-1de4-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:38:53.663Z", - "version": 1, - "attributes": { - "title": "Sysmon_Process_Granted_Access", - "visState": "{\"title\":\"Sysmon_Process_Granted_Access\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_granted_access.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_granted_access\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "f000dc10-1de3-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:35:45.617Z", - "version": 1, - "attributes": { - "title": "Sysmon_Process_Parent_Name", - "visState": 
"{\"title\":\"Sysmon_Process_Parent_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_name\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "4a347160-1de4-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:38:16.950Z", - "version": 1, - "attributes": { - "title": "Sysmon_Registry_Key_Path", - "visState": "{\"title\":\"Sysmon_Registry_Key_Path\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"registry_key_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"registry_key_path\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - 
"kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "7c191380-1de3-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:32:31.160Z", - "version": 1, - "attributes": { - "title": "Sysmon_User_Name", - "visState": "{\"title\":\"Sysmon_User_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "cb0bfe70-1de4-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:41:53.111Z", - "version": 1, - "attributes": { - "title": "Sysmon_Process_Name", - "visState": 
"{\"title\":\"Sysmon_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "2754df30-1de5-11e8-8f1b-1b86647d4817", - "type": "search", - "updated_at": "2018-03-02T06:44:27.938Z", - "version": 1, - "attributes": { - "title": "Sysmon_Discover", - "description": "", - "hits": 0, - "columns": [ - "host_name", - "user_name", - "user_domain", - "process_name", - "process_parent_name", - "process_guid" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "c23c05f0-1de5-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:48:47.823Z", - "version": 1, - "attributes": { - "title": "Sysmon_Unique_module_loaded", - "visState": 
"{\"title\":\"Sysmon_Unique_module_loaded\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"module_loaded.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"module_loaded\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"module_loaded.keyword\",\"customLabel\":\"uniq module_loaded\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host_name.keyword\",\"customLabel\":\"uniq host_name\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"event_id:7\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "fc7c21f0-1de5-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:50:25.551Z", - "version": 1, - "attributes": { - "title": "Sysmon_Unique_Process_Name", - "visState": 
"{\"title\":\"Sysmon_Unique_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"process_name.keyword\",\"customLabel\":\"uniq process_name\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host_name.keyword\",\"customLabel\":\"uniq host_name\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"filter\":[],\"query\":{\"query\":\"event_id:1\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "logs-endpoint-winevent-sysmon-*", - "type": "index-pattern", - "updated_at": "2018-03-02T06:53:33.576Z", - "version": 33, - "attributes": { - "title": "logs-endpoint-winevent-sysmon-*", - "timeFieldName": "@timestamp", - "fields": 
"[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@date_creation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.timezone.keyword\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_granted_access.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\
",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"device_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":false,\"readFromDocValues\":false},{\"name\":\"device_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - } - }, - { - "id": "b8497150-1de4-11e8-8f1b-1b86647d4817", - "type": "dashboard", - "updated_at": "2018-03-02T06:51:25.589Z", - "version": 3, - "attributes": { - "title": "Sysmon_Dashboard", - "hits": 0, - "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":4,\"y\":2,\"w\":5,\"h\":3,\"i\":\"1\"},\"id\":\"b2b6b460-1de3-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":3,\"h\":2,\"i\":\"2\"},\"id\":\"40aab0b0-1de3-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":3,\"y\":0,\"w\":3,\"h\":2,\"i\":\"3\"},\"id\":\"55e73e80-1de3-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"4\",\"gridData\":{\"x\":7,\"y\":5,\"w\":5,\"h\":3,\"i\":\"4\"},\"id\":\"1f8837d0-1de4-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":6,\"y\":0,\"w\":3,\"h\":2,\"i\":\"5\"},\"id\":\"68484ab0-1de3-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":7,\"y\":8,\"w\":3,\"h\":3,\"i\":\"6\"},\"id\":\"0c438260-1de4-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":3,\"y\":5,\"w\":4
,\"h\":3,\"i\":\"7\"},\"id\":\"d36e8f20-1de3-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":10,\"y\":8,\"w\":2,\"h\":3,\"i\":\"8\"},\"id\":\"2ff90cc0-1de4-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":9,\"y\":2,\"w\":3,\"h\":3,\"i\":\"9\"},\"id\":\"601666f0-1de4-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":5,\"w\":3,\"h\":3,\"i\":\"10\"},\"id\":\"f000dc10-1de3-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":8,\"w\":7,\"h\":3,\"i\":\"11\"},\"id\":\"4a347160-1de4-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":9,\"y\":0,\"w\":3,\"h\":2,\"i\":\"12\"},\"id\":\"7c191380-1de3-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":0,\"y\":2,\"w\":4,\"h\":3,\"i\":\"13\"},\"id\":\"cb0bfe70-1de4-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":0,\"y\":14,\"w\":12,\"h\":6,\"i\":\"14\"},\"id\":\"2754df30-1de5-11e8-8f1b-1b86647d4817\",\"type\":\"search\",\"version\":\"6.2.3\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":0,\"y\":11,\"w\":6,\"h\":3,\"i\":\"15\"},\"version\":\"6.2.3\",\"type\":\"visualization\",\"id\":\"c23c05f0-1de5-11e8-8f1b-1b86647d4817\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":6,\"y\":11,\"w\":6,\"h\":3,\"i\":\"16\"},\"version\":\"6.2.3\",\"type\":\"visualization\",\"id\":\"fc7c21f0-1de5-11e8-8f1b-1b86647d4817\"}]", - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": true, - "timeTo": "now", - "timeFrom": "now-30m", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - 
"kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" - } - } - } - ] -} \ No newline at end of file diff --git a/docker/helk-kibana/objects/dashboards/Sysmon_Network_Dashboard.json b/docker/helk-kibana/objects/dashboards/Sysmon_Network_Dashboard.json deleted file mode 100644 index 651a1208..00000000 --- a/docker/helk-kibana/objects/dashboards/Sysmon_Network_Dashboard.json +++ /dev/null 
@@ -1,221 +0,0 @@ -{ - "version": "6.5.3", - "objects": [ - { - "id": "88ba6280-1de6-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:54:20.840Z", - "version": 1, - "attributes": { - "title": "Sysmon_Network_Count", - "visState": "{\"title\":\"Sysmon_Network_Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "fea5c340-1de6-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:57:38.676Z", - "version": 1, - "attributes": { - "title": "Sysmon_Network_Country_Name", - "visState": "{\"title\":\"Sysmon_Network_Country_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"meta_dst_ip_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"meta_dst_ip_geo.country_name\"}}]}", - "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "9d5cac20-1de6-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:54:55.457Z", - "version": 1, - "attributes": { - "title": "Sysmon_Network_Host_Name", - "visState": "{\"title\":\"Sysmon_Network_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "d00f7e40-1de6-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:56:20.516Z", - "version": 1, - "attributes": { - "title": "Sysmon_Network_Map", - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"meta_dst_ip_geo.location\",\"isFilteredByCollar\":true,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"heatClusterSize\":2,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":10,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.3\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":10,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.3\"}]}},\"title\":\"Sysmon_Network_Map\",\"type\":\"tile_map\"}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - } - } - }, - { - "id": "e71b9bf0-1de6-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T06:56:59.183Z", - "version": 1, - "attributes": { - "title": "Sysmon_Network_Process_Name", - "visState": "{\"title\":\"Sysmon_Network_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "5895e6f0-1de7-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T07:00:09.567Z", - "version": 1, - "attributes": { - "title": "Sysmon_Network_City_Name", - "visState": 
"{\"title\":\"Sysmon_Network_City_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"meta_dst_ip_geo.city_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "70cca1f0-1de7-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T07:00:50.191Z", - "version": 1, - "attributes": { - "title": "Sysmon_Network_dst_ip", - "visState": "{\"title\":\"Sysmon_Network_dst_ip\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dst_ip_addr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - 
}, - { - "id": "8d4f5e80-1de7-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T07:01:38.024Z", - "version": 1, - "attributes": { - "title": "Sysmon_Network_Port_Dst_Number", - "visState": "{\"title\":\"Sysmon_Network_Port_Dst_Number\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dst_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"dst_port\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "bd839c10-1de7-11e8-8f1b-1b86647d4817", - "type": "visualization", - "updated_at": "2018-03-02T07:02:58.897Z", - "version": 1, - "attributes": { - "title": "Sysmon_Network_User_Name", - "visState": 
"{\"title\":\"Sysmon_Network_User_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"user_name\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - } - }, - { - "id": "754acc80-1de6-11e8-8f1b-1b86647d4817", - "type": "search", - "updated_at": "2018-03-02T06:53:48.232Z", - "version": 1, - "attributes": { - "title": "Sysmon_Network_Discover", - "description": "", - "hits": 0, - "columns": [ - "host_name", - "user_domain", - "user_name", - "process_path", - "process_name", - "dst_ip_addr" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:3\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "logs-endpoint-winevent-sysmon-*", - "type": "index-pattern", - "updated_at": "2018-03-02T06:53:33.576Z", - "version": 33, - "attributes": { - "title": "logs-endpoint-winevent-sysmon-*", - "timeFieldName": "@timestamp", - "fields": 
"[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":true,\"readFromDocValues\":true},{\"name\":\"file_creation_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_creation_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip
_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"search
able\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_granted_access.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.k
eyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_target_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_target_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_target_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_thread_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rawaccess_read_device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rawaccess_read_device.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_target_object\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_target_object.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_rep
orter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_por
t_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_newthreadid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - } - }, - { - "id": "486d1780-1de7-11e8-8f1b-1b86647d4817", - "type": "dashboard", - "updated_at": "2018-03-02T07:04:34.359Z", - "version": 4, - "attributes": { - "title": "Sysmon_Network_Dashboard", - "hits": 0, - "description": "", - "panelsJSON": 
"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":3,\"h\":2,\"i\":\"1\"},\"id\":\"88ba6280-1de6-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"2\",\"gridData\":{\"x\":9,\"y\":5,\"w\":3,\"h\":3,\"i\":\"2\"},\"id\":\"fea5c340-1de6-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":9,\"y\":0,\"w\":3,\"h\":2,\"i\":\"3\"},\"id\":\"9d5cac20-1de6-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"4\",\"gridData\":{\"x\":3,\"y\":0,\"w\":6,\"h\":5,\"i\":\"4\"},\"id\":\"d00f7e40-1de6-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":3,\"y\":5,\"w\":3,\"h\":3,\"i\":\"5\"},\"id\":\"e71b9bf0-1de6-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":2,\"w\":3,\"h\":3,\"i\":\"6\"},\"id\":\"5895e6f0-1de7-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":9,\"y\":2,\"w\":3,\"h\":3,\"i\":\"7\"},\"id\":\"70cca1f0-1de7-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":6,\"y\":5,\"w\":3,\"h\":3,\"i\":\"8\"},\"id\":\"8d4f5e80-1de7-11e8-8f1b-1b86647d4817\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":5,\"w\":3,\"h\":3,\"i\":\"9\"},\"version\":\"6.2.3\",\"type\":\"visualization\",\"id\":\"bd839c10-1de7-11e8-8f1b-1b86647d4817\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":8,\"w\":12,\"h\":7,\"i\":\"10\"},\"version\":\"6.2.3\",\"type\":\"search\",\"id\":\"754acc80-1de6-11e8-8f1b-1b86647d4817\"}]", - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": true, - "timeTo": "now", - "timeFrom": "now-30m", - "refreshInterval": { - "display": 
"Off", - "pause": false, - "value": 0 - }, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" - } - } - } - ] -} \ No newline at end of file diff --git a/docker/helk-kibana/objects/dashboards/User_Investigation_dashboard.json b/docker/helk-kibana/objects/dashboards/User_Investigation_dashboard.json deleted file mode 100644 index bc91a499..00000000 --- a/docker/helk-kibana/objects/dashboards/User_Investigation_dashboard.json +++ /dev/null 
@@ -1,310 +0,0 @@ -{ - "version": "6.6.1", - "objects": [ - { - "id": "689ef060-4342-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:37.494Z", - "version": 7, - "attributes": { - "title": "Sysmon_Process Creation - EventId1", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "user_account", - "process_parent_guid", - "process_guid", - "process_parent_command_line", - "process_command_line", - "file_description", - "file_product", - "file_company" - ], - "sort": [ - "@timestamp", - "asc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:1\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "5a792770-4343-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.457Z", - "version": 8, - "attributes": { - "title": "Sysmon_Public Network Connections - EventId 3", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "user_account", - "process_guid", - "process_path", - "src_ip_addr", - "src_port", - "dst_ip_addr", - "dst_port", - "meta_dst_ip_geo.city_name", - "ipv6_src_addr", - "ipv6_dst_addr" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:3 AND (NOT dst_ip_addr: \\\"127.0.0.1\\\" AND NOT dst_ip_addr:[10.0.0.0 TO 10.255.255.255] AND NOT dst_ip_addr:[192.168.0.0 TO 192.168.255.255] AND NOT dst_ip_addr:[172.16.0.0 TO 172.31.255.255])\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "1821dba0-4344-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.205Z", - "version": 3, - "attributes": { - "title": "Sysmon_File Creation - EventId 11", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "event_id", - 
"process_guid", - "process_path", - "file_name" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:11\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "db661470-4347-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.201Z", - "version": 3, - "attributes": { - "title": "Sysmon_Registry Events", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "process_path", - "event_id", - "process_guid", - "event_type", - "registry_key_path", - "registry_key_value" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event_id:12 OR event_id:13 OR event_id:14\"},\"filter\":[]}" - } - } - }, - { - "id": "1a68e8a0-4348-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.427Z", - "version": 3, - "attributes": { - "title": "Sysmon_Downloads-EventId 15", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "process_path", - "event_id", - "process_guid", - "file_name" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"source_name: \\\"Microsoft-Windows-Sysmon\\\" AND 
event_id:15\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"logs-endpoint-*\",\"type\":\"phrase\",\"key\":\"source_name\",\"value\":\"Microsoft-Windows-Sysmon\",\"params\":{\"query\":\"Microsoft-Windows-Sysmon\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"source_name\":{\"query\":\"Microsoft-Windows-Sysmon\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } - } - }, - { - "id": "ffb5aa00-4349-11e9-a4c5-1717ba697d0d", - "type": "search", - "updated_at": "2019-03-23T20:24:36.458Z", - "version": 6, - "attributes": { - "title": "windows_login_events", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "event_id", - "keywords", - "user_name", - "logon_type", - "user_reporter_domain" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"source_name: \\\"Microsoft-Windows-Security-Auditing\\\" AND (event_id:[4624 TO 4625] OR event_id:4634)\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "3c414620-48fc-11e9-b62f-8f6921045c4c", - "type": "visualization", - "updated_at": "2019-03-23T20:24:39.530Z", - "version": 2, - "attributes": { - "title": "Sysmon_Eventcount-per-host", - "visState": "{\"title\":\"Sysmon_Eventcount-per-host\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"beat_hostname.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - 
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "bcafaac0-48f4-11e9-b62f-8f6921045c4c", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - } - }, - { - "id": "ccec7dc0-48fc-11e9-b62f-8f6921045c4c", - "type": "visualization", - "updated_at": "2019-03-23T20:24:39.489Z", - "version": 3, - "attributes": { - "title": "Sysmon_Timelion_bySystem", - "visState": "{\"title\":\"Sysmon_Timelion_bySystem\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(q=*, index=logs-endpoint-winevent-sysmon*, split=beat_hostname.keyword:40).label(\\\"$1\\\", \\\"^.* > beat_hostname.keyword:(\\\\S+) > .*\\\").title(\\\"Events per system timeline\\\")\",\"interval\":\"1h\"},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "a3878f20-4829-11e9-a85d-d748de0cd831", - "type": "search", - "updated_at": "2019-03-23T20:24:36.197Z", - "version": 4, - "attributes": { - "title": "Sysmon_ExecutedCommands", - "description": "", - "hits": 0, - "columns": [ - "beat_name", - "event_id", - "user_account", - "process_guid", - "process_parent_command_line", - "process_command_line", - "file_description", - "file_product", - "file_company" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:1 AND (process_parent_name:\\\"CmD.exe\\\" OR process_parent_name:\\\"powershell.exe\\\" OR process_parent_name:\\\"wscript.exe\\\" OR process_parent_name:\\\"cscript.exe\\\")\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "logs-endpoint-winevent-sysmon-*", - "type": 
"index-pattern", - "updated_at": "2019-03-22T18:59:29.818Z", - "version": 58, - "attributes": { - "title": "logs-endpoint-winevent-sysmon-*", - "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation_previous\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@event_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@file_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"any_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"driver_loaded\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"driver_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_company\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true},{\"name\":\"file_product\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_product.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_process_command_line_mm3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_d
st_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_dst_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_src_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_src_nat_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_ingest_timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"nam
e\":\"meta_dst_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_n
at_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_
ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"met
a_dst_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_log_tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_log_tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_p
rocess_command_line_has_net\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.dma_code\",\"
type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\
"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_status\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signed\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":
\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_account\",\"type\":\"string\",\"count\":4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false
},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - }, - "migrationVersion": { - "index-pattern": "6.5.0" - } - }, - { - "id": "logs-endpoint-*", - "type": "index-pattern", - "updated_at": "2019-03-21T21:50:44.291Z", - "version": 53, - "attributes": { - "title": "logs-endpoint-*", - "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation_previous\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_new_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_previous_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@event_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@file_date_creation\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Binary.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Context\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Context.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"CurrentStratumNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"CurrentStratumNumber.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Detail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Detail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceName.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceNameLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceVersionMajor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DeviceVersionMinor\",\"type\":\"string\",\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DeviceVersionMinor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"DomainPeer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"DomainPeer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EffectiveState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"EffectiveState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ErrorMessage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ErrorMessage.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"FinalStatus.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"HiveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"HiveName.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"HiveNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"HiveNameLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"MaxSystemTimeChangeSeconds\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"MaxSystemTimeChangeSeconds.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"NewSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"NewSize.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"NewTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ObjId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ObjId.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"OldTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"OriginalSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"OriginalSize.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":false,\"readFromDocValues\":false},{\"name\":\"Reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"RetryMinutes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"RetryMinutes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"SystemTimeChangeSeconds\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"SystemTimeChangeSeconds.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TSId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TSId.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TargetState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TargetState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TimeOffsetSeconds\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TimeOffsetSeconds.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TimeProvider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TimeProvider.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true},{\"name\":\"TimeSource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TimeSource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TimeSourceRefId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TimeSourceRefId.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TransitionsToOn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"TransitionsToOn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"UserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"UserSid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"any_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"computer_name\",\"type\":\"string\",\"count\":0,\
"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"driver_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"driver_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"ip\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_nat_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"errorCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"errorCode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_product.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_powershell_param_value_mm3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_powershell_scriptblock_text_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_process_command_line_mm3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_domain_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_domain_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_name_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_name_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group_sid_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_sid_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_dirty_pages\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_dirty_pages.keyword\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_keys_updated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_keys_updated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hive_name_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hive_name_length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{
\"name\":\"ipv6_dst_addr\",\"type\":\"string\",\"count\":4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_dst_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_addr\",\"type\":\"string\",\"count\":4,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_src_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv6_src_nat_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv6_src_nat_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_ingest_timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_authentication_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_key_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_privileges_assigned\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privileges_assigned.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"count\":0,\"sc
ripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_type\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_g
eo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ipv6_geo.postal_code\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_name\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.asn\",\"type\":\"number
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo
.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_log_tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_log_tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_powershell_param_value_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_powershell_scriptblock_text_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_powershell_scriptblock_text_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_net\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_non_ascii\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_s
rc_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_code\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":fals
e,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ipv6_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ipv6_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src_nat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_access_handle_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_access_handle_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_new_sddl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_new_sddl.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_old_sddl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_old_sddl.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ob
ject_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param10\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param10.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param11\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param11.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param12\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param12.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param13.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param14\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param14.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param15.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param16\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param16.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param17\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param17.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param19\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param19.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param20\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param20.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param
21\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param21.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param22\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param22.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param23\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param23.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param4.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param7.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param8.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param9\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param9.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.command.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.command.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.connected_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.connected_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.engine_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.application\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.host.application.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.host.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.newengine_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fals
e},{\"name\":\"powershell.newengine_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.newproviderstate\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.newproviderstate.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.param.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.param.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.param.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.param.value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.param.value_nonalphanumeric\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.pipeline_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.previousengine_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.previousengine_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.providername\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"n
ame\":\"powershell.providername.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.remaining_payload\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.remaining_payload.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.runspace_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.script.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.script.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.script.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powershell.script.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.message_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.message_total\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.scriptblock.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"powers
hell.scriptblock.text.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.sequence_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell.shell_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"powershell_scriptblock_text_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":6,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_p
ath.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reporter_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"serviceGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false
},{\"name\":\"service_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_start_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_start_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true
},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"spp_restart_reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_scheduled\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"ip\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ipv6_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ipv6_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_addr\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_public\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_nat_ip_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"updateGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"updateRevisionNumber.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"updateTitle.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_account\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"User.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_linked_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_linked_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name_enumerated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid_enumerated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid_enumerated.keyword\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_consumer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_consumer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_event_subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_event_subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.keyword\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_namespace.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_provider_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_query_id\",\"type\":\"string\",\"
count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_query_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_result_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" - }, - "migrationVersion": { - "index-pattern": "6.5.0" - } - }, - { - "id": "bcafaac0-48f4-11e9-b62f-8f6921045c4c", - "type": "search", - "updated_at": "2019-03-23T20:24:36.189Z", - "version": 4, - "attributes": { - "title": "Sysmon_All_events", - "description": "", - "hits": 0, - "columns": [ - "action", - "beat_name", - "process_guid", - "process_parent_guid", - "user_account", - "process_path" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logs-endpoint-winevent-sysmon-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - } - }, - { - "id": "cf46c5b0-434f-11e9-a4c5-1717ba697d0d", - "type": "dashboard", - "updated_at": "2019-03-23T20:24:38.510Z", - "version": 15, - "attributes": { - "title": "User Investigation Dashboard", - "hits": 0, - "description": "Enter a username in the search bar to investigate activity on that host.", - "panelsJSON": 
"[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":17,\"i\":\"1\"},\"id\":\"689ef060-4342-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"1\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":43,\"w\":48,\"h\":15,\"i\":\"2\"},\"id\":\"5a792770-4343-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"2\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":58,\"w\":48,\"h\":15,\"i\":\"3\"},\"id\":\"1821dba0-4344-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"3\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":88,\"w\":48,\"h\":15,\"i\":\"4\"},\"id\":\"db661470-4347-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"4\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":73,\"w\":48,\"h\":15,\"i\":\"5\"},\"id\":\"1a68e8a0-4348-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"5\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":103,\"w\":48,\"h\":15,\"i\":\"7\"},\"id\":\"ffb5aa00-4349-11e9-a4c5-1717ba697d0d\",\"panelIndex\":\"7\",\"type\":\"search\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":16,\"h\":11,\"i\":\"8\"},\"id\":\"3c414620-48fc-11e9-b62f-8f6921045c4c\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":11,\"i\":\"9\"},\"id\":\"ccec7dc0-48fc-11e9-b62f-8f6921045c4c\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.6.1\"},{\"gridData\":{\"x\":0,\"y\":11,\"w\":48,\"h\":15,\"i\":\"10\"},\"version\":\"6.6.1\",\"panelIndex\":\"10\",\"type\":\"search\",\"id\":\"a3878f20-4829-11e9-a85d-d748de0cd831\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - 
"kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\\\"Enter a username here\\\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - } - ] -} \ No newline at end of file diff --git a/docker/helk-kibana/objects/index-pattern/elastalert_status.ndjson b/docker/helk-kibana/objects/index-pattern/elastalert_status.ndjson new file mode 100644 index 00000000..43123073 --- /dev/null +++ b/docker/helk-kibana/objects/index-pattern/elastalert_status.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aggregate_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.z_logstash_pipeline\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"@timestamp","title":"elastalert_status"},"id":"elastalert_status","migrationVersion":{"i
ndex-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:15.213Z","version":"WzQsMV0="}
diff --git a/docker/helk-kibana/objects/index-pattern/elastalert_status_error.ndjson b/docker/helk-kibana/objects/index-pattern/elastalert_status_error.ndjson
new file mode 100644
index 00000000..47510e3d
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/elastalert_status_error.ndjson
@@ -0,0 +1 @@
+{"attributes":{"timeFieldName":"@timestamp","title":"elastalert_status_error"},"id":"elastalert_status_error","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:16.084Z","version":"WzUsMV0="}
diff --git a/docker/helk-kibana/objects/index-pattern/elastalert_status_past.ndjson b/docker/helk-kibana/objects/index-pattern/elastalert_status_past.ndjson
new file mode 100644
index 00000000..b307f6c1
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/elastalert_status_past.ndjson
@@ -0,0 +1 @@
+{"attributes":{"timeFieldName":"@timestamp","title":"elastalert_status_past"},"id":"elastalert_status_past","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:17.173Z","version":"WzYsMV0="}
diff --git a/docker/helk-kibana/objects/index-pattern/elastalert_status_silence.ndjson b/docker/helk-kibana/objects/index-pattern/elastalert_status_silence.ndjson
new file mode 100644
index 00000000..8ca5d97e
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/elastalert_status_silence.ndjson
@@ -0,0 +1 @@
+{"attributes":{"timeFieldName":"@timestamp","title":"elastalert_status_silence"},"id":"elastalert_status_silence","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:18.148Z","version":"WzcsMV0="}
diff --git a/docker/helk-kibana/objects/index-pattern/elastalert_status_status.ndjson b/docker/helk-kibana/objects/index-pattern/elastalert_status_status.ndjson
new file mode 100644
index 00000000..637de945
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/elastalert_status_status.ndjson
@@ -0,0 +1 @@
+{"attributes":{"timeFieldName":"@timestamp","title":"elastalert_status_status"},"id":"elastalert_status_status","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:19.191Z","version":"WzgsMV0="}
diff --git a/docker/helk-kibana/objects/index-pattern/indexme.ndjson b/docker/helk-kibana/objects/index-pattern/indexme.ndjson
new file mode 100644
index 00000000..11a90f33
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/indexme.ndjson
@@ -0,0 +1 @@
+{"attributes":{"timeFieldName":"@timestamp","title":"indexme-*"},"id":"indexme-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:20.265Z","version":"WzksMV0="}
diff --git a/docker/helk-kibana/objects/index-pattern/logs.ndjson b/docker/helk-kibana/objects/index-pattern/logs.ndjson
new file mode 100644
index 00000000..a1638acf
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/logs.ndjson
@@ -0,0 +1 @@ +{"attributes":{"fields":"[{\"name\":\"@date_new_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_previous_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@event_date_creation\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@file_date_creation\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@file_previous_date_creation\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Binary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Binary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"Binary\"}}},{\"name\":\"OriginalFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"OriginalFileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromD
ocValues\":true,\"subType\":{\"multi\":{\"parent\":\"OriginalFileName\"}}},{\"name\":\"SubjectLogonId\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TargetLogonId\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"User\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"User.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"User\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ac
tion\"}}},{\"name\":\"activity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"activity_id\"}}},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.hostname\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"any_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"any_ip_geo.as_org\"}}},{\"name\":\"any_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"beat_hostname\"}}},{\"name\":\"beat_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"beat_version\"}}},{\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"destination.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_
host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dst_host_name\"}}},{\"name\":\"dst_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_type\",\"type\":\"stri
ng\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dst_port_name\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"etl_pipeline\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"etl_processed_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.code\",\"type\":\"number\",\"esTypes\":[\"long
\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_original_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event_status\"}}},{\"name\":\"event_status_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_status_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event_status_value\"}}},{\"name\":\"event_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_ty
pe.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event_type\"}}},{\"name\":\"file_company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_company\"}}},{\"name\":\"file_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_description\"}}},{\"name\":\"file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_name\"}}},{\"name\":\"file_product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_product\"}}},{\"name\":\"file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"rea
dFromDocValues\":false},{\"name\":\"file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_version\"}}},{\"name\":\"fingerprint_network_community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_process_command_line_mm3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash\"}}},{\"name\":\"hash_imphash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash_imphash\"}}},{\"name\":\"hash_md5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash_md5\"}}},{\"name\":\"hash_sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVal
ues\":false},{\"name\":\"hash_sha1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash_sha1\"}}},{\"name\":\"hash_sha256\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash_sha256\"}}},{\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host_name\"}}},{\"name\":\"impersonation_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"impersonation_level\"}}},{\"name\":\"impersonation_level_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"impersonation_level_value\"}}},{\"name\":\"keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"keywords\"}}},{\"name\":\"level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"level\"}}},{\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log_name\"}}},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_authentication_package_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_authentication_package_name\"}}},{\"name\":\"logon_key_length\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_key_length\"}}},{\"name\":\"logon_package_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_package_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_package_name\"}}},{\"name\":\"logon_privilege_list\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privilege_list.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_privilege_list\"}}},{\"name\":\"logon_process_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_process_name\"}}},{\"name\":\"logon_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fals
e,\"readFromDocValues\":false},{\"name\":\"logon_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_type\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_dst_ip_geo.as_org\"}}},{\"name\":\"meta_dst_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{
\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_dst_nat_ip_geo.as_org\"}}},{\"name\":\"meta_dst_nat_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_log_tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_log_tags.keyword\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"meta_log_tags\"}}},{\"name\":\"meta_process_command_line_has_net\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_non_ascii\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_length\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_src_ip_geo.as_org\"}}},{\"name\":\"meta_src_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"me
ta_src_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_src_nat_ip_geo.as_org\"}}},{\"name\":\"meta_src_nat_ip_geo.asn\",\"type\":\
"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_target_user_name_is_machine\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_user_name_is_machine\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_user_reporter_name_is_machine\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"module_loaded\"}}},{\"name\":\"module_signed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{
\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_application_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_application_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst_nat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_log\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src_nat\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_name\"}}},{\"name\":\"opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"opcode\"}}},{\"name\":\"param1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"param1\"}}},{\"name\":\"param2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"param2\"}}},{\"name\":\"pipe_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pipe_name\"}}},{\"name\":\"process_call_trace\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_call_trace.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_call_trace\"}}},{\"name\":\"process_command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_command_line\"}}},{\"name\":\"process_current_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_current_directory\"}}},{\"name\":\"process_granted_access\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"p
rocess_guid\"}}},{\"name\":\"process_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_integrity_level\"}}},{\"name\":\"process_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_name\"}}},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_command_line\"}}},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_guid\"}}},{\"name\":\"process_parent_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_name\"}}},{\"name\":\"process_parent_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_path\"}}},{\"name\":\"process_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_path\"}}},{\"name\":\"provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"provider_guid\"}}},{\"name\":\"record_number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\
",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"registry_key_path\"}}},{\"name\":\"registry_key_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"registry_key_value\"}}},{\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_host_info\"}}},{\"name\":\"service_host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_host_name\"}}},{\"name\":\"
signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"signature\"}}},{\"name\":\"signature_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"signature_status\"}}},{\"name\":\"signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"signed\"}}},{\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_code3\",\"type\":\"string\",\"
esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.continent_code\",\"typ
e\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source_name\"}}},{\"name\":\"spp_restart_scheduled\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"src_host_name\"}}},{\"name\":\"src_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"src
_port_name\"}}},{\"name\":\"sysmon_version\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sysmon_version\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"target_process_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_process_guid\"}}},{\"name\":\"target_process_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_process_name\"}}},{\"name\":\"target_process_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fals
e,\"readFromDocValues\":false},{\"name\":\"target_process_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_process_path\"}}},{\"name\":\"target_server_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_server_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_server_name\"}}},{\"name\":\"target_user_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_user_domain\"}}},{\"name\":\"target_user_logon_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_logon_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_user_logon_guid\"}}},{\"name\":\"target_user_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_user_name\"}}},{\"na
me\":\"task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"task\"}}},{\"name\":\"thread_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"esTypes\":[\"integer\",\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_start_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_start_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread_start_address\"}}},{\"name\":\"thread_start_function\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_start_function.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread_start_function\"}}},{\"name\":\"thread_start_module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_start_module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"paren
t\":\"thread_start_module\"}}},{\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"type\"}}},{\"name\":\"user_account\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_account.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_account\"}}},{\"name\":\"user_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_domain\"}}},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_logon_guid\"}}},{\"name\":\"user_logon_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\"
:\"user_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_name\"}}},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_domain\"}}},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_name\"}}},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_sid\"}}},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_type\"}}},{\"name\":\"user_session_id\",\"type\":\"number\",\"esTypes\":[\"lon
g\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_sid\"}}},{\"name\":\"version\",\"type\":\"number\",\"esTypes\":[\"integer\",\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.activity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.activity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.activity_id\"}}},{\"name\":\"winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.api.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.api\"}}},{\"name\":\"winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.channel\"}}},{\"name\":\"winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text
\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.computer_name\"}}},{\"name\":\"winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.host_name\"}}},{\"name\":\"winlog.keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.keywords\"}}},{\"name\":\"winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.opcode\"}}},{\"name\":\"winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.thread.id\",
\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_guid\"}}},{\"name\":\"winlog.provider_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_name\"}}},{\"name\":\"winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.task\"}}},{\"name\":\"winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.keyword\",\"type\":\"strin
g\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_client_machine\"}}},{\"name\":\"wmi_component\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_component\"}}},{\"name\":\"wmi_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_id\"}}},{\"name\":\"wmi_operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_operation\"}}},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_possible_cause\"}}},{\"name\":\"wmi_provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":f
alse},{\"name\":\"wmi_provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_provider\"}}},{\"name\":\"wmi_provider_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_provider_path\"}}},{\"name\":\"wmi_result_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_result_code\"}}},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_xml_operation\"}}},{\"name\":\"z_etl_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z_original_timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"@timestamp","title":"logs-*"},"id":"logs-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pa
ttern","updated_at":"2020-04-21T09:18:27.480Z","version":"WzExMywxXQ=="}
diff --git a/docker/helk-kibana/objects/index-pattern/logs_endpoint.ndjson b/docker/helk-kibana/objects/index-pattern/logs_endpoint.ndjson
new file mode 100644
index 00000000..15e87e7e
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/logs_endpoint.ndjson
@@ -0,0 +1 @@ +{"attributes":{"fields":"[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AddressLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.AddressLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Attributes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Binary.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.BiosInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.BiosInitDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DriverInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"
readFromDocValues\":false},{\"name\":\"event_data.DriverInitDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EffectiveState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.EffectiveState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberPagesWritten\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberPagesWritten.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberReadDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberReadDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberWriteDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberWriteDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocV
alues\":true},{\"name\":\"event_data.NoMultiStageResumeReason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.NoMultiStageResumeReason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.QueryName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.QueryName.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.SleepDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TargetState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Transitions
ToOn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TransitionsToOn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceTextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceTextLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceType.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerContextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerContextLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerOwnerLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Wak
eTimerOwnerLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param4.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.serviceGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateRevisionNumber.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateTitle.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@date_creation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fal
se},{\"name\":\"module_signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_authentication_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_key_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_privileges_assigned\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privileges_assigned.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_restricted_adminmode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_restricted_adminmode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_transmitted_services\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_tra
nsmitted_services.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\
"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_granted_access.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_guid\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"device_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"device_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\"
,\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reporter_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,
\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_account_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_si
d.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_start_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_start_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"spp_restart_reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_scheduled\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system_new_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"na
me\":\"@date_previous_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_newthreadid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startaddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_startaddress.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startfunction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_startfunction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startmodule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_start
module.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"User.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_log
on_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_linked_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_linked_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"user_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true},{\"name\":\"wmi_provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_provider_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_result_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"@timestamp","title":"logs-endpoint-*"},"id":"logs-endpoint-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T09:18:27.480Z","version":"WzExOCwxXQ=="} diff --git a/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_application.ndjson b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_application.ndjson new file mode 100644 index 00000000..0b9a5b53 --- /dev/null +++ b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_application.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"timeFieldName":"@timestamp","title":"logs-endpoint-winevent-application-*"},"id":"logs-endpoint-winevent-application-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:23.554Z","version":"WzEyLDFd"} diff --git a/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_etw.ndjson b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_etw.ndjson new file mode 100644 index 00000000..ea9e6605 --- /dev/null +++ b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_etw.ndjson @@ -0,0 +1 @@ +{"attributes":{"timeFieldName":"@timestamp","title":"logs-endpoint-winevent-etw-*"},"id":"logs-endpoint-winevent-etw-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:24.608Z","version":"WzEzLDFd"} diff --git a/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_powershell.ndjson b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_powershell.ndjson new file mode 100644 index 00000000..3b42fed7 --- /dev/null +++ b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_powershell.ndjson @@ -0,0 +1 @@ +{"attributes":{"timeFieldName":"@timestamp","title":"logs-endpoint-winevent-powershell-*"},"id":"logs-endpoint-winevent-powershell-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:25.581Z","version":"WzE0LDFd"} diff --git a/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_security.ndjson b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_security.ndjson new file mode 100644 index 00000000..caa2a01b --- /dev/null +++ b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_security.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"fields":"[{\"name\":\"@date_new_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_previous_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ScheduledTask.Actions.ComHandler.ClassId.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Actions.ComHandler.ClassId.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Actions.ComHandler.ClassId.content\"}}},{\"name\":\"ScheduledTask.Actions.ComHandler.Data.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Actions.ComHandler.Data.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Actions.ComHandler.Data.content\"}}},{\"name\":\"ScheduledTask.Actions.Context\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Actions.Context.keyword\",\"type\"
:\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Actions.Context\"}}},{\"name\":\"ScheduledTask.Actions.Exec.Arguments.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Actions.Exec.Arguments.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Actions.Exec.Arguments.content\"}}},{\"name\":\"ScheduledTask.Actions.Exec.Command.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Actions.Exec.Command.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Actions.Exec.Command.content\"}}},{\"name\":\"ScheduledTask.Principals.Principal.RunLevel.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Principals.Principal.RunLevel.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Principals.Principal.RunLevel.content\"}}},{\"name\":\"ScheduledTask.Principals.Principal.UserId.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Principals.Principal.Use
rId.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Principals.Principal.UserId.content\"}}},{\"name\":\"ScheduledTask.Principals.Principal.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Principals.Principal.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Principals.Principal.id\"}}},{\"name\":\"ScheduledTask.RegistrationInfo.Author.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.RegistrationInfo.Author.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.RegistrationInfo.Author.content\"}}},{\"name\":\"ScheduledTask.RegistrationInfo.Date.content\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ScheduledTask.RegistrationInfo.Description.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.RegistrationInfo.Description.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.RegistrationInfo.Description.content\"}}},{\"name\":\"ScheduledTask
.RegistrationInfo.SecurityDescriptor.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.RegistrationInfo.SecurityDescriptor.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.RegistrationInfo.SecurityDescriptor.content\"}}},{\"name\":\"ScheduledTask.RegistrationInfo.Source.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.RegistrationInfo.Source.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.RegistrationInfo.Source.content\"}}},{\"name\":\"ScheduledTask.RegistrationInfo.URI.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.RegistrationInfo.URI.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.RegistrationInfo.URI.content\"}}},{\"name\":\"ScheduledTask.RegistrationInfo.Version.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.RegistrationInfo.Version.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.R
egistrationInfo.Version.content\"}}},{\"name\":\"ScheduledTask.Settings.AllowHardTerminate.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.AllowHardTerminate.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.AllowHardTerminate.content\"}}},{\"name\":\"ScheduledTask.Settings.AllowStartOnDemand.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.AllowStartOnDemand.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.AllowStartOnDemand.content\"}}},{\"name\":\"ScheduledTask.Settings.DisallowStartIfOnBatteries.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.DisallowStartIfOnBatteries.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.DisallowStartIfOnBatteries.content\"}}},{\"name\":\"ScheduledTask.Settings.DisallowStartOnRemoteAppSession.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.DisallowStartOnRemoteAppSession.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.DisallowStartOnRemoteAppSession.content\"}}},{\"name\":\"ScheduledTask.Settings.Enabled.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.Enabled.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.Enabled.content\"}}},{\"name\":\"ScheduledTask.Settings.ExecutionTimeLimit.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.ExecutionTimeLimit.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.ExecutionTimeLimit.content\"}}},{\"name\":\"ScheduledTask.Settings.Hidden.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.Hidden.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.Hidden.content\"}}},{\"name\":\"ScheduledTask.Settings.IdleSettings.Duration.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.IdleSettings.Duration.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keywor
d\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.IdleSettings.Duration.content\"}}},{\"name\":\"ScheduledTask.Settings.IdleSettings.RestartOnIdle.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.IdleSettings.RestartOnIdle.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.IdleSettings.RestartOnIdle.content\"}}},{\"name\":\"ScheduledTask.Settings.IdleSettings.StopOnIdleEnd.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.IdleSettings.StopOnIdleEnd.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.IdleSettings.StopOnIdleEnd.content\"}}},{\"name\":\"ScheduledTask.Settings.IdleSettings.WaitTimeout.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.IdleSettings.WaitTimeout.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.IdleSettings.WaitTimeout.content\"}}},{\"name\":\"ScheduledTask.Settings.MultipleInstancesPolicy.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.MultipleInstancesPolicy.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.MultipleInstancesPolicy.content\"}}},{\"name\":\"ScheduledTask.Settings.Priority.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.Priority.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.Priority.content\"}}},{\"name\":\"ScheduledTask.Settings.RestartOnFailure.Count.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.RestartOnFailure.Count.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.RestartOnFailure.Count.content\"}}},{\"name\":\"ScheduledTask.Settings.RestartOnFailure.Interval.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.RestartOnFailure.Interval.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.RestartOnFailure.Interval.content\"}}},{\"name\":\"ScheduledTask.Settings.RunOnlyIfIdle.content\",\"type\":\"string
\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.RunOnlyIfIdle.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.RunOnlyIfIdle.content\"}}},{\"name\":\"ScheduledTask.Settings.RunOnlyIfNetworkAvailable.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.RunOnlyIfNetworkAvailable.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.RunOnlyIfNetworkAvailable.content\"}}},{\"name\":\"ScheduledTask.Settings.StartWhenAvailable.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.StartWhenAvailable.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.StartWhenAvailable.content\"}}},{\"name\":\"ScheduledTask.Settings.StopIfGoingOnBatteries.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.StopIfGoingOnBatteries.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.StopIfGoingOnB
atteries.content\"}}},{\"name\":\"ScheduledTask.Settings.UseUnifiedSchedulingEngine.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.UseUnifiedSchedulingEngine.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.UseUnifiedSchedulingEngine.content\"}}},{\"name\":\"ScheduledTask.Settings.WakeToRun.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Settings.WakeToRun.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Settings.WakeToRun.content\"}}},{\"name\":\"ScheduledTask.Triggers.BootTrigger.Delay.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.BootTrigger.Delay.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.BootTrigger.Delay.content\"}}},{\"name\":\"ScheduledTask.Triggers.BootTrigger.Enabled.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.BootTrigger.Enabled.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.BootTrigger.Enabled.content\"}}},{\"name\":\"ScheduledTask.Triggers.BootTrigger.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.BootTrigger.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.BootTrigger.id\"}}},{\"name\":\"ScheduledTask.Triggers.CalendarTrigger.Enabled.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.CalendarTrigger.Enabled.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.CalendarTrigger.Enabled.content\"}}},{\"name\":\"ScheduledTask.Triggers.CalendarTrigger.ScheduleByDay.DaysInterval.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.CalendarTrigger.ScheduleByDay.DaysInterval.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.CalendarTrigger.ScheduleByDay.DaysInterval.content\"}}},{\"name\":\"ScheduledTask.Triggers.CalendarTrigger.StartBoundary.content\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ScheduledTask.Triggers.TimeTrigger.Enabled.content\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.TimeTrigger.Enabled.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.TimeTrigger.Enabled.content\"}}},{\"name\":\"ScheduledTask.Triggers.TimeTrigger.RandomDelay.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.TimeTrigger.RandomDelay.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.TimeTrigger.RandomDelay.content\"}}},{\"name\":\"ScheduledTask.Triggers.TimeTrigger.Repetition.Interval.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.TimeTrigger.Repetition.Interval.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.TimeTrigger.Repetition.Interval.content\"}}},{\"name\":\"ScheduledTask.Triggers.TimeTrigger.Repetition.StopAtDurationEnd.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.TimeTrigger.Repetition.StopAtDurationEnd.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromD
ocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.TimeTrigger.Repetition.StopAtDurationEnd.content\"}}},{\"name\":\"ScheduledTask.Triggers.TimeTrigger.StartBoundary.content\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ScheduledTask.Triggers.TimeTrigger.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.TimeTrigger.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.TimeTrigger.id\"}}},{\"name\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.Data.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.Data.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.Data.content\"}}},{\"name\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.DataOffset.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.DataOffset.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.DataOffset.content\"}}},{\"name\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.Enabled.co
ntent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.Enabled.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.Enabled.content\"}}},{\"name\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.StateName.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.StateName.content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.StateName.content\"}}},{\"name\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.Triggers.WnfStateChangeTrigger.id\"}}},{\"name\":\"ScheduledTask.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.version\"}}},{\"na
me\":\"ScheduledTask.xmlns\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ScheduledTask.xmlns.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ScheduledTask.xmlns\"}}},{\"name\":\"SubjectLogonId\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TargetLogonId\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"activity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"activity_id\"}}},{\"name\":
\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.hostname\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"any_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"any_ip_geo.as_org\"}}},{\"name\":\"any_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"mul
ti\":{\"parent\":\"beat_hostname\"}}},{\"name\":\"beat_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"beat_name\"}}},{\"name\":\"beat_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"beat_version\"}}},{\"name\":\"computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"computer_name\"}}},{\"name\":\"credentials_read\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"credentials_read.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"credentials_read\"}}},{\"name\":\"credentials_read_returned_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"credentials_read_returned_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"credentials_read_returned_code\"}}},{\"name\":\"credentials_read_returned_count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"credentials_read_returned_count.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"credentials_read_returned_count\"}}},{\"name\":\"credentials_read_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"credentials_read_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"credentials_read_type\"}}},{\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"na
me\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destina
tion.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dsobject_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dsobject_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dsobject_domain\"}}},{\"name\":\"dst_host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dst_host_name\"}}},{\"name\":\"dst_host_name_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host_name_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dst_host_name_id\"}}},{\"name\":\"dst_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_user_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValue
s\":false},{\"name\":\"dst_user_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dst_user_id\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"etl_pipeline\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"etl_processed_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_original_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_s
tatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event_status\"}}},{\"name\":\"file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_name\"}}},{\"name\":\"fingerprint_network_community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_process_command_line_mm3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"impersonation_level\"}}},{\"name\":\"impersonation_level_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\
":{\"multi\":{\"parent\":\"impersonation_level_value\"}}},{\"name\":\"keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"keywords\"}}},{\"name\":\"level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"level\"}}},{\"name\":\"log_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log_name\"}}},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_authentication_package_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_authentication_package_name\"}}},{\"name\":\"logon_elevated_token\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_elevated_token\"}}},{\"name\":\"logon_elevated_token_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_elevated_token_value\"}}},{\"name\":\"logon_key_length\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_key_length\"}}},{\"name\":\"logon_privilege_list\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privilege_list.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_privilege_list\"}}},{\"name\":\"logon_process_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_process_name\"}}},{\"name\":\"logon_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_type\"}}},{\"name\":\"logon_virtual_account\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_virtual_account\"}}},{\"name\":\"logon_virtual_account_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_virtual_account_value\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_dst_ip_geo.as_org\"}}},{\"name\":\"meta_dst_ip_geo.asn\",\"
type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_dst_nat_ip_geo.as_org\"}}},{\"name\":\"meta_dst_nat_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_log_tags\",\"type\":\"string\",\"esTy
pes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_log_tags.keyword\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"meta_log_tags\"}}},{\"name\":\"meta_process_command_line_has_net\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_non_ascii\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_length\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_src_ip_geo.as_org\"}}},{\"name\":\"meta_src_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.continent_code\",\"type\":\"s
tring\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_src_nat_ip_geo.as_org\"}}},{\"name\":\"meta_src_nat_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"meta_src_nat_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_target_user_name_is_machine\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_user_name_is_machine\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_user_reporter_name_is_machine\",\"type\":\"
boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_application_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_application_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_direction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_direction.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network_direction\"}}},{\"name\":\"network_direction_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_direction_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network_direction_value\"}}},{\"name\":\"network_filter_rtid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_filter_rtid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network_filter_rtid\"}}},{\"name\":\"network_layer_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_layer_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network_layer_id\"}}},{\"name\":\"network_layer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_layer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network_layer_name\"}}},{\"name\":\"network_layer_name_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_layer_name_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network_layer_name_value\"}}},{\"name\":\"network_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},
{\"name\":\"not_ip_dst\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst_nat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_log\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src_nat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_access_list\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_access_list.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_access_list\"}}},{\"name\":\"object_access_list_requested\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_access_list_requested.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_access_list_requested\"}}},{\"name\":\"object_access_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_access_mask.keyword\",\"type\":\"string\",\"esType
s\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_access_mask\"}}},{\"name\":\"object_access_mask_requested\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_access_mask_requested.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_access_mask_requested\"}}},{\"name\":\"object_access_reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_access_reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_access_reason\"}}},{\"name\":\"object_handle_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_handle_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_handle_id\"}}},{\"name\":\"object_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_name\"}}},{\"name\":\"object_new_sd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_new_sd.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_new_sd\"}}},{\"name\":\"object_old_sd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_old_sd.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_old_sd\"}}},{\"name\":\"object_operation_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_operation_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_operation_type\"}}},{\"name\":\"object_operation_type_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_operation_type_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_operation_type_value\"}}},{\"name\":\"object_privilege_list\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_privilege_list.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"mul
ti\":{\"parent\":\"object_privilege_list\"}}},{\"name\":\"object_properties\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_properties.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_properties\"}}},{\"name\":\"object_resource_attributes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_resource_attributes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_resource_attributes\"}}},{\"name\":\"object_restricted_sid_count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_restricted_sid_count.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_restricted_sid_count\"}}},{\"name\":\"object_server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_server\"}}},{\"name\":\"object_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_type.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_type\"}}},{\"name\":\"object_type_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_type_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_type_value\"}}},{\"name\":\"opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"opcode\"}}},{\"name\":\"process_command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_command_line\"}}},{\"name\":\"process_creation_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\
"subType\":{\"multi\":{\"parent\":\"process_current_directory\"}}},{\"name\":\"process_handle_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_handle_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_handle_id\"}}},{\"name\":\"process_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_mandatory_rid_label\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_mandatory_rid_label.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_mandatory_rid_label\"}}},{\"name\":\"process_mandatory_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_mandatory_sid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_mandatory_sid\"}}},{\"name\":\"process_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_name\"}}},{\"name\":\"process_parent_command_line\"
,\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_command_line\"}}},{\"name\":\"process_parent_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_name\"}}},{\"name\":\"process_parent_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_path\"}}},{\"name\":\"process_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_path\"}}},{\"name\":\"process_token_elevation_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":false,\"readFromDocValues\":false},{\"name\":\"process_token_elevation_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_token_elevation_type\"}}},{\"name\":\"process_token_elevation_type_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_token_elevation_type_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_token_elevation_type_value\"}}},{\"name\":\"provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"provider_guid\"}}},{\"name\":\"record_number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scheduled_task_content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scheduled_task_content.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\
"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scheduled_task_content\"}}},{\"name\":\"scheduled_task_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scheduled_task_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scheduled_task_name\"}}},{\"name\":\"service_account_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_account_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_account_name\"}}},{\"name\":\"service_host_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_host_info\"}}},{\"name\":\"service_host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_host_name\"}}},{\"name\":\"service_image_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":false,\"readFromDocValues\":false},{\"name\":\"service_image_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_image_path\"}}},{\"name\":\"service_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_name\"}}},{\"name\":\"service_privilege_list\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_privilege_list.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_privilege_list\"}}},{\"name\":\"service_start_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_start_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_start_type\"}}},{\"name\":\"service_ticket_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_ticket_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_ticket_id\"}}},{\"name\":\
"service_ticket_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_ticket_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_ticket_name\"}}},{\"name\":\"service_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"service_type\"}}},{\"name\":\"share_access_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_access_mask.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"share_access_mask\"}}},{\"name\":\"share_local_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_local_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"share_local_path\"}}},{\"name\":\"share_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"share_name\"}}},{\"name\":\"share_relative_target_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_relative_target_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"share_relative_target_name\"}}},{\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"source.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source_name\"}}},{\"name\":\"src_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"src_nat_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"target_object_handle_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_object_handle_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_object_handle_id\"}}},{\"name\":\"target_process_handle_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_handle_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_process_handle_id\"}}},{\"name\":\"target_process_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_server_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_server_name.k
eyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_server_name\"}}},{\"name\":\"target_user_disabled_privilege_list\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_disabled_privilege_list.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_user_disabled_privilege_list\"}}},{\"name\":\"target_user_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_user_domain\"}}},{\"name\":\"target_user_enabled_privilege_list\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_enabled_privilege_list.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_user_enabled_privilege_list\"}}},{\"name\":\"target_user_logon_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_logon_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"pare
nt\":\"target_user_logon_guid\"}}},{\"name\":\"target_user_logon_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_user_name\"}}},{\"name\":\"target_user_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_sid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_user_sid\"}}},{\"name\":\"task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"task\"}}},{\"name\":\"thread_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ticket_encryption_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ticket_encryption_type.keyw
ord\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ticket_encryption_type\"}}},{\"name\":\"ticket_encryption_type_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ticket_encryption_type_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ticket_encryption_type_value\"}}},{\"name\":\"ticket_options\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ticket_options.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ticket_options\"}}},{\"name\":\"ticket_options_type_value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ticket_options_type_value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ticket_options_type_value\"}}},{\"name\":\"ticket_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ticket_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ticket_status\"}}},{\"name\":\"transaction_guid\",\"type\":\"string\",
\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"transaction_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"transaction_guid\"}}},{\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"type\"}}},{\"name\":\"user_access_list\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_access_list.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_access_list\"}}},{\"name\":\"user_access_reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_access_reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_access_reason\"}}},{\"name\":\"user_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_dom
ain\"}}},{\"name\":\"user_group_membership\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_group_membership.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_group_membership\"}}},{\"name\":\"user_linked_logon_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_logon_guid\"}}},{\"name\":\"user_logon_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_name\"}}},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"m
ulti\":{\"parent\":\"user_reporter_domain\"}}},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_name\"}}},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_sid\"}}},{\"name\":\"user_session_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_sid\"}}},{\"name\":\"version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z_etl_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z_logstash_xml_success\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name
\":\"z_logstash_xml_success.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"z_logstash_xml_success\"}}},{\"name\":\"z_original_timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"@timestamp","title":"logs-endpoint-winevent-security-*"},"id":"logs-endpoint-winevent-security-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T09:18:27.480Z","version":"WzEyMCwxXQ=="} diff --git a/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_sysmon.ndjson b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_sysmon.ndjson new file mode 100644 index 00000000..4bf4adf3 --- /dev/null +++ b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_sysmon.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"fields":"[{\"name\":\"@event_date_creation\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@file_date_creation\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@file_previous_date_creation\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"OriginalFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"OriginalFileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"OriginalFileName\"}}},{\"name\":\"SubjectLogonId\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TargetLogonId\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValu
es\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"action\"}}},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.hostname\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"any_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"any_ip_geo.as_org\"}}},{\"name\":\"any_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"beat_hostname\"}}},{\"name\":\"beat_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"beat_version\"}}},{\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"
],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat
.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyw
ord\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dst_host_name\"}}},{\"name\":\"dst_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dst_port_name\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"etl_pipeline\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"etl_processed_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_original_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event_type\"}}},{\"name\":\"file_company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"file_company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_company\"}}},{\"name\":\"file_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_description\"}}},{\"name\":\"file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_name\"}}},{\"name\":\"file_product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_product\"}}},{\"name\":\"file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_version\"}}},{\"name\":\"fingerprint_network_community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_process_command_line_mm3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash_imphash\"}}},{\"name\":\"hash_md5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash_md5\"}}},{\"name\":\"hash_sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash_sha1\"}}},{\"name\":\"hash_sha256\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash_sha256\"}}},{\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"search
able\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host_name\"}}},{\"name\":\"keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"keywords\"}}},{\"name\":\"level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"level\"}}},{\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subTy
pe\":{\"multi\":{\"parent\":\"log_name\"}}},{\"name\":\"logon_process_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_process_name\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_dst_ip_geo.as_org\"}}},{\"name\":\"meta_dst_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_dst_nat_ip_geo.as_org\"}}},{\"name\":\"meta_dst_nat_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"sc
ripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_log_tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_log_tags.keyword\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"meta_log_tags\"}}},{\"name\":\"meta_process_command_line_has_net\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_non_ascii\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_length\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_src_ip_geo.as_org\"}}},{\"name\":\"meta_src_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"meta_src_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_src_nat_ip_geo.as_org\"}}},{\"name\":\"meta_src_nat_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"sc
ripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_target_user_name_is_machine\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_user_name_is_machine\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_user_reporter_name_is_machine\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"module_loaded\"}}},{\"name\":\"module_signed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_application_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_application_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst_nat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_log\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},
{\"name\":\"not_ip_src\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src_nat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_name\"}}},{\"name\":\"opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"opcode\"}}},{\"name\":\"pipe_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pipe_name\"}}},{\"name\":\"process_call_trace\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_call_trace.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_call_trace\"}}},{\"name\":\"process_command_
line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_command_line\"}}},{\"name\":\"process_current_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_current_directory\"}}},{\"name\":\"process_granted_access\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_guid\"}}},{\"name\":\"process_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":
{\"multi\":{\"parent\":\"process_integrity_level\"}}},{\"name\":\"process_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_name\"}}},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_command_line\"}}},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_guid\"}}},{\"name\":\"process_parent_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_name\"}}},{\"name\":\"process_parent_path\",\"type\":\"st
ring\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_path\"}}},{\"name\":\"process_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_path\"}}},{\"name\":\"provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"provider_guid\"}}},{\"name\":\"record_number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"registry_key_path\"}}},{\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"typ
e\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"signature\"}}},{\"name\":\"signature_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signature_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"signature_status\"}}},{\"name\":\"signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"signed\"}}},{\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\"
:\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source_name\"}}},{\"name\":\"src_host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"src_host_name\"}}},{\"name\":\"src_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true},{\"name\":\"src_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"src_port_name\"}}},{\"name\":\
"sysmon_version\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sysmon_version\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"target_process_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_process_guid\"}}},{\"name\":\"target_process_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_process_name\"}}},{\"name\":\"target_process_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fal
se},{\"name\":\"target_process_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"target_process_path\"}}},{\"name\":\"task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"task\"}}},{\"name\":\"thread_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"type\"}}},{\"name\":\"user_account\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_account.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_account\"}}},{\"name\":\"user_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\
",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_domain\"}}},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_logon_guid\"}}},{\"name\":\"user_logon_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_name\"}}},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_domain\"}}},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"par
ent\":\"user_reporter_name\"}}},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_sid\"}}},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_type\"}}},{\"name\":\"user_session_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.api.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.api\"}}},{\"name\":\"winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{
\"multi\":{\"parent\":\"winlog.channel\"}}},{\"name\":\"winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.computer_name\"}}},{\"name\":\"winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.host_name\"}}},{\"name\":\"winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.opcode\"}}},{\"name\":\"winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"re
adFromDocValues\":false},{\"name\":\"winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_guid\"}}},{\"name\":\"winlog.provider_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_name\"}}},{\"name\":\"winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.task\"}}},{\"name\":\"winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z_etl_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z_original_timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"@timestamp","title":"logs-endpoint-winevent-sysmon-*"},"id":"logs-endpoint-winevent-sysmon-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"in
dex-pattern","updated_at":"2020-04-21T08:46:27.819Z","version":"WzE2LDFd"}
diff --git a/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_system.ndjson b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_system.ndjson
new file mode 100644
index 00000000..3c6fc542
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_system.ndjson
@@ -0,0 +1 @@
+{"attributes":{"timeFieldName":"@timestamp","title":"logs-endpoint-winevent-system-*"},"id":"logs-endpoint-winevent-system-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:28.949Z","version":"WzE3LDFd"}
diff --git a/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_wmiactivity.ndjson b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_wmiactivity.ndjson
new file mode 100644
index 00000000..9ddaa70d
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/logs_endpoint_winevent_wmiactivity.ndjson
@@ -0,0 +1 @@ +{"attributes":{"fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"SubjectLogonId\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TargetLogonId\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"User\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"User.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"User\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"activity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"activity_id\"}}},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.hostname\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"any_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"any_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"any_ip_geo.as_org\"}}},{\"name\":\"any_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"beat_hostname\"}}},{\"name\":\"beat_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"beat_version\"}}},{\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"k
eyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true
},{\"name\":\"destination.nat.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.nat.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_nat_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"dst_nat_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"etl_pipeline\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"etl_processed_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_original_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file_name\"}}},{\"name\":\"fingerprint_network_community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint_process_command_line_mm3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host_name\"}}},{\"name\":\"keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"keywords\"}}},{\"name\":\"level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"l
evel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"level\"}}},{\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log_name\"}}},{\"name\":\"logon_process_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"logon_process_name\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.a
s_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_dst_ip_geo.as_org\"}}},{\"name\":\"meta_dst_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"
keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_dst_nat_ip_geo.as_org\"}}},{\"name\":\"meta_dst_nat_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_nat_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true},{\"name\":\"meta_dst_nat_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_log_tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_log_tags.keyword\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"meta_log_tags\"}}},{\"name\":\"meta_process_command_line_has_net\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_has_non_ascii\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_process_command_line_length\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_src_ip_geo.as_org\"}}},{\"name\":\"meta_src_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true},{\"name\":\"meta_src_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\
"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.area_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.as_org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.as_org.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"meta_src_nat_ip_geo.as_org\"}}},{\"name\":\"meta_src_nat_ip_geo.asn\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.dma_code\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_src_nat_ip_geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_src_nat_ip_geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_target_user_name_is_machine\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"meta_user_name_is_machine\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_user_reporter_name_is_machine\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_application_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_application_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_dst_nat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"not_ip_log\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"not_ip_src_nat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"object_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"object_name\"}}},{\"name\":\"opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"opcode\"}}},{\"name\":\"process_command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_command_line\"}}},{\"name\":\"process_current_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyw
ord\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_current_directory\"}}},{\"name\":\"process_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_command_line\"}}},{\"name\":\"process_parent_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_parent_path\"}}},{\"name\":\"process_path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process_path\"}}},{\"name\":\"provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"provider_guid\"}}},{\"name\":\"record_number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":fals
e,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.as.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.continent_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_code2\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_code3\",\"type\":\"string\",\"esTypes\":[\"keyword\"
],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.latitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.longitude\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.nat.geo.postal_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"esTypes\":[\"ke
yword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source_name\"}}},{\"name\":\"src_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_addr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_public\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_rfc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_ip_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_is_ipv6\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_nat_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"task\"}}},{\"name\":\"thread_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"type\"}}},{\"name\":\"user_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true
,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_domain\"}}},{\"name\":\"user_logon_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_name\"}}},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_domain\"}}},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_name\"}}},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_sid\"}}},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_reporter_type\"}}},{\"name\":\"user_session_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.activity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.activity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.activity_id\"}}},{\"name\":\"winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.api.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.api\"}}},{\"name\":\"winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.channel\"}}},{\"name\":\
"winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.computer_name\"}}},{\"name\":\"winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.opcode\"}}},{\"name\":\"winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_guid\"}}},{\"name\":\"winlog.provider_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog
.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_name\"}}},{\"name\":\"winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.task\"}}},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_client_machine\"}}},{\"name\":\"wmi_component\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_component\"}}},{\"name\":\"wmi_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"su
bType\":{\"multi\":{\"parent\":\"wmi_id\"}}},{\"name\":\"wmi_operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_operation\"}}},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_possible_cause\"}}},{\"name\":\"wmi_result_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_result_code\"}}},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wmi_xml_operation\"}}},{\"name\":\"z_etl_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z_original_timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\
":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"@timestamp","title":"logs-endpoint-winevent-wmiactivity-*"},"id":"logs-endpoint-winevent-wmiactivity-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:29.886Z","version":"WzE4LDFd"}
diff --git a/docker/helk-kibana/objects/index-pattern/logs_network.ndjson b/docker/helk-kibana/objects/index-pattern/logs_network.ndjson
new file mode 100644
index 00000000..75fe3482
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/logs_network.ndjson
@@ -0,0 +1 @@
+{"attributes":{"timeFieldName":"@timestamp","title":"logs-network-*"},"id":"logs-network-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:30.931Z","version":"WzE5LDFd"}
diff --git a/docker/helk-kibana/objects/index-pattern/logs_network_zeek.ndjson b/docker/helk-kibana/objects/index-pattern/logs_network_zeek.ndjson
new file mode 100644
index 00000000..ae77a0c0
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/logs_network_zeek.ndjson
@@ -0,0 +1 @@
+{"attributes":{"timeFieldName":"@timestamp","title":"logs-network-zeek-*"},"id":"logs-network-zeek-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:31.984Z","version":"WzIwLDFd"}
diff --git a/docker/helk-kibana/objects/index-pattern/mitre_attack.ndjson b/docker/helk-kibana/objects/index-pattern/mitre_attack.ndjson
new file mode 100644
index 00000000..b05f84de
--- /dev/null
+++ b/docker/helk-kibana/objects/index-pattern/mitre_attack.ndjson
@@ -0,0 +1 @@ +{"attributes":{"fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"Validation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Validation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"Validation\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"contributors\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"na
me\":\"contributors.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"contributors\"}}},{\"name\":\"data_sources\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_sources.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data_sources\"}}},{\"name\":\"detectable_by_common_defenses\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detectable_by_common_defenses.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"detectable_by_common_defenses\"}}},{\"name\":\"detectable_explanation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detectable_explanation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"detectable_explanation\"}}},{\"name\":\"difficulty_explanation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"difficulty_explanation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"difficulty_explanation\"}}},{\"name\":\"difficulty
_for_adversary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"difficulty_for_adversary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"difficulty_for_adversary\"}}},{\"name\":\"effective_permissions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"effective_permissions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"effective_permissions\"}}},{\"name\":\"etl_pipeline\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"etl_pipeline.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"etl_pipeline\"}}},{\"name\":\"etl_processed_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_original_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_original_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event_original_message\"}}},{\"name\":\"group\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":false,\"readFromDocValues\":false},{\"name\":\"group.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"group\"}}},{\"name\":\"group_aliases\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_aliases.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"group_aliases\"}}},{\"name\":\"group_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"group_description\"}}},{\"name\":\"group_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"group_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"group_id\"}}},{\"name\":\"host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host\"}}},{\"name\":\"matrix\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matrix.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"matrix\"}}},{\"name\":\"mitigation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mitigation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mitigation\"}}},{\"name\":\"mitigation_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mitigation_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mitigation_description\"}}},{\"name\":\"network_requirements\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_requirements.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network_requirements\"}}},{\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"path\"}}},{\"name\":\"permissions_required\",\"type\":\"string\",\"esTy
pes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"permissions_required.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"permissions_required\"}}},{\"name\":\"platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"platform\"}}},{\"name\":\"relationship_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relationship_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"relationship_description\"}}},{\"name\":\"remote_support\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"remote_support.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"remote_support\"}}},{\"name\":\"software\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\
"parent\":\"software\"}}},{\"name\":\"software_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software_description\"}}},{\"name\":\"software_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software_id\"}}},{\"name\":\"software_labels\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_labels.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software_labels\"}}},{\"name\":\"system_requirements\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"system_requirements.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"system_requirements\"}}},{\"name\":\"tactic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tactic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tactic\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"technique\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"technique.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"technique\"}}},{\"name\":\"technique_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"technique_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"technique_description\"}}},{\"name\":\"technique_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"technique_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"technique_id\"}}},{\"name\":\"url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"url.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"url\"}}},{\"name\":\"z_etl_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z_etl_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"z_etl_version\"}}},{\"name\":\"z_original_timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"@timestamp","title":"mitre-attack-*"},"id":"mitre-attack-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:32.999Z","version":"WzIxLDFd"} diff --git a/docker/helk-kibana/objects/index-pattern/original.ndjson b/docker/helk-kibana/objects/index-pattern/original.ndjson new file mode 100644 index 00000000..64e2e6bd --- /dev/null +++ b/docker/helk-kibana/objects/index-pattern/original.ndjson @@ -0,0 +1 @@ +{"attributes":{"timeFieldName":"@timestamp","title":"original-*"},"id":"original-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:34.055Z","version":"WzIyLDFd"} diff --git a/docker/helk-kibana/objects/index-pattern/sysmon_join.ndjson b/docker/helk-kibana/objects/index-pattern/sysmon_join.ndjson new file mode 100644 index 00000000..9ce50e86 --- /dev/null +++ b/docker/helk-kibana/objects/index-pattern/sysmon_join.ndjson @@ -0,0 +1 @@ +{"attributes":{"timeFieldName":"@timestamp","title":"sysmon-join-*"},"id":"sysmon-join-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-04-21T08:46:35.107Z","version":"WzIzLDFd"} 
diff --git a/docker/helk-kibana/objects/map/Sysmon_Network_Geomap.ndjson b/docker/helk-kibana/objects/map/Sysmon_Network_Geomap.ndjson
new file mode 100644
index 00000000..bd9e83c6
--- /dev/null
+++ b/docker/helk-kibana/objects/map/Sysmon_Network_Geomap.ndjson
@@ -0,0 +1 @@ +{"attributes":{"bounds":{"coordinates":[[[-180,70.28996],[-180,-58.04923],[180,-58.04923],[180,70.28996],[-180,70.28996]]],"type":"Polygon"},"description":"","layerListJSON":"[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"82c22688-21dd-4f61-ab5c-01d90292a6be\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"f2fa5daa-e587-41c1-a13e-501c0729c556\",\"geoField\":\"meta_dst_ip_geo.location\",\"filterByMapBounds\":true,\"type\":\"ES_SEARCH\",\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"useTopHits\":false,\"topHitsSize\":1,\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbol\":{\"options\":{\"symbolizeAs\":\"circle\",\"symbolId\":\"airfield\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"6659cd3c-0553-46d5-9923-bdce39a12f0c\",\"label\":\"Dst_IP_Locations\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]","mapStateJSON":"{\"zoom\":1.65,\"center\":{\"lon\":-12.96894,\"lat\":14.16405},\"timeFilters\":{\"from\":\"now-2y\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filte
rs\":[]}","title":"Sysmon_Network_Geomap","uiStateJSON":"{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}"},"id":"07a52530-7e48-11ea-809d-5972b5df304f","migrationVersion":{"map":"7.6.0"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"layer_1_source_index_pattern","type":"index-pattern"}],"type":"map","updated_at":"2020-04-21T08:48:02.394Z","version":"WzEwNywxXQ=="} diff --git a/docker/helk-kibana/objects/search/Global_Discover.ndjson b/docker/helk-kibana/objects/search/Global_Discover.ndjson new file mode 100644 index 00000000..60434228 --- /dev/null +++ b/docker/helk-kibana/objects/search/Global_Discover.ndjson @@ -0,0 +1 @@ +{"attributes":{"columns":["user_name","user_domain","process_name","host_name","log_name","process_guid","event_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Global_Discover","version":1},"id":"0e899740-1de3-11e8-8f1b-1b86647d4817","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:36.182Z","version":"WzI0LDFd"} diff --git a/docker/helk-kibana/objects/search/IOC_Discover.ndjson b/docker/helk-kibana/objects/search/IOC_Discover.ndjson new file mode 100644 index 00000000..8139b6d8 --- /dev/null +++ b/docker/helk-kibana/objects/search/IOC_Discover.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"columns":["user_name","user_domain","process_name","host_name","log_name","process_guid","event_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"IOC_Discover","version":1},"id":"a1397da0-799c-11ea-b256-972c6e4c701a","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T09:18:27.480Z","version":"WzEyOCwxXQ=="} diff --git a/docker/helk-kibana/objects/search/Sysmon_All_events.ndjson b/docker/helk-kibana/objects/search/Sysmon_All_events.ndjson new file mode 100644 index 00000000..8c0b8112 --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_All_events.ndjson @@ -0,0 +1 @@ +{"attributes":{"columns":["action","host_name","process_guid","process_parent_guid","user_account","process_path"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_All_events","version":1},"id":"bcafaac0-48f4-11e9-b62f-8f6921045c4c","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:38.296Z","version":"WzI2LDFd"} diff --git a/docker/helk-kibana/objects/search/Sysmon_Discover.ndjson b/docker/helk-kibana/objects/search/Sysmon_Discover.ndjson new file mode 100644 index 00000000..bb6d1af1 --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_Discover.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","user_name","user_domain","process_name","process_parent_name","process_guid"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_Discover","version":1},"id":"2754df30-1de5-11e8-8f1b-1b86647d4817","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:39.294Z","version":"WzI3LDFd"} diff --git a/docker/helk-kibana/objects/search/Sysmon_Downloads_EventId_15.ndjson b/docker/helk-kibana/objects/search/Sysmon_Downloads_EventId_15.ndjson new file mode 100644 index 00000000..13522e4a --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_Downloads_EventId_15.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","process_path","event_id","process_guid","file_name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"source_name: \\\"Microsoft-Windows-Sysmon\\\" AND event_id:15\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"source_name\",\"value\":\"Microsoft-Windows-Sysmon\",\"params\":{\"query\":\"Microsoft-Windows-Sysmon\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"source_name\":{\"query\":\"Microsoft-Windows-Sysmon\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_Downloads-EventId 15","version":1},"id":"1a68e8a0-4348-11e9-a4c5-1717ba697d0d","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"logs-endpoint-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:40.325Z","version":"WzI4LDFd"} diff --git a/docker/helk-kibana/objects/search/Sysmon_ExecutedCommands.ndjson b/docker/helk-kibana/objects/search/Sysmon_ExecutedCommands.ndjson new file mode 100644 index 00000000..dd7f818b --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_ExecutedCommands.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","event_id","user_account","process_guid","process_parent_command_line","process_command_line","file_description","file_product","file_company"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:1 AND (process_parent_name:\\\"CmD.exe\\\" OR process_parent_name:\\\"powershell.exe\\\" OR process_parent_name:\\\"wscript.exe\\\" OR process_parent_name:\\\"cscript.exe\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_ExecutedCommands","version":1},"id":"a3878f20-4829-11e9-a85d-d748de0cd831","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:41.415Z","version":"WzI5LDFd"} diff --git a/docker/helk-kibana/objects/search/Sysmon_File_Creation___EventId_11.ndjson b/docker/helk-kibana/objects/search/Sysmon_File_Creation___EventId_11.ndjson new file mode 100644 index 00000000..69e38b5d --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_File_Creation___EventId_11.ndjson 
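Review bot: The Lucene query in the `Sysmon_ExecutedCommands` saved search spells one parent process as `CmD.exe` while the other three (`powershell.exe`, `wscript.exe`, `cscript.exe`) are lowercase; if `process_parent_name` is mapped as a `keyword` field, the term is matched case-sensitively and ordinary `cmd.exe` events would be missed by this search. Writing it as `process_parent_name:"cmd.exe"` makes the four terms consistent and removes the ambiguity. Whether the ingest pipeline lowercases this field before indexing cannot be confirmed from this page, so verify against the `logs-endpoint-winevent-sysmon-*` mapping before relying on the search for detection.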
@@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","event_id","process_guid","process_path","file_name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:11\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_File Creation - EventId 11","version":1},"id":"1821dba0-4344-11e9-a4c5-1717ba697d0d","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:42.447Z","version":"WzMwLDFd"} diff --git a/docker/helk-kibana/objects/search/Sysmon_Invalid_Drivers.ndjson b/docker/helk-kibana/objects/search/Sysmon_Invalid_Drivers.ndjson new file mode 100644 index 00000000..4390e4e1 --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_Invalid_Drivers.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","driver_loaded","signed","signature_status","signature"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:6\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":true,\"type\":\"phrase\",\"key\":\"signature_status\",\"value\":\"Valid\",\"params\":{\"query\":\"Valid\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"signature_status\":{\"query\":\"Valid\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_Invalid Drivers","version":1},"id":"bc44bd30-4cd4-11e9-b05e-6fc957c1b917","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:43.526Z","version":"WzMxLDFd"} diff --git a/docker/helk-kibana/objects/search/Sysmon_Named_Pipes_EventId_17_18.ndjson b/docker/helk-kibana/objects/search/Sysmon_Named_Pipes_EventId_17_18.ndjson new file mode 100644 index 00000000..5ea8cc0f --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_Named_Pipes_EventId_17_18.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","process_guid","pipe_name","process_path","task"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:17 OR event_id:18\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_Named Pipes-EventId 17,18","version":1},"id":"cc5bb4b0-4826-11e9-a85d-d748de0cd831","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:44.520Z","version":"WzMyLDFd"} diff --git a/docker/helk-kibana/objects/search/Sysmon_Network_Discover.ndjson b/docker/helk-kibana/objects/search/Sysmon_Network_Discover.ndjson new file mode 100644 index 00000000..16385105 --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_Network_Discover.ndjson @@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","user_domain","user_name","process_path","process_name","dst_ip_addr"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:3\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_Network_Discover","version":1},"id":"754acc80-1de6-11e8-8f1b-1b86647d4817","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:45.566Z","version":"WzMzLDFd"} 
diff --git a/docker/helk-kibana/objects/search/Sysmon_Private_Network_Connections___EventId_3.ndjson b/docker/helk-kibana/objects/search/Sysmon_Private_Network_Connections___EventId_3.ndjson new file mode 100644 index 00000000..df89fcae --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_Private_Network_Connections___EventId_3.ndjson @@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","user_account","process_guid","process_path","src_ip_addr","src_port","dst_ip_addr","dst_port","meta_dst_ip_geo.city_name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:3 AND (dst_ip_addr:[10.0.0.0 TO 10.255.255.255] OR dst_ip_addr:[192.168.0.0 TO 192.168.255.255] OR dst_ip_addr:[172.16.0.0 TO 172.31.255.255])\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":true,\"type\":\"phrase\",\"key\":\"src_ip_addr\",\"value\":\"239.255.255.250\",\"params\":{\"query\":\"239.255.255.250\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"src_ip_addr\":{\"query\":\"239.255.255.250\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_Private Network Connections - EventId 3","version":1},"id":"159666e0-4ce9-11e9-b05e-6fc957c1b917","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"logs-endpoint-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:46.611Z","version":"WzM0LDFd"} 
diff --git a/docker/helk-kibana/objects/search/Sysmon_Process_Creation___EventId1.ndjson b/docker/helk-kibana/objects/search/Sysmon_Process_Creation___EventId1.ndjson new file mode 100644 index 00000000..5550b4f4 --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_Process_Creation___EventId1.ndjson @@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","user_account","process_parent_guid","process_guid","process_parent_command_line","process_command_line","file_description","file_product","file_company"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:1\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","asc"]],"title":"Sysmon_Process Creation - EventId1","version":1},"id":"689ef060-4342-11e9-a4c5-1717ba697d0d","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:47.671Z","version":"WzM1LDFd"} diff --git a/docker/helk-kibana/objects/search/Sysmon_Public_Network_Connections___EventId_3.ndjson b/docker/helk-kibana/objects/search/Sysmon_Public_Network_Connections___EventId_3.ndjson new file mode 100644 index 00000000..42034c11 --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_Public_Network_Connections___EventId_3.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","user_account","process_guid","process_path","src_ip_addr","src_port","dst_ip_addr","dst_port","meta_dst_ip_geo.city_name","ipv6_src_addr","ipv6_dst_addr"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:3 AND (NOT dst_ip_addr: \\\"127.0.0.1\\\" AND NOT dst_ip_addr:[10.0.0.0 TO 10.255.255.255] AND NOT dst_ip_addr:[192.168.0.0 TO 192.168.255.255] AND NOT dst_ip_addr:[172.16.0.0 TO 172.31.255.255])\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_Public Network Connections - EventId 3","version":1},"id":"5a792770-4343-11e9-a4c5-1717ba697d0d","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:48.705Z","version":"WzM2LDFd"} diff --git a/docker/helk-kibana/objects/search/Sysmon_Registry_Events.ndjson b/docker/helk-kibana/objects/search/Sysmon_Registry_Events.ndjson new file mode 100644 index 00000000..0403e161 --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_Registry_Events.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","process_path","event_id","process_guid","event_type","registry_key_path","registry_key_value"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event_id:12 OR event_id:13 OR event_id:14\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_Registry Events","version":1},"id":"db661470-4347-11e9-a4c5-1717ba697d0d","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:49.761Z","version":"WzM3LDFd"} diff --git a/docker/helk-kibana/objects/search/Sysmon_WMI_Subscription_Events.ndjson b/docker/helk-kibana/objects/search/Sysmon_WMI_Subscription_Events.ndjson new file mode 100644 index 00000000..a43798bf --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_WMI_Subscription_Events.ndjson @@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","event_id","process_path","pipe_name","process_guid"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"source_name: \\\"Microsoft-Windows-Sysmon\\\" AND (event_id:19 OR event_id:20 OR event_id:21)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_WMI Subscription Events","version":1},"id":"4bb63750-4348-11e9-a4c5-1717ba697d0d","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:50.849Z","version":"WzM4LDFd"} 
diff --git a/docker/helk-kibana/objects/search/Sysmon_all_Network_Connections___EventId_3.ndjson b/docker/helk-kibana/objects/search/Sysmon_all_Network_Connections___EventId_3.ndjson new file mode 100644 index 00000000..018fc647 --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_all_Network_Connections___EventId_3.ndjson @@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","user_account","process_guid","process_path","src_ip_addr","src_port","dst_ip_addr","dst_port","meta_dst_ip_geo.city_name","ipv6_src_addr","ipv6_dst_addr"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_id:3\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_all Network Connections - EventId 3","version":1},"id":"aad50710-4d9e-11e9-9ebb-eb9011b9c659","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:51.857Z","version":"WzM5LDFd"} diff --git a/docker/helk-kibana/objects/search/Sysmon_elastalert_alerts.ndjson b/docker/helk-kibana/objects/search/Sysmon_elastalert_alerts.ndjson new file mode 100644 index 00000000..d32c666c --- /dev/null +++ b/docker/helk-kibana/objects/search/Sysmon_elastalert_alerts.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"columns":["rule_name","match_body.host_name","match_body.num_hits","match_body.process_guid","match_body.user_account"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon_elastalert-alerts","version":1},"id":"c91f0df0-48ef-11e9-b62f-8f6921045c4c","migrationVersion":{"search":"7.4.0"},"references":[{"id":"elastalert_status","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:52.953Z","version":"WzQwLDFd"} diff --git a/docker/helk-kibana/objects/search/mitre_attack_discover.ndjson b/docker/helk-kibana/objects/search/mitre_attack_discover.ndjson new file mode 100644 index 00000000..e8a92143 --- /dev/null +++ b/docker/helk-kibana/objects/search/mitre_attack_discover.ndjson @@ -0,0 +1 @@ +{"attributes":{"columns":["matrix","tactic","technique","technique_id","mitigation","group","group_id","software","software_id","relationship_description","data_sources","platform"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["_score","desc"]],"title":"mitre_attack_discover","version":1},"id":"89d14480-6f9a-11e8-8945-7d43ba9ddc77","migrationVersion":{"search":"7.4.0"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:53.959Z","version":"WzQxLDFd"} diff --git a/docker/helk-kibana/objects/search/windows_login_events.ndjson b/docker/helk-kibana/objects/search/windows_login_events.ndjson new file mode 100644 index 00000000..b5c5bb5a 
--- /dev/null +++ b/docker/helk-kibana/objects/search/windows_login_events.ndjson @@ -0,0 +1 @@ +{"attributes":{"columns":["host_name","event_id","keywords","user_name","logon_type","user_reporter_domain"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"source_name: \\\"Microsoft-Windows-Security-Auditing\\\" AND (event_id:[4624 TO 4625] OR event_id:4634)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"windows_login_events","version":1},"id":"ffb5aa00-4349-11e9-a4c5-1717ba697d0d","migrationVersion":{"search":"7.4.0"},"references":[{"id":"logs-endpoint-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-04-21T08:46:54.997Z","version":"WzQyLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Global_Count.ndjson b/docker/helk-kibana/objects/visualization/Global_Count.ndjson new file mode 100644 index 00000000..6aaeddbc --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Global_Count.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Global_Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Global_Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"97478120-1dd7-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:46:56.061Z","version":"WzQzLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Global_EventIDs.ndjson b/docker/helk-kibana/objects/visualization/Global_EventIDs.ndjson new file mode 100644 index 00000000..38c7bcab --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Global_EventIDs.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Global_EventIDs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Global_EventIDs\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_id\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"a5fe7110-1dd7-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:46:57.030Z","version":"WzQ0LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Global_Hashes_Sha256.ndjson b/docker/helk-kibana/objects/visualization/Global_Hashes_Sha256.ndjson new file mode 100644 index 00000000..48dc4521 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Global_Hashes_Sha256.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Global_Hashes_Sha256","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Global_Hashes_Sha256\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}}]}"},"id":"cb8b5280-1de2-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:46:58.202Z","version":"WzQ1LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Global_Host_Name.ndjson b/docker/helk-kibana/objects/visualization/Global_Host_Name.ndjson new file mode 100644 index 00000000..4ac14804 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Global_Host_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Global_Host_Name","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Global_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"32f92e60-1dd9-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:46:59.227Z","version":"WzQ2LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Global_Logon_Type.ndjson b/docker/helk-kibana/objects/visualization/Global_Logon_Type.ndjson new file mode 100644 index 00000000..6f188a84 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Global_Logon_Type.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Global_Logon_Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Global_Logon_Type\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"logon_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"logon_type\"}}]}"},"id":"4dda3ea0-83b1-11ea-9c6c-fbcf2d331f22","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T12:52:44.525Z","version":"WzE0NCwxXQ=="} diff --git a/docker/helk-kibana/objects/visualization/Global_Process_Name.ndjson b/docker/helk-kibana/objects/visualization/Global_Process_Name.ndjson new file mode 100644 index 00000000..171c7893 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Global_Process_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Global_Process_Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Global_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}"},"id":"bf617710-1dd7-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:00.296Z","version":"WzQ3LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Global_Process_Parent_Name.ndjson b/docker/helk-kibana/objects/visualization/Global_Process_Parent_Name.ndjson new file mode 100644 index 00000000..4b145050 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Global_Process_Parent_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Global_Process_Parent_Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Global_Process_Parent_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_name\"}}]}"},"id":"24cc4b70-1dd8-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:01.311Z","version":"WzQ4LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Global_Service_Name.ndjson b/docker/helk-kibana/objects/visualization/Global_Service_Name.ndjson new file mode 100644 index 00000000..4230a286 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Global_Service_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Global_Service_Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Global_Service_Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"49e84990-7e43-11ea-809d-5972b5df304f","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-security-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:02.324Z","version":"WzQ5LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Global_User_Name.ndjson b/docker/helk-kibana/objects/visualization/Global_User_Name.ndjson new file mode 100644 index 00000000..39d74985 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Global_User_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Global_User_Name","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Global_User_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"45159070-1dd9-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:03.341Z","version":"WzUwLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Global_dst_ip.ndjson b/docker/helk-kibana/objects/visualization/Global_dst_ip.ndjson new file mode 100644 index 00000000..1018634a --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Global_dst_ip.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Global_dst_ip","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Global_dst_ip\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dst_ip_addr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"dst_ip_addr\"}}]}"},"id":"9b6fe330-1dd9-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:04.426Z","version":"WzUxLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Global_process_command_line.ndjson b/docker/helk-kibana/objects/visualization/Global_process_command_line.ndjson new file mode 100644 index 00000000..ad152b68 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Global_process_command_line.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Global_process_command_line","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Global_process_command_line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_command_line.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_command_line\"}}]}"},"id":"e351c080-1dd7-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:05.418Z","version":"WzUyLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Count.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Count.ndjson new file mode 100644 index 00000000..92d02bc0 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Count.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"40aab0b0-1de3-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:06.458Z","version":"WzUzLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Elastalert_count.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Elastalert_count.ndjson new file mode 100644 index 00000000..94292b13 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Elastalert_count.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon_Elastalert-count","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Elastalert-count\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule_name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"47b5abb0-48f0-11e9-b62f-8f6921045c4c","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"c91f0df0-48ef-11e9-b62f-8f6921045c4c","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-04-21T08:47:07.503Z","version":"WzU0LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_EventIDs.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_EventIDs.ndjson new file mode 100644 index 00000000..3d1fce4a --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_EventIDs.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_EventIDs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_EventIDs\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_id\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"55e73e80-1de3-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:08.579Z","version":"WzU1LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Eventcount_per_host.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Eventcount_per_host.ndjson new file mode 100644 index 00000000..ea58a1e2 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Eventcount_per_host.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon_Eventcount-per-host","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Eventcount-per-host\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"3c414620-48fc-11e9-b62f-8f6921045c4c","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"bcafaac0-48f4-11e9-b62f-8f6921045c4c","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-04-21T08:47:09.605Z","version":"WzU2LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_File_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_File_Name.ndjson new file mode 100644 index 00000000..ccdebe93 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_File_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_File_Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_File_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"file_name\"}}]}"},"id":"1f8837d0-1de4-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:10.601Z","version":"WzU3LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Host_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Host_Name.ndjson new file mode 100644 index 00000000..cc02e779 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Host_Name.ndjson 
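Review bot: The table `params` in Sysmon_File_Name carry `showMeticsAtAllLevels` (missing the "r"), whereas Sysmon_Elastalert-count and Sysmon_Eventcount-per-host spell it `showMetricsAtAllLevels`; the misspelled key is simply an unknown param to Kibana, so the intended setting is never applied and the exports are inconsistent with each other. The same typo appears in Sysmon_Network_Country_Name, Sysmon_Network_Port_Dst_Number, Sysmon_Network_Process_Name, Sysmon_Network_User_Name, Sysmon_Pipe_Name, Sysmon_Process_Command_Line, Sysmon_Process_Granted_Access, Sysmon_Process_Name, Sysmon_Process_Parent_Command_Line, Sysmon_Process_Parent_Name, Sysmon_Registry_Key_Path and Sysmon_Unique_Process_Name. Replace it with `\"showMetricsAtAllLevels\":false` in each visState so all table visualizations declare the same parameter set; the value is false in every case, so nothing changes visually, but a future edit to that setting would otherwise silently be ignored.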
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_Host_Name","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"68484ab0-1de3-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:11.694Z","version":"WzU4LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Network_City_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Network_City_Name.ndjson new file mode 100644 index 00000000..bf6803c3 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Network_City_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon_Network_City_Name","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_Network_City_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"meta_dst_ip_geo.city_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"5895e6f0-1de7-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"754acc80-1de6-11e8-8f1b-1b86647d4817","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-04-21T08:47:12.752Z","version":"WzU5LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Network_Count.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Network_Count.ndjson new file mode 100644 index 00000000..c2d0fd84 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Network_Count.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon_Network_Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_Network_Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"88ba6280-1de6-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"754acc80-1de6-11e8-8f1b-1b86647d4817","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-04-21T08:47:13.754Z","version":"WzYwLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Network_Country_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Network_Country_Name.ndjson new file mode 100644 index 00000000..55de05f7 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Network_Country_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon_Network_Country_Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Network_Country_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"meta_dst_ip_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"meta_dst_ip_geo.country_name\"}}]}"},"id":"fea5c340-1de6-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"754acc80-1de6-11e8-8f1b-1b86647d4817","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-04-21T08:47:14.829Z","version":"WzYxLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Network_Host_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Network_Host_Name.ndjson new file mode 100644 index 00000000..1d687c6c --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Network_Host_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon_Network_Host_Name","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_Network_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"9d5cac20-1de6-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"754acc80-1de6-11e8-8f1b-1b86647d4817","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-04-21T08:47:15.874Z","version":"WzYyLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Network_Port_Dst_Number.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Network_Port_Dst_Number.ndjson new file mode 100644 index 00000000..6b25516d --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Network_Port_Dst_Number.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon_Network_Port_Dst_Number","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Network_Port_Dst_Number\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dst_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"dst_port\"}}]}"},"id":"8d4f5e80-1de7-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"754acc80-1de6-11e8-8f1b-1b86647d4817","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-04-21T08:47:16.954Z","version":"WzYzLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Network_Process_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Network_Process_Name.ndjson new file mode 100644 index 00000000..6655dfcf --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Network_Process_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon_Network_Process_Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Network_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}"},"id":"e71b9bf0-1de6-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"754acc80-1de6-11e8-8f1b-1b86647d4817","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-04-21T08:47:18.010Z","version":"WzY0LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Network_User_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Network_User_Name.ndjson new file mode 100644 index 00000000..98a1d3fe --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Network_User_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon_Network_User_Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Network_User_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"user_name\"}}]}"},"id":"bd839c10-1de7-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"754acc80-1de6-11e8-8f1b-1b86647d4817","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-04-21T08:47:19.092Z","version":"WzY1LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Network_dst_ip.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Network_dst_ip.ndjson new file mode 100644 index 00000000..0a11b43f --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Network_dst_ip.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon_Network_dst_ip","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_Network_dst_ip\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dst_ip_addr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}]}"},"id":"70cca1f0-1de7-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"754acc80-1de6-11e8-8f1b-1b86647d4817","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-04-21T08:47:20.076Z","version":"WzY2LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Pipe_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Pipe_Name.ndjson new file mode 100644 index 00000000..4dcbdd04 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Pipe_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_Pipe_Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Pipe_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"pipe_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"pipe_name\"}}]}"},"id":"2ff90cc0-1de4-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:21.123Z","version":"WzY3LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Process_Command_Line.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Process_Command_Line.ndjson new file mode 100644 index 00000000..0ea96a44 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Process_Command_Line.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_Process_Command_Line","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Process_Command_Line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_command_line.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_command_line\"}}]}"},"id":"b2b6b460-1de3-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:22.184Z","version":"WzY4LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Process_Granted_Access.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Process_Granted_Access.ndjson new file mode 100644 index 00000000..0e35dc88 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Process_Granted_Access.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_Process_Granted_Access","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Process_Granted_Access\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_granted_access.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_granted_access\"}}]}"},"id":"601666f0-1de4-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:23.138Z","version":"WzY5LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Process_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Process_Name.ndjson new file mode 100644 index 00000000..4cb35cf2 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Process_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_Process_Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}"},"id":"cb0bfe70-1de4-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:24.172Z","version":"WzcwLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Process_Parent_Command_Line.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Process_Parent_Command_Line.ndjson new file mode 100644 index 00000000..35be6e92 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Process_Parent_Command_Line.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_Process_Parent_Command_Line","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Process_Parent_Command_Line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_command_line.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_command_line\"}}]}"},"id":"d36e8f20-1de3-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:25.220Z","version":"WzcxLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Process_Parent_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Process_Parent_Name.ndjson new file mode 100644 index 00000000..4166a105 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Process_Parent_Name.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_Process_Parent_Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Process_Parent_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_name\"}}]}"},"id":"f000dc10-1de3-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:26.272Z","version":"WzcyLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Registry_Key_Path.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Registry_Key_Path.ndjson new file mode 100644 index 00000000..99924c51 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Registry_Key_Path.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_Registry_Key_Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Registry_Key_Path\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"registry_key_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"registry_key_path\"}}]}"},"id":"4a347160-1de4-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:27.277Z","version":"WzczLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Timelion_NetworkEvents_byUser.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Timelion_NetworkEvents_byUser.ndjson new file mode 100644 index 00000000..71d3c015 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Timelion_NetworkEvents_byUser.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"title":"Sysmon_Timelion_NetworkEvents_byUser","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_Timelion_NetworkEvents_byUser\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(q=event_id:3, index=logs-endpoint-winevent-sysmon*, split=user_account.keyword:40).label(\\\"$1\\\", \\\"^.* > user_account.keyword:(\\\\S+) > .*\\\").title(\\\"Network Events by User\\\")\",\"interval\":\"15m\"},\"aggs\":[]}"},"id":"c0d3f7c0-483e-11e9-8770-35c0f1a2cce0","migrationVersion":{"visualization":"7.4.2"},"references":[],"type":"visualization","updated_at":"2020-04-21T08:47:28.346Z","version":"Wzc0LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Timelion_ProcessEvents_byProcessGuid.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Timelion_ProcessEvents_byProcessGuid.ndjson new file mode 100644 index 00000000..e62e8856 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Timelion_ProcessEvents_byProcessGuid.ndjson @@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"title":"Sysmon_Timelion_ProcessEvents_byProcessGuid","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_Timelion_ProcessEvents_byProcessGuid\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(q=*, index=logs-endpoint-winevent-sysmon*, split=process_guid.keyword:500 ).label(\\\"$1\\\", \\\"^.* > process_guid.keyword:(\\\\S+) > .*\\\").title(\\\"Events by ProcessGuid\\\")\",\"interval\":\"15m\"},\"aggs\":[]}"},"id":"4d391470-48f3-11e9-b62f-8f6921045c4c","migrationVersion":{"visualization":"7.4.2"},"references":[],"type":"visualization","updated_at":"2020-04-21T08:47:29.414Z","version":"Wzc1LDFd"} 
diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Timelion_ProcessEvents_byUser.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Timelion_ProcessEvents_byUser.ndjson new file mode 100644 index 00000000..0abe729c --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Timelion_ProcessEvents_byUser.ndjson @@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"title":"Sysmon_Timelion_ProcessEvents_byUser","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_Timelion_ProcessEvents_byUser\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(q=event_id:1, index=logs-endpoint-winevent-sysmon*, split=user_account.keyword:40).label(\\\"$1\\\", \\\"^.* > user_account.keyword:(\\\\S+) > .*\\\").title(\\\"Process Execution by User\\\")\",\"interval\":\"15m\"},\"aggs\":[]}"},"id":"cdd1ed10-483e-11e9-8770-35c0f1a2cce0","migrationVersion":{"visualization":"7.4.2"},"references":[],"type":"visualization","updated_at":"2020-04-21T08:47:30.439Z","version":"Wzc2LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Timelion_bySystem.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Timelion_bySystem.ndjson new file mode 100644 index 00000000..fb283b74 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Timelion_bySystem.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"title":"Sysmon_Timelion_bySystem","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_Timelion_bySystem\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(q=*, index=logs-endpoint-winevent-sysmon*, split=host_name.keyword:40).label(\\\"$1\\\", \\\"^.* > beat_hostname.keyword:(\\\\S+) > .*\\\").title(\\\"Events per system timeline\\\")\",\"interval\":\"1h\"},\"aggs\":[]}"},"id":"ccec7dc0-48fc-11e9-b62f-8f6921045c4c","migrationVersion":{"visualization":"7.4.2"},"references":[],"type":"visualization","updated_at":"2020-04-21T08:47:31.465Z","version":"Wzc3LDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Unique_Process_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Unique_Process_Name.ndjson new file mode 100644 index 00000000..4eeeb142 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Unique_Process_Name.ndjson 
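Review bot: The label regex in Sysmon_Timelion_bySystem does not match the field the expression splits on: the series are produced by `split=host_name.keyword:40`, but `.label(\"$1\", \"^.* > beat_hostname.keyword:(\\S+) > .*\")` looks for `beat_hostname.keyword`, so the capture never matches and every series keeps its raw `host_name.keyword:...` split label in the legend. Change the regex to `^.* > host_name.keyword:(\\S+) > .*`, which is how the sibling Timelion visualizations in this commit pair the split field with the label regex. If `beat_hostname` was the intended field, the split should use it as well so the two agree.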
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"event_id:1\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_Unique_Process_Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Unique_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"process_name.keyword\",\"customLabel\":\"uniq process_name\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host_name.keyword\",\"customLabel\":\"uniq host_name\"}}]}"},"id":"fc7c21f0-1de5-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:32.486Z","version":"Wzc4LDFd"} 
diff --git a/docker/helk-kibana/objects/visualization/Sysmon_Unique_module_loaded.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_Unique_module_loaded.ndjson new file mode 100644 index 00000000..b82babee --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_Unique_module_loaded.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"event_id:7\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_Unique_module_loaded","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_Unique_module_loaded\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"module_loaded.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"module_loaded\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"module_loaded.keyword\",\"customLabel\":\"uniq module_loaded\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host_name.keyword\",\"customLabel\":\"uniq host_name\"}}]}"},"id":"c23c05f0-1de5-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:33.511Z","version":"Wzc5LDFd"} 
diff --git a/docker/helk-kibana/objects/visualization/Sysmon_User_Name.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_User_Name.ndjson new file mode 100644 index 00000000..c564f7d9 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_User_Name.ndjson @@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_User_Name","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon_User_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"7c191380-1de3-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:34.534Z","version":"WzgwLDFd"} diff --git a/docker/helk-kibana/objects/visualization/Sysmon_module_loaded.ndjson b/docker/helk-kibana/objects/visualization/Sysmon_module_loaded.ndjson new file mode 100644 index 00000000..9b42fe9a --- /dev/null +++ b/docker/helk-kibana/objects/visualization/Sysmon_module_loaded.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sysmon_module_loaded","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon_module_loaded\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"module_loaded.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"module_loaded\"}}]}"},"id":"0c438260-1de4-11e8-8f1b-1b86647d4817","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"logs-endpoint-winevent-sysmon-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:35.578Z","version":"WzgxLDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_data_sources_techniques.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_data_sources_techniques.ndjson new file mode 100644 index 00000000..62ce3bb3 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_data_sources_techniques.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_data_sources_techniques","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"mitre_attack_data_sources_techniques\",\"type\":\"table\",\"params\":{\"perPage\":25,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data_sources.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"data_sources\"}}]}"},"id":"a7e62f40-6f99-11e8-8945-7d43ba9ddc77","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:36.559Z","version":"WzgyLDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_group_relationship.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_group_relationship.ndjson new file mode 100644 index 00000000..e065f606 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_group_relationship.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_group_relationship","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"mitre_attack_group_relationship\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"relationship_description.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"relationship\"}}]}"},"id":"0067e580-7000-11e8-8d23-170b1a3fd248","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:37.673Z","version":"WzgzLDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_group_select.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_group_select.ndjson new file mode 100644 index 00000000..d391bcd2 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_group_select.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"mitre_attack_group_select","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"mitre_attack_group_select\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1528993307982\",\"fieldName\":\"group.keyword\",\"parent\":\"\",\"label\":\"Select Group\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"size\":200,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1529001453476\",\"fieldName\":\"technique.keyword\",\"parent\":\"1528993307982\",\"label\":\"techniques\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"size\":100,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1528994941328\",\"fieldName\":\"matrix.keyword\",\"parent\":\"\",\"label\":\"Select Matrix\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"size\":10,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}"},"id":"511297c0-6fef-11e8-8d23-170b1a3fd248","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"control_0_index_pattern","type":"index-pattern"},{"id":"mitre-attack-*","name":"control_1_index_pattern","type":"index-pattern"},{"id":"mitre-attack-*","name":"control_2_index_pattern","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:38.667Z","version":"Wzg0LDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_groups_matrices.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_groups_matrices.ndjson new file mode 100644 index 00000000..b72613a8 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_groups_matrices.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_groups_matrices","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"mitre_attack_groups_matrices\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"matrix.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"matrix\"}}]}"},"id":"951b0410-6ff0-11e8-8d23-170b1a3fd248","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:39.682Z","version":"Wzg1LDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_groups_software_cloud.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_groups_software_cloud.ndjson new file mode 100644 index 00000000..eea7d0ed --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_groups_software_cloud.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_groups_software_cloud","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"mitre_attack_groups_software_cloud\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":10,\"maxFontSize\":40,\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"software.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"software\"}}]}"},"id":"0166a090-6fef-11e8-8d23-170b1a3fd248","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:40.705Z","version":"Wzg2LDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_groups_tactics.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_groups_tactics.ndjson new file mode 100644 index 00000000..a5ece5b4 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_groups_tactics.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_groups_tactics","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"mitre_attack_groups_tactics\",\"type\":\"table\",\"params\":{\"perPage\":25,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tactic.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"tactic\"}}]}"},"id":"d04821b0-6ffc-11e8-8d23-170b1a3fd248","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:41.692Z","version":"Wzg3LDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_groups_techniques.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_groups_techniques.ndjson new file mode 100644 index 00000000..f7a1fce0 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_groups_techniques.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_groups_techniques","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"mitre_attack_groups_techniques\",\"type\":\"table\",\"params\":{\"perPage\":35,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"group.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"groups\"}}]}"},"id":"2653efa0-6f97-11e8-8945-7d43ba9ddc77","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:42.767Z","version":"Wzg4LDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_groups_techniques_bar.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_groups_techniques_bar.ndjson new file mode 100644 index 00000000..03d09ea4 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_groups_techniques_bar.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_groups_techniques_bar","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"mitre_attack_groups_techniques_bar\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"groups\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"groups\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"technique.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"techniques\"}}]}"},"id":"db3dafc0-6fef-11e8-8d23-170b1a3fd248","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.sea
rchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:43.791Z","version":"Wzg5LDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_mitigation_technique.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_mitigation_technique.ndjson new file mode 100644 index 00000000..1a7fb2f9 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_mitigation_technique.ndjson @@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_mitigation_technique","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"mitre_attack_mitigation_technique\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mitigation.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"mitigation\"}}]}"},"id":"4b1fd360-6f94-11e8-8945-7d43ba9ddc77","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:44.805Z","version":"WzkwLDFd"} 
diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_permissions_required.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_permissions_required.ndjson new file mode 100644 index 00000000..b6d6be0e --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_permissions_required.ndjson @@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_permissions_required","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"mitre_attack_permissions_required\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"permissions_required.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"permissions_required\"}}]}"},"id":"5dcdeaf0-6f90-11e8-8945-7d43ba9ddc77","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:45.833Z","version":"WzkxLDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_select.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_select.ndjson new file mode 100644 index 00000000..dfd2ab65 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_select.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"mitre_attack_select","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"mitre_attack_select\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1528950139638\",\"fieldName\":\"matrix.keyword\",\"parent\":\"\",\"label\":\"Select Matrix\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1528951743018\",\"fieldName\":\"platform.keyword\",\"parent\":\"\",\"label\":\"Select Platform\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}"},"id":"c10c2a10-6f8a-11e8-8945-7d43ba9ddc77","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"control_0_index_pattern","type":"index-pattern"},{"id":"mitre-attack-*","name":"control_1_index_pattern","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:46.870Z","version":"WzkyLDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_software_groups.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_software_groups.ndjson new file mode 100644 index 00000000..956669f0 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_software_groups.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_software_groups","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"mitre_attack_software_groups\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"groups\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"groups\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"software.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"software\"}}]}"},"id":"5bcad6b0-6f8a-11e8-8945-7d43ba9ddc77","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.i
ndex","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:48.238Z","version":"WzkzLDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_tactic_techniques.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_tactic_techniques.ndjson new file mode 100644 index 00000000..0d74ee11 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_tactic_techniques.ndjson @@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_tactic_techniques","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"mitre_attack_tactic_techniques\",\"type\":\"table\",\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tactic.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"tactic\"}}]}"},"id":"6cb1c1d0-6f91-11e8-8945-7d43ba9ddc77","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:49.063Z","version":"Wzk0LDFd"} 
diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_technique_data_sources.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_technique_data_sources.ndjson new file mode 100644 index 00000000..e36fb55e --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_technique_data_sources.ndjson @@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_technique_data_sources","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"mitre_attack_technique_data_sources\",\"type\":\"table\",\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"data_sources.keyword\",\"customLabel\":\"data_sources\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"technique.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":300,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"technique\"}}]}"},"id":"4e512810-6f92-11e8-8945-7d43ba9ddc77","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:50.057Z","version":"Wzk1LDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_technique_data_sources_cloud.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_technique_data_sources_cloud.ndjson new file mode 100644 index 00000000..952ddcfc --- /dev/null 
+++ b/docker/helk-kibana/objects/visualization/mitre_attack_technique_data_sources_cloud.ndjson @@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_technique_data_sources_cloud","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"mitre_attack_technique_data_sources_cloud\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":8,\"maxFontSize\":40,\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"data_sources.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"data sources\"}}]}"},"id":"b0354ae0-6f8b-11e8-8945-7d43ba9ddc77","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:51.108Z","version":"Wzk2LDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_techniques_groups.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_techniques_groups.ndjson new file mode 100644 index 00000000..56855bb1 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_techniques_groups.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_techniques_groups","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"mitre_attack_techniques_groups\",\"type\":\"table\",\"params\":{\"perPage\":25,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"group_id.keyword\",\"customLabel\":\"groups\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"technique.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"techniques\"}}]}"},"id":"43450a80-6ffc-11e8-8d23-170b1a3fd248","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:52.100Z","version":"Wzk3LDFd"} diff --git a/docker/helk-kibana/objects/visualization/mitre_attack_techniques_matrices.ndjson b/docker/helk-kibana/objects/visualization/mitre_attack_techniques_matrices.ndjson new file mode 100644 index 00000000..83054208 --- /dev/null +++ b/docker/helk-kibana/objects/visualization/mitre_attack_techniques_matrices.ndjson 
@@ -0,0 +1 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"mitre_attack_techniques_matrices","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"mitre_attack_techniques_matrices\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"technique_id.keyword\",\"customLabel\":\"techniques\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"matrix.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"matrices\"}}]}"},"id":"bf6e4e00-6f89-11e8-8945-7d43ba9ddc77","migrationVersion":{"visualization":"7.4.2"},"references":[{"id":"mitre-attack-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-04-21T08:47:53.148Z","version":"Wzk4LDFd"} diff --git a/docker/helk-kibana/scripts/kibana-export-objects.sh b/docker/helk-kibana/scripts/kibana-export-objects.sh new file mode 100755 index 00000000..546e5982 --- /dev/null +++ b/docker/helk-kibana/scripts/kibana-export-objects.sh 
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# HELK script: kibana-export-objects.sh
+# HELK script description: Export all the saved objects from Kibana and saved them in separate files and grouped in a directory by type
+# HELK build stage: Alpha
+# Authors: Nate Guagenti (@neu5ron), Thomas Castronovo (@troplolBE)
+# License: GPL-3.0
+
+KIBANA_HOST="$1"
+ELASTICSEARCH_CREDS="$2"
+DIR=$3
+
+exports=0
+failed=0
+
+#Go to directory
+cd $DIR
+
+#Cycle trough all the different object types
+for item in config index-pattern search visualization dashboard url map canvas-workpad canvas-element timelion; do
+ first=1
+
+ #Cycle through all the saved objects of that category
+ for id in $(curl -sk -u "${ELASTICSEARCH_CREDS}" "${KIBANA_HOST}/api/saved_objects/_find?type=${item}&per_page=1000" | jq -r '.saved_objects[] | .id'); do
+ #Check first iteration
+ if [ $first -eq 1 ]; then
+ #Create and go to directory
+ mkdir -p ${item}
+ cd ${item}
+ first=0
+ fi
+ #Request saved object
+ object=$(curl -sk -XPOST -u "${ELASTICSEARCH_CREDS}" \
+ "${KIBANA_HOST}/api/saved_objects/_export" \
+ -H "kbn-xsrf: true" \
+ -H "Content-Type: application/json" \
+ -d"
+ { \"objects\":
+ [
+ {
+ \"type\": \"${item}\",
+ \"id\": \"${id}\"
+ }
+ ],
+ \"excludeExportDetails\": true,
+ \"includeReferencesDeep\": false
+ }
+ ")
+ #Check export went well
+ if [ $(echo "$object" | jq -r '.statusCode') == "400" ]; then
+ echo "Error while exporting ${id}..."
+ echo -e "Error:\n${object}"
+ failed=$(($failed+1))
+ continue;
+ fi
+ exports=$(($exports+1))
+ #Gather object name and object file
+ if [[ "$item" == "config" || "$item" == "index-pattern" ]]; then
+ filename=$(echo "$object" | jq -r '.id')
+ else
+ filename=$(echo "$object" | jq -r '.attributes.title')
+ fi
+ filename=${filename//[^A-Za-z0-9]/_}
+ filename=$(echo "$filename" | sed -E 's/^(.*?[^_]+)(_)*$/\1/g')
+ file="$(unknown).ndjson"
+
+ #Write to file
+ echo "Exporting ${item} named $(unknown) as ${file}" > /dev/stderr
+ echo "$object" >> "$file"
+ done
+ if [ $(basename $(pwd)) == "${item}" ]; then
+ cd ..
+ fi
+done
+
+echo "Successfully exported ${exports} objects !"
+if [[ $failed -ne 0 ]]; then
+ echo "Failed to export ${failed} objects !"
+fi
diff --git a/docker/helk-kibana/scripts/kibana-import-objects.sh b/docker/helk-kibana/scripts/kibana-import-objects.sh
new file mode 100755
index 00000000..0bb96abd
--- /dev/null
+++ b/docker/helk-kibana/scripts/kibana-import-objects.sh
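Review bot: The export check `if [ $(echo "$object" | jq -r '.statusCode') == "400" ]` treats only HTTP 400 as a failure, so an authentication, not-found or server error response is counted as a successful export and its body is written to a `null.ndjson` file (the title lookup yields `null`); comparing against the absent-key value, `if [ "$(echo "$object" | jq -r '.statusCode')" != "null" ]; then`, catches every error response. `cd $DIR` is unquoted and unchecked, so an empty or wrong third argument leaves the script creating per-type directories in whatever the current directory is; `cd "$DIR" || exit 1` is the usual guard, and the same unguarded `cd $DIR` appears in kibana-import-objects.sh. `echo "$object" >> "$file"` appends, so re-running the export into an existing directory produces files holding duplicate objects; `>` keeps one object per file. `file="$(unknown).ndjson"` and the matching echo read as a command substitution rather than the `${filename}` computed just above; if that is literally what the file contains, every object lands in `.ndjson`.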
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# HELK script: kibana-import-objects.sh
+# HELK script description: Imports all the saved objects back to Kibana.
+# HELK build stage: Alpha
+# Author: Thomas Castronovo (@troplolBE), Nate Guagenti (@neu5ron)
+# License: GPL-3.0
+
+DIR=/usr/share/kibana/objects
+ARRAY=()
+
+created=0
+failed=0
+
+#Function to import files to Kibana
+#Argument 1 = File to import
+#Argument 2 = Retry of import
+
+function importFile
+{
+ local file=${1}
+ local retry=${2}
+
+ response=$(
+ curl -sk -XPOST -u "${ELASTICSEARCH_CREDS}" \
+ "${KIBANA_HOST}/api/saved_objects/_import?overwrite=true" \
+ -H "kbn-xsrf: true" \
+ --form file=@"${file}"
+ )
+ result=$(echo "${response}" | grep -w "success" | cut -d ',' -f 1 | cut -d ':' -f 2 | sed -E 's/[^-[:alnum:]]//g')
+ if [[ "${result}" == "true" ]]; then
+ created=$((created+1))
+ echo "Successfuly imported ${item} named ${file}"
+ else
+ if [[ $retry -ne 1 ]]; then
+ fail="${DIR}/${item}/${file}"
+ ARRAY+=($fail)
+ else
+ failed=$((failed+1))
+ fi
+ echo -e "Failed to import ${item} named ${file}: \n ${response}\n"
+ fi
+}
+
+echo "Please be patient as we import 100+ custom dashboards, visualizations, and searches..."
+#Go to the right directory to find objects
+cd $DIR
+
+for item in config map canvas-workpad canvas-element lens query index-pattern search visualization dashboard url; do
+ cd ${item} 2>/dev/null || continue
+
+ for file in *.ndjson; do
+ echo "$file"
+ importFile $file 0
+ done
+ cd ..
+done
+
+echo -e "Files that failed:\n${ARRAY[@]}"
+echo "Re-trying to import the failed files..."
+
+echo "length of array is ${#ARRAY[@]}"
+if [[ "${#ARRAY[@]}" -ne "0" ]]; then
+ for file in "${ARRAY[@]}"; do
+ echo "${file}"
+ importFile $file 1
+ done
+fi
+
+echo "Created: ${created}"
+echo "Failed: ${failed}"
diff --git a/docker/helk-kibana/scripts/kibana-setup-index_patterns.sh b/docker/helk-kibana/scripts/kibana-setup-index_patterns.sh
index 903e44ab..3cedc072 100755
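Review bot: `result=$(echo "${response}" | grep -w "success" | cut -d ',' -f 1 | cut -d ':' -f 2 | sed ...)` parses the JSON reply with grep/cut and silently depends on `success` being the first key of the response, while the export script added in the same commit already uses jq against the same API; if jq is available in the Kibana image, `result=$(echo "${response}" | jq -r '.success')` is simpler and independent of key order. `KIBANA_HOST` and `ELASTICSEARCH_CREDS` are read from the environment but never checked, so when the script runs outside kibana-setup.sh curl posts to an empty host and every file is reported as failed; a guard near the top, `: "${KIBANA_HOST:?}" "${ELASTICSEARCH_CREDS:?}"`, fails fast with a clear message instead. In the retry loop `${item}` still holds the last value of the type loop, so the success and failure messages for retried files name the wrong object type; storing `"${item}/${file}"` in `ARRAY` and splitting it back out, or dropping `${item}` from those messages, fixes that. The success message also has a typo ("Successfuly").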
--- a/docker/helk-kibana/scripts/kibana-setup-index_patterns.sh
+++ b/docker/helk-kibana/scripts/kibana-setup-index_patterns.sh
@@ -16,25 +16,28 @@ HELK_ERROR_TAG="HELK-KIBANA-DOCKER-$TAG_NAME-ERROR:"
 TIME_FIELD="@timestamp"
 DEFAULT_INDEX_PATTERN="logs-endpoint-winevent-sysmon-*"
 declare -a index_patterns=(
- "logs-*"
- "logs-endpoint-winevent-sysmon-*"
- "logs-endpoint-winevent-security-*"
- "logs-endpoint-winevent-system-*"
- "logs-endpoint-winevent-application-*"
- "logs-endpoint-winevent-wmiactivity-*"
- "logs-endpoint-winevent-powershell-*"
- "mitre-attack-*"
 "elastalert_status"
- "elastalert_status_status"
 "elastalert_status_error"
- "elastalert_status_silence"
 "elastalert_status_past"
- "sysmon-join-*"
+ "elastalert_status_silence"
+ "elastalert_status_status"
+ "indexme-*"
+ "logs-*"
+ "logs-endpoint-*"
+ "logs-endpoint-winevent-*"
+ "logs-endpoint-winevent-application-*"
 "logs-endpoint-winevent-etw-*"
+ "logs-endpoint-winevent-powershell-*"
+ "logs-endpoint-winevent-security-*"
+ "logs-endpoint-winevent-sysmon-*"
+ "logs-endpoint-winevent-system-*"
+ "logs-endpoint-winevent-wmiactivity-*"
 "logs-network-*"
 "logs-network-zeek-*"
+ "mitre-attack-*"
 "original-*"
- "indexme-*"
+ "parse-failures-*"
+ "sysmon-join-*"
 )
 echo "$HELK_INFO_TAG Creating Kibana index patterns.."
diff --git a/docker/helk-kibana/scripts/kibana-setup-objects.sh b/docker/helk-kibana/scripts/kibana-setup-objects.sh
deleted file mode 100755
index e9fb55c2..00000000
--- a/docker/helk-kibana/scripts/kibana-setup-objects.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-# HELK script: kibana-setup-objects.sh
-# HELK script description: Creates, loads, and updates Kibana objects such as Visualizations, Dashboards, etc...
-# HELK build Stage: Alpha
-# Author: Nate Guagenti (@neu5ron)
-# License: GPL-3.0
\ No newline at end of file
diff --git a/docker/helk-kibana/scripts/kibana-setup.sh b/docker/helk-kibana/scripts/kibana-setup.sh
index 7e9a4486..a2868838 100755
--- a/docker/helk-kibana/scripts/kibana-setup.sh
+++ b/docker/helk-kibana/scripts/kibana-setup.sh
@@ -34,8 +34,9 @@ until [[ "$(curl -s -o /dev/null -w "%{http_code}" "${KIBANA_ACCESS}/status")" =
 done
 echo "$HELK_INFO_TAG Kibana server is up."
-# *********** Creating Kibana index-patterns ***************
-/usr/share/kibana/scripts/kibana-setup-index_patterns.sh
+# *********** Importing saved objetcs into Kibana ***************
+echo "$HELK_INFO_TAG Importing all the saved objects..."
+/usr/share/kibana/scripts/kibana-import-objects.sh
 # *********** Set URL session store *********************
 echo "$HELK_INFO_TAG Setting URL session store"
@@ -47,19 +48,6 @@ curl -X POST -u "${ELASTICSEARCH_CREDS}" "$KIBANA_HOST/api/kibana/settings" -H '
 }
 "
-DIR=/usr/share/kibana/objects/dashboards
-# *********** Loading dashboards ***************
-echo "$HELK_INFO_TAG Loading Dashboards..."
-for file in ${DIR}/*.json
-do
- echo "[++++++] Loading dashboard file ${file}"
- until curl -X POST -s -o /dev/null -u "${ELASTICSEARCH_CREDS}" "${KIBANA_HOST}/api/kibana/dashboards/import" -H 'kbn-xsrf: true' \
- -H 'Content-type:application/json' -d @${file}
- do
- sleep 1
- done
-done
-
 # ******** Set Elastic License Variables ***************
 if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; then
 # *********** Creating HELK User *********************
@@ -104,4 +92,4 @@ fi
 #echo "[+++] Updating Kibana Logo..."
 #cp -i /usr/share/kibana/custom/HELK.png /usr/share/kibana/optimize/bundles/HELK.png
 #cp -i /usr/share/kibana/optimize/bundles/commons.style.css /usr/share/kibana/optimize/bundles/commons.style.css_backup
-#cp -i /usr/share/kibana/custom/commons.style.css /usr/share/kibana/optimize/bundles/commons.style.css
\ No newline at end of file
+#cp -i /usr/share/kibana/custom/commons.style.css /usr/share/kibana/optimize/bundles/commons.style.css
diff --git a/docker/helk-ksql/sysmon-join.commands b/docker/helk-ksql/sysmon-join.commands
index 11a92b6d..c61a66ca 100644
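Review bot: With the call to `/usr/share/kibana/scripts/kibana-setup-index_patterns.sh` removed in the first hunk, index patterns now exist only if the imported saved objects carry them, and the `DEFAULT_INDEX_PATTERN` that script defines is no longer applied from this path; yet the same commit still edits that script's pattern list (the kibana-setup-index_patterns.sh hunk above), which suggests it is either invoked from somewhere outside this diff or is now dead code, and a one-line comment here saying which would save the next reader the search. The new call also ignores the exit status of kibana-import-objects.sh, whereas the removed dashboard loop retried `until` each POST succeeded; since the import script prints Created/Failed counts and then exits with the status of its last `echo`, a wholesale import failure is silent at this level. The new comment has a typo: `# *********** Importing saved objects into Kibana ***************`.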
--- a/docker/helk-ksql/sysmon-join.commands
+++ b/docker/helk-ksql/sysmon-join.commands
@@ -1,11 +1,11 @@ -CREATE STREAM WINLOGBEAT_STREAM (source_name VARCHAR, type VARCHAR, task VARCHAR, log_name VARCHAR, computer_name VARCHAR, event_data STRUCT< UtcTime VARCHAR, ProcessGuid VARCHAR, ProcessId INTEGER, Image VARCHAR, FileVersion VARCHAR, Description VARCHAR, Product VARCHAR, Company VARCHAR, CommandLine VARCHAR, CurrentDirectory VARCHAR, User VARCHAR, LogonGuid VARCHAR, LogonId VARCHAR, TerminalSessionId INTEGER, IntegrityLevel VARCHAR, Hashes VARCHAR, ParentProcessGuid VARCHAR, ParentProcessId INTEGER, ParentImage VARCHAR, ParentCommandLine VARCHAR, Protocol VARCHAR, Initiated VARCHAR, SourceIsIpv6 VARCHAR, SourceIp VARCHAR, SourceHostname VARCHAR, SourcePort INTEGER, SourcePortName VARCHAR, DestinationIsIpv6 VARCHAR, DestinationIp VARCHAR, DestinationHostname VARCHAR, DestinationPort INTEGER, DestinationPortName VARCHAR>, event_id INTEGER) WITH (KAFKA_TOPIC='winlogbeat', VALUE_FORMAT='JSON'); +CREATE STREAM WINLOGBEAT_STREAM (source_name VARCHAR, type VARCHAR, task VARCHAR, log_name VARCHAR, host_name VARCHAR, event_data STRUCT< UtcTime VARCHAR, ProcessGuid VARCHAR, ProcessId INTEGER, Image VARCHAR, FileVersion VARCHAR, Description VARCHAR, Product VARCHAR, Company VARCHAR, CommandLine VARCHAR, CurrentDirectory VARCHAR, User VARCHAR, LogonGuid VARCHAR, LogonId VARCHAR, TerminalSessionId INTEGER, IntegrityLevel VARCHAR, Hashes VARCHAR, ParentProcessGuid VARCHAR, ParentProcessId INTEGER, ParentImage VARCHAR, ParentCommandLine VARCHAR, Protocol VARCHAR, Initiated VARCHAR, SourceIsIpv6 VARCHAR, SourceIp VARCHAR, SourceHostname VARCHAR, SourcePort INTEGER, SourcePortName VARCHAR, DestinationIsIpv6 VARCHAR, DestinationIp VARCHAR, DestinationHostname VARCHAR, DestinationPort INTEGER, DestinationPortName VARCHAR>, event_id INTEGER) WITH (KAFKA_TOPIC='winlogbeat', VALUE_FORMAT='JSON'); -CREATE STREAM WINLOGBEAT_STREAM_REKEY WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation') AS SELECT STRINGTOTIMESTAMP(event_data->UtcTime, 'yyyy-MM-dd 
HH:mm:ss.SSS') AS event_date_creation, event_data->ProcessGuid AS process_guid, event_data->ProcessId AS process_id, event_data->Image AS process_path, event_data->FileVersion AS file_version, event_data->Description AS file_description, event_data->Company AS file_company, event_data->CommandLine AS process_command_line, event_data->CurrentDirectory AS process_current_directory, event_data->User AS user_account, event_data->LogonGuid AS user_logon_guid, event_data->LogonId AS user_logon_id, event_data->TerminalSessionId AS user_session_id, event_data->IntegrityLevel AS process_integrity_level, event_data->Hashes AS hashes, event_data->ParentProcessGuid AS parent_process_guid,event_data->ParentProcessId AS parent_process_id,event_data->ParentImage AS parent_process_path,event_data->ParentCommandLine AS parent_process_command_line,event_data->Protocol AS network_protocol,event_data->Initiated AS network_connection_initiated,event_data->SourceIsIpv6 AS src_is_ipv6,event_data->SourceIp AS src_ip_addr,event_data->SourceHostname AS src_host_name,event_data->SourcePort AS src_port,event_data->SourcePortName AS src_port_name,event_data->DestinationIsIpv6 AS dst_is_ipv6,event_data->DestinationIp AS dst_ip_addr,event_data->DestinationHostname AS dst_host_name,event_data->DestinationPort AS dst_port,event_data->DestinationPortName AS dst_port_name,event_id,source_name,log_name FROM WINLOGBEAT_STREAM WHERE source_name='Microsoft-Windows-Sysmon' PARTITION BY process_guid; +CREATE STREAM WINLOGBEAT_STREAM_REKEY WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_original_time') AS SELECT STRINGTOTIMESTAMP(event_data->UtcTime, 'yyyy-MM-dd HH:mm:ss.SSS') AS event_original_time, event_data->ProcessGuid AS process_guid, event_data->ProcessId AS process_id, event_data->Image AS process_path, event_data->FileVersion AS file_version, event_data->Description AS file_description, event_data->Company AS file_company, event_data->CommandLine AS process_command_line, 
event_data->CurrentDirectory AS process_current_directory, event_data->User AS user_account, event_data->LogonGuid AS user_logon_guid, event_data->LogonId AS user_logon_id, event_data->TerminalSessionId AS user_session_id, event_data->IntegrityLevel AS process_integrity_level, event_data->Hashes AS hashes, event_data->ParentProcessGuid AS process_parent_guid,event_data->ParentProcessId AS process_parent_id,event_data->ParentImage AS process_parent_path,event_data->ParentCommandLine AS process_parent_command_line,event_data->Protocol AS network_protocol,event_data->Initiated AS network_connection_initiated,event_data->SourceIsIpv6 AS src_is_ipv6,event_data->SourceIp AS src_ip_addr,event_data->SourceHostname AS src_host_name,event_data->SourcePort AS src_port,event_data->SourcePortName AS src_port_name,event_data->DestinationIsIpv6 AS dst_is_ipv6,event_data->DestinationIp AS dst_ip_addr,event_data->DestinationHostname AS dst_host_name,event_data->DestinationPort AS dst_port,event_data->DestinationPortName AS dst_port_name,event_id,source_name,log_name FROM WINLOGBEAT_STREAM WHERE source_name='Microsoft-Windows-Sysmon' PARTITION BY process_guid; -CREATE STREAM SYSMON_PROCESS_CREATE WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation')AS SELECT event_date_creation,process_guid,process_id,process_path,file_version,file_description,file_company,process_command_line,process_current_directory,user_account,user_logon_guid,user_logon_id,user_session_id,process_integrity_level,hashes,parent_process_guid,parent_process_id,parent_process_path,parent_process_command_line,event_id,source_name,log_name FROM WINLOGBEAT_STREAM_REKEY WHERE event_id=1; +CREATE STREAM SYSMON_PROCESS_CREATE WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_original_time')AS SELECT 
event_original_time,process_guid,process_id,process_path,file_version,file_description,file_company,process_command_line,process_current_directory,user_account,user_logon_guid,user_logon_id,user_session_id,process_integrity_level,hashes,process_parent_guid,process_parent_id,process_parent_path,process_parent_command_line,event_id,source_name,log_name FROM WINLOGBEAT_STREAM_REKEY WHERE event_id=1; -CREATE STREAM SYSMON_NETWORK_CONNECT WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation')AS SELECT event_date_creation,process_guid,process_id,process_path,user_account,network_protocol,network_connection_initiated,src_is_ipv6,src_ip_addr,src_host_name,src_port,src_port_name,dst_is_ipv6,dst_ip_addr,dst_host_name,dst_port,dst_port_name,event_id,source_name,log_name FROM WINLOGBEAT_STREAM_REKEY WHERE event_id=3; +CREATE STREAM SYSMON_NETWORK_CONNECT WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_original_time')AS SELECT event_original_time,process_guid,process_id,process_path,user_account,network_protocol,network_connection_initiated,src_is_ipv6,src_ip_addr,src_host_name,src_port,src_port_name,dst_is_ipv6,dst_ip_addr,dst_host_name,dst_port,dst_port_name,event_id,source_name,log_name FROM WINLOGBEAT_STREAM_REKEY WHERE event_id=3; -CREATE TABLE SYSMON_PROCESS_CREATE_TABLE (event_date_creation VARCHAR,process_guid VARCHAR,process_id INTEGER,process_path VARCHAR,file_version VARCHAR,file_description VARCHAR,file_company VARCHAR,process_command_line VARCHAR,process_current_directory VARCHAR,user_account VARCHAR,user_logon_guid VARCHAR,user_logon_id VARCHAR,user_session_id INTEGER,process_integrity_level VARCHAR,hashes VARCHAR,parent_process_guid VARCHAR,parent_process_id INTEGER,parent_process_path VARCHAR,parent_process_command_line VARCHAR,event_id INTEGER,source_name VARCHAR,log_name VARCHAR) WITH (KAFKA_TOPIC='SYSMON_PROCESS_CREATE', VALUE_FORMAT='JSON', KEY='process_guid'); +CREATE TABLE SYSMON_PROCESS_CREATE_TABLE (event_original_time 
VARCHAR,process_guid VARCHAR,process_id INTEGER,process_path VARCHAR,file_version VARCHAR,file_description VARCHAR,file_company VARCHAR,process_command_line VARCHAR,process_current_directory VARCHAR,user_account VARCHAR,user_logon_guid VARCHAR,user_logon_id VARCHAR,user_session_id INTEGER,process_integrity_level VARCHAR,hashes VARCHAR,process_parent_guid VARCHAR,process_parent_id INTEGER,process_parent_path VARCHAR,process_parent_command_line VARCHAR,event_id INTEGER,source_name VARCHAR,log_name VARCHAR) WITH (KAFKA_TOPIC='SYSMON_PROCESS_CREATE', VALUE_FORMAT='JSON', KEY='process_guid'); -CREATE STREAM SYSMON_JOIN WITH (PARTITIONS=1) AS SELECT N.EVENT_DATE_CREATION, N.PROCESS_GUID, N.PROCESS_ID, N.PROCESS_PATH, N.USER_ACCOUNT,N.NETWORK_PROTOCOL, N.NETWORK_CONNECTION_INITIATED, N.SRC_IS_IPV6, N.SRC_IP_ADDR,N.SRC_HOST_NAME, N.SRC_PORT, N.SRC_PORT_NAME, N.DST_IS_IPV6, N.DST_IP_ADDR, N.DST_HOST_NAME,N.DST_PORT, N.DST_PORT_NAME, N.SOURCE_NAME, N.LOG_NAME,P.PROCESS_COMMAND_LINE, P.HASHES, P.PARENT_PROCESS_PATH, P.PARENT_PROCESS_COMMAND_LINE,P.USER_LOGON_GUID, P.USER_LOGON_ID, P.USER_SESSION_ID, P.PROCESS_CURRENT_DIRECTORY,P.PROCESS_INTEGRITY_LEVEL, P.PARENT_PROCESS_GUID, P.PARENT_PROCESS_ID FROM SYSMON_NETWORK_CONNECT N INNER JOIN SYSMON_PROCESS_CREATE_TABLE P ON N.PROCESS_GUID = P.PROCESS_GUID; \ No newline at end of file +CREATE STREAM SYSMON_JOIN WITH (PARTITIONS=1) AS SELECT N.EVENT_ORIGINAL_TIME, N.PROCESS_GUID, N.PROCESS_ID, N.PROCESS_PATH, N.USER_ACCOUNT,N.network_protocol, N.NETWORK_CONNECTION_INITIATED, N.SRC_IS_IPV6, N.SRC_IP_ADDR,N.SRC_HOST_NAME, N.SRC_PORT, N.SRC_PORT_NAME, N.DST_IS_IPV6, N.DST_IP_ADDR, N.DST_HOST_NAME,N.DST_PORT, N.DST_PORT_NAME, N.SOURCE_NAME, N.LOG_NAME,P.PROCESS_COMMAND_LINE, P.HASHES, P.PROCESS_PARENT_PATH, P.PROCESS_PARENT_COMMAND_LINE,P.USER_LOGON_GUID, P.USER_LOGON_ID, P.USER_SESSION_ID, P.PROCESS_CURRENT_DIRECTORY,P.PROCESS_INTEGRITY_LEVEL, P.PROCESS_PARENT_GUID, P.PROCESS_PARENT_ID FROM SYSMON_NETWORK_CONNECT N INNER JOIN 
SYSMON_PROCESS_CREATE_TABLE P ON N.PROCESS_GUID = P.PROCESS_GUID;
\ No newline at end of file
diff --git a/docker/helk-logstash/Dockerfile b/docker/helk-logstash/Dockerfile
index 6a8dc5da..ba1e2ddb 100644
--- a/docker/helk-logstash/Dockerfile
+++ b/docker/helk-logstash/Dockerfile
@@ -6,7 +6,7 @@
 # References:
 # https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html
-FROM docker.elastic.co/logstash/logstash:7.5.2
+FROM docker.elastic.co/logstash/logstash:7.6.2
 LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
 LABEL description="Dockerfile base for the HELK Logstash."
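Review bot: `host_name` is added to the WINLOGBEAT_STREAM declaration but, like `computer_name` before it, is never selected into WINLOGBEAT_STREAM_REKEY, so SYSMON_PROCESS_CREATE, SYSMON_NETWORK_CONNECT and the SYSMON_JOIN output still carry no host identifier and a joined network/process record can only be attributed to a machine through `process_guid`; adding `host_name` to the REKEY select list and to the SYSMON_PROCESS_CREATE_TABLE column list would carry it through to the join. `N.network_protocol` is the only lower-case column reference in the SYSMON_JOIN statement while every other one is upper-case; `N.NETWORK_PROTOCOL` keeps the statement consistent. The file still ends without a trailing newline, which the other files in this commit fix.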
@@ -18,10 +18,10 @@ RUN printf "%s" "$(date +"%Y-%m-%d %T")" > "${plugins_time_file}" RUN chown logstash:logstash "${plugins_time_file}" COPY --chown=logstash:logstash plugins/helk-offline-logstash-codec_and_filter_plugins.zip /usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip -COPY --chown=logstash:logstash plugins/helk-offline-logstash-input_and_output-plugins.zip /usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip +COPY --chown=logstash:logstash plugins/helk-offline-logstash-input-plugins.zip /usr/share/logstash/plugins/helk-offline-logstash-input-plugins.zip +COPY --chown=logstash:logstash plugins/helk-offline-logstash-output-plugins.zip /usr/share/logstash/plugins/helk-offline-logstash-output-plugins.zip RUN logstash-plugin update \ && logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip \ - && logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip \ - && rm /usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip \ - && rm /usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip \ + && logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-input-plugins.zip \ + && logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-output-plugins.zip \ && rm -f /usr/share/logstash/pipeline/logstash.conf \ No newline at end of file diff --git a/docker/helk-logstash/config/pipelines.yml b/docker/helk-logstash/config/pipelines.yml index 1b1810cc..1256e0ba 100644 --- a/docker/helk-logstash/config/pipelines.yml +++ b/docker/helk-logstash/config/pipelines.yml @@ -1,4 +1,4 @@ - pipeline.id: main - path.config: "/usr/share/logstash/pipeline/" + path.config: "/usr/share/logstash/pipeline/*.conf" - pipeline.id: mordor path.config: "/usr/share/logstash/mordor_pipeline/" \ No newline at end of file 
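Review bot: The rewritten RUN chain in the second hunk no longer removes the plugin zip archives after `logstash-plugin install`, whereas the old chain deleted both zips, so the three offline bundles now stay in the image layer. Restore the cleanup inside the same RUN so the space is actually reclaimed, e.g. `&& rm -f /usr/share/logstash/plugins/helk-offline-logstash-*.zip \` placed before the final `rm -f` of logstash.conf; a separate later RUN would leave the bytes in the earlier layer. The three COPY lines above could likewise become one `COPY --chown=logstash:logstash plugins/*.zip /usr/share/logstash/plugins/` if every zip in that folder is meant to be installed.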
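Review bot: Only the `main` pipeline is narrowed to `*.conf`; the `mordor` entry on the last line still points at the bare directory `"/usr/share/logstash/mordor_pipeline/"`, so Logstash keeps loading every file in that folder (editor swap files, backups, stray copies) while `main` now ignores them. Apply the same glob for consistency: `path.config: "/usr/share/logstash/mordor_pipeline/*.conf"`. The file also lacks a `---` document start and a trailing newline, which yamllint flags.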
diff --git a/docker/helk-logstash/output_templates/10-helk-logs-all-default.json b/docker/helk-logstash/output_templates/10-helk-logs-all-default.json new file mode 100644 index 00000000..7827d49e --- /dev/null +++ b/docker/helk-logstash/output_templates/10-helk-logs-all-default.json @@ -0,0 +1,93 @@ +{ + "order": 10, + "index_patterns": [ "logs-*" ], + "version": 2020042001, + "settings": { + "index": { + "mapping": { + "ignore_malformed": true, + "total_fields.limit": "10000", + "coerce": true + } + }, + "refresh_interval": "20s", + "number_of_replicas": 0, + "number_of_shards": 1 + }, + "mappings": { + "dynamic": "true", + "properties": { + "@timestamp": { + "type": "date" + }, + "@version": { + "type": "keyword" + }, + "z_original_timestamp": { + "type": "date" + }, + "meta_log_tags": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "z_logstash_type": { + "enabled": false + }, + "event_original_time": { + "type": "date" + }, + "event_recorded_time": { + "type": "date" + }, + "event_original_message": { + "type": "text", + "norms": false + }, + "event_vendor": { + "type": "keyword" + }, + "etl_pipeline": { + "type": "keyword" + }, + "etl_kafka_consumer_group": { + "type": "keyword" + }, + "etl_kafka_key": { + "type": "keyword" + }, + "etl_kafka_offset": { + "type": "long" + }, + "etl_kafka_partition": { + "type": "integer" + }, + "etl_kafka_time": { + "type": "date", + "format": "epoch_millis" + }, + "etl_kafka_topic": { + "type": "keyword" + }, + "etl_processed_time": { + "type": "date" + }, + "etl_host_agent_type": { + "type": "keyword" + }, + "etl_host_agent_uid": { + "type": "keyword" + }, + "etl_version": { + "type": "keyword" + }, + "message": { + "type": "alias", + "path": "event_original_message" + } + } + } +} diff --git a/docker/helk-logstash/output_templates/10-logs-all-default.json b/docker/helk-logstash/output_templates/10-logs-all-default.json deleted file mode 100644 index ab0a5b65..00000000 
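Review bot: The new default template for `logs-*` drops the `strings` dynamic template that the deleted `10-logs-all-default.json` carried, so, as far as I can tell from the other templates in this commit, any string field not named by a higher-order template falls back to Elasticsearch's built-in dynamic mapping (text plus a `keyword` subfield capped at 256 characters). Values longer than 256 characters then lose their keyword subfield, which breaks exact-match filters and aggregations on those fields for every log source. If that is intended, record it in the mappings, e.g. `"_meta": { "note": "string fields rely on ES default dynamic mapping; keyword subfield ignore_above 256" }`; otherwise carry the old `strings` template over with the new `ignore_above` policy. The `total_fields.limit` raise to 10000 and the 20s `refresh_interval` would also deserve a line in that `_meta` entry since JSON cannot hold comments.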
--- a/docker/helk-logstash/output_templates/10-logs-all-default.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "order": 10, - "index_patterns": [ "logs-*" ], - "version": 2019060301, - "settings": { - "index": { - "mapping": { - "ignore_malformed": true, - "total_fields.limit": "3750", - "coerce": true - } - }, - "refresh_interval": "30s", - "number_of_replicas": 0, - "number_of_shards": 1 - }, - "mappings": { - "dynamic": "true", - "dynamic_templates": [ - { - "strings": { - "match_mapping_type": "string", - "mapping": { - "type": "text", - "norms": false, - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - } - ], - "properties": { - "@timestamp": { - "type": "date" - }, - "@version": { - "type": "keyword" - }, - "log_ingest_timestamp": { - "type": "date" - }, - "meta_log_tags": { - "type": "text", - "norms": false, - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "z_logstash_type": { - "enabled": false - }, - "z_original_message": { - "enabled": false - }, - "z_logstash_pipeline": { - "enabled": false - } - } - } -} diff --git a/docker/helk-logstash/output_templates/11-helk-indexme.json b/docker/helk-logstash/output_templates/11-helk-indexme.json new file mode 100644 index 00000000..aa264f5a --- /dev/null +++ b/docker/helk-logstash/output_templates/11-helk-indexme.json @@ -0,0 +1,36 @@ +{ + "order": 11, + "index_patterns": [ "indexme-*" ], + "version": 2019073001, + "settings": { + "index": { + "mapping": { + "ignore_malformed": true, + "total_fields.limit": "5000", + "coerce": true + } + }, + "refresh_interval": "30s", + "number_of_replicas": 0, + "number_of_shards": 1 + }, + "mappings": { + "dynamic": "true", + "dynamic_templates": [ + { + "strings": { + "match_mapping_type": "string", + "mapping": { + "ignore_above": 12048, + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + ] + } +} 
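Review bot: In the `strings` dynamic template of `11-helk-indexme.json`, `"ignore_above": 12048` is placed on the `text` mapping, but `ignore_above` is a keyword-field parameter; I would expect the text mapper to reject it as an unsupported parameter the first time an `indexme-*` index is created, and the identical block is repeated in `71-helk-indexme-zeek.json`. Move it onto the subfield: `"keyword": { "type": "keyword", "ignore_above": 12048 }`. Note the cap counts characters while Lucene's term limit is 32766 bytes, so 12048 is still over the limit for 3-byte UTF-8 input; 10922 or lower is safe for any content.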
diff --git a/docker/helk-logstash/output_templates/11-indexme.json b/docker/helk-logstash/output_templates/11-indexme.json deleted file mode 100644 index 5f7aafbc..00000000 --- a/docker/helk-logstash/output_templates/11-indexme.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "order": 11, - "index_patterns": [ "indexme-*" ], - "version": 2019052001, - "settings": { - "index": { - "mapping": { - "ignore_malformed": true, - "total_fields.limit": "5000", - "coerce": true - } - }, - "refresh_interval": "30s", - "number_of_replicas": 0, - "number_of_shards": 1 - }, - "mappings": { - "dynamic": "true" - } -} diff --git a/docker/helk-logstash/output_templates/12-helk-logs-all-other_ecs_fields.json b/docker/helk-logstash/output_templates/12-helk-logs-all-other_ecs_fields.json new file mode 100644 index 00000000..40608fd4 --- /dev/null +++ b/docker/helk-logstash/output_templates/12-helk-logs-all-other_ecs_fields.json @@ -0,0 +1,62 @@ +{ + "order": 12, + "index_patterns": [ "logs-*" ], + "version": 2020041901, + "mappings": { + "properties": { + "z_elastic_ecs": { + "properties": { + "ecs": { + "properties": { + "version": { + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "ephemeral_id": { + "type": "keyword" + }, + "hostname": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "type": "keyword" + }, + "code": { + "type": "long" + }, + "kind": { + "type": "keyword" + }, + "provider": { + "type": "keyword" + } + } + }, + "host": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + } + } + } +} diff --git a/docker/helk-logstash/output_templates/20-helk-logs-all.json b/docker/helk-logstash/output_templates/20-helk-logs-all.json new file mode 100644 index 00000000..0485189e --- /dev/null +++ b/docker/helk-logstash/output_templates/20-helk-logs-all.json 
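Review bot: `z_elastic_ecs.agent.hostname` is mapped as `long` while every sibling under `agent` is `keyword`; a hostname is a string, and because the order-10 template for the same `logs-*` pattern sets `index.mapping.ignore_malformed: true`, non-numeric hostnames would be silently dropped from the index rather than rejected, which is hard to spot afterwards. Change it to `"hostname": { "type": "keyword" }`. `event.code` as `long` is worth a second look for the same reason: ECS defines it as keyword, and if any provider emits a non-numeric code the value disappears the same way.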
@@ -0,0 +1,40 @@ +{ + "order": 20, + "index_patterns": [ "logs-*" ], + "version": 2020041901, + "mappings": { + "dynamic_templates": [ + { + "hashes": { + "match_mapping_type": "string", + "match": "hash*", + "mapping": { + "ignore_above": 2048, + "type": "keyword" + } + } + } + ], + "properties": { + "dst_original_value": { + "ignore_above": 32000, + "type": "keyword" + }, + "dst_nat_original_value": { + "ignore_above": 32000, + "type": "keyword" + }, + "host_uid": { + "type": "keyword" + }, + "src_original_value": { + "ignore_above": 32000, + "type": "keyword" + }, + "src_nat_original_value": { + "ignore_above": 32000, + "type": "keyword" + } + } + } +} diff --git a/docker/helk-logstash/output_templates/50-logs-winevent-all.json b/docker/helk-logstash/output_templates/50-helk-logs-winevent-all.json similarity index 52% rename from docker/helk-logstash/output_templates/50-logs-winevent-all.json rename to docker/helk-logstash/output_templates/50-helk-logs-winevent-all.json index eb902101..755edb49 100644 --- a/docker/helk-logstash/output_templates/50-logs-winevent-all.json +++ b/docker/helk-logstash/output_templates/50-helk-logs-winevent-all.json @@ -1,7 +1,7 @@ { "order": 50, "index_patterns": [ "logs-endpoint-winevent-*" ], - "version": 2019062301, + "version": 2019090101, "settings": { "analysis": { "analyzer": { @@ -46,22 +46,18 @@ "filter": [ "lowercase" ] } } - }, - "index": { - "mapping": { - "total_fields.limit": "3000" - } - }, - "refresh_interval": "30s" + } }, "mappings": { "properties":{ - "process_id":{"type":"integer"}, - "event_id":{"type":"integer"}, - "record_number":{"type":"long"}, + "event_id": { + "type":"long" + }, + "record_number":{ + "type":"long" + }, "keywords": { "type": "text", - "norms": false, "fields": { "keyword": { "type": "keyword" 
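Review bot: `"ignore_above": 32000` on the `dst_original_value`, `dst_nat_original_value`, `src_original_value` and `src_nat_original_value` keyword fields is measured in characters, but Lucene's per-term limit is 32766 bytes, so a value under 32000 characters that contains multi-byte UTF-8 can still exceed the limit and fail the whole document; as far as I know `ignore_malformed` does not cover keyword fields, so the order-10 setting will not rescue it. The same 32000 cap is used on the `keyword` subfields in the third hunk of `50-helk-logs-winevent-all.json` and in `51-helk-logs-winevent-winlogbeat-param-fields.json`. Either lower the cap so the worst case stays under the byte limit (10922 characters for 3-byte sequences, 8191 for 4-byte) or record in a `_meta` entry why the inputs are known to be ASCII.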
@@ -69,106 +65,190 @@ } }, "file_name": { - "type": "text", - "norms": false, "analyzer": "cli_n_file_analyzer", + "type": "text", "fields": { "keyword": { - "ignore_above": 7500, - "type": "keyword", - "eager_global_ordinals": true + "ignore_above": 32000, + "eager_global_ordinals": true, + "type": "keyword" } } }, "logon_process_name": { - "type": "text", - "norms": false, "analyzer": "cli_n_file_analyzer", + "type": "text", "fields": { "keyword": { - "ignore_above": 7500, - "type": "keyword", - "eager_global_ordinals": true + "ignore_above": 32000, + "eager_global_ordinals": true, + "type": "keyword" } } }, "object_name": { - "type": "text", - "norms": false, "analyzer": "cli_n_file_analyzer", + "type": "text", "fields": { "keyword": { - "ignore_above": 7500, + "ignore_above": 32000, "type": "keyword" } } }, "process_command_line": { - "type": "text", - "norms": false, "analyzer": "cli_n_file_analyzer", + "type": "text", "fields": { "keyword": { - "ignore_above": 7500, - "type": "keyword", - "eager_global_ordinals": true + "ignore_above": 32000, + "eager_global_ordinals": true, + "type": "keyword" } } }, "process_current_directory": { - "type": "text", - "norms": false, "analyzer": "cli_n_file_analyzer", + "type": "text", "fields": { "keyword": { - "ignore_above": 7500, + "ignore_above": 32000, + "eager_global_ordinals": true, "type": "keyword" } } }, "process_parent_path": { - "type": "text", - "norms": false, "analyzer": "cli_n_file_analyzer", + "type": "text", "fields": { "keyword": { - "ignore_above": 7500, - "type": "keyword", - "eager_global_ordinals": true + "ignore_above": 32000, + "eager_global_ordinals": true, + "type": "keyword" } } }, "process_parent_command_line": { - "type": "text", - "norms": false, "analyzer": "cli_n_file_analyzer", + "type": "text", "fields": { "keyword": { - "ignore_above": 7500, - "type": "keyword", - "eager_global_ordinals": true + "ignore_above": 32000, + "eager_global_ordinals": true, + "type": "keyword" } } }, 
"process_path": { - "type": "text", - "norms": false, "analyzer": "cli_n_file_analyzer", + "type": "text", "fields": { "keyword": { - "ignore_above": 7500, - "type": "keyword", - "eager_global_ordinals": true - } - } - }, - "process_target_id": { - "type": "long", - "fields": { - "keyword": { + "ignore_above": 32000, + "eager_global_ordinals": true, "type": "keyword" } } + }, + "object_access_mask": { + "type": "keyword" + }, + "process_id": { + "type":"long" + }, + "process_id_orig": { + "type":"keyword" + }, + "process_parent_id": { + "type":"long" + }, + "process_parent_id_orig": { + "type":"keyword" + }, + "process_granted_access": { + "type": "long" + }, + "process_granted_access_orig": { + "type": "keyword" + }, + "reporter_logon_id": { + "type": "long" + }, + "reporter_logon_id_orig": { + "type": "keyword" + }, + "target_process_id": { + "type": "long" + }, + "target_process_id_orig": { + "type": "keyword" + }, + "thread_id": { + "type": "long" + }, + "thread_id_orig": { + "type": "keyword" + }, + "thread_new_id": { + "type": "long" + }, + "thread_new_id_orig": { + "type": "keyword" + }, + "user_logon_id": { + "type": "long" + }, + "user_logon_id_orig": { + "type": "keyword" + }, + "user_session_id": { + "type":"long" + }, + "user_session_id_orig": { + "type":"keyword" + }, + "NewProcessId": { + "type": "long" + }, + "NewProcessId_orig": { + "type": "keyword" + }, + "ProcessId": { + "type": "long" + }, + "ProcessId_orig": { + "type": "keyword" + }, + "SubjectLogonId": { + "type": "long" + }, + "SubjectLogonId_orig": { + "type": "keyword" + }, + "TargetLogonId": { + "type": "long" + }, + "TargetLogonId_orig": { + "type": "keyword" + }, + "TargetProcessId": { + "type": "long" + }, + "TargetProcessId_orig": { + "type": "keyword" + }, + "ParentProcessId": { + "type": "long" + }, + "ParentProcessId_orig": { + "type": "keyword" + }, + "SourceProcessId": { + "type": "long" + }, + "SourceProcessId_orig": { + "type": "keyword" } } } 
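Review bot: Every analyzed text field in this hunk (`file_name` through `process_path`) loses `"norms": false`, which re-enables length-normalization data that only influences relevance scoring and costs disk on indices that are queried almost exclusively with filters; `process_current_directory` additionally gains `eager_global_ordinals`, which rebuilds global ordinals on every refresh. If both are deliberate, a short `"_meta": { "note": "..." }` entry under `mappings` explaining the trade-off would help the next maintainer; otherwise keep `"norms": false` on the text fields. The new `*_id`/`*_id_orig` pairs also mix `"type":"long"` and `"type": "long"` spacing in the same object; pick one form.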
diff --git a/docker/helk-logstash/output_templates/51-logs-winevent-winlogbeat-param-fields.json b/docker/helk-logstash/output_templates/51-helk-logs-winevent-winlogbeat-param-fields.json similarity index 75% rename from docker/helk-logstash/output_templates/51-logs-winevent-winlogbeat-param-fields.json rename to docker/helk-logstash/output_templates/51-helk-logs-winevent-winlogbeat-param-fields.json index 56169972..30d30f1f 100644 --- a/docker/helk-logstash/output_templates/51-logs-winevent-winlogbeat-param-fields.json +++ b/docker/helk-logstash/output_templates/51-helk-logs-winevent-winlogbeat-param-fields.json @@ -1,7 +1,7 @@ { "order": 51, "index_patterns": [ "logs-endpoint-winevent-*" ], - "version": 2019062301, + "version": 2019090101, "mappings": { "dynamic_templates": [ { @@ -10,11 +10,10 @@ "match": "^param\\d+$", "mapping": { "type": "text", - "norms": false, "fields": { "keyword": { - "type": "keyword", - "ignore_above": 2048 + "ignore_above": 32000, + "type": "keyword" } } } diff --git a/docker/helk-logstash/output_templates/60-powershell-direct-template.json b/docker/helk-logstash/output_templates/60-helk-powershell-direct.json similarity index 51% rename from docker/helk-logstash/output_templates/60-powershell-direct-template.json rename to docker/helk-logstash/output_templates/60-helk-powershell-direct.json index 42242740..ce1e953a 100644 --- a/docker/helk-logstash/output_templates/60-powershell-direct-template.json +++ b/docker/helk-logstash/output_templates/60-helk-powershell-direct.json @@ -1,10 +1,7 @@ { "order": 60, "index_patterns" : "logs-endpoint-powershell-direct-*", - "version": 2018080101, + "version": 2019090201, "mappings":{ - "properties":{ - "process_id":{"type":"integer"} - } } } \ No newline at end of file 
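Review bot: After the `properties` block is removed, `60-helk-powershell-direct.json` is an empty shell: `"mappings":{ }` contributes nothing, and `process_id` on `logs-endpoint-powershell-direct-*` (a pattern the order-50 `logs-endpoint-winevent-*` template does not cover) is now left to dynamic mapping, which types it from the first document seen. Either map it here in line with the winevent template, `"properties": { "process_id": { "type": "long" } }`, or delete the file; `71-helk-network-zeek.json` carries the same empty `mappings` placeholder. `"index_patterns" :` with a space before the colon and a bare string instead of the array used by the sibling templates is a further style inconsistency.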
diff --git a/docker/helk-logstash/output_templates/60-winevent-application-template.json b/docker/helk-logstash/output_templates/60-helk-winevent-application.json similarity index 100% rename from docker/helk-logstash/output_templates/60-winevent-application-template.json rename to docker/helk-logstash/output_templates/60-helk-winevent-application.json diff --git a/docker/helk-logstash/output_templates/60-winevent-powershell-template.json b/docker/helk-logstash/output_templates/60-helk-winevent-powershell.json similarity index 94% rename from docker/helk-logstash/output_templates/60-winevent-powershell-template.json rename to docker/helk-logstash/output_templates/60-helk-winevent-powershell.json index 0afe85b8..f220d697 100644 --- a/docker/helk-logstash/output_templates/60-winevent-powershell-template.json +++ b/docker/helk-logstash/output_templates/60-helk-winevent-powershell.json @@ -1,7 +1,7 @@ { "order": 60, "index_patterns": [ "logs-endpoint-winevent-powershell-*" ], - "version": 2018080201, + "version": 2019102401, "mappings":{ "properties": { "powershell": { @@ -19,6 +19,16 @@ } } }, + "invocation": { + "type": "text", + "norms": false, + "analyzer": "standard", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, "line": { "type": "text", "norms": false, diff --git a/docker/helk-logstash/output_templates/60-helk-winevent-security.json b/docker/helk-logstash/output_templates/60-helk-winevent-security.json new file mode 100644 index 00000000..1377d4b0 --- /dev/null +++ b/docker/helk-logstash/output_templates/60-helk-winevent-security.json @@ -0,0 +1,12 @@ +{ + "order": 60, + "index_patterns": "logs-endpoint-winevent-security-*", + "version": 2019090201, + "mappings":{ + "properties":{ + "@date_new_time":{"type":"date"}, + "@date_previous_time":{"type":"date"}, + "version":{"type":"long"} + } + } +} \ No newline at end of file 
diff --git a/docker/helk-logstash/output_templates/60-helk-winevent-sysmon.json b/docker/helk-logstash/output_templates/60-helk-winevent-sysmon.json new file mode 100644 index 00000000..4a52e6ef --- /dev/null +++ b/docker/helk-logstash/output_templates/60-helk-winevent-sysmon.json @@ -0,0 +1,24 @@ +{ + "order": 60, + "index_patterns": [ "logs-endpoint-winevent-sysmon-*" ], + "version": 2020041901, + "mappings":{ + "properties":{ + "file_creation_time":{"type":"date"}, + "file_previous_creation_time":{"type":"date"}, + "network_initiated":{"type":"boolean"}, + "thread_new_id":{"type":"integer"}, + "module_signed":{"type":"boolean"}, + "process_parent_id":{"type":"long"}, + "sysmon_version": { + "type": "float", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "version":{"type":"integer"} + } + } +} diff --git a/docker/helk-logstash/output_templates/60-winevent-system-template.json b/docker/helk-logstash/output_templates/60-helk-winevent-system.json similarity index 100% rename from docker/helk-logstash/output_templates/60-winevent-system-template.json rename to docker/helk-logstash/output_templates/60-helk-winevent-system.json diff --git a/docker/helk-logstash/output_templates/60-winevent-wmiactivity-template.json b/docker/helk-logstash/output_templates/60-helk-winevent-wmiactivity.json similarity index 100% rename from docker/helk-logstash/output_templates/60-winevent-wmiactivity-template.json rename to docker/helk-logstash/output_templates/60-helk-winevent-wmiactivity.json diff --git a/docker/helk-logstash/output_templates/60-winevent-security-template.json b/docker/helk-logstash/output_templates/60-winevent-security-template.json deleted file mode 100644 index ba7a7f3d..00000000 --- a/docker/helk-logstash/output_templates/60-winevent-security-template.json +++ /dev/null 
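Review bot: `thread_new_id` is mapped as `integer` here but as `long` in the third hunk of `50-helk-logs-winevent-all.json`, whose `logs-endpoint-winevent-*` pattern also matches sysmon indices; since order 60 overrides order 50, sysmon indices end up with `integer` and every other winevent index with `long` for the same field, and `version` likewise differs from the `long` used in `60-helk-winevent-security.json`. Use `"thread_new_id":{"type":"long"}` and `"version":{"type":"long"}` unless the narrower types are deliberate. `sysmon_version` as `float` collapses values such as `10.40` and `10.4`; the `keyword` subfield keeps the raw string, so visualizations should display `sysmon_version.keyword`.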
@@ -1,17 +0,0 @@ -{ - "order": 60, - "index_patterns": "logs-endpoint-winevent-security-*", - "version": 2018080101, - "mappings":{ - "properties":{ - "@date_new_time":{"type":"date"}, - "@date_previous_time":{"type":"date"}, - "target_process_id":{"type":"integer"}, - "process_parent_id":{"type":"integer"}, - "user_session_id":{"type":"integer"}, - "src_port":{"type":"integer"}, - "dst_port":{"type":"integer"}, - "version":{"type":"integer"} - } - } -} \ No newline at end of file diff --git a/docker/helk-logstash/output_templates/60-winevent-sysmon-template.json b/docker/helk-logstash/output_templates/60-winevent-sysmon-template.json deleted file mode 100644 index 4dc98367..00000000 --- a/docker/helk-logstash/output_templates/60-winevent-sysmon-template.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "order": 60, - "index_patterns": [ "logs-endpoint-winevent-sysmon-*" ], - "version": 2019062301, - "settings": { - "index.refresh_interval": "5s" - }, - "mappings":{ - "properties":{ - "@event_date_creation":{"type":"date"}, - "@file_date_creation":{"type":"date"}, - "@file_previous_date_creation":{"type":"date"}, - "dst_port":{"type":"integer"}, - "src_port":{"type":"integer"}, - "network_initiated":{"type":"boolean"}, - "thread_new_id":{"type":"integer"}, - "module_signed":{"type":"boolean"}, - "process_parent_id":{"type":"integer"}, - "sysmon_version": { - "type": "float", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "target_process_id":{"type":"integer"}, - "user_session_id":{"type":"integer"}, - "thread_id":{"type":"integer"}, - "version":{"type":"integer"} - } - } -} diff --git a/docker/helk-logstash/output_templates/71-helk-indexme-zeek.json b/docker/helk-logstash/output_templates/71-helk-indexme-zeek.json new file mode 100644 index 00000000..ed2a872f --- /dev/null +++ b/docker/helk-logstash/output_templates/71-helk-indexme-zeek.json 
@@ -0,0 +1,47 @@
+{
+ "order": 11,
+ "index_patterns": [ "indexme-zeek-*" ],
+ "version": 2020050201,
+ "settings": {
+ "index": {
+ "mapping": {
+ "ignore_malformed": true,
+ "total_fields.limit": "5000",
+ "coerce": true
+ }
+ },
+ "refresh_interval": "30s",
+ "number_of_replicas": 0,
+ "number_of_shards": 1
+ },
+ "mappings": {
+ "dynamic": "true",
+ "dynamic_templates": [
+ {
+ "strings": {
+ "match_mapping_type": "string",
+ "mapping": {
+ "ignore_above": 12048,
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ ],
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "id.orig_h": {
+ "type": "ip"
+ },
+ "id.resp_h": {
+ "type": "ip"
+ }
+ }
+ }
+}
diff --git a/docker/helk-logstash/output_templates/71-helk-network-zeek.json b/docker/helk-logstash/output_templates/71-helk-network-zeek.json
new file mode 100644
index 00000000..45b656c3
--- /dev/null
+++ b/docker/helk-logstash/output_templates/71-helk-network-zeek.json
@@ -0,0 +1,7 @@
+{
+ "order": 71,
+ "index_patterns": [ "logs-network-zeek-*" ],
+ "version": 2019092401,
+ "mappings":{
+ }
+}
\ No newline at end of file
diff --git a/docker/helk-logstash/output_templates/82-logs-not-ip.json b/docker/helk-logstash/output_templates/82-helk-logs-not-ip.json
similarity index 100%
rename from docker/helk-logstash/output_templates/82-logs-not-ip.json
rename to docker/helk-logstash/output_templates/82-helk-logs-not-ip.json
diff --git a/docker/helk-logstash/output_templates/88-logs-meta-enrichment-for-endpoints.json b/docker/helk-logstash/output_templates/88-helk-logs-meta-enrichment-for-endpoints.json
similarity index 92%
rename from docker/helk-logstash/output_templates/88-logs-meta-enrichment-for-endpoints.json
rename to docker/helk-logstash/output_templates/88-helk-logs-meta-enrichment-for-endpoints.json
index aceafd45..1c802832 100644
--- a/docker/helk-logstash/output_templates/88-logs-meta-enrichment-for-endpoints.json
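Review bot: `"order": 11` in `71-helk-indexme-zeek.json` neither matches the file's `71-` prefix nor differs from the order of `11-helk-indexme.json`, whose `indexme-*` pattern also matches `indexme-zeek-*`; Elasticsearch gives no guarantee about the merge sequence of same-order templates, so which copy of the `strings` dynamic template and settings wins is left to chance. Set `"order": 71` so the zeek template reliably layers on top, at which point the settings and dynamic template duplicated from the order-11 file can be dropped and only the `@timestamp`/`id.orig_h`/`id.resp_h` properties kept. The `ignore_above` on the `text` mapping has the same problem as in `11-helk-indexme.json`.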
+++ b/docker/helk-logstash/output_templates/88-helk-logs-meta-enrichment-for-endpoints.json @@ -19,7 +19,7 @@ "meta_user_reporter_name_is_machine": { "type": "boolean" }, - "meta_user_target_name_is_machine": { + "meta_target_user_name_is_machine": { "type": "boolean" } } diff --git a/docker/helk-logstash/output_templates/88-logs-meta-enrichment-for-powershell.json b/docker/helk-logstash/output_templates/88-helk-logs-meta-enrichment-for-powershell.json similarity index 100% rename from docker/helk-logstash/output_templates/88-logs-meta-enrichment-for-powershell.json rename to docker/helk-logstash/output_templates/88-helk-logs-meta-enrichment-for-powershell.json diff --git a/docker/helk-logstash/output_templates/89-logs-fingerprints-for-endpoints.json b/docker/helk-logstash/output_templates/89-helk-logs-fingerprints-for-endpoints.json similarity index 100% rename from docker/helk-logstash/output_templates/89-logs-fingerprints-for-endpoints.json rename to docker/helk-logstash/output_templates/89-helk-logs-fingerprints-for-endpoints.json diff --git a/docker/helk-logstash/output_templates/89-logs-fingerprints-powershell.json b/docker/helk-logstash/output_templates/89-helk-logs-fingerprints-powershell.json similarity index 100% rename from docker/helk-logstash/output_templates/89-logs-fingerprints-powershell.json rename to docker/helk-logstash/output_templates/89-helk-logs-fingerprints-powershell.json diff --git a/docker/helk-logstash/output_templates/90-logs-not-ip.json b/docker/helk-logstash/output_templates/90-helk-logs-not-ip.json similarity index 100% rename from docker/helk-logstash/output_templates/90-logs-not-ip.json rename to docker/helk-logstash/output_templates/90-helk-logs-not-ip.json diff --git a/docker/helk-logstash/output_templates/91-helk-logs-network-fields.json b/docker/helk-logstash/output_templates/91-helk-logs-network-fields.json new file mode 100644 index 00000000..d190114e --- /dev/null 
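Review bot: Renaming `meta_user_target_name_is_machine` to `meta_target_user_name_is_machine` only affects indices created after the template is reloaded; existing indices keep the old field, so a saved search on the new name silently misses historical data, and the pipeline filter that populates it is not visible in this hunk to confirm it was renamed too. Consider keeping the old name as an alias next to the new field, `"meta_user_target_name_is_machine": { "type": "alias", "path": "meta_target_user_name_is_machine" }`, so queries using either spelling keep working. The enclosing `properties` block starts and ends outside the hunk.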
+++ b/docker/helk-logstash/output_templates/91-helk-logs-network-fields.json @@ -0,0 +1,69 @@ +{ + "order": 91, + "index_patterns": [ "logs-*" ], + "version": 2019090201, + "mappings": { + "properties": { + "dst_port": { + "type": "long" + }, + "dst_nat_port": { + "type": "long" + }, + "src_port": { + "type": "long" + }, + "src_nat_port": { + "type": "long" + }, + "fingerprint_network_community_id": { + "type": "keyword" + }, + "network_application_name": { + "type": "keyword" + }, + "network_application_protocol": { + "type": "keyword" + }, + "network_protocol": { + "type": "keyword" + }, + "destination": { + "properties": { + "port": { + "type": "alias", + "path": "dst_port" + } + } + }, + "source": { + "properties": { + "port": { + "type": "alias", + "path": "src_port" + } + } + }, + "network": { + "properties": { + "application": { + "type": "alias", + "path": "network_application_name" + }, + "community_id": { + "type": "alias", + "path": "fingerprint_network_community_id" + }, + "protocol": { + "type": "alias", + "path": "network_application_protocol" + }, + "transport": { + "type": "alias", + "path": "network_protocol" + } + } + } + } + } +} \ No newline at end of file diff --git a/docker/helk-logstash/output_templates/91-logs-ip-dst-nat.json b/docker/helk-logstash/output_templates/91-logs-ip-dst-nat.json deleted file mode 100644 index 3a45a8a7..00000000 --- a/docker/helk-logstash/output_templates/91-logs-ip-dst-nat.json +++ /dev/null 
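Review bot: The alias pairing under `network` reads backwards at first glance: ECS `network.protocol` (application layer) points at `network_application_protocol`, while ECS `network.transport` (tcp/udp) points at `network_protocol`. That is consistent with ECS only if `network_protocol` holds the transport, and nothing in the file says so; a `"_meta": { "note": "network_protocol = L4 transport, network_application_protocol = L7 protocol" }` entry under `mappings` would spare the next reader the cross-check against the Logstash filters. The four port fields are mapped as `long` although `integer` suffices and matches ECS's `source.port`/`destination.port`.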
@@ -1,91 +0,0 @@ -{ - "order": 91, - "index_patterns": [ "logs-*" ], - "version": 20190603, - "mappings": { - "properties": { - "dst_nat_ip_addr": { - "type": "ip", - "copy_to": "any_ip_addr" - }, - "dst_nat_ip_public": { - "type": "boolean" - }, - "dst_nat_ip_rfc": { - "type": "keyword" - }, - "dst_nat_ip_type": { - "type": "keyword" - }, - "dst_nat_ip_version": { - "type": "keyword" - }, - "meta_dst_nat_ip_geo": { - "properties": { - "asn": { - "type": "integer", - "copy_to": "any_ip_geo.asn" - }, - "as_org": { - "type": "text", - "norms": false, - "copy_to": "any_ip_geo.as_org", - "fields": { - "keyword": { - "type": "keyword", - "eager_global_ordinals": true - } - } - }, - "country_code2": { - "type": "keyword" - }, - "country_code3": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "region_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "city_name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "latitude": { - "type": "keyword", - "index": false, - "doc_values": false - }, - "longitude": { - "type": "keyword", - "index": false, - "doc_values": false - }, - "dma_code": { - "type": "integer" - }, - "area_code": { - "type": "integer" - }, - "timezone": { - "type": "keyword", - "index": false - }, - "location": { - "type": "geo_point" - } - } - } - } - } -} \ No newline at end of file diff --git a/docker/helk-logstash/output_templates/91-logs-ip-dst.json b/docker/helk-logstash/output_templates/91-logs-ip-dst.json deleted file mode 100644 index 4ca3fdf5..00000000 --- a/docker/helk-logstash/output_templates/91-logs-ip-dst.json +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "order": 91, - "index_patterns": [ "logs-*" ], - "version": 20190603, - "mappings": { - "properties": { - "dst_ip_addr": { - "type": "ip", - "copy_to": "any_ip_addr" - }, - "dst_ip_public": { - "type": "boolean" - }, - "dst_ip_rfc": { - "type": "keyword" - }, - "dst_ip_type": { - "type": "keyword" - }, - "dst_ip_version": { - "type": "keyword" - }, - "meta_dst_ip_geo": { - "properties": { - "asn": { - "type": "integer", - "copy_to": "any_ip_geo.asn" - }, - "as_org": { - "type": "text", - "norms": false, - "copy_to": "any_ip_geo.as_org", - "fields": { - "keyword": { - "type": "keyword", - "eager_global_ordinals": true - } - } - }, - "country_code2": { - "type": "keyword" - }, - "country_code3": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "region_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "city_name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "latitude": { - "type": "keyword", - "index": false, - "doc_values": false - }, - "longitude": { - "type": "keyword", - "index": false, - "doc_values": false - }, - "dma_code": { - "type": "integer" - }, - "area_code": { - "type": "integer" - }, - "timezone": { - "type": "keyword", - "index": false - }, - "location": { - "type": "geo_point" - } - } - }, - "destination": { - "properties": { - "ip": { - "type": "alias", - "path": "dst_ip_addr" - } - } - } - } - } -} \ No newline at end of file diff --git a/docker/helk-logstash/output_templates/91-logs-ip-src-nat.json b/docker/helk-logstash/output_templates/91-logs-ip-src-nat.json deleted file mode 100644 index 56d81833..00000000 --- a/docker/helk-logstash/output_templates/91-logs-ip-src-nat.json +++ /dev/null 
@@ -1,91 +0,0 @@ -{ - "order": 91, - "index_patterns": [ "logs-*" ], - "version": 20190603, - "mappings": { - "properties": { - "src_nat_ip_addr": { - "type": "ip", - "copy_to": "any_ip_addr" - }, - "src_nat_ip_public": { - "type": "boolean" - }, - "src_nat_ip_rfc": { - "type": "keyword" - }, - "src_nat_ip_type": { - "type": "keyword" - }, - "src_nat_ip_version": { - "type": "keyword" - }, - "meta_src_nat_ip_geo": { - "properties": { - "asn": { - "type": "integer", - "copy_to": "any_ip_geo.asn" - }, - "as_org": { - "type": "text", - "norms": false, - "copy_to": "any_ip_geo.as_org", - "fields": { - "keyword": { - "type": "keyword", - "eager_global_ordinals": true - } - } - }, - "country_code2": { - "type": "keyword" - }, - "country_code3": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "region_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "city_name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "latitude": { - "type": "keyword", - "index": false, - "doc_values": false - }, - "longitude": { - "type": "keyword", - "index": false, - "doc_values": false - }, - "dma_code": { - "type": "integer" - }, - "area_code": { - "type": "integer" - }, - "timezone": { - "type": "keyword", - "index": false - }, - "location": { - "type": "geo_point" - } - } - } - } - } -} \ No newline at end of file diff --git a/docker/helk-logstash/output_templates/91-logs-ip-src.json b/docker/helk-logstash/output_templates/91-logs-ip-src.json deleted file mode 100644 index 86a5e964..00000000 --- a/docker/helk-logstash/output_templates/91-logs-ip-src.json +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "order": 91, - "index_patterns": [ "logs-*" ], - "version": 20190603, - "mappings": { - "properties": { - "src_ip_addr": { - "type": "ip", - "copy_to": "any_ip_addr" - }, - "src_ip_public": { - "type": "boolean" - }, - "src_ip_rfc": { - "type": "keyword" - }, - "src_ip_type": { - "type": "keyword" - }, - "src_ip_version": { - "type": "keyword" - }, - "meta_src_ip_geo": { - "properties": { - "asn": { - "type": "integer", - "copy_to": "any_ip_geo.asn" - }, - "as_org": { - "type": "text", - "norms": false, - "copy_to": "any_ip_geo.as_org", - "fields": { - "keyword": { - "type": "keyword", - "eager_global_ordinals": true - } - } - }, - "country_code2": { - "type": "keyword" - }, - "country_code3": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "region_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "city_name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "latitude": { - "type": "keyword", - "index": false, - "doc_values": false - }, - "longitude": { - "type": "keyword", - "index": false, - "doc_values": false - }, - "dma_code": { - "type": "integer" - }, - "area_code": { - "type": "integer" - }, - "timezone": { - "type": "keyword", - "index": false - }, - "location": { - "type": "geo_point" - } - } - }, - "source": { - "properties": { - "ip": { - "type": "alias", - "path": "src_ip_addr" - } - } - } - } - } -} \ No newline at end of file diff --git a/docker/helk-logstash/output_templates/92-helk-logs-ips.json b/docker/helk-logstash/output_templates/92-helk-logs-ips.json new file mode 100644 index 00000000..7bf1526b --- /dev/null +++ b/docker/helk-logstash/output_templates/92-helk-logs-ips.json 
@@ -0,0 +1,642 @@ +{ + "order": 92, + "index_patterns": [ "logs-*" ], + "version": 2020041401, + "mappings": { + "properties": { + "dst_ip_addr": { + "type": "ip", + "copy_to": "any_ip_addr", + "fields": { + "keyword": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dst_ip_public": { + "type": "boolean" + }, + "dst_ip_rfc": { + "type": "keyword" + }, + "dst_ip_type": { + "type": "keyword" + }, + "dst_ip_version": { + "type": "keyword" + }, + "dst_is_ipv6": { + "type": "boolean" + }, + "dst_nat_ip_addr": { + "type": "ip", + "copy_to": "any_ip_addr", + "fields": { + "keyword": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dst_nat_ip_public": { + "type": "boolean" + }, + "dst_nat_ip_rfc": { + "type": "keyword" + }, + "dst_nat_ip_type": { + "type": "keyword" + }, + "dst_nat_ip_version": { + "type": "keyword" + }, + "dst_nat_is_ipv6": { + "type": "boolean" + }, + "src_ip_addr": { + "type": "ip", + "copy_to": "any_ip_addr", + "fields": { + "keyword": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "src_ip_public": { + "type": "boolean" + }, + "src_ip_rfc": { + "type": "keyword" + }, + "src_ip_type": { + "type": "keyword" + }, + "src_ip_version": { + "type": "keyword" + }, + "src_is_ipv6": { + "type": "boolean" + }, + "src_nat_ip_addr": { + "type": "ip", + "copy_to": "any_ip_addr", + "fields": { + "keyword": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "src_nat_ip_public": { + "type": "boolean" + }, + "src_nat_ip_rfc": { + "type": "keyword" + }, + "src_nat_ip_type": { + "type": "keyword" + }, + "src_nat_ip_version": { + "type": "keyword" + }, + "src_nat_is_ipv6": { + "type": "boolean" + }, + "meta_dst_ip_geo": { + "properties": { + "asn": { + "type": "integer", + "copy_to": "any_ip_geo.asn" + }, + "as_org": { + "copy_to": "any_ip_geo.as_org", + "type": "text", + "analyzer": "standard", + "fields": { + "keyword": { + "eager_global_ordinals": true, + "type": "keyword" + } + } + }, + "country_code2": { + "type": 
"keyword" + }, + "country_code3": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "region_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "city_name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "latitude": { + "type": "keyword", + "index": false, + "doc_values": false + }, + "longitude": { + "type": "keyword", + "index": false, + "doc_values": false + }, + "dma_code": { + "type": "integer" + }, + "area_code": { + "type": "integer" + }, + "timezone": { + "type": "keyword", + "index": false + }, + "location": { + "type": "geo_point" + } + } + }, + "meta_dst_nat_ip_geo": { + "properties": { + "asn": { + "type": "integer", + "copy_to": "any_ip_geo.asn" + }, + "as_org": { + "copy_to": "any_ip_geo.as_org", + "type": "text", + "fields": { + "keyword": { + "eager_global_ordinals": true, + "type": "keyword" + } + } + }, + "country_code2": { + "type": "keyword" + }, + "country_code3": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "region_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "city_name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "latitude": { + "type": "keyword", + "index": false, + "doc_values": false + }, + "longitude": { + "type": "keyword", + "index": false, + "doc_values": false + }, + "dma_code": { + "type": "integer" + }, + "area_code": { + "type": "integer" + }, + "timezone": { + "type": "keyword", + "index": false + }, + "location": { + "type": "geo_point" + } + } + }, + "meta_src_ip_geo": { + "properties": { + "asn": { + "type": "integer", + "copy_to": "any_ip_geo.asn" + }, + "as_org": { + "copy_to": "any_ip_geo.as_org", + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "eager_global_ordinals": true + } + } + }, + "country_code2": { + "type": "keyword" + }, + 
"country_code3": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "region_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "city_name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "latitude": { + "type": "keyword", + "index": false, + "doc_values": false + }, + "longitude": { + "type": "keyword", + "index": false, + "doc_values": false + }, + "dma_code": { + "type": "integer" + }, + "area_code": { + "type": "integer" + }, + "timezone": { + "type": "keyword", + "index": false + }, + "location": { + "type": "geo_point" + } + } + }, + "meta_src_nat_ip_geo": { + "properties": { + "asn": { + "type": "integer", + "copy_to": "any_ip_geo.asn" + }, + "as_org": { + "copy_to": "any_ip_geo.as_org", + "type": "text", + "fields": { + "keyword": { + "eager_global_ordinals": true, + "type": "keyword" + } + } + }, + "country_code2": { + "type": "keyword" + }, + "country_code3": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "region_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "city_name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "latitude": { + "type": "keyword", + "index": false, + "doc_values": false + }, + "longitude": { + "type": "keyword", + "index": false, + "doc_values": false + }, + "dma_code": { + "type": "integer" + }, + "area_code": { + "type": "integer" + }, + "timezone": { + "type": "keyword", + "index": false + }, + "location": { + "type": "geo_point" + } + } + }, + "destination": { + "properties": { + "ip": { + "type": "alias", + "path": "dst_ip_addr" + }, + "as": { + "properties": { + "number": { + "type": "alias", + "path": "meta_dst_ip_geo.asn" + }, + "organization": { + "properties": { + "name": { + "type": "alias", + "path": "meta_dst_ip_geo.as_org" + } + } + } + } + }, + "geo": { + 
"properties": { + "continent_code": { + "type": "alias", + "path": "meta_dst_ip_geo.continent_code" + }, + "country_code2": { + "type": "alias", + "path": "meta_dst_ip_geo.country_code2" + }, + "country_code3": { + "type": "alias", + "path": "meta_dst_ip_geo.country_code3" + }, + "country_name": { + "type": "alias", + "path": "meta_dst_ip_geo.country_name" + }, + "latitude": { + "type": "alias", + "path": "meta_dst_ip_geo.latitude" + }, + "location": { + "type": "alias", + "path": "meta_dst_ip_geo.location" + }, + "longitude": { + "type": "alias", + "path": "meta_dst_ip_geo.longitude" + }, + "postal_code": { + "type": "alias", + "path": "meta_dst_ip_geo.postal_code" + }, + "region_name": { + "type": "alias", + "path": "meta_dst_ip_geo.region_name" + }, + "timezone": { + "type": "alias", + "path": "meta_dst_ip_geo.timezone" + } + } + }, + "nat": { + "properties": { + "ip": { + "type": "alias", + "path": "dst_nat_ip_addr" + }, + "as": { + "properties": { + "number": { + "type": "alias", + "path": "meta_dst_nat_ip_geo.asn" + }, + "organization": { + "properties": { + "name": { + "type": "alias", + "path": "meta_dst_nat_ip_geo.as_org" + } + } + } + } + }, + "geo": { + "properties": { + "continent_code": { + "type": "alias", + "path": "meta_dst_nat_ip_geo.continent_code" + }, + "country_code2": { + "type": "alias", + "path": "meta_dst_nat_ip_geo.country_code2" + }, + "country_code3": { + "type": "alias", + "path": "meta_dst_nat_ip_geo.country_code3" + }, + "country_name": { + "type": "alias", + "path": "meta_dst_nat_ip_geo.country_name" + }, + "latitude": { + "type": "alias", + "path": "meta_dst_nat_ip_geo.latitude" + }, + "location": { + "type": "alias", + "path": "meta_dst_nat_ip_geo.location" + }, + "longitude": { + "type": "alias", + "path": "meta_dst_nat_ip_geo.longitude" + }, + "postal_code": { + "type": "alias", + "path": "meta_dst_nat_ip_geo.postal_code" + }, + "region_name": { + "type": "alias", + "path": "meta_dst_nat_ip_geo.region_name" + }, + "timezone": { + 
"type": "alias", + "path": "meta_dst_nat_ip_geo.timezone" + } + } + } + } + } + } + }, + "source": { + "properties": { + "ip": { + "type": "alias", + "path": "src_ip_addr" + }, + "as": { + "properties": { + "number": { + "type": "alias", + "path": "meta_src_ip_geo.asn" + }, + "organization": { + "properties": { + "name": { + "type": "alias", + "path": "meta_src_ip_geo.as_org" + } + } + } + } + }, + "geo": { + "properties": { + "continent_code": { + "type": "alias", + "path": "meta_src_ip_geo.continent_code" + }, + "country_code2": { + "type": "alias", + "path": "meta_src_ip_geo.country_code2" + }, + "country_code3": { + "type": "alias", + "path": "meta_src_ip_geo.country_code3" + }, + "country_name": { + "type": "alias", + "path": "meta_src_ip_geo.country_name" + }, + "latitude": { + "type": "alias", + "path": "meta_src_ip_geo.latitude" + }, + "location": { + "type": "alias", + "path": "meta_src_ip_geo.location" + }, + "longitude": { + "type": "alias", + "path": "meta_src_ip_geo.longitude" + }, + "postal_code": { + "type": "alias", + "path": "meta_src_ip_geo.postal_code" + }, + "region_name": { + "type": "alias", + "path": "meta_src_ip_geo.region_name" + }, + "timezone": { + "type": "alias", + "path": "meta_src_ip_geo.timezone" + } + } + }, + "nat": { + "properties": { + "ip": { + "type": "alias", + "path": "src_nat_ip_addr" + }, + "as": { + "properties": { + "number": { + "type": "alias", + "path": "meta_src_nat_ip_geo.asn" + }, + "organization": { + "properties": { + "name": { + "type": "alias", + "path": "meta_src_nat_ip_geo.as_org" + } + } + } + } + }, + "geo": { + "properties": { + "continent_code": { + "type": "alias", + "path": "meta_src_nat_ip_geo.continent_code" + }, + "country_code2": { + "type": "alias", + "path": "meta_src_nat_ip_geo.country_code2" + }, + "country_code3": { + "type": "alias", + "path": "meta_src_nat_ip_geo.country_code3" + }, + "country_name": { + "type": "alias", + "path": "meta_src_nat_ip_geo.country_name" + }, + "latitude": { + 
"type": "alias", + "path": "meta_src_nat_ip_geo.latitude" + }, + "location": { + "type": "alias", + "path": "meta_src_nat_ip_geo.location" + }, + "longitude": { + "type": "alias", + "path": "meta_src_nat_ip_geo.longitude" + }, + "postal_code": { + "type": "alias", + "path": "meta_src_nat_ip_geo.postal_code" + }, + "region_name": { + "type": "alias", + "path": "meta_src_nat_ip_geo.region_name" + }, + "timezone": { + "type": "alias", + "path": "meta_src_nat_ip_geo.timezone" + } + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/docker/helk-logstash/output_templates/93-logs-ipv6-dst-nat.json b/docker/helk-logstash/output_templates/93-logs-ipv6-dst-nat.json deleted file mode 100644 index ab14f926..00000000 --- a/docker/helk-logstash/output_templates/93-logs-ipv6-dst-nat.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "order": 91, - "index_patterns": [ "nonexist" ], - "version": 2019060301 -} \ No newline at end of file diff --git a/docker/helk-logstash/output_templates/93-logs-ipv6-dst.json b/docker/helk-logstash/output_templates/93-logs-ipv6-dst.json deleted file mode 100644 index ab14f926..00000000 --- a/docker/helk-logstash/output_templates/93-logs-ipv6-dst.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "order": 91, - "index_patterns": [ "nonexist" ], - "version": 2019060301 -} \ No newline at end of file diff --git a/docker/helk-logstash/output_templates/93-logs-ipv6-src-nat.json b/docker/helk-logstash/output_templates/93-logs-ipv6-src-nat.json deleted file mode 100644 index ab14f926..00000000 --- a/docker/helk-logstash/output_templates/93-logs-ipv6-src-nat.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "order": 91, - "index_patterns": [ "nonexist" ], - "version": 2019060301 -} \ No newline at end of file diff --git a/docker/helk-logstash/output_templates/93-logs-ipv6-src.json b/docker/helk-logstash/output_templates/93-logs-ipv6-src.json deleted file mode 100644 index ab14f926..00000000 
--- a/docker/helk-logstash/output_templates/93-logs-ipv6-src.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "order": 91, - "index_patterns": [ "nonexist" ], - "version": 2019060301 -} \ No newline at end of file diff --git a/docker/helk-logstash/output_templates/99-helk-logs-all-dynamic_templates.json b/docker/helk-logstash/output_templates/99-helk-logs-all-dynamic_templates.json new file mode 100644 index 00000000..a71004e4 --- /dev/null +++ b/docker/helk-logstash/output_templates/99-helk-logs-all-dynamic_templates.json @@ -0,0 +1,24 @@ +{ + "order": 99, + "index_patterns": [ "logs-*" ], + "version": 2020042501, + "mappings": { + "dynamic": "true", + "dynamic_templates": [ + { + "strings": { + "match_mapping_type": "string", + "mapping": { + "type": "text", + "fields": { + "keyword": { + "ignore_above": 32000, + "type": "keyword" + } + } + } + } + } + ] + } +} diff --git a/docker/helk-logstash/output_templates/99-logs-any-fields.json b/docker/helk-logstash/output_templates/99-helk-logs-any-fields.json similarity index 62% rename from docker/helk-logstash/output_templates/99-logs-any-fields.json rename to docker/helk-logstash/output_templates/99-helk-logs-any-fields.json index f0c95505..25c6ae58 100644 --- a/docker/helk-logstash/output_templates/99-logs-any-fields.json +++ b/docker/helk-logstash/output_templates/99-helk-logs-any-fields.json @@ -1,7 +1,7 @@ { "order": 99, "index_patterns": [ "logs-*" ], - "version": 2019060301, + "version": 2019090101, "mappings": { "properties": { "any_ip_addr": { @@ -15,13 +15,15 @@ }, "as_org": { "type": "text", - "norms": false + "analyzer": "standard", + "fields": { + "keyword": { + "type": "keyword" + } + } } } }, - "fingerprint_network_community_id": { - "type": "keyword" - }, "related": { "properties": { "ip": { @@ -29,14 +31,6 @@ "path": "any_ip_addr" } } - }, - "network": { - "properties": { - "community_id": { - "type": "alias", - "path": "fingerprint_network_community_id" - } - } } } } 
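Review bot: `"ignore_above": 32000` in the `strings` dynamic template is a character count, while Lucene's per-term limit (32766) is in bytes, so a multi-byte string shorter than 32000 characters can still exceed the term limit and have the whole document rejected; a ceiling of roughly 10922 characters, or a much lower one appropriate for log fields, is safe for any UTF-8 input. This template and `99-helk-logs-any-fields.json` both use `"order": 99` on `logs-*`; they define disjoint keys so nothing collides today, but a comment such as `"_comment": "order 99 shared with 99-helk-logs-any-fields.json; keep keys disjoint"` is cheap insurance since templates with equal order have no defined merge precedence.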
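Review bot: The `@@ -15,13 +15,15 @@` hunk removes the `fingerprint_network_community_id` keyword mapping (and the `network.community_id` alias), yet `1090-helk-ecs_to_ossem-filter.conf` in this same commit renames `[network][community_id]` into exactly that field; with no explicit mapping left, the new `strings` dynamic template maps the Community ID as `text` with a keyword sub-field, so a hash value gets analysed for no benefit and the top-level field can no longer be used directly in term aggregations. If the mapping is meant to move to another template, that template is not in this commit; otherwise keep `"fingerprint_network_community_id": { "type": "keyword" }` here.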
diff --git a/docker/helk-logstash/output_templates/990-helk-cloned-logs.json b/docker/helk-logstash/output_templates/990-helk-cloned-logs.json
new file mode 100644
index 00000000..85432bae
--- /dev/null
+++ b/docker/helk-logstash/output_templates/990-helk-cloned-logs.json
@@ -0,0 +1,59 @@
+{
+ "order": 990,
+ "index_patterns": [
+ "original-logs-clone-*"
+ ],
+ "version": 2019101801,
+ "settings": {
+ "index": {
+ "codec": "best_compression",
+ "mapping": {
+ "total_fields.limit": "10000"
+ }
+ },
+ "refresh_interval": "35s",
+ "number_of_replicas": 0,
+ "number_of_shards": 5
+ },
+ "mappings": {
+ "dynamic": "true",
+ "dynamic_templates": [
+ {
+ "strings": {
+ "match_mapping_type": "string",
+ "mapping": {
+ "type": "keyword",
+ "doc_values": false,
+ "norms": false
+ }
+ }
+ }
+ ],
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "cloned": {
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "agent": {
+ "properties": {
+ "type": {
+ "type": "keyword"
+ }
+ }
+ },
+ "log_hash": {
+ "type": "keyword",
+ "doc_values": false
+ },
+ "type": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/docker/helk-logstash/pipeline/0002-kafka-input.conf b/docker/helk-logstash/pipeline/0002-kafka-input.conf
index 076d7429..6a84d0c7 100644
--- a/docker/helk-logstash/pipeline/0002-kafka-input.conf
+++ b/docker/helk-logstash/pipeline/0002-kafka-input.conf
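Review bot: `cloned.log_hash` is declared `keyword` with `"doc_values": false`, which leaves it searchable but unusable in term aggregations, sorts or scripts; if the clone index exists to find duplicate events by hash (the field name suggests so), the default `doc_values: true` is needed. `"number_of_replicas": 0` also means a single copy of every clone document, which is reasonable for a disposable index but should be stated, e.g. a `"_comment": "clone index is disposable: no replicas, 35s refresh"` key next to `settings`.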
@@ -9,25 +9,17 @@ input { topics => ["winlogbeat","winevent","SYSMON_JOIN","filebeat"] decorate_events => true codec => "json" + #max_poll_records => 500 ############################# HELK Kafka Group Consumption ############################# - # Enable logstash to not continously restart consumption of docs/logs it already has. However if you need it to, then change the 'group_id' value to something else (ex: could be a simple value like '100_helk_logstash') - enable_auto_commit => "true" - # During group_id or client_id changes, the kafka clinet will consume from earliest document so as not to lose data + # Enable logstash to not continuously restart consumption of docs/logs it already has. However if you need it to, then change the 'group_id' value to something else (ex: could be a simple value like '100_helk_logstash') + enable_auto_commit => true + # During group_id or client_id changes, the kafka client will consume from earliest document so as not to lose data auto_offset_reset => "earliest" # If you have multiple logstash instances, this is your ID so that each instance consumes a slice of the Kafka pie. 
# No need to change this unless you know what your doing and for some reason have the need group_id => "helk_logstash" - # Change to number of Kafka partitions, only change/set if scaling on large environment & customized your Kafka paritions + # Change to number of Kafka partitions, only change/set if scaling on large environment & customized your Kafka partitions # Default value is 1, read documentation for more info: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-kafka.html#plugins-inputs-kafka-consumer_threads consumer_threads => 2 - ############################# HELK Optimizing Throughput ############################# - #fetch_min_bytes => "1024" - #request_timeout_ms => "40000" - ############################# HELK Optimizing Availability ############################# - #connections_max_idle_ms => "540000" - #session_timeout_ms => "30000" - #max_poll_interval_ms => "300000" - ############################# - #max_poll_records => "500" } } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/0006-kafka-zeek-input.conf b/docker/helk-logstash/pipeline/0006-kafka-zeek-input.conf new file mode 100644 index 00000000..e2a94b13 --- /dev/null +++ b/docker/helk-logstash/pipeline/0006-kafka-zeek-input.conf 
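Review bot: `enable_auto_commit => true` commits offsets on the Kafka client's own timer for messages already returned by the consumer, whereas per the plugin documentation `false` commits only after the fetched batch has been written to Logstash's queue; with `true`, a crash between poll and queue write loses that batch, and the rewritten comment above it only explains restart behaviour, not this trade-off. Either switch to `enable_auto_commit => false` or add a line such as `# auto-commit: offsets may be committed before events reach the queue; at-least-once relies on downstream durability`. The same setting and comment are repeated verbatim in the new `0006-kafka-zeek-input.conf` in the next hunk.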
@@ -0,0 +1,25 @@
+# HELK Kafka input conf file for Zeek and Corelight events
+# HELK build Stage: Alpha
+# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron)
+# License: GPL-3.0
+
+input {
+ kafka {
+ bootstrap_servers => "helk-kafka-broker:9092"
+ topics => [ "zeek" ]
+ decorate_events => true
+ # Do NOT set codec so we can set it later and before than copy the "message" field
+ #codec => "json"
+ # Enable logstash to not continuously restart consumption of docs/logs it already has. However if you need it to, then change the 'group_id' value to something else (ex: could be a simple value like '100_helk_logstash')
+ enable_auto_commit => true
+ # During group_id or client_id changes, the kafka client will consume from earliest document so as not to lose data
+ auto_offset_reset => "earliest"
+ # If you have multiple logstash instances, this is your ID so that each instance consumes a slice of the Kafka pie.
+ # No need to change this unless you know what your doing and for some reason have the need
+ group_id => "helk_logstash_zeek"
+ # Change to number of Kafka partitions, only change/set if scaling on large environment & customized your Kafka partitions
+ # Default value is 1, read documentation for more info: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-kafka.html#plugins-inputs-kafka-consumer_threads
+ consumer_threads => 2
+ #max_poll_records => 500
+ }
+}
\ No newline at end of file
diff --git a/docker/helk-logstash/pipeline/0011-syslog-tcp-input.conf b/docker/helk-logstash/pipeline/0011-syslog-tcp-input.conf
new file mode 100644
index 00000000..74b1b55c
--- /dev/null
+++ b/docker/helk-logstash/pipeline/0011-syslog-tcp-input.conf
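Review bot: The comment on the codec line, `# Do NOT set codec so we can set it later and before than copy the "message" field`, is hard to parse and does not say where the decoding happens; something like `# No codec on purpose: a later filter copies the raw "message" field before JSON-decoding it` states the dependency, and naming that filter would help the next maintainer. The line `# No need to change this unless you know what your doing` was copied from 0002 with the same `your`/`you're` slip. `decorate_events => true` is what later makes `[@metadata][kafka][*]` available to 0098, so a one-line comment on it would tie the two files together.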
@@ -0,0 +1,65 @@
+# HELK Syslog TCP input conf
+# HELK build Stage: Alpha
+# Author: Nate Guagenti (@neu5ron)
+# License: GPL-3.0
+input {
+
+ #tcp {
+ #port => 514
+ #type => "syslog-unknown"
+ #add_field => {
+ #"etl_pipeline" => "0001"
+ #"etl_input_port" => 514
+ #"etl_input_protocol" => "tcp"
+ #}
+ #}
+
+ tcp {
+ port => 5514
+ type => "unknown"
+ add_field => {
+ "etl_input_port" => 5514
+ "etl_input_protocol" => "tcp"
+ "etl_input_application_protocol" => "syslog"
+ "etl_pipeline" => "tcp-input-unknown"
+ }
+ #id => "syslog-tcp-5514-0001"
+ }
+
+ tcp {
+ port => 8515
+ type => "cisco-asa"
+ add_field => {
+ "etl_input_port" => 8515
+ "etl_input_protocol" => "tcp"
+ "etl_input_application_protocol" => "syslog"
+ "etl_pipeline" => "syslog-tcp-input-cisco-asa"
+ }
+ #id => "syslog-tcp-8515-0001"
+ }
+
+ tcp {
+ port => 8516
+ type => "syslog-paloalto"
+ add_field => {
+ "etl_input_port" => 8516
+ "etl_input_protocol" => "tcp"
+ "etl_input_application_protocol" => "syslog"
+ "etl_pipeline" => "syslog-tcp-input-paloalto"
+ }
+ #id => "syslog-tcp-8516-0001"
+ }
+
+ tcp {
+ port => 8517
+ type => "cisco-ise"
+ add_field => {
+ "etl_input_port" => 8517
+ "etl_input_protocol" => "tcp"
+ "etl_input_application_protocol" => "syslog"
+ "etl_pipeline" => "syslog-tcp-input-cisco-ise"
+ }
+ #id => "syslog-tcp-8515-0001"
+ }
+
+}
\ No newline at end of file
diff --git a/docker/helk-logstash/pipeline/0011-syslog-udp-input.conf b/docker/helk-logstash/pipeline/0011-syslog-udp-input.conf
new file mode 100644
index 00000000..4a72289e
--- /dev/null
+++ b/docker/helk-logstash/pipeline/0011-syslog-udp-input.conf
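Review bot: The commented id on the port-8517 `cisco-ise` input reads `#id => "syslog-tcp-8515-0001"`, copied from the 8515 block; it should be `#id => "syslog-tcp-8517-0001"`, and the UDP counterpart in `0011-syslog-udp-input.conf` (next hunk) carries the same `8515` slip on its 8517 input. The `type` values are inconsistent (`cisco-asa`, `cisco-ise` versus `syslog-paloalto`, and `unknown` on 5514 where the commented template used `syslog-unknown`), so downstream `if [type] == ...` checks cannot rely on a common prefix. These are plaintext TCP listeners; if they are ever published outside the Docker network, the tcp input's `ssl_enable`/`ssl_cert`/`ssl_key` options are where transport protection belongs, and a comment stating that they are intended for the internal network only would make that explicit.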
@@ -0,0 +1,65 @@
+# HELK Syslog UDP input conf
+# HELK build Stage: Alpha
+# Author: Nate Guagenti (@neu5ron)
+# License: GPL-3.0
+input {
+
+ #udp {
+ #port => 514
+ #type => "syslog-unknown"
+ #add_field => {
+ #"etl_pipeline" => "0001"
+ #"etl_input_port" => 514
+ #"etl_input_protocol" => "udp"
+ #}
+ #}
+
+ udp {
+ port => 5514
+ type => "unknown"
+ add_field => {
+ "etl_input_port" => 5514
+ "etl_input_protocol" => "udp"
+ "etl_input_application_protocol" => "syslog"
+ "etl_pipeline" => "udp-input-unknown"
+ }
+ #id => "syslog-udp-5514-0001"
+ }
+
+ udp {
+ port => 8515
+ type => "cisco-asa"
+ add_field => {
+ "etl_input_port" => 8515
+ "etl_input_protocol" => "udp"
+ "etl_input_application_protocol" => "syslog"
+ "etl_pipeline" => "syslog-udp-input-cisco-asa"
+ }
+ #id => "syslog-udp-8515-0001"
+ }
+
+ udp {
+ port => 8516
+ type => "syslog-paloalto"
+ add_field => {
+ "etl_input_port" => 8516
+ "etl_input_protocol" => "udp"
+ "etl_input_application_protocol" => "syslog"
+ "etl_pipeline" => "syslog-udp-input-paloalto"
+ }
+ #id => "syslog-udp-8516-0001"
+ }
+
+ udp {
+ port => 8517
+ type => "cisco-ise"
+ add_field => {
+ "etl_input_port" => 8517
+ "etl_input_protocol" => "udp"
+ "etl_input_application_protocol" => "syslog"
+ "etl_pipeline" => "syslog-udp-input-cisco-ise"
+ }
+ #id => "syslog-udp-8515-0001"
+ }
+
+}
\ No newline at end of file
diff --git a/docker/helk-logstash/pipeline/0098-all-filter.conf b/docker/helk-logstash/pipeline/0098-all-filter.conf
index b8dd7c61..c7c97fb2 100644
--- a/docker/helk-logstash/pipeline/0098-all-filter.conf
+++ b/docker/helk-logstash/pipeline/0098-all-filter.conf
@@ -1,19 +1,28 @@ # HELK All filter conf file # HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) +# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron) # License: GPL-3.0 filter { if [message] { mutate { add_field => { - "z_logstash_pipeline" => "0098" - "log_ingest_timestamp" => "%{@timestamp}" + "etl_pipeline" => "all-filter-0098" + "etl_version" => "2020.04.19.01" } - copy => { - "message" => "z_original_message" - "type" => "z_logstash_type" + rename => { + #"[@metadata][kafka][consumer_group]" => "etl_kafka_consumer_group" + #"[@metadata][kafka][key]" => "etl_kafka_key" + "[@metadata][kafka][offset]" => "etl_kafka_offset" + "[@metadata][kafka][partition]" => "etl_kafka_partition" + "[@metadata][kafka][timestamp]" => "etl_kafka_time" + "[@metadata][kafka][topic]" => "etl_kafka_topic" } + copy => { "message" => "event_original_message" } + } + ruby { + code => "event.set('etl_processed_time', Time.now().utc);" + add_field => { "etl_pipeline" => "all-add_processed_timestamp" } } } } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/0099-all-fingerprint-hash-filter.conf b/docker/helk-logstash/pipeline/0099-all-fingerprint-hash-filter.conf index 23d8603d..2caaccbe 100644 --- a/docker/helk-logstash/pipeline/0099-all-fingerprint-hash-filter.conf +++ b/docker/helk-logstash/pipeline/0099-all-fingerprint-hash-filter.conf @@ -21,7 +21,7 @@ filter { concatenate_sources => true target => "[@metadata][log_hash]" method => "SHA1" - add_field => { "z_logstash_pipeline" => "fingerprint-0099-001" } + add_field => { "etl_pipeline" => "fingerprint-0099-001" } } } # Winlogbeat 7.x 
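Review bot: Everything in this filter — the `rename` of the `[@metadata][kafka][*]` fields and the new `ruby` block that stamps `etl_processed_time` — sits inside `if [message]`, so an event that arrives without a `message` field (the case 0099 handles with its `fingerprint-beats7-missing-message-field` branch) gets neither a processing timestamp nor its Kafka offset/partition. Only the `copy => { "message" => "event_original_message" }` actually needs the guard; moving the `ruby` filter and the kafka `rename` out of the conditional would make the `etl_*` fields uniform across all events. Note also that `etl_pipeline` is added once by the `mutate` and again by the `ruby` filter's `add_field`, which turns it into an array on every event; if that is the intended audit trail a comment saying so would stop the next reader from "fixing" it.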
@@ -32,12 +32,14 @@ filter { "[winlog][computer_name]", "@timestamp", "[winlog][channel]", - "[winlog][event_id]" + "[winlog][event_id]", + "[winlog][process][thread][id]", + "[winlog][provider_name]" ] concatenate_sources => true target => "[@metadata][log_hash]" method => "SHA1" - add_field => { "z_logstash_pipeline" => "fingerprint-winlogbeats7" } + add_field => { "etl_pipeline" => "fingerprint-winlogbeats7" } } } @@ -54,7 +56,7 @@ filter { concatenate_sources => true target => "[@metadata][log_hash]" method => "SHA1" - add_field => { "z_logstash_pipeline" => "fingerprint-0099-002" } + add_field => { "etl_pipeline" => "fingerprint-0099-002" } } } @@ -63,21 +65,30 @@ filter { source => "message" target => "[@metadata][log_hash]" method => "SHA1" - add_field => { "z_logstash_pipeline" => "fingerprint-0099-003" } + add_field => { "etl_pipeline" => "fingerprint-0099-003" } } } - else if [z_original_message] { + else if [Message] { fingerprint { - source => "z_original_message" + source => "Message" target => "[@metadata][log_hash]" method => "SHA1" - add_field => { "z_logstash_pipeline" => "fingerprint-0099-005" } + add_field => { "etl_pipeline" => "fingerprint-0099-004" } + } + } + + else if [event_original_message] { + fingerprint { + source => "event_original_message" + target => "[@metadata][log_hash]" + method => "SHA1" + add_field => { "etl_pipeline" => "fingerprint-0099-005" } } } ## Scenario of no message field for, create custom one concatenating some values to guarantee unique fingerprint - #TONOTE: can use this value in z_logstash_pipeline to see if this event is hit + #TONOTE: can use this value in etl_pipeline to see if this event is hit # 6.x beats else if [beat] { # Use this custom for this event @@ -86,7 +97,7 @@ filter { concatenate_all_fields => true target => "[@metadata][log_hash]" method => "SHA1" - add_field => { "z_logstash_pipeline" => "fingerprint-0099-006" } + add_field => { "etl_pipeline" => "fingerprint-0099-006" } } } # 7.x beats 
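Review bot: Adding `[winlog][process][thread][id]` and `[winlog][provider_name]` to the Winlogbeat 7 fingerprint sources (hunk `@@ -32,12 +32,14 @@`) changes `[@metadata][log_hash]` for every such event, so if that hash is used as the document id, events indexed before this commit will be accepted again as new after it; that cut-over deserves a note in the comment above the source list. In the `@@ -63,21 +65,30 @@` hunk, the new `else if [Message]` branch can only fire if the NXLog JSON has already been decoded when 0099 runs, yet the file that decodes `message` into `Message` (`0301-nxlog-winevent-to-json-filter.conf`) sorts after this one — confirm that the Kafka input's json codec is doing the decoding in this path, otherwise the branch is unreachable and `fingerprint-0099-004` never appears.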
@@ -97,7 +108,18 @@ filter { concatenate_all_fields => true target => "[@metadata][log_hash]" method => "SHA1" - add_field => { "z_logstash_pipeline" => "fingerprint-beats7-missing-message-field" } + add_field => { "etl_pipeline" => "fingerprint-beats7-missing-message-field" } + } + } + # Catch all hash + else { + # Use this custom for this event + mutate { add_field => { "meta_log_tags" => "warning catch all fingerprint hash" } } + fingerprint { + concatenate_all_fields => true + target => "[@metadata][log_hash]" + method => "SHA1" + add_field => { "etl_pipeline" => "fingerprint-catch_all" } } } diff --git a/docker/helk-logstash/pipeline/0301-nxlog-winevent-to-json-filter.conf b/docker/helk-logstash/pipeline/0301-nxlog-winevent-to-json-filter.conf new file mode 100644 index 00000000..97ed4c33 --- /dev/null +++ b/docker/helk-logstash/pipeline/0301-nxlog-winevent-to-json-filter.conf @@ -0,0 +1,18 @@ +# HELK nxlog to json filter +# HELK build Stage: Alpha +# Author: Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + + if [type] == "nxlog-winevent" { + json { + source => "message" + tag_on_failure => [ "_parsefailure", "parsefailure-critical", "parsefailure-json_codec" ] + remove_field => [ "message", "type" ] + add_field => { "etl_pipeline" => "json-0301-001" } + skip_on_invalid_json => true + } + } + +} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/0301-nxlog-winevent-to-json.conf b/docker/helk-logstash/pipeline/0301-nxlog-winevent-to-json.conf deleted file mode 100644 index 3c139072..00000000 --- a/docker/helk-logstash/pipeline/0301-nxlog-winevent-to-json.conf +++ /dev/null 
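Review bot: The new catch-all `fingerprint` uses `concatenate_all_fields => true`, but by the time 0099 runs, 0098 has already added `etl_processed_time` (from `Time.now`) and, for Kafka events, `etl_kafka_offset`/`etl_kafka_partition`, so the hash includes values that differ on every ingest and can never match a re-delivered duplicate; the two existing `concatenate_all_fields` branches above have the same weakness. An explicit `source => [ ... ]` of the event's stable fields, or stripping the `etl_*` fields before hashing, would make the catch-all hash meaningful. The `meta_log_tags` warning tag is a good detection hook and should stay regardless.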
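Review bot: `remove_field => [ "message", "type" ]` drops `type` after a successful parse, yet `1050-nxlog-winevent-to-winlogbeats-merge-filter.conf` and the new `1051-nxlog-winevent-winevent-filter.conf` later in this commit gate on `if [type] == "nxlog-winevent"`; unless the decoded JSON itself carries a `type` key, those filters can no longer match NXLog events, so `remove_field => [ "message" ]` is probably what was meant. Separately, `skip_on_invalid_json => true` makes the `tag_on_failure` list inert as far as I recall the plugin's behaviour — on a parse error it returns without tagging when that option is set — so a malformed NXLog payload passes through with no `parsefailure-critical` tag; pick one of the two, and add a comment stating which failure mode is wanted.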
@@ -1,17 +0,0 @@ -# HELK nxlog to json filter -# HELK build Stage: Alpha -# Author: Nate Guagenti (@neu5ron) -# License: GPL-3.0 - -filter { - - if [z_logstash_type] == "nxlog-winevent" { - json { - source => "message" - tag_on_failure => [ "_jsonparsefailure", "_parsefailure", "_jsonparsefailure_0301" ] - remove_field => [ "message", "type" ] - add_field => { "z_logstash_pipeline" => "json-0301-001" } - } - } - -} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1010-winevent-winlogbeats-filter.conf b/docker/helk-logstash/pipeline/1010-winevent-winlogbeats-filter.conf index 53a5739c..9a7701e9 100644 --- a/docker/helk-logstash/pipeline/1010-winevent-winlogbeats-filter.conf +++ b/docker/helk-logstash/pipeline/1010-winevent-winlogbeats-filter.conf @@ -23,16 +23,26 @@ filter { " tag_on_exception => "ruby_exception_winlogbeat_6_cleanup" add_field => { - "beat_hostname" => "%{[beat][hostname]}" - "beat_version" => "%{[beat][version]}" - "beat_name" => "%{[beat][name]}" - "z_logstash_pipeline" => "winlogbeat_6-field_nest_cleanup" + "etl_pipeline" => "winlogbeat_6-field_nest_cleanup" "[@metadata][helk_parsed]" => "yes" } remove_field => [ "[beat]" ] } + mutate { + add_field => { + "event_original_time" => "%{@timestamp}" + "etl_pipeline" => "winlogbeat_6-general_cleanup" + } + rename => { + "computer_name" => "host_name" + "[beat][hostname]" => "beat_hostname" + "[beat][version]" => "beat_version" + "[beat][name]" => "beat_name" + } + } } - # Winlogbeat 7.x + #TODO: if ever needing to distinguish minor versions between 7 or 8 (ie: if major change from say 7.7.2 and 7.8.1) then use `agent.version` for the logic to accomplish what is needed + # Winlogbeat >= 7.x else if [agent][type] == "winlogbeat" { ruby { code => ' 
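Review bot: In the Winlogbeat 6.x branch (hunk `@@ -23,16 +23,26 @@`), the new `mutate` renames `[beat][hostname]`, `[beat][version]` and `[beat][name]`, but the `ruby` filter immediately before it ends with `remove_field => [ "[beat]" ]`, so the `[beat]` object is already gone and `beat_hostname`/`beat_version`/`beat_name` are never populated for 6.x events. The removed `add_field` lines worked because a filter applies `add_field` before `remove_field`; the renames need to move into a `mutate` that runs before the `ruby` filter, or the `remove_field => [ "[beat]" ]` must move into the new `mutate` after its `rename`. The enclosing `filter` block and the ruby code begin before this hunk.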
@@ -81,27 +91,30 @@ filter { # Finally remove the nest completely event.remove("[winlog][user_data]") ' - tag_on_exception => "ruby_exception_winlogbeat_7-cleanup" + tag_on_exception => "ruby_exception_winlogbeat_7_and_above-cleanup" add_field => { - "z_logstash_pipeline" => "winlogbeat_7-field_nest_cleanup" + "etl_pipeline" => "winlogbeat_7_and_above-field_nest_cleanup" "[@metadata][helk_parsed]" => "yes" } } - # Also, for continuity copy the new fields for Winlogbeat 7 back to the original field names (Winlogbeat 6.x and before). However, lets keep them - for future or anyone else doing something different. + # NOT ANYMORE -> # Also, for continuity copy the new fields for Winlogbeat 7 back to the original field names (Winlogbeat 6.x and before). However, lets keep them - for future or anyone else doing something different. mutate { - copy => { + rename => { + "[agent][ephemeral_id]" => "etl_host_agent_ephemeral_uid" "[agent][hostname]" => "beat_hostname" + "[agent][id]" => "etl_host_agent_uid" "[agent][name]" => "beat_name" + "[agent][type]" => "etl_host_agent_type" "[agent][version]" => "beat_version" - "[event][timezone]" => "beat_timezone" - "[log][level]" => "level" "[error][message]" => "message_error" "[event][original]" => "xml" - "[process][executable]" => "[process][exe]" + "[event][timezone]" => "beat_timezone" + "[host][name]" => "[z_elastic_ecs][host][name]" + "[log][level]" => "level" "[winlog][activity_id]" => "activity_id" "[winlog][api]" => "type" "[winlog][channel]" => "log_name" - "[winlog][computer_name]" => "computer_name" + "[winlog][computer_name]" => "host_name" "[winlog][event_id]" => "event_id" "[winlog][keywords]" => "keywords" "[winlog][provider_guid]" => "provider_guid" 
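Review bot: `"[host][name]" => "[z_elastic_ecs][host][name]"` in this `rename` is undone by the follow-up `mutate` in the next hunk (`@@ -112,9 +125,26 @@`), which renames the remaining `[host]` object to `[z_elastic_ecs][host]`: rename sets the target path wholesale, so the object written there replaces the map that already held `name`, and the ECS host name is lost. Either drop the per-field rename and let the object rename carry `name` along, or rename `[host][name]` to a distinct top-level field instead. Related: `"[winlog][api]" => "type"` overwrites `type` for every Winlogbeat 7 event, which matters now that several filters in this commit key on `[type]`; a comment recording that `type` becomes the winlog API string here would save confusion. The `mutate` this hunk belongs to starts before the hunk.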
@@ -112,9 +125,26 @@ filter { "[winlog][record_id]" => "record_number" "[winlog][task]" => "task" "[winlog][version]" => "version" + # Should not be implemented unless ECS enabled, in that case needs handled elsewhere#"[process][executable]" => "[process][exe]" + } + #remove_field => [ "[winlog]", "[host]" ] + add_field => { + "event_original_time" => "%{@timestamp}" + "etl_pipeline" => "winlogbeat_7_and_above-field_cleanups" } - remove_field => [ "[host]" ] - add_field => { "z_logstash_pipeline" => "winlogbeat_7-copy_to_originals" } } + # Rename nested fields that still may be around, don't want to just remove encase later on things are added + mutate { + rename => { + "[agent]" => "[z_elastic_ecs][agent]" + "[ecs]" => "[z_elastic_ecs][ecs]" + "[event]" => "[z_elastic_ecs][event]" + "[host]" => "[z_elastic_ecs][host]" + "[log]" => "[z_elastic_ecs][log]" + "[user]" => "[z_elastic_ecs][user]" + "[winlog]" => "[z_elastic_ecs][winlog]" + } + } + } } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1050-nxlog-winevent-to-winlogbeats-merge-filter.conf b/docker/helk-logstash/pipeline/1050-nxlog-winevent-to-winlogbeats-merge-filter.conf index 228099a5..9fcbdbc8 100644 --- a/docker/helk-logstash/pipeline/1050-nxlog-winevent-to-winlogbeats-merge-filter.conf +++ b/docker/helk-logstash/pipeline/1050-nxlog-winevent-to-winlogbeats-merge-filter.conf @@ -4,13 +4,12 @@ # License: GPL-3.0 filter { - # Some Basic Merges of NXLog Windows Events field names, using copy -- so don't sweat it ;), to Winlogbeats names, so that the rest of the pipeline can work for NXLog and or winlogbeats windows logs - if [z_logstash_type] == "nxlog-winevent" { + if [type] == "nxlog-winevent" { mutate { copy => { - "Hostname" => "computer_name" + "Hostname" => "host_name" "EventID" => "event_id" "Channel" => "log_name" "SourceName" => "source_name" 
@@ -25,12 +24,10 @@ filter { } add_field => { "type" => "wineventlog" - "z_logstash_pipeline" => "mutate-1050-0001" + "etl_pipeline" => "mutate-1050-0001" "[@metadata][helk_parsed]" => "yes" } - rename => { "Message" => "message" } } } - } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1051-nxlog-winevent-winevent-filter.conf b/docker/helk-logstash/pipeline/1051-nxlog-winevent-winevent-filter.conf new file mode 100644 index 00000000..cd1e3170 --- /dev/null +++ b/docker/helk-logstash/pipeline/1051-nxlog-winevent-winevent-filter.conf @@ -0,0 +1,28 @@ +# HELK NXLog Windows Event Log Specific Filter +# HELK build Stage: Alpha +# Author: Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + if [type] == "nxlog-winevent" { + + mutate { + rename => { + "EventReceivedTime" => "event_recorded_time" + "Message" => "message" + } + } + + date { + match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ] + target => "@timestamp" + tag_on_failure => [ "_parsefailure", "parsefailure-critical", "parsefailure-date-@timestamp", "parsefailure-date-nxlog-winevent-EventTime" ] + add_field => { + "etl_pipeline" => "nxlog-winevent-date_conversion-EventTime" + "event_original_time" => "%{@timestamp}" + } + remove_field => [ "EventTime" ] + } + + } +} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1090-helk-ecs_to_ossem-filter.conf b/docker/helk-logstash/pipeline/1090-helk-ecs_to_ossem-filter.conf new file mode 100644 index 00000000..6b005019 --- /dev/null +++ b/docker/helk-logstash/pipeline/1090-helk-ecs_to_ossem-filter.conf 
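Review bot: `if [type] == "nxlog-winevent"` in this new 1051 filter likely never matches, because 1050 (which precedes it if the numeric prefixes order the pipeline) runs `add_field => { "type" => "wineventlog" … }` on an event whose `type` is already `nxlog-winevent`; `add_field` on an existing field appends rather than replaces, so `type` arrives here as an array and a string `==` comparison fails. Verify with a sample NXLog event and, if confirmed, gate on a field 1050 does not rewrite or use membership, e.g. `if "nxlog-winevent" in [type] {`. Separately, the `date` filter only applies `add_field`/`remove_field` when the match succeeds, so on failure `EventTime` stays on the event and `event_original_time` is absent; a comment such as `# on parse failure EventTime is kept and event_original_time is not set (see the parsefailure-date-nxlog-winevent-EventTime tag)` would make that visible. No `timezone` is given for `EventTime`, so Logstash's own zone is assumed; if NXLog emits host-local time that should be pinned or documented.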
@@ -0,0 +1,42 @@ +# HELK ecs-to-ossem filter conf +# HELK build Stage: Alpha +# Author: Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + # Network common fields + if [source] or [destination] or [network] { + mutate { + rename => { + "[destination][bytes]" => "dst_bytes" + "[destination][ip]" => "dst_ip_addr" + "[destination][packets]" => "dst_packets" + "[destination][port]" => "dst_port" + "[http][request][body][bytes]" => "http_request_body_bytes" + "[http][request][method]" => "http_request_method" + "[http][request][referrer]" => "http_referrer_original" + "[http][response][body][bytes]" => "http_response_body_bytes" + "[http][response][status_code]" => "http_status_code" + "[http][version]" => "http_version" + "[network][application]" => "network_application_name" + "[network][community_id]" => "fingerprint_network_community_id" + "[network][protocol]" => "network_application_protocol" + "[network][transport]" => "network_protocol" + "[source][bytes]" => "src_bytes" + "[source][ip]" => "src_ip_addr" + "[source][port]" => "src_port" + "[url][domain]" => "url_host_name" + "[url][extension]" => "url_extension" + "[url][fragment]" => "url_fragment" + "[url][original]" => "url_original" + "[url][path]" => "url_path" + "[url][port]" => "url_port" + "[url][password]" => "url_user_password" + "[url][scheme]" => "url_scheme" + "[url][username]" => "url_user_name" + "[user_agent][original]" => "user_agent_original" + } + add_field => { "etl_pipeline" => "ecs_fields_rename_to_ossem" } + } + } +} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1500-winevent-cleanup-no-dashes-only-values-filter.conf b/docker/helk-logstash/pipeline/1500-winevent-cleanup-no-dashes-only-values-filter.conf index 134ad131..69dd0891 100644 --- a/docker/helk-logstash/pipeline/1500-winevent-cleanup-no-dashes-only-values-filter.conf +++ b/docker/helk-logstash/pipeline/1500-winevent-cleanup-no-dashes-only-values-filter.conf 
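Review bot: The gate `if [source] or [destination] or [network]` skips the `[http]`, `[url]` and `[user_agent]` renames for any event that carries only those nests, so a URL-only or HTTP-only record keeps ECS names while a flow record gets OSSEM names; widen it to `if [source] or [destination] or [network] or [http] or [url] or [user_agent] {`. Mapping `[url][password]` to a plain `url_user_password` field preserves cleartext credentials embedded in URLs in the index; either drop it, or add a comment such as `# url_user_password carries cleartext credentials from the URL; restrict access or drop it before indexing if not needed` so the retention is a deliberate decision. The `[network][transport]` → `network_protocol` and `[network][protocol]` → `network_application_protocol` pair reads like a swap to anyone used to ECS; a one-line comment stating that OSSEM's `network_protocol` is the transport layer would prevent a later "fix".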
@@ -5,7 +5,7 @@ filter { if [event_id] { - mutate { add_field => { "z_logstash_pipeline" => "1500" } } + mutate { add_field => { "etl_pipeline" => "1500" } } # Remove specific keys/fields that have "-"/dash has the only value values # Command Line will be done later on in pipeline because it is all sorts of random fields especially when we custom parse some event IDs diff --git a/docker/helk-logstash/pipeline/1521-winevent-conversions-ip-conversions-basic-filter.conf b/docker/helk-logstash/pipeline/1521-winevent-conversions-ip-conversions-basic-filter.conf index cf0e431c..c13d0ec8 100644 --- a/docker/helk-logstash/pipeline/1521-winevent-conversions-ip-conversions-basic-filter.conf +++ b/docker/helk-logstash/pipeline/1521-winevent-conversions-ip-conversions-basic-filter.conf 
@@ -6,37 +6,18 @@ filter { # Use this to determine if windows event log or not (for now, until we are properly marking all windows log types as something like "log_type: winevent") if [event_id] { - mutate { add_field => { "z_logstash_pipeline" => "1521" } } # Since Sysmon may be the most common EventIDs with IPs lets do that first. This will contain source and destination IPs. # Seen in the following EventIDs (not necessarily exhaustive) # Microsoft-Windows-Sysmon/Operational:3 # Parse "SourceIp" field and then afterwards if it exists then the DestinationIp should exist as well (see note above) if [SourceIp] { - if [SourceIsIpv6] == 'false' { - mutate { - rename => { "SourceIp" => "src_ip_addr" } - } - } - else { - mutate { - rename => { "SourceIp" => "ipv6_src_addr" } - } - } - # Parse "DestinationIp" field - # Seen in the following EventIDs (not necessarily exhaustive) - # Microsoft-Windows-Sysmon/Operational:3 - if [DestinationIp] { - if [DestinationIsIpv6] == 'false' { - mutate { - rename => { "DestinationIp" => "dst_ip_addr" } - } - } - else { - mutate { - rename => { "DestinationIp" => "ipv6_dst_addr" } - } + mutate { + rename => { + "SourceIp" => "src_ip_addr" + "DestinationIp" => "dst_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-SourceIp_and_DestinationIp" } } } @@ -48,8 +29,12 @@ filter { # Seen in the following EventIDs (not necessarily exhaustive) # Security:4624, Security:4625, Security:4648, Security:4770, Security:4771, Security:4768, Security:4769, Security:5140, Security:5145 if [IpAddress] { + mutate { copy => { "IpAddress" => "src_original_value" } } if [IpAddress] =~ "^\d{1,3}\." { - mutate { rename => { "IpAddress" => "src_ip_addr" } } + mutate { + rename => { "IpAddress" => "src_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-IpAddress" } + } } else { # First try to match IPv6 & IPv4 combined 
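Review bot: Removing the `SourceIsIpv6`/`DestinationIsIpv6` branches means `src_ip_addr`/`dst_ip_addr` now hold either address family and the `ipv6_src_addr`/`ipv6_dst_addr` fields are no longer produced; that is fine if those fields are mapped as Elasticsearch `ip`, but existing searches on `ipv6_*` will go quiet, so the change deserves a comment in place of the removed lines, e.g. `# IPv4 and IPv6 both land in src_ip_addr/dst_ip_addr (ip-typed); ipv6_src_addr/ipv6_dst_addr are no longer emitted`. The `DestinationIp` rename is still nested under `if [SourceIp]`, so a destination without a source (if Sysmon ever emits one) is left unrenamed; hoisting `DestinationIp` into its own `if` would be more robust. The enclosing `if [event_id]` block continues past this hunk.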
@@ -58,17 +43,19 @@ filter { match => { "IpAddress" => [ - "%{IPV6:ipv6_src_addr} %{IPV4:src_ip_addr}", - "%{IPV6:ipv6_src_addr}" + "%{IPV6:src_ip_addr}:%{IPV4:src_ip_addr}", + "%{IPV6:src_ip_addr}", + "%{IPV6:src_ip_addr} %{IPV4:src_ip_addr}" ] } keep_empty_captures => false named_captures_only => true - tag_on_failure => [ "_IpAddress_grokparsefailure", "_grokparsefailure", "_parsefailure", "_windows_ip_parsefailure" ] + tag_on_failure => [ "_parsefailure", "parsefailure-grok-IpAddress" ] tag_on_timeout => "_groktimeout" # Timeout .250 seconds timeout_millis => 250 remove_field => [ "IpAddress" ] + add_field => { "etl_pipeline" => "winevent-ip_conversion-grok-IpAddress" } } } } 
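Review bot: The first grok pattern `%{IPV6:src_ip_addr}:%{IPV4:src_ip_addr}` writes two captures into the same field, which grok stores as an array, so `src_ip_addr` would carry both the IPv6 prefix and the embedded IPv4; moreover the stock `IPV6` pattern already matches IPv4-mapped forms such as `::ffff:10.0.0.1` in full, so the `:%{IPV4}` suffix is unlikely to ever get a chance to match. If the goal is to surface the IPv4 part of a mapped address, try the mapped form first and capture only the v4 portion, e.g. `"^::ffff:%{IPV4:src_ip_addr}$"`, then fall back to `"%{IPV6:src_ip_addr}"`; the raw value is already preserved in `src_original_value` by the previous hunk. The enclosing `else` branch and `if [IpAddress]` block start outside this hunk.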
@@ -77,34 +64,48 @@ filter { # Seen in the following EventIDs (not necessarily exhaustive) # Security:5152,5154,5156,5157,5158 else if [SourceAddress] { - mutate { rename => { "SourceAddress" => "src_ip_addr" } } + mutate { + rename => { "SourceAddress" => "src_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-SourceAddress" } + } } # Parse "ClientAddress" field # Seen in the following EventIDs (not necessarily exhaustive) - # Security:4778,4779 + # Security:4778,4779,4825 else if [ClientAddress] { - mutate { rename => { "ClientAddress" => "src_ip_addr" } } + mutate { + rename => { "ClientAddress" => "src_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-ClientAddress" } + } } # Parse "ClientIPAddress" field # Seen in the following EventIDs (not necessarily exhaustive) # Citrix-XenDesktop-BrokerMonitor/Operational:4,5,44,45 else if [ClientIPAddress] { - mutate { rename => { "ClientIPAddress" => "src_ip_addr" } } + mutate { + rename => { "ClientIPAddress" => "src_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-ClientIPAddress" } + } } # Parse "ClientIP" field # Seen in the following EventIDs (not necessarily exhaustive) # Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational:131 else if [ClientIP] { + mutate { copy => { "ClientIP" => "src_original_value" } } # First lets substitute any characters that have been seen that would cause bad parsing/values - mutate { gsub => [ "ClientIP", "[\[\]]", "" ] } + mutate { + gsub => [ "ClientIP", "[\[\]]", "" ] + add_field => { "etl_pipeline" => "winevent-ip_conversion-gsub-ClientIP" } + } if [ClientIP] =~ "^\d{1,3}\." { dissect { mapping => { "ClientIP" => "%{src_ip_addr}:%{port_src}" } - tag_on_failure => [ "_dissectfailure", "_parsefailure" ] + tag_on_failure => [ "_parsefailure", "parsefailure-dissect-ClientIP" ] remove_field => [ "ClientIP" ] + add_field => { "etl_pipeline" => "winevent-ip_conversion-dissect-ClientIP" } } } } 
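Review bot: The `ClientIP` dissect writes the port to `port_src`, while every other filter in this diff uses `src_port` (`IpPort`, `SourcePort`), so the same datum lands under two names; change the mapping to `"ClientIP" => "%{src_ip_addr}:%{src_port}"`. After the `gsub` strips the brackets, an IPv6 RDP client such as `[::1]:3389` becomes `::1:3389`, fails the `^\d{1,3}\.` test and is left untouched with no `src_ip_addr` at all; an `else` branch that at least tags the event (or a grok for `\[%{IPV6}\]:%{POSINT}` before the gsub) would avoid silently losing the source of an RDP connection. The enclosing `if [event_id]` block starts and ends outside this hunk.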
@@ -113,7 +114,10 @@ filter { # Seen in the following EventIDs (not necessarily exhaustive) # Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational:139,140 else if [IPString] { - mutate { rename => { "IPString" => "src_ip_addr" } } + mutate { + rename => { "IPString" => "src_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-IPString" } + } } #### ^ DONE w/ All Src IP parsing #### @@ -123,28 +127,40 @@ filter { # Seen in the following EventIDs (not necessarily exhaustive) # Application:1039 SourceName Citrix Broker Service if [DestAddress] { - mutate { rename => { "DestAddress" => "dst_ip_addr" } } + mutate { + rename => { "DestAddress" => "dst_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-DestAddress" } + } } # Parse "LaunchedViaIPAddress" field # Seen in the following EventIDs (not necessarily exhaustive) # Citrix-XenDesktop-BrokerMonitor/Operational:4,5,44,45 else if [LaunchedViaIPAddress] { - mutate { rename => { "LaunchedViaIPAddress" => "dst_ip_addr" } } + mutate { + rename => { "LaunchedViaIPAddress" => "dst_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-LaunchedViaIPAddress" } + } } # Parse "MachineIpAddress" field # Seen in the following EventIDs (not necessarily exhaustive) # Citrix-XenDesktop-BrokerMonitor/Operational:10 else if [MachineIpAddress] { - mutate { rename => { "MachineIpAddress" => "dst_ip_addr" } } + mutate { + rename => { "MachineIpAddress" => "dst_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-MachineIpAddress" } + } } # Parse "ipAddress" field # Seen in the following EventIDs (not necessarily exhaustive) # Application:1039 SourceName Citrix Broker Service else if [ipAddress] { - mutate { rename => { "ipAddress" => "dst_ip_addr" } } + mutate { + rename => { "ipAddress" => "dst_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-ipAddress" } + } } # Parse "Value" field 
@@ -153,18 +169,31 @@ filter { # Only perform on the above EIDs because otherwise it may be values that are incomprehensible else if [Value] and [log_name] =~ /^[mM]icrosoft\-[wW]indows\-[tT]erminal[sS]ervices\-[rdp|RDP][cC]lient\/[oO]perational$/ { if [event_id] == 1102 { - mutate { rename => { "Value" => "dst_ip_addr" } } + mutate { + rename => { "Value" => "dst_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-1102-Value" } + } } else if [event_id] == 1024 { - mutate { rename => { "Value" => "dst_ip_addr" } } + mutate { + rename => { "Value" => "dst_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-1024-Value" } + } } } # Parse "TargetServer" field - # Seen in the following EventIDs (not necessarily exhaustive) + # Seen in the following EventIDs (not necessarily exhaustive)IbPK6g # Security:5378 else if [TargetServer] { - mutate { gsub => [ "TargetServer", "TERMSRV\/", "" ] } - mutate { rename => { "TargetServer" => "dst_ip_addr" } } + mutate { + rename => { "TargetServer" => "dst_ip_addr" } + copy => { "dst_ip_addr" => "dst_original_value" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-TargetServer" } + } + mutate { + gsub => [ "dst_ip_addr", "^(.*?)\/", "" ] + add_field => { "etl_pipeline" => "winevent-ip_conversion-gsub-TargetServer" } + } } #### ^ DONE w/ All Dst IP parsing #### @@ -174,7 +203,10 @@ filter { # Seen in the following EventIDs (not necessarily exhaustive) # Citrix-XenDesktop-BrokerMonitor/Operational:4,44 if [ConnectedViaIPAddress] { - mutate { rename => { "ConnectedViaIPAddress" => "dst_nat_ip_addr" } } + mutate { + rename => { "ConnectedViaIPAddress" => "dst_nat_ip_addr" } + add_field => { "etl_pipeline" => "winevent-ip_conversion-ConnectedViaIPAddress" } + } } #### ^ DONE w/ All Dst NAT IP parsing #### } 
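Review bot: The comment above the `TargetServer` branch has stray characters fused onto it (`# Seen in the following EventIDs (not necessarily exhaustive)IbPK6g`); drop the `IbPK6g` suffix. The new `gsub => [ "dst_ip_addr", "^(.*?)\/", "" ]` strips everything up to the first slash rather than only the `TERMSRV/` prefix the old code targeted, so a value containing an unexpected `/` earlier than the service prefix would be truncated; if broader stripping is intended, say so in a comment, otherwise anchor it to the known prefixes. Note also that `TargetServer` is a server name, not an address, so `dst_ip_addr` receives hostnames here (pre-existing), and the surrounding `[log_name]` regex uses `[rdp|RDP]` as a character class rather than an alternation (also pre-existing, but worth fixing while touching this block). The enclosing `if [event_id]` block starts and ends outside this hunk.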
diff --git a/docker/helk-logstash/pipeline/1522-winevent-cleanup-lowercasing-windows-filter.conf b/docker/helk-logstash/pipeline/1522-winevent-cleanup-lowercasing-windows-filter.conf index 7f265c71..ab7ca04f 100644 --- a/docker/helk-logstash/pipeline/1522-winevent-cleanup-lowercasing-windows-filter.conf +++ b/docker/helk-logstash/pipeline/1522-winevent-cleanup-lowercasing-windows-filter.conf @@ -7,7 +7,7 @@ filter { if [event_id] { - mutate { add_field => { "z_logstash_pipeline" => "1522" } } + mutate { add_field => { "etl_pipeline" => "1522" } } mutate { lowercase => [ diff --git a/docker/helk-logstash/pipeline/1523-winevent-process-name-filter.conf b/docker/helk-logstash/pipeline/1523-winevent-process-name-filter.conf deleted file mode 100644 index 70f72ec3..00000000 --- a/docker/helk-logstash/pipeline/1523-winevent-process-name-filter.conf +++ /dev/null 
@@ -1,60 +0,0 @@ -# HELK process-name-filter filter conf -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -filter { - if [event_id] { - if [Image] { - mutate { - add_field => { "z_logstash_pipeline" => "1523_1" } - rename => { "Image" => "process_path" } - } - } - if [Application] { - mutate { - add_field => { "z_logstash_pipeline" => "1523_2" } - rename => { "Application" => "process_path" } - } - } - if [NewProcessName] { - mutate { - add_field => { "z_logstash_pipeline" => "1523_3" } - rename => { "NewProcessName" => "process_path" } - } - } - if [ProcessName] { - mutate { - add_field => { "z_logstash_pipeline" => "1523_4" } - rename => { "ProcessName" => "process_path" } - } - } - if [ParentProcessName] { - mutate { - add_field => { "z_logstash_pipeline" => "1523_5" } - rename => { "ParentProcessName" => "process_parent_path" } - } - } - if [ParentImage] { - mutate { - add_field => { "z_logstash_pipeline" => "1523_6" } - rename => { "ParentImage" => "process_parent_path" } - } - } - if [TargetImage] { - mutate { - add_field => { "z_logstash_pipeline" => "1523_7" } - rename => { "TargetImage" => "process_target_path" } - } - } - if [SourceImage] { - mutate { - add_field => { "z_logstash_pipeline" => "1523_8" } - rename => { "SourceImage" => "process_path" } - } - } - if [ProdessName] { - mutate { rename => { "ProdessName" => "process_path" } } - } - } -} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1524-winevent-logon-ids-conversions-filter.conf b/docker/helk-logstash/pipeline/1524-winevent-logon-ids-conversions-filter.conf new file mode 100644 index 00000000..c1fa69fa --- /dev/null +++ b/docker/helk-logstash/pipeline/1524-winevent-logon-ids-conversions-filter.conf 
@@ -0,0 +1,37 @@ +# HELK logon-ids-conversions filter conf +# HELK build Stage: Alpha +# Author: Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + if [event_id] { + if [SubjectLogonId] =~ /^0x/ { + ruby { + code => 'event.set("SubjectLogonId", event.get("SubjectLogonId").gsub(/^0x/, "").to_s.hex)' + tag_on_exception => "_rubyexception-SubjectLogonId-hex2dec" + add_field => { "etl_pipeline" => "SubjectLogonId-hex2dec" } + } + } + if [TargetLogonId] =~ /^0x/ { + ruby { + code => 'event.set("TargetLogonId", event.get("TargetLogonId").gsub(/^0x/, "").to_s.hex)' + tag_on_exception => "_rubyexception-TargetLogonId-hex2dec" + add_field => { "etl_pipeline" => "TargetLogonId-hex2dec" } + } + } + if [LogonId] =~ /^0x/ { + ruby { + code => 'event.set("LogonId", event.get("LogonId").gsub(/^0x/, "").to_s.hex)' + tag_on_exception => "_rubyexception-LogonId-hex2dec" + add_field => { "etl_pipeline" => "LogonId-hex2dec" } + } + } + if [TargetLinkedLogonId] =~ /^0x/ { + ruby { + code => 'event.set("TargetLinkedLogonId", event.get("TargetLinkedLogonId").gsub(/^0x/, "").to_s.hex)' + tag_on_exception => "_rubyexception-TargetLinkedLogonId-hex2dec" + add_field => { "etl_pipeline" => "TargetLinkedLogonId-hex2dec" } + } + } + } +} diff --git a/docker/helk-logstash/pipeline/1524-winevent-process-ids-filter.conf b/docker/helk-logstash/pipeline/1524-winevent-process-ids-filter.conf deleted file mode 100644 index a5560279..00000000 --- a/docker/helk-logstash/pipeline/1524-winevent-process-ids-filter.conf +++ /dev/null 
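Review bot: In each of the four ruby blocks `.hex` silently returns `0` for input that is not valid hexadecimal, so a malformed or truncated logon ID is rewritten to `0` rather than tagged, and searches on that value would then group unrelated logon sessions together. Tighten the guard so only well-formed values are converted, e.g. `if [SubjectLogonId] =~ /^0x[0-9A-Fa-f]+$/ {`, and mirror that for the other three fields. The `.gsub(/^0x/, "").to_s` is redundant since Ruby's `String#hex` already accepts a `0x` prefix, and if the field ever arrives as an array `gsub` raises and the event is tagged while the sibling blocks still run; a header comment stating the contract (`# converts Windows logon IDs (LUIDs) from 0x-prefixed hex to an integer so they can be joined across 4624/4634/4648/4672`) would help since this file is the only place the conversion happens.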
@@ -1,75 +0,0 @@ -# HELK process-ids filter conf -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -filter { - if [event_id] { - if [ProcessId] { - mutate { - add_field => { "z_logstash_pipeline" => "1524_2" } - rename => { "ProcessId" => "process_id" } - } - } - if [NewProcessId] { - mutate { - add_field => { "z_logstash_pipeline" => "1524_3" } - rename => { "NewProcessId" => "process_id" } - } - } - if [ParentProcessId] { - mutate { - add_field => { "z_logstash_pipeline" => "1524_5" } - rename => { "ParentProcessId" => "process_parent_id" } - } - } - if [ProcessGuid] { - mutate { - add_field => { "z_logstash_pipeline" => "1524_6" } - rename => { "ProcessGuid" => "process_guid" } - } - } - if [ParentProcessGuid] { - mutate { - add_field => { "z_logstash_pipeline" => "1524_7" } - rename => { "ParentProcessGuid" => "process_parent_guid" } - } - } - if [SourceProcessGuid] { - mutate { - add_field => { "z_logstash_pipeline" => "1524_8" } - rename => { "SourceProcessGuid" => "process_guid" } - } - } - if [SourceProcessGUID] { - mutate { - add_field => { "z_logstash_pipeline" => "1524_9" } - rename => { "SourceProcessGUID" => "process_guid" } - } - } - if [SourceProcessId] { - mutate { - add_field => { "z_logstash_pipeline" => "1524_11" } - rename => { "SourceProcessId" => "process_id" } - } - } - if [TargetProcessGuid] { - mutate { - add_field => { "z_logstash_pipeline" => "1524_12" } - rename => { "TargetProcessGuid" => "process_target_guid" } - } - } - if [TargetProcessGUID] { - mutate { - add_field => { "z_logstash_pipeline" => "1524_13" } - rename => { "TargetProcessGUID" => "process_target_guid" } - } - } - if [TargetProcessId] { - mutate { - add_field => { "z_logstash_pipeline" => "1524_15" } - rename => { "TargetProcessId" => "process_target_id" } - } - } - } -} \ No newline at end of file 
diff --git a/docker/helk-logstash/pipeline/1531-winevent-sysmon-filter.conf b/docker/helk-logstash/pipeline/1531-winevent-sysmon-filter.conf index a152c7ca..26da23ee 100644 --- a/docker/helk-logstash/pipeline/1531-winevent-sysmon-filter.conf +++ b/docker/helk-logstash/pipeline/1531-winevent-sysmon-filter.conf @@ -5,14 +5,28 @@ filter { if [log_name] =~ /^[mM]icrosoft\-[wW]indows\-[sS]ysmon\/[oO]perational$/ { - mutate { add_field => { "z_logstash_pipeline" => "1531" } } + mutate { + add_field => { + "event_timezone" => "UTC" + "etl_pipeline" => "winevent-sysmon-all-1531" + "[@metadata][index_name]" => "sysmon" + } + # Sysmon uses its own timestamp using the field `UtcTime` + rename => { "event_original_time" => "event_recorded_time" } + } + date { + timezone => "UTC" + match => [ "UtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ] + target=> "@timestamp" + tag_on_failure => [ "_parsefailure", "parsefailure-critical", "parsefailure-date-@timestamp", "parsefailure-date-sysmon-UtcTime" ] + add_field => { "event_original_time" => "%{@timestamp}" } + } mutate { rename => { "[user][domain]" => "user_reporter_domain" "[user][identifier]" => "user_reporter_sid" "[user][name]" => "user_reporter_name" "[user][type]" => "user_reporter_type" - "computer_name" => "host_name" } } if [RuleName] { @@ -36,7 +50,8 @@ filter { if [User] { grok { match => { "User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" } - tag_on_failure => [ "_User__grokparsefailure", "_grokparsefailure", "_parsefailure" ] + add_field => { "etl_pipeline" => "sysmon-all-extract_domain_and_user_name" } + tag_on_failure => [ "_parsefailure", "parsefailure-grok-User-extract_domain_and_user_name" ] } } if [event_id] == 1 { 
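Review bot: The `date` filter that now sets `@timestamp` from the event's own `UtcTime` only applies its `add_field` when the match succeeds, so on a parse failure the event carries `event_recorded_time` (the preceding `rename` is unconditional) but no `event_original_time`, and `@timestamp` keeps the Beats/NXLog value; that asymmetry should be stated in a comment next to the rename, e.g. `# event_recorded_time = time the log shipper saw the event; event_original_time = Sysmon UtcTime (only set when UtcTime parses)`. Since `@timestamp` now comes from an endpoint-supplied field rather than the shipper, a clock-skewed or tampered host can move its own events in time; keeping `event_recorded_time` is the right mitigation, so it is worth noting that this is why the field is preserved. The `[user][domain]`/`[user][identifier]`/`[user][name]`/`[user][type]` renames below still reference the ECS `[user]` nest, which the Winlogbeat 7+ cleanup earlier in this diff moves under `[z_elastic_ecs][user]`, so they may no longer fire for that input path; please confirm the execution order.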
@@ -61,23 +76,28 @@ filter { if [event_id] == 2 { mutate { add_field => { "action" => "filecreatetime" } - rename => { "TargetFilename" => "file_name" } + rename => { + "TargetFilename" => "file_name" + "Image" => "process_path" + } } } if [event_id] == 3 { mutate { add_field => { "action" => "networkconnect" } + # IPv6 vs IPv4 checking is done elsewhere, therefore 'DestinationIsIpv6' and 'SourceIsIpv6' are kept as is. rename => { + "DestinationIsIpv6" => "dst_is_ipv6" "DestinationHostname" => "dst_host_name" "DestinationPort" => "dst_port" "DestinationPortName" => "dst_port_name" - "DestinationIsIpv6" => "dst_is_ipv6" "Initiated" => "network_initiated" "Protocol" => "network_protocol" + "SourceIsIpv6" => "src_is_ipv6" "SourceHostname" => "src_host_name" "SourcePort" => "src_port" "SourcePortName" => "src_port_name" - "SourceIsIpv6" => "src_is_ipv6" + "Image" => "process_path" } } } @@ -91,6 +111,16 @@ filter { } } } + if [event_id] == 5 { + mutate { + add_field => { "action" => "processterminated" } + rename => { + "ProcessGuid" => "process_guid" + "ProcessId" => "process_id" + "Image" => "process_path" + } + } + } if [event_id] == 6 { mutate { add_field => { "action" => "driverload" } @@ -115,6 +145,7 @@ filter { "Product" => "file_product" "Company" => "file_company" "OriginalFileName " => "file_name_original" + "Image" => "process_path" } } } 
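Review bot: The new comment in the event ID 3 block, `# IPv6 vs IPv4 checking is done elsewhere, therefore 'DestinationIsIpv6' and 'SourceIsIpv6' are kept as is.`, is contradicted by this same commit: 1521-winevent-conversions-ip-conversions-basic-filter.conf removes the only branches that inspected those flags and now renames `SourceIp`/`DestinationIp` unconditionally. Reword it to describe the current state, e.g. `# SourceIsIpv6/DestinationIsIpv6 are renamed but no longer drive parsing; 1521 puts both families in src_ip_addr/dst_ip_addr`. Event ID 5 renames `ProcessGuid`/`ProcessId`/`Image` here, but IDs 2, 3, 7, 9 and 11 in this hunk only rename `Image`; with 1524-winevent-process-ids-filter.conf deleted in this diff, their `ProcessGuid`/`ProcessId` need to be handled in lines outside this hunk or they will stay under the raw Sysmon names.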
@@ -123,16 +154,25 @@ filter { add_field => { "action" => "createremotethread" } rename => { "NewThreadId" => "thread_new_id" + "SourceProcessGuid" => "process_guid" + "SourceProcessId" => "process_id" "StartAddress" => "thread_start_address" "StartFunction" => "thread_start_function" "StartModule" => "thread_start_module" + "SourceImage" => "process_path" + "TargetProcessGuid" => "target_process_guid" + "TargetProcessId" => "target_process_id" + "TargetImage" => "target_process_path" } } } if [event_id] == 9 { mutate { add_field => { "action" => "rawaccessread" } - rename => { "Device" => "device_name" } + rename => { + "Device" => "device_name" + "Image" => "process_path" + } } } if [event_id] == 10 { @@ -142,13 +182,18 @@ filter { "CallTrace" => "process_call_trace" "GrantedAccess" => "process_granted_access" "SourceThreadId" => "thread_id" + "SourceImage" => "process_path" + "TargetImage" => "target_process_path" } } } if [event_id] == 11 { mutate { add_field => { "action" => "filecreate" } - rename => { "TargetFilename" => "file_name" } + rename => { + "TargetFilename" => "file_name" + "Image" => "process_path" + } } } if [event_id] == 12 or [event_id] == 13 or [event_id] == 14 { @@ -159,6 +204,7 @@ filter { "TargetObject" => "registry_key_path" "Details" => "registry_key_value" "NewName" => "registry_key_new_name" + "Image" => "process_path" } } } @@ -168,6 +214,7 @@ filter { rename => { "TargetFilename" => "file_name" "Hash" => "hash" + "Image" => "process_path" } } } @@ -186,12 +233,13 @@ filter { } } } - if [event_id] == 18 or [event_id] == 17 { + if [event_id] == 17 or [event_id] == 18 { mutate { add_field => { "action" => "pipeevent" } rename => { "EventType" => "event_type" "PipeName" => "pipe_name" + "Image" => "process_path" } } } 
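Review bot: Event IDs 8 and 10 now emit `target_process_path`/`target_process_guid`/`target_process_id`, whereas the 1523/1524 filters deleted in this diff produced `process_target_path`/`process_target_guid`/`process_target_id`; that is a silent field rename for CreateRemoteThread and ProcessAccess, two of the most commonly alerted Sysmon events, with no backwards-compatibility `copy` like the one event ID 22 gets later in this file. Either add the same `copy => { "target_process_path" => "process_target_path" … }` shim with a tag, or state the break in a comment above the block. Event ID 10 also uses the upper-case `SourceProcessGUID`/`TargetProcessGUID` names, which the deleted 1524 file handled and which do not appear in the visible lines of this block; if they are not renamed elsewhere they will remain under the raw names. The ID 10 block starts outside this hunk.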
@@ -234,29 +282,32 @@ filter { mutate { add_field => { "action" => "dnsquery" } rename => { - "QueryName" => "dns_query_name" + "QueryName" => "dst_host_name" "QueryStatus" => "dns_query_status" "QueryResults" => "dns_query_results" + "Image" => "process_path" } + copy => { "dst_host_name" => "dns_query_name" } + add_tag => [ "backwards_compatibility for winevent:Sysmon:22 field:dns_query_name" ] + } } - date { - timezone => "UTC" - match => [ "UtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ] - target=> "@event_date_creation" - tag_on_failure => [ "_sysmon_UtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ] + if [event_id] == 255 { + mutate { + add_field => { "action" => "error" } + } } date { timezone => "UTC" match => [ "CreationUtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ] - target => "@file_date_creation" - tag_on_failure => [ "_sysmon_CreationUtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ] + target => "file_creation_time" + tag_on_failure => [ "_parsefailure", "parsefailure-date-file_creation_time", "parsefailure-date-sysmon-CreationUtcTime" ] } date { timezone => "UTC" match => [ "PreviousCreationUtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ] - target => "@file_previous_date_creation" - tag_on_failure => [ "_sysmon_PreviousCreationUtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ] + target => "file_previous_creation_time" + tag_on_failure => [ "_parsefailure", "parsefailure-date-file_previous_creation_time", "parsefailure-date-sysmon-PreviousCreationUtcTime" ] } mutate { rename => { "User" => "user_account" } diff --git a/docker/helk-logstash/pipeline/1532-winevent-security-filter.conf b/docker/helk-logstash/pipeline/1532-winevent-security-filter.conf index e2725f6b..85318e5a 100644 --- a/docker/helk-logstash/pipeline/1532-winevent-security-filter.conf +++ b/docker/helk-logstash/pipeline/1532-winevent-security-filter.conf 
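Review bot: The compatibility shim for event ID 22 relies on `mutate` executing `rename` before `copy` inside one block; that ordering is fixed by the plugin but is not obvious, so add `# mutate applies rename before copy, so dns_query_name is copied from the already-renamed dst_host_name` above it. The tag `"backwards_compatibility for winevent:Sysmon:22 field:dns_query_name"` is a free-form sentence with spaces and colons, which is awkward to filter on and unlike every other tag in this diff; a token such as `backwards_compatibility-sysmon_22-dns_query_name` would be easier to query and to grep for when the shim is eventually removed. Reusing `dst_host_name` for a DNS query name merges it with the `DestinationHostname` of event ID 3; if that is the intended OSSEM semantics, a one-line comment would stop someone "correcting" it.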
@@ -5,7 +5,21 @@ filter { if [log_name] =~ /^[sS]ecurity$/ { - mutate { add_field => { "z_logstash_pipeline" => "1532" } } + mutate { + add_field => { + "etl_pipeline" => "winevent-security-all-1532" + "[@metadata][index_name]" => "security" + } + } + if [event_id] == 4610 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4610.md + mutate { + rename => { + "AuthenticationPackageName" => "logon_authentication_package_name" + } + add_field => { "etl_pipeline" => "winevent_security-4610-ossem" } + } + } if [event_id] == 4611 { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4611.md mutate { @@ -16,6 +30,16 @@ filter { "SubjectLogonId" => "user_logon_id" "LogonProcessName" => "logon_process_name" } + add_field => { "etl_pipeline" => "winevent_security-4610-ossem" } + } + } + if [event_id] == 4614 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4614.md + mutate { + rename => { + "NotificationPackageName" => "logon_notification_package_name" + } + add_field => { "etl_pipeline" => "winevent_security-4614-ossem" } } } if [event_id] == 4616 { @@ -31,6 +55,15 @@ filter { } } } + if [event_id] == 4622 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4622.md + mutate { + rename => { + "SecurityPackageName" => "logon_security_package_name" + } + add_field => { "etl_pipeline" => "winevent_security-4622-ossem" } + } + } if [event_id] == 4624 { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4624.md mutate { 
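Review bot: The `add_field` added to the event ID 4611 block is labelled `"etl_pipeline" => "winevent_security-4610-ossem"`, a copy of the 4610 label; it should read `add_field => { "etl_pipeline" => "winevent_security-4611-ossem" }` so pipeline provenance is not misattributed. The new 4610/4614/4622 blocks only rename one field each and carry a doc URL, which is good; a short comment stating that these are the LSA package-load events used to spot rogue authentication/notification/security packages would tell a reader why they are worth parsing at all. The 4611 block starts inside this hunk but continues into the next one.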
@@ -40,7 +73,6 @@ filter { "SubjectDomainName" => "user_reporter_domain" "SubjectLogonId" => "reporter_logon_id" "TargetLogonId" => "user_logon_id" - "LogonType" => "logon_type" "RestrictedAdminMode" => "logon_restricted_adminmode" "VirtualAccount" => "logon_virtual_account" "ElevatedToken" => "logon_elevated_token" @@ -59,6 +91,7 @@ filter { "TransmittedServices" => "logon_transmitted_services" "LmPackageName" => "logon_package_name" "KeyLength" => "logon_key_length" + "ProcessName" => "process_path" } } if "logon_elevated_token" == "Yes"{ @@ -73,7 +106,6 @@ filter { "SubjectUserName" => "user_reporter_name" "SubjectDomainName" => "user_reporter_domain" "SubjectLogonId" => "reporter_logon_id" - "LogonType" => "logon_type" "TargetUserName" => "user_name" "TargetDomainName" => "user_domain" "TargetUserSid" => "user_sid" @@ -87,6 +119,7 @@ filter { "FailureReason" => "logon_failure_reason" "Status" => "event_status" "SubStatus" => "event_sub_status" + "ProcessName" => "process_path" } } if "logon_elevated_token" == "Yes"{ @@ -102,7 +135,6 @@ filter { "SubjectDomainName" => "user_reporter_domain" "SubjectLogonId" => "reporter_logon_id" "TargetLogonId" => "user_logon_id" - "LogonType" => "logon_type" "TargetUserName" => "user_name" "TargetDomainName" => "user_domain" "TargetUserSid" => "user_sid" @@ -118,7 +150,6 @@ filter { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4634.md mutate { rename => { - "LogonType" => "logon_type" "TargetDomainName" => "user_domain" "TargetLogonId" => "user_logon_id" "TargetUserName" => "user_name" 
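Review bot: The context line `if "logon_elevated_token" == "Yes"{` that follows the 4624 and 4625 blocks compares two string literals, so it is always false and whatever it guards never runs; it should be `if [logon_elevated_token] == "Yes" {`. This is pre-existing, but the hunk touches the lines immediately above it and the condition appears twice here. The `"LogonType" => "logon_type"` rename is removed from 4624, 4625, 4627 and 4634 with no replacement visible in this diff; if a shared conversion elsewhere now owns `logon_type`, a comment such as `# LogonType is renamed/enriched centrally, not per event ID` at the top of this file would explain the omission to the next maintainer. The enclosing blocks start and end outside this hunk.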
@@ -146,16 +177,41 @@ filter { "SubjectDomainName" => "user_domain" "SubjectLogonId" => "user_logon_id" "LogonGuid" => "user_logon_guid" - "TargetUserName" => "user_target_name" - "TargetDomainName" => "user_target_domain" - "TargetLogonId" => "user_target_logon_id" - "TargetServerName" => "service_host_name" + "TargetUserName" => "target_user_name" + "TargetDomainName" => "target_user_domain" + "TargetLogonId" => "target_user_logon_id" + "TargetServerName" => "target_server_name" "TargetInfo" => "service_host_info" - "TargetLogonGuid" => "user_target_logon_guid" + "TargetLogonGuid" => "target_user_logon_guid" "IpPort" => "src_port" + "ProcessName" => "process_path" + } + copy => { + "target_server_name" => "service_host_name" } } } + if [event_id] == 4649 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4649.md + mutate { + rename => { + "AuthenticationPackageName" => "logon_authentication_package_name" + "LogonProcessName" => "logon_process_name" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "RequestType" => "ticket_request_type" + "SubjectDomainName" => "user_reporter_domain" + "SubjectLogonId" => "user_reporter_logon_id" + "SubjectUserSid" => "user_reporter_sid" + "SubjectUserName" => "user_reporter_name" + "TargetDomainName" => "user_domain" + "TargetUserName" => "user_name" + "TransmittedServices" => "logon_transmitted_services" + "WorkstationName" => "src_host_name" + } + add_field => { "etl_pipeline" => "winevent_security-4649-ossem" } + } + } if [event_id] == 4656 { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md mutate { 
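Review bot: The new 4649 block maps `SubjectLogonId` to `user_reporter_logon_id`, while the 4624/4625/4627 blocks earlier in this file map the same Windows field to `reporter_logon_id`; use one name (`"SubjectLogonId" => "reporter_logon_id"`) so the replay-detection event can be joined to the logon it relates to. In the 4648 block the `copy => { "target_server_name" => "service_host_name" }` depends on `mutate` running `rename` before `copy`; a one-line comment saying so avoids a future "fix" that reorders them. The 4648 block starts outside this hunk.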
@@ -164,17 +220,18 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "AccessList" => "object_access_list_requested" - "AccessMask" => "object_access_mask_requested" + "AccessList" => "object_access_list" + "AccessMask" => "object_access_mask" "AccessReason" => "object_access_reason" "ObjectName" => "object_name" "ObjectServer" => "object_server" "ObjectType" => "object_type" - "HandleId" => "object_access_handle_id" + "HandleId" => "object_handle_id" "PrivilegeList" => "object_privilege_list" - "TransactionId" => "object_transaction_guid" + "TransactionId" => "transaction_guid" "ResourceAttributes" => "object_resource_attributes" "RestrictedSidCount" => "object_restricted_sid_count" + "ProcessName" => "process_path" } } } @@ -186,15 +243,25 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "ObjectName" => "object_name" - "ObjectValueName" => "object_value_name" - "HandleId" => "object_access_handle_id" + "ObjectName" => "registry_key_path" + "ObjectValueName" => "registry_key_value_name" + "HandleId" => "object_handle_id" "OperationType" => "object_operation_type" "OldValueType" => "object_value_old_type" - "OldValue" => "object_value_old" - "NewValueType" => "object_value_new_type" - "NewValue" => "object_value_new" + "OldValue" => "registry_value_old_data" + "NewValueType" => "registry_key_value_type" + "NewValue" => "registry_key_value_data" + "ProcessName" => "process_path" } + copy => { + "registry_key_path" => "object_name" + "registry_key_value_data" => "object_value_new" + "registry_key_value_name" => "object_value_name" + "registry_key_value_type" => "object_value_new_type" + "registry_value_old_data" => "object_value_old" + "ticket_status" => "event_status" + } + add_field => { "etl_pipeline" => "winevent_security-4657-ossem" } } } if [event_id] == 4658 { 
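Review bot: The 4657 `copy` map includes `"ticket_status" => "event_status"`, but nothing in this block produces `ticket_status` (it looks like a Kerberos field that was pasted in); if `copy` skips missing sources this line is dead, otherwise it would write an empty `event_status`, so remove it either way. The remaining copies are a backwards-compatibility layer from the new `registry_*` names to the old `object_*` names; unlike the Sysmon 22 shim elsewhere in this diff they carry no tag or comment, so add `# keep old object_* names for existing searches; remove once dashboards use registry_*` above the `copy`. The 4656 and 4657 blocks start outside this hunk.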
@@ -206,7 +273,7 @@ filter {
 "SubjectUserName" => "user_name"
 "SubjectUserSid" => "user_sid"
 "ObjectServer" => "object_server"
- "HandleId" => "object_access_handle_id"
+ "HandleId" => "object_handle_id"
 }
 }
 }
@@ -220,14 +287,15 @@ filter {
 "ObjectName" => "object_name"
 "ObjectServer" => "object_server"
 "ObjectType" => "object_type"
- "HandleId" => "object_access_handle_id"
- "TransactionId" => "object_transaction_guid"
- "AccessList" => "object_access_list_requested"
- "AccessMask" => "object_access_mask_requested"
+ "HandleId" => "object_handle_id"
+ "TransactionId" => "transaction_guid"
+ "AccessList" => "object_access_list"
+ "AccessMask" => "object_access_mask"
+ "ProcessName" => "process_path"
 }
 }
 }
- if [event_id] == 4660 or [event_id] == 4661 or [event_id] == 4662 or [event_id] == 4663 {
+ if [event_id] in [ 4660, 4661, 4662, 4663 ] {
 # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4660
 # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4661.md
 # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4662.md
@@ -239,20 +307,20 @@ filter { "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" "Properties" => "object_properties" - "AccessMask" => "object_access_mask_requested" - "HandleId" => "object_access_handle_id" + "AccessMask" => "object_access_mask" + "HandleId" => "object_handle_id" "ObjectName" => "object_name" "ObjectServer" => "object_server" "ObjectType" => "object_type" "AdditionalInfo2" => "object_additional_info2" "OperationType" => "object_operation_type" "AdditionalInfo" => "object_additional_info" - "AccessList" => "object_access_list_requested" + "AccessList" => "object_access_list" "ResourceAttributes" => "object_resource_attributes" - "AccessReason" => "object_access_reason" "PrivilegeList" => "object_privilege_list" - "TransactionId" => "object_transaction_guid" + "TransactionId" => "transaction_guid" "RestrictedSidCount" => "object_restricted_sid_count" + "ProcessName" => "process_path" } } } @@ -264,12 +332,13 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "HandleId" => "object_access_handle_id" - "NewSd" => "object_new_sddl" + "HandleId" => "object_handle_id" + "NewSd" => "object_new_sd" "ObjectName" => "object_name" "ObjectServer" => "object_server" "ObjectType" => "object_type" - "OldSd" => "object_old_sddl" + "OldSd" => "object_old_sd" + "ProcessName" => "process_path" } } } @@ -277,7 +346,7 @@ filter { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4672.md mutate { rename => { - "PrivilegeList" => "logon_privileges_assigned" + "PrivilegeList" => "logon_privilege_list" "SubjectDomainName" => "user_domain" "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" 
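Review bot: In the 4660–4663 hunk the line `"AccessReason" => "object_access_reason"` is removed with no replacement, so for those events AccessReason now stays under its raw Windows name while the 4656 hunk earlier in this commit still maps the same field to object_access_reason; the removal looks accidental, and restoring the mapping keeps access-reason queries working across all object-access events. If the drop is intentional, a comment on the block saying why would stop it being re-added. The enclosing `if [event_id] in [ 4660, 4661, 4662, 4663 ]` opens in the previous hunk, outside this one.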
@@ -307,8 +376,8 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "AccessMask" => "object_access_mask_requested" - "HandleId" => "object_access_handle_id" + "AccessMask" => "object_access_mask" + "HandleId" => "object_handle_id" "ObjectName" => "object_name" "ObjectServer" => "object_server" "ObjectType" => "object_type" @@ -324,9 +393,10 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "TransactionId" => "object_transaction_guid" + "TransactionId" => "transaction_guid" "NewState" => "object_transaction_new_state" "ResourceManager" => "object_transaction_resource_manager" + "ProcessName" => "process_path" } } } @@ -335,16 +405,19 @@ filter { mutate { rename => { "CommandLine" => "process_command_line" + "MandatoryLabel" => "process_mandatory_sid" + "NewProcessId" => "process_id" + "NewProcessName" => "process_path" + "ParentProcessName" => "process_parent_path" + "ProcessId" => "process_parent_id" "SubjectDomainName" => "user_domain" "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "TargetDomainName" => "user_principal_domain" - "TargetUserSid" => "user_principal_sid" - "TargetUserName" => "user_principal_name" - "TargetLogonId" => "user_principal_id" - "MandatoryLabel" => "process_mandatory_sid" - "ProcessId" => "process_parent_id" + "TargetDomainName" => "target_user_domain" + "TargetUserSid" => "target_user_sid" + "TargetUserName" => "target_user_name" + "TargetLogonId" => "target_user_logon_id" "TokenElevationType" => "process_token_elevation_type" } } @@ -358,6 +431,7 @@ filter { "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" "Status" => "event_status" + "ProcessName" => "process_path" } } } 
@@ -365,17 +439,42 @@ filter { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4690.md mutate { rename => { + "ProcessId" => "reporter_process_id" "SubjectDomainName" => "user_domain" "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "SourceHandleId" => "process_handle_id" + "SourceHandleId" => "object_handle_id" "SourceProcessId" => "process_id" - "TargetHandleId" => "process_target_handle_id" - "TargetProcessId" => "process_target_id" + "TargetHandleId" => "target_object_handle_id" + "TargetProcessId" => "target_process_id" + } + #TODO: Keep backwards compatibility for now + copy => { + "object_handle_id" => "process_handle_id" + "target_object_handle_id" => "target_process_handle_id" } } } + if [event_id] == 4696 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4696.md + mutate { + rename => { + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "target_user_domain" + "TargetUserSid" => "target_user_sid" + "TargetUserName" => "target_user_name" + "TargetLogonId" => "target_user_logon_id" + "TargetProcessName" => "target_process_path" + } + add_field => { "etl_pipeline" => "winevent_security-4696-ossem" } + } + } if [event_id] == 4697 { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4697.md mutate { 
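Review bot: The `#TODO: Keep backwards compatibility for now` copy in the 4690 hunk does not restore the old names: the removed renames produced `process_target_handle_id` and `process_target_id`, but the copy writes `target_process_handle_id` and nothing carries `process_target_id`, so queries on the old fields break anyway and a third name is introduced. Either copy to the exact old names, `"target_object_handle_id" => "process_target_handle_id"` and `"target_process_id" => "process_target_id"`, or drop the copy and the TODO together. `"ProcessId" => "reporter_process_id"` is the only process field on this page with a reporter_ prefix; presumably it follows the OSSEM name, but worth confirming against the dictionary. The enclosing `if [event_id] == 4690` opens outside the hunk.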
@@ -390,10 +489,15 @@ filter { "ServiceStartType" => "service_start_type" "ServiceType" => "service_type" } + add_field => { "etl_pipeline" => "winevent_security-4697-ossem" } } } - if [event_id] == 4698 { + if [event_id] in [ 4698, 4699, 4700, 4701, 4702 ] { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4698.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4709.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4700.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4702.md mutate { rename => { "SubjectDomainName" => "user_domain" @@ -401,19 +505,19 @@ filter { "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" "TaskName" => "scheduled_task_name" + "TaskContent" => "scheduled_task_content" + "TaskContentNew" => "scheduled_task_content" } + add_field => { "etl_pipeline" => "winevent_security-other_object_access_scheduled_tasks-ossem" } } } if [event_id] == 4701 or [event_id] == 4702 { - # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md - # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4702.md mutate { rename => { "SubjectDomainName" => "user_domain" "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "TaskContentNew" => "task_new_content" "TaskName" => "task_name" } } 
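Review bot: After merging 4701 and 4702 into the `in [ 4698, 4699, 4700, 4701, 4702 ]` block, the `if [event_id] == 4701 or [event_id] == 4702` block that still follows is dead: its Subject* and TaskName renames target fields the merged block has already renamed to user_* and scheduled_task_name, so they silently no-op and `task_name` is never produced. Remove that second block, or if `task_name` is still wanted for existing dashboards add `copy => { "scheduled_task_name" => "task_name" }` to the merged block instead. The reference comments list `event-4709.md` where the condition has 4699. `TaskContent` and `TaskContentNew` both rename to scheduled_task_content, which is fine only while the two never appear in the same event; a short comment stating that assumption would help.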
@@ -426,12 +530,12 @@ filter {
 "SubjectLogonId" => "user_logon_id"
 "SubjectUserName" => "user_name"
 "SubjectUserSid" => "user_sid"
- "TargetDomainName" => "user_target_domain"
- "TargetLogonId" => "user_target_logon_id"
- "TargetUserSid" => "user_target_sid"
- "TargetUserName" => "user_target_name"
- "DisabledPrivilegeList" => "user_target_disabled_privilege_list"
- "EnabledPrivilegeList" => "user_target_enabled_privilege_list"
+ "TargetDomainName" => "target_user_domain"
+ "TargetLogonId" => "target_user_logon_id"
+ "TargetUserSid" => "target_user_sid"
+ "TargetUserName" => "target_user_name"
+ "DisabledPrivilegeList" => "target_user_disabled_privilege_list"
+ "EnabledPrivilegeList" => "target_user_enabled_privilege_list"
 }
 }
 }
@@ -443,42 +547,55 @@ filter { "SubjectUserName" => "user_name" "SubjectDomainName" => "user_domain" "SubjectLogonId" => "user_logon_id" - "TargetSid" => "user_target_sid" - "PrivilegeList" => "user_target_privilege_list" + "TargetSid" => "target_user_sid" + "PrivilegeList" => "user_privilege_list" } + copy => { "user_privilege_list" => "target_user_privilege_list" } } } - if [event_id] == 4719 { + if [event_id] in [ 4715, 4719, 4817, 4902, 4904, 4905, 4906, 4907, 4908, 4912 ] { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4715.md # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4817.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4902.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4904.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4905.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4906.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4907.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4908.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4912.md + #TODO: for now no sense of renaming PuaCount and PuaPolicyId because exist in no other event logs mutate { rename => { - "SubjectDomainName" => "user_domain" - "SubjectLogonId" => "user_logon_id" - "SubjectUserName" => "user_name" - "SubjectUserSid" => 
"user_sid" "AuditPolicyChanges" => "policy_changes" + "AuditSourceName" => "event_source_name" "CategoryId" => "policy_category_id" + "CrashOnAuditFailValue" => "crash_on_audit_fail_value" + "EventSourceId" => "event_source_id" + "HandleId" => "object_handle_id" + "NewSd" => "object_new_sd" + "ObjectName" => "object_name" + "ObjectServer" => "object_server" + "ObjectType" => "object_type" + "OldSd" => "object_old_sd" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "SidList" => "sid_list" "SubcategoryGuid" => "policy_subcategory_guid" "SubcategoryId" => "policy_subcategory_id" - } - } - } - if [event_id] == 4724 or [event_id] == 4725 { - # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4724.md - # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4725.md - mutate { - rename => { "SubjectDomainName" => "user_domain" "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "TargetDomainName" => "user_target_domain" - "TargetSid" => "user_target_sid" - "TargetUserName" => "user_target_name" } + add_field => { "etl_pipeline" => "winevent_security-audit_audit_policy_change-ossem" } } } - if [event_id] == 4726 { + if [event_id] in [ 4722, 4723, 4724, 4725, 4726 ] { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4722.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4723.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4724.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4725.md # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4726.md 
mutate { rename => { 
@@ -486,45 +603,54 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "TargetDomainName" => "user_target_domain" - "TargetSid" => "user_target_sid" - "TargetUserName" => "user_target_name" + "TargetDomainName" => "target_user_domain" + "TargetSid" => "target_user_sid" + "TargetUserName" => "target_user_name" "PrivilegeList" => "user_privilege_list" } + add_field => { "etl_pipeline" => "winevent_security-4722_4723_4724_4725_4726-ossem" } } } - if [event_id] == 4728 or [event_id] == 4729 { + if [event_id] in [ 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764 ] { + #TODO:use OSSEM links for this from now on mutate { rename => { + "GroupTypeChange" => "group_type_change" + "MemberName" => "target_user_name" + "MemberSid" => "target_user_sid" + "PrivilegeList" => "user_privilege_list" "SubjectDomainName" => "user_domain" + "SamAccountName" => "group_sam_name" + "SidHistory" => "group_sid_history" "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" "TargetDomainName" => "group_domain" "TargetSid" => "group_sid" "TargetUserName" => "group_name" - "MemberName" => "group_member_name" - "MemberSid" => "group_member_sid" - "PrivilegeList" => "group_privilege_list" } + add_field => { "etl_pipeline" => "winevent_security-audit_security_group_management-ossem" } } } - if [event_id] == 4732 or [event_id] == 4733 or [event_id] == 4735 { - # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md - # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4733.md + if [event_id] in [ 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763 ] { + #TODO:use OSSEM links for this from now on mutate { rename => { + "GroupTypeChange" => "group_type_change" + "MemberName" => 
"target_user_name" + "MemberSid" => "target_user_sid" + "PrivilegeList" => "user_privilege_list" "SubjectDomainName" => "user_domain" + "SamAccountName" => "group_sam_name" + "SidHistory" => "group_sid_history" "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" "TargetDomainName" => "group_domain" "TargetSid" => "group_sid" "TargetUserName" => "group_name" - "MemberName" => "group_member_name" - "MemberSid" => "group_member_sid" - "PrivilegeList" => "group_privilege_list" } + add_field => { "etl_pipeline" => "winevent_security-audit_distribution_group_management-ossem" } } } if [event_id] == 4738 or [event_id] == 4720 { 
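Review bot: The two new group-management blocks, `in [ 4727, … 4764 ]` and `in [ 4744, … 4763 ]`, carry byte-identical rename maps and differ only in the etl_pipeline value; one shared rename block over the union of IDs, followed by two tiny blocks that only set etl_pipeline, would halve the surface that has to be kept in sync. In these member-add/remove events MemberName is the member's distinguished name rather than an account name, so `"MemberName" => "target_user_name"` mixes a DN into a field that elsewhere in this commit holds sAMAccountName-style values — presumably deliberate for OSSEM alignment, but worth a one-line comment. The `#TODO:use OSSEM links for this from now on` comments replace the per-event Microsoft links every other block has; at least one link to the OSSEM dictionary would keep the block self-documenting.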
@@ -536,29 +662,91 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "TargetDomainName" => "user_target_domain" - "TargetSid" => "user_target_sid" - "TargetUserName" => "user_target_name" - "AccountExpires" => "user_attribute_account_expires" - "AllowedToDelegateTo" => "user_attribute_allowed_todelegate" - "DisplayName" => "user_attribute_display_name" + "TargetDomainName" => "target_user_domain" + "TargetSid" => "target_user_sid" + "TargetUserName" => "target_user_name" + "AccountExpires" => "target_user_account_expires" + "AllowedToDelegateTo" => "target_user_allowed_to_delegate" + "DisplayName" => "target_user_display" "Dummy" => "user_attribute_dummy" - "HomeDirectory" => "user_attribute_home_directory" - "HomePath" => "user_attribute_home_path" - "LogonHours" => "user_attribute_logon_hours" - "NewUacValue" => "user_attribute_new_uacvalue" - "OldUacValue" => "user_attribute_old_uacvalue" - "PasswordLastSet" => "user_attribute_password_lastset" - "PrimaryGroupId" => "user_attribute_primary_group_id" - "PrivilegeList" => "user_attribute_privilege_list" - "ProfilePath" => "user_attribute_profile_path" - "SamAccountName" => "user_attribute_samaccount_name" - "ScriptPath" => "user_attribute_script_path" - "SidHistory" => "user_attribute_sid_history" - } - } - } - if [event_id] == 4768 or [event_id] == 4769 or [event_id] == 4770 or [event_id] == 4771 { + "HomeDirectory" => "target_user_home_directory" + "HomePath" => "target_user_home_path" + "LogonHours" => "target_user_logon_hours" + "NewUacValue" => "target_user_new_uac_value" + "OldUacValue" => "target_user_old_uac_value" + "PasswordLastSet" => "target_user_account_expires" + "PrimaryGroupId" => "target_user_primary_group_id" + "PrivilegeList" => "user_privilege_list" + "ProfilePath" => "target_user_profile_path" + "SamAccountName" => "target_user_sam_name" + "ScriptPath" => "target_user_script_path" + "SidHistory" => "target_user_sid_history" + 
"UserPrincipalName" => "target_user_principal_name" + "UserAccountControl" => "target_user_account_control" + "UserParameters" => "target_user_parameters" + "UserWorkstations" => "target_user_workstations" + + } + add_field => { "etl_pipeline" => "winevent_security-4720_4738-ossem" } + } + } + if [event_id] in [ 4740, 4767 ] { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4740.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4767.md + mutate { + rename => { + "SubjectDomainName" => "user_reporter_domain" + "SubjectLogonId" => "user_reporter_logon_id" + "SubjectUserName" => "user_reporter_name" + "SubjectUserSid" => "user_reporter_sid" + "TargetDomainName" => "user_domain" + "TargetSid" => "user_sid" + "TargetUserName" => "user_name" + } + add_field => { "etl_pipeline" => "winevent_security-4740_4767-ossem" } + } + } + if [event_id] in [ 4741, 4742, 4743 ] { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4741.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4742.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4743.md + mutate { + rename => { + "AccountExpires" => "target_host_account_expires" + "AllowedToDelegateTo" => "target_host_allowed_to_delegate" + "ComputerAccountChange" => "computer_account_change" + "DisplayName" => "target_host_display_name" + "DnsHostName" => "target_host_dns_host_name" + "HomeDirectory" => "target_host_home_directory" + "HomePath" => "target_host_home_path" + "LogonHours" => "target_host_logon_hours" + "NewUacValue" => "target_host_new_uac_value" + "OldUacValue" => "target_host_old_uac_value" + "PasswordLastSet" => "target_host_password_last_set" + "PrimaryGroupId" => 
"target_host_primary_group_id" + "PrivilegeList" => "user_privilege_list" + "ProcessId" => "process_id" + "ProfilePath" => "target_host_profile_path" + "SamAccountName" => "target_host_sam_name" + "ScriptPath" => "target_host_script_path" + "ServicePrincipalNames" => "target_host_service_principal_names" + "SidHistory" => "target_host_sid_history" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "target_host_domain" + "TargetSid" => "target_host_sid" + "TargetUserName" => "target_host_name" + "UserAccountControl" => "target_host_user_account_control" + "UserParameters" => "target_host_user_paremeters" + "UserPrincipalName" => "target_host_principal_name" + "UserWorkstations" => "target_host_workstations" + } + add_field => { "etl_pipeline" => "winevent_security-4741_4742_4743-ossem" } + } + } + if [event_id] in [ 4768, 4769, 4770, 4771, 4772, 4773 ] { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md 
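Review bot: In the 4738/4720 hunk `"PasswordLastSet" => "target_user_account_expires"` collides with `"AccountExpires" => "target_user_account_expires"` above it; both attributes are present in these account-change events, so the later rename most likely overwrites the earlier and the expiry value is lost after the filter. It should read `"PasswordLastSet" => "target_user_password_last_set"`, matching the `target_host_password_last_set` used in the 4741–4743 block below. In that 4741–4743 block `target_host_user_paremeters` is misspelled, and `"DisplayName" => "target_user_display"` in the 4738 block drops the `_name` suffix its host counterpart keeps. The enclosing `if [event_id] == 4738 or [event_id] == 4720` opens outside this hunk.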
@@ -571,17 +759,22 @@ filter { "LogonGuid" => "user_logon_guid" "ServiceName" => "service_ticket_name" "ServiceSid" => "service_ticket_id" - "Status" => "event_status" + "Status" => "ticket_status" "TicketEncryptionType" => "ticket_encryption_type" "TicketOptions" => "ticket_options" "FailureCode" => "ticket_failure_code" - "TransmittedServices" => "service_ticket_requested" "TargetSid" => "user_sid" } + copy => { + "service_name" => "service_ticket_name" + "ticket_status" => "event_status" + } + add_field => { "etl_pipeline" => "winevent_security-4768_4769_4770_4771_4772_4773-ossem" } } } - if [event_id] == 4776 { + if [event_id] == 4776 or [event_id] == 4777 { # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4777 mutate { rename => { "PackageName" => "logon_authentication_package_name" 
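Review bot: In the 4768–4773 hunk the copy `"service_name" => "service_ticket_name"` points the wrong way: the rename just above produces service_ticket_name, and no service_name exists at this point unless an earlier filter set it, so the copy is a no-op; `"service_ticket_name" => "service_name"` would give the alias that appears intended, and the neighbouring `"ticket_status" => "event_status"` shows the correct direction. `"TransmittedServices" => "service_ticket_requested"` is removed with no replacement, so for 4768/4769 the field stays raw while the new 4649 block renames the same Windows field to logon_transmitted_services; one name should be used in both places. The widened 4776/4777 condition is the only one in this commit still written as `== … or …` rather than `in [ … ]`. Both enclosing `if [event_id]` blocks open outside their hunks.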
@@ -591,6 +784,81 @@ filter { } } } + if [event_id] in [ 4778, 4779 ] { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4778.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4779.md + mutate { + rename => { + "AccountName" => "user_name" + "AccountDomain" => "user_domain" + "LogonID" => "user_logon_id" + "SessionName" => "session_name" + "ClientName" => "src_host_name" + } + add_field => { "etl_pipeline" => "winevent_security-4778_4779-ossem" } + } + } + if [event_id] == 4781 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4781.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetSid" => "target_user_sid" + "TargetDomainName" => "target_user_domain" + "NewTargetUserName" => "target_user_new_name" + "OldTargetUserName" => "target_user_old_name" + } + add_field => { "etl_pipeline" => "winevent_security-4781-ossem" } + } + } + if [event_id] in [ 4782, 4793 ] { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4782.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4793.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetUserName" => "target_user_name" + "Workstation" => "source_host_name" + "Status" => "event_status" + } + add_field => { "etl_pipeline" => "winevent_security-4782_4793-ossem" } + } + } + if [event_id] == 4794 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4794.md + mutate { + rename 
=> { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "Workstation" => "source_host_name" + "Status" => "event_status" + } + add_field => { "etl_pipeline" => "winevent_security-4794-ossem" } + } + } + if [event_id] == 4797 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4797.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "target_domain_name" + "TargetUserName" => "target_user_name" + "Workstation" => "source_host_name" + } + add_field => { "etl_pipeline" => "winevent_security-4797-ossem" } + } + } if [event_id] == 4798 { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4798.md mutate { @@ -601,10 +869,12 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "TargetDomainName" => "user_domain_enumerated" - "TargetSid" => "user_sid_enumerated" - "TargetUserName" => "user_name_enumerated" + "TargetDomainName" => "target_user_domain" + "TargetSid" => "target_user_sid" + "TargetUserName" => "target_user_name" } + remove_field => [ "ProcessID" ] + add_field => { "etl_pipeline" => "winevent_security-4798-ossem" } } } if [event_id] == 4799 { 
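Review bot: The new 4782/4793, 4794 and 4797 blocks rename `Workstation` to `source_host_name`, while 4778/4779 in the same hunk and 4649 earlier in this commit use `src_host_name` for the same concept (and the existing IpPort mapping uses `src_port`); pick one, `src_host_name`, so a query on the originating workstation covers every account-management event. Likewise `"TargetDomainName" => "target_domain_name"` in 4797 departs from the `target_user_domain` every other block in the commit uses for that field.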
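Review bot: `remove_field => [ "ProcessID" ]` in the 4798 hunk, and again in the 4799 hunk that follows, discards the only field naming the process that performed the enumeration; every other block in this commit keeps that information via `"ProcessId" => "process_id"`, and for group/user enumeration events the originating process is presumably the main pivot a defender has. If the intent is to drop a duplicate raw key that sits beside a differently cased ProcessId, say so in a comment; otherwise rename it with `"ProcessID" => "process_id"` instead of removing it. The enclosing `if [event_id] == 4798` opens outside the hunk.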
@@ -617,13 +887,15 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "TargetDomainName" => "group_domain_enumerated" - "TargetSid" => "group_sid_enumerated" - "TargetUserName" => "group_name_enumerated" + "TargetDomainName" => "group_domain" + "TargetSid" => "group_sid" + "TargetUserName" => "group_name" } + remove_field => [ "ProcessID" ] + add_field => { "etl_pipeline" => "winevent_security-4799-ossem" } } } - if [event_id] == 4800 or [event_id] == 4801 { + if [event_id] in [ 4800, 4801, 4802, 4803 ] { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4800.md # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4801.md mutate { @@ -634,23 +906,18 @@ filter { "TargetLogonId" => "user_logon_id" "SessionId" => "user_session_id" } + add_field => { "etl_pipeline" => "winevent_security-4800_4801_4802_4803-ossem" } } } - if [event_id] == 4907 { - # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4907.md + if [event_id] == 4825 { + # https://github.com/hunters-forge/OSSEM/blob/master/data_dictionaries/windows/security/events/event-4825.md mutate { rename => { - "SubjectDomainName" => "user_domain" - "SubjectLogonId" => "user_logon_id" - "SubjectUserName" => "user_name" - "SubjectUserSid" => "user_sid" - "HandleId" => "object_access_handle_id" - "NewSd" => "object_new_sddl" - "ObjectName" => "object_name" - "ObjectServer" => "object_server" - "ObjectType" => "object_type" - "OldSd" => "object_old_sddl" + "AccountDomain" => "user_domain" + "AccountName" => "user_name" + "LogonID" => "user_logon_id" } + add_field => { "etl_pipeline" => "winevent_security-4825-ossem" } } } if [event_id] == 4956 { 
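Review bot: The condition is widened to `in [ 4800, 4801, 4802, 4803 ]` but the reference comments above the mutate still list only event-4800.md and event-4801.md; add the 4802 and 4803 links (same path pattern) so the comment block documents what the condition matches, as the other merged blocks in this commit do. The removed 4907 block is covered by the merged audit-policy-change block earlier in the commit, which now carries the HandleId/NewSd/OldSd/ObjectName renames — a one-line comment here pointing to that block would save the next reader the search. The new 4825 block cites the OSSEM dictionary where every other block cites MicrosoftDocs; fine, but consider being consistent.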
@@ -671,7 +938,7 @@ filter {
 }
 }
 }
- if [event_id] == 5058 or [event_id] == 5059 or [event_id] == 5061 {
+ if [event_id] in [ 5058, 5059, 5061 ] {
 # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5058.md
 # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5059.md
 # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5061.md
@@ -693,8 +960,12 @@ filter {
 }
 }
 }
- if [event_id] == 5136 or [event_id] == 5137 {
+ if [event_id] in [5136, 5137, 5138, 5139, 5141, 5169, 5170] {
 # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5136.md
+ # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5137.md
+ # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5138.md
+ # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5139.md
+ # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5141.md
 mutate {
 rename => {
 "SubjectDomainName" => "user_domain"
@@ -703,7 +974,7 @@ filter {
 "SubjectUserSid" => "user_sid"
 "OpCorrelationID" => "dsoperation_correlation_id"
 "AppCorrelationID" => "dsoperation_app_correlation_id"
- "DSName" => "dsobject_domain"
+ "DSName" => "host_domain"
 "DSType" => "dsobject_domain_type"
 "ObjectDN" => "dsobject_dn"
 "ObjectGUID" => "dsobject_guid"
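Review bot: `in [5136, 5137, 5138, 5139, 5141, 5169, 5170]` is the only list condition in this commit written without the spaces inside the brackets that every other `in [ … ]` uses; match the others. The reference comments cover 5136–5141 but not 5169 or 5170, so the reader has no pointer for the two newest IDs — add their links in the same pattern. `"DSName" => "host_domain"` changes a long-standing name; the `copy => { "host_domain" => "dsobject_domain" }` in the next hunk keeps the old field, which is good, but the two belong in the same hunk's reading and a comment on the rename saying the old name is kept via copy would help.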
@@ -712,11 +983,19 @@ filter { "AttributeSyntaxOID" => "dsobject_attribute_type" "AttributeValue" => "dsobject_attribute_value" "OperationType" => "dsoperation_type" + "NewObjectDN" => "dsobject_new_dn" + "OldObjectDN" => "dsobject_old_dn" } + copy => { "host_domain" => "dsobject_domain" } + #TODO:not renaming TreeDelete for now + add_field => { "etl_pipeline" => "winevent_security-audit_directory_service_changes-ossem" } } } - if [event_id] == 5140 or [event_id] == 5145 { + if [event_id] in [ 5140, 5142, 5143, 5144, 5145 ] { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5140.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5142.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5143.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5144.md # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5145.md mutate { rename => { 
@@ -724,18 +1003,46 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "AccessList" => "object_access_list_requested" - "AccessMask" => "object_access_mask_requested" + "AccessList" => "user_access_list" + "AccessMask" => "share_access_mask" "AccessReason" => "user_access_reason" "IpPort" => "src_port" "ObjectType" => "object_type" "RelativeTargetName" => "share_relative_target_name" "ShareLocalPath" => "share_local_path" "ShareName" => "share_name" + "OldRemark" => "share_old_remark" + "NewRemark" => "share_new_remark" + "OldMaxUsers" => "share_old_max_users" + "NewMaxUsers" => "share_new_max_users" + "OldShareFlags" => "share_old_flags" + "NewShareFlags" => "share_new_flags" + "OldSD" => "share_old_sd" + "NewSD" => "share_new_sd" } + copy => { "user_access_list" => "object_access_list_requested" } + copy => { "share_access_mask" => "object_access_mask_requested" } + copy => { "user_access_reason" => "dsobject_domain" } } } - if [event_id] == 5152 or [event_id] == 5154 or [event_id] == 5156 or [event_id] == 5158 or [event_id] == 5157 { + if [event_id] == 5168 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5168.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "SpnName" => "spn_name" + "ErrorCode" => "error_code" + "ServerNames" => "server_names" + "ConfiguredNames" => "configured_names" + "IpAddresses" => "ip_addresses" + } + } + } + + if [event_id] in [ 5152, 5154, 5156, 5157, 5158 ] { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5152.md # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5154.md # 
https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5156.md @@ -756,6 +1063,35 @@ filter { } } } + if [event_id] in [ 5376, 5377 ] { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5376.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5377.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + } + add_field => { "etl_pipeline" => "winevent_security-5376_5377-ossem" } + } + } + if [event_id] == 5378 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5378.md + mutate { + rename => { + "Package" => "logon_security_package_name" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetServer" => "target_server_name" + "UserUPN" => "user_identity" + "CredType" => "user_cred_type" + } + add_field => { "etl_pipeline" => "winevent_security-5378-ossem" } + } + } if [event_id] == 5379 { mutate { rename => { @@ -781,8 +1117,8 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "AccessList" => "object_access_list_requested" - "AccessMask" => "object_access_mask_requested" + "AccessList" => "object_access_list" + "AccessMask" => "object_access_mask" "AccessReason" => "user_access_reason" "IpPort" => "src_port" "ObjectType" => "object_type" 
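Review bot: `copy => { "user_access_reason" => "dsobject_domain" }` in the share-access block looks like a paste error: it writes the file-share AccessReason into `dsobject_domain`, the directory-service field the 5136 block populates, so 5140–5145 events would start matching directory-object queries. If a compatibility copy was intended the destination needs to be a share/object field; otherwise the line should go. The new 5168 block renames `"ErrorCode" => "error_code"`, while the 5632/5633 blocks later in this diff map the same source key to `event_error_code`; one name should win. The three separate `copy =>` keys inside one `mutate` rely on Logstash merging duplicate option keys — if the deployed version does not, only one survives — so a single `copy => { ... }` hash holding all three pairs is safer.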
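Review bot: `"AccessList" => "object_access_list"` and `"AccessMask" => "object_access_mask"` drop the `_requested` suffix with no compatibility copy, whereas the share block in hunk -724 keeps `object_access_list_requested`/`object_access_mask_requested` via `copy`; saved searches on the old names will silently return nothing for these events. Either add the same two `copy` lines here or state the intentional break in the commit description. The `if [event_id]` block this rename belongs to starts outside the hunk.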
@@ -836,6 +1172,160 @@ filter { } } } - mutate { rename => { "computer_name" => "host_name" } } + if [event_id] == 4626 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4626.md + mutate { + rename => { + "DeviceClaims" => "logon_device_claims" + "EventCountTotal" => "event_count_total" + "EventIdx" => "event_sequence_id" + "SubjectDomainName" => "user_reporter_domain" + "SubjectLogonId" => "user_reporter_logon_id" + "SubjectUserName" => "user_reporter_name" + "SubjectUserSid" => "user_reporter_sid" + "TargetDomainName" => "user_domain" + "TargetLogonId" => "user_id" + "TargetUserName" => "user_name" + "TargetUserSid" => "user_sid" + "UserClaims" => "logon_user_claims" + } + add_field => { "etl_pipeline" => "winevent_security-4626-ossem" } + } + } + if [event_id] == 4664 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4664.md + mutate { + rename => { + "FileName" => "file_name" + "LinkName" => "file_link_name" + "TransactionId" => "transaction_guid" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + } + add_field => { "etl_pipeline" => "winevent_security-4664-ossem" } + } + } + if [event_id] == 5632 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5632.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "SSID" => "wireless_ssid" + "Identity" => "user_identity" + "PeerMac" => "host_peer_mac" + "LocalMac" => "host_local_mac" + "IntfGuid" => "host_interface_guid" + "ReasonCode" => "event_reason_code" + "ReasonText" => "event_reason_text" + "ErrorCode" => "event_error_code" + "EAPReasonCode" => "event_reason_code_eap" + "EapRootCauseString" => 
"event_root_cause_string_eap" + "EAPErrorCode" => "event_error_code_eap" + } + add_field => { "etl_pipeline" => "winevent_security-5632-ossem" } + copy => { + "host_local_mac" => "src_mac" + "host_peer_mac" => "dst_mac" + } + } + } + else if [event_id] == 5633 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5633.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "InterfaceName" => "host_interface_name" + "Identity" => "user_identity" + "ReasonCode" => "event_reason_code" + "ReasonText" => "event_reason_text" + "ErrorCode" => "event_error_code" + } + add_field => { "etl_pipeline" => "winevent_security-5633-ossem" } + } + } + else if [event_id] == 5051 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5051.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "FileName" => "file_name" + "VirtualFileName" => "virtual_file_name" + } + add_field => { "etl_pipeline" => "winevent_security-5051-ossem" } + } + } + else if [event_id] == 4964 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4964.md + mutate { + rename => { + "LogonGuid" => "user_logon_guid" + "SidList" => "target_user_sid_list" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "target_user_domain" + "TargetLogonGuid" => "target_user_logon_guid" + "TargetLogonId" => "target_user_logon_id" + "TargetUserName" => "target_user_name" + "TargetUserSid" => "target_user_sid" + } + add_field => { "etl_pipeline" => "winevent_security-4964-ossem" } + } + 
} + else if [event_id] in [ 4774, 4775 ] { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4774 + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4775 + mutate { + rename => { + "ClientUserName" => "user_name" + "MappedName" => "target_user_name" + "MappingBy" => "logon_authentication_package_name" + } + add_field => { "etl_pipeline" => "winevent_security-4774_4775-ossem" } + } + } + else if [event_id] in [ 4882, 4883 ] { + mutate { + #TODO: leaving out RequestId and SecuritySettings until able to get good example logs + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + } + add_field => { "etl_pipeline" => "winevent_security-4882_4883-ossem" } + } + } + else if [event_id] in [ 4692, 4693, 4694, 4695 ] { + mutate { + rename => { + "RecoveryServer" => "target_host_name" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + } + #TODO:keeping backwards compatibility + copy => { + "RecoveryKeyId" => "recovery_key_id" + "MasterKeyId" => "master_key_id" + "FailureReason" => "event_failure_reason" + "RecoveryReason" => "recovery_key_reason" + } + add_field => { "etl_pipeline" => "winevent_security-audit_dpapi_activity-ossem" } + } + } } } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1533-winevent-system-filter.conf b/docker/helk-logstash/pipeline/1533-winevent-system-filter.conf index 6c867c64..e9a05d5d 100644 --- a/docker/helk-logstash/pipeline/1533-winevent-system-filter.conf +++ b/docker/helk-logstash/pipeline/1533-winevent-system-filter.conf 
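Review bot: In the new 4626 block `"TargetLogonId" => "user_id"` maps a logon ID onto a field whose name suggests a user identifier; every other block in this file maps TargetLogonId to `user_logon_id` or `target_user_logon_id` (4964), so `"TargetLogonId" => "user_logon_id"` would be consistent. The removed `mutate { rename => { "computer_name" => "host_name" } }` line is also dropped from 1533 (hunk -35), 1534 (hunk -16) and 1535 (hunk -5) in this diff, and none of the new 1590 catchall files visible here rename `computer_name`; if that rename now lives in a file outside this diff, fine, otherwise `host_name` disappears from every Windows event. The 4774/4775 reference links are the only ones in the file without the `.md` suffix. Mixing standalone `if` blocks (4626, 4664) with an `else if` chain (5632 onward) is harmless because the IDs are disjoint, but one form throughout reads better.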
@@ -4,8 +4,13 @@ # License: GPL-3.0 filter { - if [log_name]=~ /^[sS]ystem$/ { - mutate { add_field => { "z_logstash_pipeline" => "1533" } } + if [log_name] =~ /^[sS]ystem$/ { + mutate { + add_field => { + "etl_pipeline" => "winevent-system-all-1533" + "[@metadata][index_name]" => "system" + } + } if [event_id] == 7045 { # https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for_11.html mutate { @@ -35,7 +40,6 @@ filter { "[user][identifier]" => "user_reporter_sid" "[user][name]" => "user_reporter_name" "[user][type]" => "user_reporter_type" - "computer_name" => "host_name" } } } diff --git a/docker/helk-logstash/pipeline/1534-winevent-application-filter.conf b/docker/helk-logstash/pipeline/1534-winevent-application-filter.conf index 46a15da6..6bb3dd55 100644 --- a/docker/helk-logstash/pipeline/1534-winevent-application-filter.conf +++ b/docker/helk-logstash/pipeline/1534-winevent-application-filter.conf @@ -5,8 +5,13 @@ filter { if [log_name] =~ /^[aA]pplication$/ { - if [source_name] == "Microsoft-Windows-Security-SPP"{ - mutate { add_field => { "z_logstash_pipeline" => "1534" } } + mutate { + add_field => { + "etl_pipeline" => "winevent-application-all-1534" + "[@metadata][index_name]" => "application" + } + } + if [source_name] == "Microsoft-Windows-Security-SPP" { if [event_id] == 16384 { mutate { rename => { @@ -16,6 +21,5 @@ filter { } } } - mutate { rename => { "computer_name" => "host_name" } } - } + } } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1535-winevent-wmiactivity-filter.conf b/docker/helk-logstash/pipeline/1535-winevent-wmiactivity-filter.conf index 0b4356f0..1596f472 100644 --- a/docker/helk-logstash/pipeline/1535-winevent-wmiactivity-filter.conf +++ b/docker/helk-logstash/pipeline/1535-winevent-wmiactivity-filter.conf 
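Review bot: `"[@metadata][index_name]" => "system"` introduces a routing hint whose consumer is not in this file; a comment such as `# consumed by the output stage to select the destination index` (adjusted to whatever actually reads it) would help the next reader, and the same applies to the `application` value in 1534's first hunk. Because the literal is tied to the `log_name` regex directly above it, any later change to that regex must keep the two in step.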
@@ -5,20 +5,20 @@ filter { if [log_name] =~ /^[mM]icrosoft\-[wW]indows\-(wmi|WMI)\-[aA]ctivity\/[oO]perational$/ { - mutate { add_field => { "z_logstash_pipeline" => "1535" } } mutate { rename => { "[user][domain]" => "user_reporter_domain" "[user][identifier]" => "user_reporter_sid" "[user][name]" => "user_reporter_name" "[user][type]" => "user_reporter_type" - "computer_name" => "host_name" } + add_field => { "etl_pipeline" => "wmi-user_field_renames" } } if [User] { grok { match => { "User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" } - tag_on_failure => [ "_User_grokparsefailure", "_grokparsefailure", "_parsefailure" ] + add_field => { "etl_pipeline" => "wmi-all-extract_domain_and_user_name" } + tag_on_failure => [ "_parsefailure", "parsefailure-grok-User-extract_domain_and_user_name" ] } } @@ -62,6 +62,7 @@ filter { "ProviderPath" => "wmi_provider_path" "xml_name" => "wmi_xml_operation" # Should always be "Operation_StartedOperational" } + add_field => { "etl_pipeline" => "wmi-event_id_5857_rename" } } } @@ -108,6 +109,7 @@ filter { "PossibleCause" => "wmi_possible_cause" "xml_name" => "wmi_xml_operation" # Should always be "Operation_ClientFailure" } + add_field => { "etl_pipeline" => "wmi-event_id-5858-field_rename" } } } @@ -152,6 +154,7 @@ filter { "PossibleCause" => "wmi_possible_cause" "xml_name" => "wmi_xml_operation" # Should always be "Operation_EssStarted" } + add_field => { "etl_pipeline" => "wmi-event_id-5859-field_rename" } } } @@ -194,6 +197,7 @@ filter { "PossibleCause" => "wmi_possible_cause" "xml_name" => "wmi_xml_operation" # Should always be "Operation_TemporaryEssStarted" } + add_field => { "etl_pipeline" => "wmi-event_id-5860-field_rename" } } } 
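Review bot: The new `tag_on_failure` list for the `User` grok drops the default `_grokparsefailure` tag in favour of `parsefailure-grok-User-extract_domain_and_user_name`, so any existing dashboard or alert keyed on `_grokparsefailure` stops seeing failures from this filter. If the specific tag is wanted, keeping the generic one alongside it costs nothing: `tag_on_failure => [ "_parsefailure", "_grokparsefailure", "parsefailure-grok-User-extract_domain_and_user_name" ]`.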
@@ -233,11 +237,10 @@ filter { "PossibleCause" => "wmi_possible_cause" "xml_name" => "wmi_xml_operation" # Should always be "Operation_ESStoConsumerBinding" } + add_field => { "etl_pipeline" => "wmi-event_id-5861-field_rename" } } } - # Common to all events - mutate { convert => { "process_id" => "integer" } } } } diff --git a/docker/helk-logstash/pipeline/1541-winevent-process-name-split.conf b/docker/helk-logstash/pipeline/1541-winevent-process-name-split.conf deleted file mode 100644 index ebf11f30..00000000 --- a/docker/helk-logstash/pipeline/1541-winevent-process-name-split.conf +++ /dev/null @@ -1,45 +0,0 @@ -# HELK process-name-split filter conf -# HELK build Stage: Alpha -# Author: Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -filter { - if [event_id] { - if [process_path] { - mutate { add_field => { "z_logstash_pipeline" => "1541_1" } } - if [process_path] !~ /.*\\.*/ { - mutate { copy => {"process_path" => "process_name"} } - } - else { - grok { - match => { "process_path" => ".*\\%{GREEDYDATA:process_name}" } - tag_on_failure => [ "_process_path__grokparsefailure", "_grokparsefailure", "_parsefailure" ] - } - } - } - if [process_parent_path] { - mutate { add_field => { "z_logstash_pipeline" => "1541_2" } } - if [process_parent_path] !~ /.*\\.*/ { - mutate { copy => {"process_parent_path" => "process_parent_name"} } - } - else { - grok { - match => { "process_parent_path" => ".*\\%{GREEDYDATA:process_parent_name}" } - tag_on_failure => [ "_process_parent_path_grokparsefailure", "_grokparsefailure", "_parsefailure" ] - } - } - } - if [process_target_path] { - mutate { add_field => { "z_logstash_pipeline" => "1541_3" } } - if [process_target_path] !~ /.*\\.*/ { - mutate { copy => {"process_target_path" => "process_target_name"} } - } - else{ - grok { - match => { "process_target_path" => ".*\\%{GREEDYDATA:process_target_name}" } - tag_on_failure => [ "_process_target_path__grokparsefailure", "_grokparsefailure", "_parsefailure" ] - } - } - } - } -} 
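Review bot: Removing `mutate { convert => { "process_id" => "integer" } }` leaves WMI-Activity `process_id` as a string unless another filter converts it; the replacement 1592-winevent-conversions-catchall-process-ids-filter.conf added in this diff only touches values matching `/^0x/`, which, as far as I can tell, WMI process IDs are not. A `process_id` that is a string for one source and an integer for others usually ends in an index mapping conflict. If the conversion moved to a file outside this diff, a comment here pointing to it would help. While looking at 1592: it contains the `process_parent_id` hex-to-decimal block twice, and the second copy can never fire after the first has run.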
diff --git a/docker/helk-logstash/pipeline/1542-winevent-process-ids-conversions-filter.conf b/docker/helk-logstash/pipeline/1542-winevent-process-ids-conversions-filter.conf
new file mode 100644
index 00000000..47d633f5
--- /dev/null
+++ b/docker/helk-logstash/pipeline/1542-winevent-process-ids-conversions-filter.conf
@@ -0,0 +1 @@
+#file is now located at 1592-winevent-conversions-catchall-process-ids-filter.conf
diff --git a/docker/helk-logstash/pipeline/1542-winevent-process-ids-conversions.conf b/docker/helk-logstash/pipeline/1542-winevent-process-ids-conversions.conf
deleted file mode 100644
index 24eb1e68..00000000
--- a/docker/helk-logstash/pipeline/1542-winevent-process-ids-conversions.conf
+++ /dev/null
@@ -1,43 +0,0 @@ -# HELK process-ids-conversions filter conf -# HELK build Stage: Alpha -# Author: Nate Guagenti (@neu5ron) Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -filter { - if [event_id] { - if [process_id] =~ /^0x/ { - mutate { add_field => { "z_logstash_pipeline" => "1542_1" } } - mutate { gsub => [ "process_id", "0x", "" ]} - ruby { - code => "event.set('process_id', event.get('process_id').to_s.hex)" - tag_on_exception => "_rubyexception_1542_1" - } - } - if [parent_process_id] =~ /^0x/ { - mutate { add_field => { "z_logstash_pipeline" => "1542_2" } } - mutate { gsub => [ "parent_process_id", "0x", "" ]} - ruby { - code => "event.set('parent_process_id', event.get('parent_process_id').to_s.hex)" - tag_on_exception => "_rubyexception_1542_2" - } - } - if [process_target_id] =~ /^0x/ { - mutate { add_field => { "z_logstash_pipeline" => "1542_3" } } - mutate { gsub => [ "process_target_id", "0x", "" ]} - ruby { - code => "event.set('process_target_id', event.get('process_target_id').to_s.hex)" - tag_on_exception => "_rubyexception_1542_3" - } - } - if [process_granted_access] =~ /^0x/ { - mutate { - gsub => [ "process_granted_access", "0x", "" ] - add_field => { "z_logstash_pipeline" => "process_granted_access_hex2dec" } - } - ruby { - code => "event.set('process_granted_access', event.get('process_granted_access').to_s.hex)" - tag_on_exception => "_rubyexception_process_granted_access_hex2dec" - } - } - } -} diff --git a/docker/helk-logstash/pipeline/1543-winevent-user-ids-conversions-filter.conf b/docker/helk-logstash/pipeline/1543-winevent-user-ids-conversions-filter.conf new file mode 100644 index 00000000..23ef81d9 --- /dev/null +++ b/docker/helk-logstash/pipeline/1543-winevent-user-ids-conversions-filter.conf 
@@ -0,0 +1,2 @@
+#Reference new location of "1524-winevent-logon-ids-conversions.conf"
+#Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted.
diff --git a/docker/helk-logstash/pipeline/1543-winevent-user-ids-conversions.conf b/docker/helk-logstash/pipeline/1543-winevent-user-ids-conversions.conf
deleted file mode 100644
index a4cc658b..00000000
--- a/docker/helk-logstash/pipeline/1543-winevent-user-ids-conversions.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# HELK user-ids-conversions filter conf
-# HELK build Stage: Alpha
-# Author: Nate Guagenti (@neu5ron)
-# License: GPL-3.0
-
-filter {
- if [event_id] {
- if [user_logon_id] =~ /^0x/ {
- mutate { add_field => { "z_logstash_pipeline" => "1543_1" } }
- mutate { gsub => [ "user_logon_id", "0x", "" ]}
- ruby {
- code => "event.set('user_logon_id', event.get('user_logon_id').to_s.hex)"
- tag_on_exception => "_rubyexception_1543_1"
- }
- }
- }
-}
diff --git a/docker/helk-logstash/pipeline/1544-winevent-cleanup-other.conf b/docker/helk-logstash/pipeline/1544-winevent-cleanup-other.conf
deleted file mode 100644
index 6ed00ee2..00000000
--- a/docker/helk-logstash/pipeline/1544-winevent-cleanup-other.conf
+++ /dev/null
@@ -1,51 +0,0 @@ -# HELK winevent-cleanup-other filter conf -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron) -# License: GPL-3.0 - -filter { - if [event_id] { - if [user_logon_guid] { - mutate { - add_field => { "z_logstash_pipeline" => "1544_1" } - gsub => [ "user_logon_guid", "[{}]", "" ] - } - } - if [provider_guid] { - mutate { - add_field => { "z_logstash_pipeline" => "1544_2" } - gsub => [ "provider_guid", "[{}]", "" ] - } - } - if [process_guid] { - mutate { - add_field => { "z_logstash_pipeline" => "1544_3" } - gsub => [ "process_guid", "[{}]", "" ] - } - } - if [process_parent_guid] { - mutate { - add_field => { "z_logstash_pipeline" => "1544_4" } - gsub => [ "process_parent_guid", "[{}]", "" ] - } - } - if [process_target_guid] { - mutate { - add_field => { "z_logstash_pipeline" => "1544_5" } - gsub => [ "process_target_guid", "[{}]", "" ] - } - } - if [message] { - mutate { - add_field => { "z_logstash_pipeline" => "1544_7" } - remove_field => [ "message" ] - } - } - if [user_target_logon_guid] { - mutate { - add_field => { "z_logstash_pipeline" => "1544_9" } - gsub => [ "user_target_logon_guid", "[{}]", "" ] - } - } - } -} diff --git a/docker/helk-logstash/pipeline/1545-winevent-security-conversions.conf b/docker/helk-logstash/pipeline/1545-winevent-security-conversions-filter.conf similarity index 93% rename from docker/helk-logstash/pipeline/1545-winevent-security-conversions.conf rename to docker/helk-logstash/pipeline/1545-winevent-security-conversions-filter.conf index d2aece38..4581078c 100644 --- a/docker/helk-logstash/pipeline/1545-winevent-security-conversions.conf +++ b/docker/helk-logstash/pipeline/1545-winevent-security-conversions-filter.conf 
@@ -6,7 +6,7 @@ filter { if [log_name] =~ /^[sS]ecurity$/ { if [event_id] == 4624 { - mutate { add_field => { "z_logstash_pipeline" => "1545_1" } } + mutate { add_field => { "etl_pipeline" => "1545_1" } } translate { field => "[impersonation_level]" destination => "[impersonation_level_value]" @@ -48,7 +48,7 @@ filter { } if [event_status] or [event_sub_status] { if [event_id] == 4625 { - mutate { add_field => { "z_logstash_pipeline" => "1545_2" } } + mutate { add_field => { "etl_pipeline" => "1545_2" } } translate { field => "[event_status]" destination => "[event_status_value]" @@ -108,7 +108,7 @@ filter { mutate { copy => { "event_status_value" => "event_status" } } } if [event_id] == 4776 { - mutate { add_field => { "z_logstash_pipeline" => "1545_5" } } + mutate { add_field => { "etl_pipeline" => "1545_5" } } translate { field => "[event_status]" destination => "[event_status_value]" @@ -131,7 +131,7 @@ filter { } } if [event_id] == 4662 and [object_server] == "DS" { - mutate { add_field => { "z_logstash_pipeline" => "1545_3" } } + mutate { add_field => { "etl_pipeline" => "1545_3" } } mutate { gsub => [ "object_type", "%{}", "" ] } translate { field => "[object_type]" @@ -150,7 +150,7 @@ filter { } # https://social.technet.microsoft.com/Forums/windows/en-US/bf693b49-1dd5-45ee-84cf-4a417e5b35ec/run-as-admin-event-log?forum=winserverDS if [event_id] == 4688 { - mutate { add_field => { "z_logstash_pipeline" => "1545_4" } } + mutate { add_field => { "etl_pipeline" => "1545_4" } } translate { field => "[process_token_elevation_type]" destination => "[process_token_elevation_type_value]" @@ -177,7 +177,7 @@ filter { } } if [event_id] == 5061 { - mutate { add_field => { "z_logstash_pipeline" => "1545_6" } } + mutate { add_field => { "etl_pipeline" => "1545_6" } } translate { field => "[key_type]" destination => "[key_type_value]" 
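Review bot: The `etl_pipeline` values in this file keep the old numeric scheme (`1545_1`, `1545_2`, …) while the new blocks elsewhere in the diff use descriptive names such as `winevent_security-5378-ossem`; the same applies to hunks -48, -108, -131, -150, -177, -196, -232, -292, -313 and -326. Since several stages add `etl_pipeline` to the same event, descriptive values along the lines of `1545-4624-impersonation_level-translate` are far easier to read in a stored document than bare numbers.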
@@ -196,7 +196,7 @@ filter { } } if [event_id] == 5152 or [event_id] == 5154 or [event_id] == 5156 or [event_id] == 5158 or [event_id] == 5157 { - mutate { add_field => { "z_logstash_pipeline" => "1545_7" } } + mutate { add_field => { "etl_pipeline" => "1545_7" } } translate { field => "[network_layer_name]" destination => "[network_layer_name_value]" @@ -218,12 +218,12 @@ filter { fallback => "Unknown" } } - if [object_access_list_requested] { + if [object_access_list] { if [event_id] == 4659 { - mutate { add_field => { "z_logstash_pipeline" => "1545_8" } } + mutate { add_field => { "etl_pipeline" => "1545_8" } } translate { - field => "[object_access_list_requested]" - destination => "[object_access_list_requested_value]" + field => "[object_access_list]" + destination => "[object_access_list_value]" dictionary => { "%%1537" => "DELETE" } @@ -232,7 +232,7 @@ filter { } } if [event_id] == 4768 or [event_id] == 4769 or [event_id] == 4770 or [event_id] == 4771 { - mutate { add_field => { "z_logstash_pipeline" => "1545_9" } } + mutate { add_field => { "etl_pipeline" => "1545_9" } } translate { field => "[ticket_encryption_type]" destination => "[ticket_encryption_type_value]" @@ -292,7 +292,7 @@ filter { } } if [event_id] == 5058 or [event_id] == 5059 or [event_id] == 5061 { - mutate { add_field => { "z_logstash_pipeline" => "1545_10" } } + mutate { add_field => { "etl_pipeline" => "1545_10" } } translate { field => "[key_type]" destination => "[key_type_value]" @@ -313,8 +313,8 @@ filter { } } if [dsobject_domain_type] { - if [event_id] == 5136 or [event_id] == 5137 { - mutate { add_field => { "z_logstash_pipeline" => "1545_11" } } + if [event_id] in [ 5136, 5137, 5138, 5139, 5141 ] { + mutate { add_field => { "etl_pipeline" => "1545_11" } } translate { field => "[dsobject_domain_type]" destination => "[dsobject_domain_type_value]" 
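Review bot: `if [event_id] == 5152 or [event_id] == 5154 or ...` is left as an `or` chain here and in hunks -232 and -292, while the sibling security filter in this diff rewrites the same conditions as `in [ 5152, 5154, 5156, 5157, 5158 ]`; using the same form in both files keeps them diffable and avoids the two lists drifting apart. Hunk -313 already uses the `in [...]` form, so the file currently mixes both styles.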
@@ -326,7 +326,7 @@ filter { } } if [event_id] == 5379 { - mutate { add_field => { "z_logstash_pipeline" => "1545_12" } } + mutate { add_field => { "etl_pipeline" => "1545_12" } } translate { field => "[object_operation_type]" destination => "[object_operation_type_value]" diff --git a/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-general-filter.conf b/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-general-filter.conf new file mode 100644 index 00000000..e7bf05e6 --- /dev/null +++ b/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-general-filter.conf @@ -0,0 +1,17 @@ +# HELK general catchall rename of various fields filter conf +# HELK build Stage: Alpha +# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + if [event_id] { + + mutate { + rename => { + "LogonType" => "logon_type" + } + add_field => { "etl_pipeline" => "general_rename-various_global_options" } + } + + } +} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-process-guids-filter.conf b/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-process-guids-filter.conf new file mode 100644 index 00000000..583b02ad --- /dev/null +++ b/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-process-guids-filter.conf 
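Review bot: The header of the new 1590-winevent-rename-catchall-general-filter.conf promises a "general catchall rename of various fields" but the block renames only `LogonType`, and nothing explains why this one key is normalized globally instead of inside the event-specific blocks; `# LogonType carries the same meaning across the Security events that emit it, so it is renamed once here after the per-event filters` (or the real reason) would do. The rename is guarded by `if [event_id]`, so sources without that field keep the raw key, which is worth stating too.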
@@ -0,0 +1,52 @@ +# HELK process-guids catchall rename filter conf +# HELK build Stage: Alpha +# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + if [event_id] { + + # process_guid + if [ProcessGuid] { + mutate { + rename => { "ProcessGuid" => "process_guid" } + add_field => { "etl_pipeline" => "general_rename-ProcessGuid" } + } + } + if [SourceProcessGUID] { + mutate { + rename => { "SourceProcessGUID" => "process_guid" } + add_field => { "etl_pipeline" => "general_rename-SourceProcessGUID" } + } + } + if [SourceProcessGuid] { + mutate { + rename => { "SourceProcessGuid" => "process_guid" } + add_field => { "etl_pipeline" => "general_rename-SourceProcessGuid" } + } + } + + # process_parent_guid + if [ParentProcessGuid] { + mutate { + rename => { "ParentProcessGuid" => "process_parent_guid" } + add_field => { "etl_pipeline" => "general_rename-ParentProcessGuid" } + } + } + + # target_process_guid + if [TargetProcessGuid] { + mutate { + rename => { "TargetProcessGuid" => "target_process_guid" } + add_field => { "etl_pipeline" => "general_rename-TargetProcessGuid" } + } + } + if [TargetProcessGUID] { + mutate { + rename => { "TargetProcessGUID" => "target_process_guid" } + add_field => { "etl_pipeline" => "general_rename-TargetProcessGUID" } + } + } + + } +} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-process-ids-filter.conf b/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-process-ids-filter.conf new file mode 100644 index 00000000..9e0ca58f --- /dev/null +++ b/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-process-ids-filter.conf 
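Review bot: The new catchall writes `target_process_guid`, but the deleted 1544-winevent-cleanup-other.conf in this diff operated on `process_target_guid`, so the target-process GUID field is renamed for every consumer; that belongs in the commit description, or a `copy` to the old name should keep it. The same deleted file stripped braces from `process_guid`, `process_parent_guid` and `process_target_guid` with `gsub => [ "...", "[{}]", "" ]`, and none of the files visible here re-add that step, so GUIDs will now carry `{}` unless a filter outside this diff does it. When an event carries two of the source keys (e.g. `ProcessGuid` and `SourceProcessGUID`), the later `rename` overwrites `process_guid`; a per-key comment stating the no-collision assumption, as the process-ids file does, would make that explicit.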
@@ -0,0 +1,48 @@ +# HELK process-ids catchall rename filter conf +# HELK build Stage: Alpha +# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + if [event_id] { + + # process_id + if [ProcessId] { + mutate { + rename => { "ProcessId" => "process_id" } + add_field => { "etl_pipeline" => "general_rename-ProcessId" } + } + } + if [NewProcessId] { + # There should be no name collisions between NewProcessId & ProcessId. Haven't seen NewProcessId in any other Event other than Security:4688, and that is normalized before this file. + mutate { + rename => { "NewProcessId" => "process_id" } + add_field => { "etl_pipeline" => "general_rename-NewProcessId" } + } + } + if [SourceProcessId] { + # There should be no name collisions between SourceProcessId & ProcessId. Haven't seen SourceProcessId in any other Event other than Sysmon:8, and that is normalized before this + mutate { + rename => { "SourceProcessId" => "process_id" } + add_field => { "etl_pipeline" => "general_rename-SourceProcessId" } + } + } + + # process_parent_id + if [ParentProcessId] { + mutate { + rename => { "ParentProcessId" => "process_parent_id" } + add_field => { "etl_pipeline" => "general_rename-ParentProcessId" } + } + } + + # target_process_id + if [TargetProcessId] { + mutate { + rename => { "TargetProcessId" => "target_process_id" } + add_field => { "etl_pipeline" => "general_rename-TargetProcessId" } + } + } + + } +} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-processes-filter.conf b/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-processes-filter.conf new file mode 100644 index 00000000..aa9325c3 --- /dev/null +++ b/docker/helk-logstash/pipeline/1590-winevent-rename-catchall-processes-filter.conf 
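Review bot: `process_parent_id` and `target_process_id` replace the `parent_process_id` and `process_target_id` names that the deleted 1542-winevent-process-ids-conversions.conf converted, so existing queries on those fields break; presumably intended, but it should be called out in the commit description. The comments on `NewProcessId` and `SourceProcessId` justify the absence of collisions by 4688 and Sysmon 8 being "normalized before this file" — that ordering comes only from the filename prefix, so a `# depends on pipeline file load order: the 15xx event-specific filters must run before 1590-*` note at the top would make the dependency explicit. Minor: the `SourceProcessId` comment ends in "normalized before this" and is missing the word "file".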
@@ -0,0 +1,87 @@ +# HELK process-name-filter filter conf +# HELK build Stage: Alpha +# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + if [event_id] { + + # process_path + if [Image] { + mutate { + rename => { "Image" => "process_path" } + add_field => { "etl_pipeline" => "general_rename-Image" } + } + } + if [Application] { + mutate { + rename => { "Application" => "process_path" } + add_field => { "etl_pipeline" => "general_rename-Application" } + } + } + if [SourceImage] { + mutate { + rename => { "SourceImage" => "process_path" } + add_field => { "etl_pipeline" => "general_rename-SourceImage" } + } + } + if [ProdessName] { + mutate { + rename => { "ProdessName" => "process_path" } + add_field => { "etl_pipeline" => "general_rename-ProdessName" } + } + } + if [NewProcessName] { + mutate { + rename => { "NewProcessName" => "process_path" } + add_field => { "etl_pipeline" => "general_rename-NewProcessName" } + } + } + if [ProcessName] { + mutate { + rename => { "ProcessName" => "process_path" } + add_field => { "etl_pipeline" => "general_rename-ProcessName" } + } + } + if [processPath] { + mutate { + rename => { "processPath" => "process_path" } + add_field => { "etl_pipeline" => "general_rename-processPath" } + } + } + if [ProcessPath] { + mutate { + rename => { "ProcessPath" => "process_path" } + add_field => { "etl_pipeline" => "general_rename-ProcessPath" } + } + } + + # process_parent_path + if [ParentProcessName] { + mutate { + rename => { "ParentProcessName" => "process_parent_path" } + add_field => { "etl_pipeline" => "general_rename-ParentProcessName" } + } + } + if [ParentImage] { + mutate { + rename => { "ParentImage" => "process_parent_path" } + add_field => { "etl_pipeline" => "general_rename-ParentImage" } + } + } + + # target_process_path + if [TargetImage] { + mutate { + rename => { "TargetImage" => "target_process_path" } + add_field => { "etl_pipeline" => "general_rename-TargetImage" } + } + } 
+ if [TargetProcessName] { + mutate { + rename => { "TargetProcessName" => "target_process_path" } + add_field => { "etl_pipeline" => "general_rename-TargetProcessName" } + } + } + } +} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1592-winevent-conversions-catchall-process-ids-filter.conf b/docker/helk-logstash/pipeline/1592-winevent-conversions-catchall-process-ids-filter.conf new file mode 100644 index 00000000..838a24e6 --- /dev/null +++ b/docker/helk-logstash/pipeline/1592-winevent-conversions-catchall-process-ids-filter.conf 
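Review bot: `if [ProdessName]` looks like a typo for `ProcessName`, which has its own block a few blocks later; if some source really emits the misspelled key, a comment naming it would stop the next reader from "fixing" it, otherwise the block never fires. Eight different source keys are folded into `process_path` by successive `rename`s, so an event carrying two of them (for example `Image` and `ProcessName`) ends with whichever is renamed last and the earlier value is lost; the process-ids file documents its no-collision assumption per key and this file should do the same. The header still reads "process-name-filter" although the file produces path fields.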
@@ -0,0 +1,113 @@ +# HELK process-ids catchall conversion filter conf +# HELK build Stage: Alpha +# Author: Nate Guagenti (@neu5ron), Roberto Rodriguez (@Cyb3rWard0g) +# License: GPL-3.0 + +filter { + if [event_id] { + + if [process_id] =~ /^0x/ { + ruby { + code => ' + event.set("process_id_orig", event.get("process_id")) + event.set("process_id", event.get("process_id").gsub(/^0x/, "").to_s.hex) + ' + tag_on_exception => "_rubyexception-process_id-hex2dec" + add_field => { "etl_pipeline" => "process_id-hex2dec" } + } + } + if [process_parent_id] =~ /^0x/ { + ruby { + code => ' + event.set("process_parent_id_orig", event.get("process_parent_id")) + event.set("process_parent_id", event.get("process_parent_id").gsub(/^0x/, "").to_s.hex) + ' + tag_on_exception => "_rubyexception-process_parent_id-hex2dec" + add_field => { "etl_pipeline" => "process_parent_id-hex2dec" } + } + } + if [target_process_id] =~ /^0x/ { + ruby { + code => ' + event.set("target_process_id_orig", event.get("target_process_id")) + event.set("target_process_id", event.get("target_process_id").gsub(/^0x/, "").to_s.hex) + ' + tag_on_exception => "_rubyexception-target_process_id-hex2dec" + add_field => { "etl_pipeline" => "target_process_id-hex2dec" } + } + } + if [process_granted_access] =~ /^0x/ { + ruby { + code => ' + event.set("process_granted_access_orig", event.get("process_granted_access")) + event.set("process_granted_access", event.get("process_granted_access").gsub(/^0x/, "").to_s.hex) + ' + tag_on_exception => "_rubyexception-process_granted_access-hex2dec" + add_field => { "etl_pipeline" => "process_granted_access-hex2dec" } + } + } + if [process_parent_id] =~ /^0x/ { + ruby { + code => ' + event.set("process_parent_id_orig", event.get("process_parent_id")) + event.set("process_parent_id", event.get("process_parent_id").gsub(/^0x/, "").to_s.hex) + ' + tag_on_exception => "_rubyexception-process_parent_id-hex2dec" + add_field => { "etl_pipeline" => "process_parent_id-hex2dec" } + } + } 
+ + # Rest of previous process fields if they weren't renamed, then we still want to convert to decimal + if [ProcessId] =~ /^0x/ { + ruby { + code => ' + event.set("ProcessId_orig", event.get("ProcessId")) + event.set("ProcessId", event.get("ProcessId").gsub(/^0x/, "").to_s.hex) + ' + tag_on_exception => "_rubyexception-ProcessId-hex2dec" + add_field => { "etl_pipeline" => "ProcessId-hex2dec" } + } + } + if [NewProcessId] =~ /^0x/ { + ruby { + code => ' + event.set("NewProcessId_orig", event.get("NewProcessId")) + event.set("NewProcessId", event.get("NewProcessId").gsub(/^0x/, "").to_s.hex) + ' + tag_on_exception => "_rubyexception-NewProcessId-hex2dec" + add_field => { "etl_pipeline" => "NewProcessId-hex2dec" } + } + } + if [SourceProcessId] =~ /^0x/ { + ruby { + code => ' + event.set("SourceProcessId_orig", event.get("SourceProcessId")) + event.set("SourceProcessId", event.get("SourceProcessId").gsub(/^0x/, "").to_s.hex) + ' + tag_on_exception => "_rubyexception-SourceProcessId-hex2dec" + add_field => { "etl_pipeline" => "SourceProcessId-hex2dec" } + } + } + if [ParentProcessId] =~ /^0x/ { + ruby { + code => ' + event.set("ParentProcessId_orig", event.get("ParentProcessId")) + event.set("ParentProcessId", event.get("ParentProcessId").gsub(/^0x/, "").to_s.hex) + ' + tag_on_exception => "_rubyexception-ParentProcessId-hex2dec" + add_field => { "etl_pipeline" => "ParentProcessId-hex2dec" } + } + } + if [TargetProcessId] =~ /^0x/{ + ruby { + code => ' + event.set("TargetProcessId_orig", event.get("TargetProcessId")) + event.set("TargetProcessId", event.get("TargetProcessId").gsub(/^0x/, "").to_s.hex) + ' + tag_on_exception => "_rubyexception-TargetProcessId-hex2dec" + add_field => { "etl_pipeline" => "TargetProcessId-hex2dec" } + } + } + + } +} 
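Review bot: `event.get("process_id").gsub(/^0x/, "").to_s.hex` silently turns a malformed value into 0: Ruby's `String#hex` returns 0 for anything that is not hex, so a garbled `0xZZ` becomes process_id 0 (the Idle process) with no `_rubyexception` tag and only the `_orig` copy shows what happened. `Integer(event.get("process_id"), 16)` accepts the `0x` prefix and raises on garbage, which `tag_on_exception` then surfaces; the same one-line change applies to every conversion block in this file (the `.to_s` is redundant either way). The `process_parent_id` block also appears twice; the second copy can never match because the first has already stripped the prefix, so it should be deleted.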
diff --git a/docker/helk-logstash/pipeline/1593-winevent-process-path-split-to-name-filter.conf b/docker/helk-logstash/pipeline/1593-winevent-process-path-split-to-name-filter.conf new file mode 100644 index 00000000..d5a52b2c --- /dev/null +++ b/docker/helk-logstash/pipeline/1593-winevent-process-path-split-to-name-filter.conf 
@@ -0,0 +1,58 @@ +# HELK process-name-split filter conf +# HELK build Stage: Alpha +# Author: Rodriguez (@Cyb3rWard0g) +# License: GPL-3.0 + +filter { + if [event_id] { + + if [process_path] { + if [process_path] !~ /.*\\.*/ { + mutate { + copy => {"process_path" => "process_name"} + add_field => { "etl_pipeline" => "split-process_path-copy-process_name" } + } + } + else { + grok { + match => { "process_path" => ".*\\%{GREEDYDATA:process_name}" } + add_field => { "etl_pipeline" => "split-process_path-grok-process_name" } + tag_on_failure => [ "_parsefailure", "parsefailure-grok-process_name-extract_path" ] + } + } + } + + if [process_parent_path] { + if [process_parent_path] !~ /.*\\.*/ { + mutate { + copy => {"process_parent_path" => "process_parent_name"} + add_field => { "etl_pipeline" => "split-process_parent_path-copy-process_parent_name" } + } + } + else { + grok { + match => { "process_parent_path" => ".*\\%{GREEDYDATA:process_parent_name}" } + add_field => { "etl_pipeline" => "split-process_parent_path-grok-process_parent_name" } + tag_on_failure => [ "_parsefailure", "parsefailure-grok-process_parent_path-extract_path_01" ] + } + } + } + + if [target_process_path] { + if [target_process_path] !~ /.*\\.*/ { + mutate { + copy => {"target_process_path" => "target_process_name"} + add_field => { "etl_pipeline" => "split-target_process_path-copy-target_process_name" } + } + } + else { + grok { + match => { "target_process_path" => ".*\\%{GREEDYDATA:target_process_name}" } + add_field => { "etl_pipeline" => "split-target_process_path-grok-target_process_name" } + tag_on_failure => [ "_parsefailure", "parsefailure-grok-target_process_path-extract_path_01" ] + } + } + } + + } +} diff --git a/docker/helk-logstash/pipeline/1594-winevent-cleanup-catchall-guids-filter.conf b/docker/helk-logstash/pipeline/1594-winevent-cleanup-catchall-guids-filter.conf new file mode 100644 index 00000000..006c3073 --- /dev/null 
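Review bot: The split only understands backslash separators: `if [process_path] !~ /.*\\.*/` copies any path without one straight into `process_name`, so a forward-slash path (should a non-Windows source ever carry an `event_id`) would land whole in the name field and never match a `process_name: bash`-style search. If that is out of scope, a one-line comment `# Windows paths only; forward-slash paths are copied verbatim` records the assumption; otherwise widen the guard to `!~ /[\\\/]/` and the pattern to `".*[\\/]%{GREEDYDATA:process_name}"`. The same applies to the `process_parent_path` and `target_process_path` blocks, and the header's `# Author: Rodriguez (@Cyb3rWard0g)` is missing the first name used in the sibling files.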
+++ b/docker/helk-logstash/pipeline/1594-winevent-cleanup-catchall-guids-filter.conf @@ -0,0 +1,45 @@ +# HELK winevent-cleanup-guids filter conf +# HELK build Stage: Alpha +# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + if [event_id] { + if [user_logon_guid] { + mutate { + gsub => [ "user_logon_guid", "[{}]", "" ] + add_field => { "etl_pipeline" => "user_logon_guid-cleanup" } + } + } + if [provider_guid] { + mutate { + gsub => [ "provider_guid", "[{}]", "" ] + add_field => { "etl_pipeline" => "provider_guid-cleanup" } + } + } + if [process_guid] { + mutate { + gsub => [ "process_guid", "[{}]", "" ] + add_field => { "etl_pipeline" => "process_guid-cleanup" } + } + } + if [process_parent_guid] { + mutate { + gsub => [ "process_parent_guid", "[{}]", "" ] + add_field => { "etl_pipeline" => "process_parent_guid-cleanup" } + } + } + if [target_process_guid] { + mutate { + gsub => [ "target_process_guid", "[{}]", "" ] + add_field => { "etl_pipeline" => "target_process_guid-cleanup" } + } + } + if [target_user_logon_guid] { + mutate { + gsub => [ "target_user_logon_guid", "[{}]", "" ] + add_field => { "etl_pipeline" => "target_user_logon_guid-cleanup" } + } + } + } +} diff --git a/docker/helk-logstash/pipeline/2511-winevent-powershell-filter.conf b/docker/helk-logstash/pipeline/2511-winevent-powershell-filter.conf index 851b87c4..9574923e 100644 --- a/docker/helk-logstash/pipeline/2511-winevent-powershell-filter.conf +++ b/docker/helk-logstash/pipeline/2511-winevent-powershell-filter.conf 
@@ -5,9 +5,15 @@ filter { if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell" { + mutate { + add_field => { + "etl_pipeline" => "winevent-powershell-all-2511" + "[@metadata][index_name]" => "powershell" + } + } if [event_id] == 4103 { - mutate { add_field => { "z_logstash_pipeline" => "2511_1" } } + mutate { add_field => { "etl_pipeline" => "powershell-4103-2511" } } mutate { add_field => { "PayloadInvocation" => "%{Payload}" @@ -57,7 +63,6 @@ filter { field_split => "\n" value_split => ":" allow_duplicate_values => false - target => "[powershell]" include_keys => [ "CommandInvocation" ] } ruby { @@ -110,6 +115,7 @@ filter { mutate { rename => { "CommandName" => "[powershell][command][name]" + "CommandInvocation" => "[powershell][command][invocation]" "CommandPath" => "[powershell][command][path]" "CommandType" => "[powershell][command][type]" "ConnectedUser" => "[powershell][connected_user]" @@ -144,7 +150,7 @@ filter { } if [event_id] == 4104 { - mutate { add_field => { "z_logstash_pipeline" => "2511_2" } } + mutate { add_field => { "etl_pipeline" => "powershell-4104-2511" } } if [ScriptBlockText] { mutate { remove_field => [ "message" ] } } @@ -158,7 +164,7 @@ filter { keep_empty_captures => false named_captures_only => true # Sometimes the ScriptBlockText literally could be empty, so you may see this in _grokparesfailure and would then cause a ruby failure below. - tag_on_failure => [ "_grokparsefailure", "_parsefailure" ] + tag_on_failure => [ "_parsefailure", "parsefailure-grok-powershell_4104_01" ] tag_on_timeout => "_groktimeout" # Timeout 1.5 seconds timeout_millis => 1500 @@ -166,7 +172,7 @@ filter { } } - if "_parsefailure" not in [tags] { + if "parsefailure-grok-powershell_4104_01" not in [tags] { # Get the length of the ScriptBlockText and some other hunts/fingerprints ruby { code => " 
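Review bot: The narrowed guard `if "parsefailure-grok-powershell_4104_01" not in [tags]` still lets a grok timeout through: the grok above tags `_groktimeout` rather than any parsefailure tag when it exceeds `timeout_millis`, so the ruby block that follows runs on a ScriptBlockText that was never parsed — presumably the ruby failure the comment on the grok warns about. Extend it to `if "parsefailure-grok-powershell_4104_01" not in [tags] and "_groktimeout" not in [tags] {`. The ruby `code` body and the rest of the 4104 branch continue outside this hunk.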
@@ -184,8 +190,8 @@ filter { event.set('[@metadata][powershell_scriptblock_text_length]', ps_script_block_length) end " - add_field => { "z_logstash_pipeline" => "ruby-2511-002" } - tag_on_exception => "_rubyexception_2511_002" + add_field => { "etl_pipeline" => "ruby-2511-002" } + tag_on_exception => "_rubyexception_2511_002" } } @@ -237,10 +243,5 @@ filter { ] } } - mutate { - rename => { - "computer_name" => "host_name" - } - } } } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/2512-winevent-security-schtasks-filter.conf b/docker/helk-logstash/pipeline/2512-winevent-security-schtasks-filter.conf index 64abf467..f02a8f1b 100644 --- a/docker/helk-logstash/pipeline/2512-winevent-security-schtasks-filter.conf +++ b/docker/helk-logstash/pipeline/2512-winevent-security-schtasks-filter.conf 
@@ -4,27 +4,21 @@ # License: GPL-3.0 filter { - if [log_name] =~ /^[sS]ecurity$/ { - # event_id 4698 for Created Scheduled Task - if [event_id] == 4698 { - mutate { add_field => { "z_logstash_pipeline" => "2512" } } - # Copy original message field incase we bork/mess it up - mutate { copy => { "z_original_message" => "deleteme" } } - # #TONOTE: encoding is UTF-16 - # Need to remove everything before "\s+ "ScheduledTask" - suppress_empty => true - force_array => false - force_content => true - remove_namespaces => true - store_xml => true - add_field => { "z_logstash_xml_success" => "true" } - } + if [scheduled_task_content] { + # Copy original message field incase we bork/mess it up + mutate { copy => { "scheduled_task_content" => "deleteme" } } + # #TONOTE: encoding is UTF-16 + xml { + source => "deleteme" + target => "ScheduledTask" + suppress_empty => true + force_array => false + force_content => true + remove_namespaces => true + store_xml => true + add_field => { "etl_pipeline" => "winevent-ScheduledTask-xml-parsing" } + } + # HASH without Registration Info # The following are the only to tabs/things in a Scheduled Task that may have multiple entries # So we want to make them into a list 
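Review bot: The `xml { source => "deleteme" ... }` block now parses task XML from any event carrying `scheduled_task_content`, and that XML is authored by whoever registered the task, so a local attacker shapes the document handed to the parser; with `store_xml => true` the filter goes through an XmlSimple/REXML path that caps entity expansion by default, but nothing here records that external entities and DTD handling were considered. A comment such as `# scheduled_task_content is attacker-authored XML — xml filter must keep external entities/DTD disabled` would pin that down. The old `log_name`/`event_id == 4698` guard is gone, so the block fires for every source that sets `scheduled_task_content`; if only the 4698/4702 rename produces that field that is fine, but it is worth saying so. The carried-over `# #TONOTE: encoding is UTF-16` comment referred to the raw message and may no longer apply to a copied string field — confirm or drop it.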
@@ -35,18 +29,20 @@ filter { #TODO:hunt if Registration Author is different than Prinicpal User :) #TODO:Hash #TODO:lowercase ScheduledTask.Actions.Exec.WorkingDirectory AND ScheduledTask.Triggers.EventTrigger.Subscription.QueryList.Query.Path AND ScheduledTask.Triggers.EventTrigger.Subscription.QueryList.Query.Select.Path - if [z_logstash_xml_success] { - mutate { - remove_field => [ "TaskContent", "Message", "deleteme", "[ScheduledTask][Settings]", "[ScheduledTask][xmlns]" ] - } + + if "winevent-ScheduledTask-xml-parsing" in [etl_pipeline] { + mutate { + # remove_field => [ "TaskContent", "Message", "deleteme", "[ScheduledTask][Settings]", "[ScheduledTask][xmlns]" ] + remove_field => [ "Message", "deleteme" ] } - # Else move it to something else - else { - mutate { - add_field => { "z_logstash_xml_success" => "false" } - remove_field => [ "TaskContent", "deleteme", "ScheduledTask", "Message" ] - } + } + # Else keep as is using what we copied beforehand + else { + mutate { + add_tag => [ "_parsefailure", "parsefailure-winevent-ScheduledTask-xml-parsing" ] + remove_field => [ "deleteme", "ScheduledTask", "Message" ] } } + } } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/3101-zeek_corelight-all-filter.conf b/docker/helk-logstash/pipeline/3101-zeek_corelight-all-filter.conf new file mode 100644 index 00000000..25eb312a --- /dev/null +++ b/docker/helk-logstash/pipeline/3101-zeek_corelight-all-filter.conf 
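Review bot: The comment `# Else keep as is using what we copied beforehand` is misleading, because the failure branch immediately does `remove_field => [ "deleteme", "ScheduledTask", "Message" ]` and so discards the copy; what survives is the untouched `scheduled_task_content` source field. Reword it to `# Else: XML parse failed — drop the working copy and partial tree; the raw XML stays in scheduled_task_content`. The success test `if "winevent-ScheduledTask-xml-parsing" in [etl_pipeline]` relies on the xml filter's `add_field` only firing on success, which holds but deserves a one-line note since it is the only success signal left after `z_logstash_xml_success` was removed.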
@@ -0,0 +1,143 @@ +# HELK Zeek and Corelight main/all configuration +# HELK build Stage: Alpha +# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + if [etl_kafka_topic] == "zeek" or [etl_kafka_topic] =~ "^corelight" { + + # (Original event) message field kept + if [message] { + # original event kept but not already JSON expanded + if ![ts] { + json { + source => "message" + tag_on_failure => [ "_parsefailure", "parsefailure-critical", "parsefailure-json_codec" ] + remove_field => [ "message" ] + add_field => { "etl_pipeline" => "zeek-json-conversion" } + skip_on_invalid_json => true + } + } + # else, original event kept but JSON already applied nothing to do + } + + # It's in the zeek kafka topic, but for some reason has no fields the way it should + else if ![ts] { + mutate { + add_field => { "etl_pipeline" => "zeek-format-unkown" } + add_tag => [ "parsefailure-critical" ] + } + } + # else JSON already applied nothing to do + + # Corelight specific, Corelight can be distinguished from open source zeek simply by the difference that corelight has the field `_write_ts` + if [_write_ts] { + mutate { + add_field => { "event_vendor" => "Corelight" } + } + date { + match => [ "_write_ts", "ISO8601" ] + timezone => "UTC" + target => "event_recorded_time" + remove_field => "_write_ts" + tag_on_failure => [ "_parsefailure", "parsefailure-date-event_recorded_time", "parsefailure-date-_write_ts" ] + add_field => { "etl_pipeline" => "zeek-corelight-date-_write_ts" } + } + } + + # Perform date conversion + if [event_vendor] == "Corelight" { + # Corelight already converts Unix TS so need to perform differently than opensource + date { + match => [ "ts", "ISO8601" ] + timezone => "UTC" + target => "@timestamp" + remove_field => "ts" + tag_on_failure => [ "_parsefailure", "parsefailure-critical", "parsefailure-date-@timestamp", "parsefailure-date-corelight-ts" ] + add_field => { + "event_original_time" => "%{@timestamp}" + 
"etl_pipeline" => "zeek_corelight_timestamp" + } + } + } + else { + # Zeek uses UNIX/EPOCH timestamp + date { + match => [ "ts", "UNIX" ] + timezone => "UTC" + target => "@timestamp" + remove_field => "ts" + tag_on_failure => [ "_parsefailure", "parsefailure-critical", "parsefailure-date-@timestamp", "parsefailure-date-zeek-ts" ] + add_field => { + "etl_pipeline" => "zeek_timestamp" + } + } + } + + # + #mutate { + # add_field => { + # "event_log" => "zeek" + # } + #} + # + # + # + ## Event Type + #mutate { + # add_field => { + # "event_type" => "network" + # # "[@metadata][index_name]" => "network" + # } + #} + #mutate { + # add_field => { + # "event_type" => "miscellaneous" + # # "[@metadata][index_name]" => "miscellaneous" + # } + #} + #mutate { + # add_field => { + # "event_type" => "detection" + # # "[@metadata][index_name]" => "detection" + # } + #} + #mutate { + # add_field => { + # "event_type" => "miscellaneous" + # # "[@metadata][index_name]" => "miscellaneous" + # } + #} + #mutate { + # add_field => { + # "event_type" => "netcontrol" + # # "[@metadata][index_name]" => "netcontrol" + # } + #} + #mutate { + # add_field => { + # "event_type" => "observations" + # # "[@metadata][index_name]" => "observations" + # } + #} + #mutate { + # add_field => { + # "event_type" => "files" + # # "[@metadata][index_name]" => "files" + # } + #} + #mutate { + # add_field => { + # "event_type" => "diagnostics" + # # "[@metadata][index_name]" => "diagnostics" + # } + #} + #mutate { + # add_field => { + # "event_type" => "unknown" + # # "[@metadata][index_name]" => "unknown" + # } + #} + + } +} diff --git a/docker/helk-logstash/pipeline/8012-dst-ip-cleanups-filter.conf b/docker/helk-logstash/pipeline/8012-dst-ip-cleanups-filter.conf index 673a1cf3..3d38c41d 100644 --- a/docker/helk-logstash/pipeline/8012-dst-ip-cleanups-filter.conf +++ b/docker/helk-logstash/pipeline/8012-dst-ip-cleanups-filter.conf 
@@ -1,2 +1,2 @@ -# Reference new location of "8112-dst-ip-filter.conf" -# Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. \ No newline at end of file +#Reference new location of "8112-dst-ip-filter.conf" +#Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. diff --git a/docker/helk-logstash/pipeline/8013-src-ip-cleanups-filter.conf b/docker/helk-logstash/pipeline/8013-src-ip-cleanups-filter.conf index 8016909d..6ecc2c73 100644 --- a/docker/helk-logstash/pipeline/8013-src-ip-cleanups-filter.conf +++ b/docker/helk-logstash/pipeline/8013-src-ip-cleanups-filter.conf @@ -1,2 +1,2 @@ -# Reference new location of "8113-src-ip-filter.conf" -# Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. \ No newline at end of file +#Reference new location of "8113-src-ip-filter.conf" +#Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. diff --git a/docker/helk-logstash/pipeline/8014-dst-nat-ip-cleanups-filter.conf b/docker/helk-logstash/pipeline/8014-dst-nat-ip-cleanups-filter.conf index 9087f911..aa99b0be 100644 --- a/docker/helk-logstash/pipeline/8014-dst-nat-ip-cleanups-filter.conf +++ b/docker/helk-logstash/pipeline/8014-dst-nat-ip-cleanups-filter.conf 
@@ -1,2 +1,2 @@ -# Reference new location of "8114-dst-nat-ip-filter.conf" -# Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. \ No newline at end of file +#Reference new location of "8114-dst-nat-ip-filter.conf" +#Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. diff --git a/docker/helk-logstash/pipeline/8015-src-nat-ip-cleanups-filter.conf b/docker/helk-logstash/pipeline/8015-src-nat-ip-cleanups-filter.conf index c4d5b93c..4d20d6e2 100644 --- a/docker/helk-logstash/pipeline/8015-src-nat-ip-cleanups-filter.conf +++ b/docker/helk-logstash/pipeline/8015-src-nat-ip-cleanups-filter.conf @@ -1,2 +1,2 @@ -# Reference new location of "8115-src-nat-ip-filter.conf" -# Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. \ No newline at end of file +#Reference new location of "8115-src-nat-ip-filter.conf" +#Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. diff --git a/docker/helk-logstash/pipeline/8112-dst-ip-filter.conf b/docker/helk-logstash/pipeline/8112-dst-ip-filter.conf index 55905ce3..ec556a5f 100644 --- a/docker/helk-logstash/pipeline/8112-dst-ip-filter.conf +++ b/docker/helk-logstash/pipeline/8112-dst-ip-filter.conf 
@@ -14,22 +14,27 @@ filter { script_params => { "parent_field" => "dst" "ip" => "dst_ip_addr" + "is_ipv6" => "dst_is_ipv6" } tag_on_exception => "_rubyexception-all-dst_ip_clean_and_public" + add_field => { "etl_pipeline" => "dst_ip_addr_clean_and_public" } } # If still has valid IP(s) after cleanup if [dst_ip_addr] { #TODO:eventually support geo/asn on all IPs if array, right now just is only one (and not if first IP is private and second is public it will do on first one per doc on using logstash geoip plugin ) - if [@metadata][dst_ip_addr][number_of_ip_addresses] == 1 { + #if [@metadata][dst_ip_addr][number_of_ip_addresses] == 1 { # Only perform geo enrichment if is a public IP - if [dst_ip_public] { + if [dst_ip_public] == "true" { geoip { source => "dst_ip_addr" target => "meta_dst_ip_geo" default_database_type => "City" # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory. cache_size => 90000 - add_field => { "[@metadata][dst_ip_addr_geo_location_successful]" => "true" } + add_field => { + "[@metadata][dst_ip_addr_geo_location_successful]" => "true" + "etl_pipeline" => "dst_ip_addr_geo_city" + } #fields => [ # "city_name", # "continent_code", @@ -47,6 +52,7 @@ filter { "[meta_dst_ip_geo][ip]", "[meta_dst_ip_geo][real_region_name]" ] + tag_on_failure => [ "_parsefailure", "_geoip_lookup_failure", "parsefailure-geoip-city-dst_ip_addr" ] } geoip { source => "dst_ip_addr" 
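Review bot: `if [dst_ip_public] == "true"` only works if the ruby script that sets `dst_ip_public` writes the string "true"; if it writes a Ruby boolean the comparison is always false and City/ASN enrichment stops with no tag at all, the same silent outcome the replaced bare `if [dst_ip_public]` had for a string "false". Confirm against the script (referenced above this hunk) and record the contract, e.g. `# dst_ip_public is the string "true"/"false" as written by the script above`. Commenting out the `number_of_ip_addresses == 1` guard here and in 8113 while 8114/8115 keep it also makes the four parallel files diverge; per the TODO the geoip filter uses only the first element of an array, so a private-first, public-second list now produces a failed or misleading lookup instead of being skipped.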
@@ -54,11 +60,15 @@ filter { default_database_type => "ASN" # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory. cache_size => 90000 - add_field => { "[@metadata][dst_ip_addr_geo_asn_successful]" => "true" } + add_field => { + "[@metadata][dst_ip_addr_geo_asn_successful]" => "true" + "etl_pipeline" => "dst_ip_addr_geo_asn" + } remove_field => [ "[meta_dst_ip_geo][ip]" ] + tag_on_failure => [ "_parsefailure", "_geoip_lookup_failure", "parsefailure-geoip-asn-dst_ip_addr" ] } } - } + #} } } diff --git a/docker/helk-logstash/pipeline/8113-src-ip-filter.conf b/docker/helk-logstash/pipeline/8113-src-ip-filter.conf index 0220ae7b..6511eac3 100644 --- a/docker/helk-logstash/pipeline/8113-src-ip-filter.conf +++ b/docker/helk-logstash/pipeline/8113-src-ip-filter.conf 
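Review bot: Adding `_parsefailure` to the geoip `tag_on_failure` list conflates a database miss with a parse error: a public address absent from the City or ASN database is not a parsing problem, yet every such event now carries the same `_parsefailure` tag as malformed JSON or a broken grok, which will muddy any dashboard or alert keyed on that tag. Keep `_geoip_lookup_failure` and the specific `parsefailure-geoip-asn-dst_ip_addr`, and either drop `_parsefailure` or document the overload with `# _parsefailure is also used for geoip misses — filter by the specific tag when triaging parse errors`.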
@@ -14,22 +14,27 @@ filter { script_params => { "parent_field" => "src" "ip" => "src_ip_addr" + "is_ipv6" => "src_is_ipv6" } tag_on_exception => "_rubyexception-all-src_ip_clean_and_public" + add_field => { "etl_pipeline" => "src_ip_addr_clean_and_public" } } # If still has valid IP(s) after cleanup if [src_ip_addr] { #TODO:eventually support geo/asn on all IPs if array, right now just is only one (and not if first IP is private and second is public it will do on first one per doc on using logstash geoip plugin ) - if [@metadata][src_ip_addr][number_of_ip_addresses] == 1 { + #if [@metadata][src_ip_addr][number_of_ip_addresses] == 1 { # Only perform geo enrichment if is a public IP - if [src_ip_public] { + if [src_ip_public] == "true" { geoip { source => "src_ip_addr" target => "meta_src_ip_geo" default_database_type => "City" # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory. cache_size => 90000 - add_field => { "[@metadata][src_ip_addr_geo_location_successful]" => "true" } + add_field => { + "[@metadata][src_ip_addr_geo_location_successful]" => "true" + "etl_pipeline" => "src_ip_addr_geo_city" + } #fields => [ # "city_name", # "continent_code", @@ -47,6 +52,7 @@ filter { "[meta_src_ip_geo][ip]", "[meta_src_ip_geo][real_region_name]" ] + tag_on_failure => [ "_parsefailure", "_geoip_lookup_failure", "parsefailure-geoip-city-src_ip_addr" ] } geoip { source => "src_ip_addr" 
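Review bot: This hunk mirrors 8112 line for line, including the string comparison `if [src_ip_public] == "true"` and the commented-out single-address guard, so the same type-of-field caveat and the same divergence from 8114/8115 (which keep the guard and spell the literal `'true'`) apply here. Whatever is decided for 8112 should land here too, and a comment in each of the four files naming the canonical copy would make the drift visible next time.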
@@ -54,11 +60,15 @@ filter { default_database_type => "ASN" # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory. cache_size => 90000 - add_field => { "[@metadata][src_ip_addr_geo_asn_successful]" => "true" } + add_field => { + "[@metadata][src_ip_addr_geo_asn_successful]" => "true" + "etl_pipeline" => "src_ip_addr_geo_asn" + } remove_field => [ "[meta_src_ip_geo][ip]" ] + tag_on_failure => [ "_parsefailure", "_geoip_lookup_failure", "parsefailure-geoip-asn-src_ip_addr" ] } } - } + #} } } diff --git a/docker/helk-logstash/pipeline/8114-dst-nat-ip-filter.conf b/docker/helk-logstash/pipeline/8114-dst-nat-ip-filter.conf index 2f837b6b..07c40a0e 100644 --- a/docker/helk-logstash/pipeline/8114-dst-nat-ip-filter.conf +++ b/docker/helk-logstash/pipeline/8114-dst-nat-ip-filter.conf 
@@ -14,22 +14,27 @@ filter { script_params => { "parent_field" => "dst" "ip" => "dst_nat_ip_addr" + "is_ipv6" => "dst_nat_is_ipv6" } tag_on_exception => "_rubyexception-all-dst_nat_ip_clean_and_public" + add_field => { "etl_pipeline" => "dst_nat_ip_addr_clean_and_public" } } # If still has valid IP(s) after cleanup if [dst_nat_ip_addr] { #TODO:eventually support geo/asn on all IPs if array, right now just is only one (and not if first IP is private and second is public it will do on first one per doc on using logstash geoip plugin ) if [@metadata][dst_nat_ip_addr][number_of_ip_addresses] == 1 { # Only perform geo enrichment if is a public IP - if [dst_nat_ip_public] { + if [dst_nat_ip_public] == 'true' { geoip { source => "dst_nat_ip_addr" target => "meta_dst_nat_ip_geo" default_database_type => "City" # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory. cache_size => 90000 - add_field => { "[@metadata][dst_nat_ip_addr_geo_location_successful]" => "true" } + add_field => { + "[@metadata][dst_nat_ip_addr_geo_location_successful]" => "true" + "etl_pipeline" => "dst_nat_ip_addr_geo_city" + } #fields => [ # "city_name", # "continent_code", @@ -47,6 +52,7 @@ filter { "[meta_dst_nat_ip_geo][ip]", "[meta_dst_nat_ip_geo][real_region_name]" ] + tag_on_failure => [ "_parsefailure", "_geoip_lookup_failure", "parsefailure-geoip-city-dst_nat_ip_addr" ] } geoip { source => "dst_nat_ip_addr" 
@@ -54,8 +60,12 @@ filter { default_database_type => "ASN" # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory. cache_size => 90000 - add_field => { "[@metadata][dst_nat_ip_addr_geo_asn_successful]" => "true" } - remove_field => [ "[meta_dst_nat_ip_geo][ip]" ] + add_field => { + "[@metadata][dst_nat_ip_addr_geo_asn_successful]" => "true" + "etl_pipeline" => "dst_nat_ip_addr_geo_asn" + } + remove_field => ["[meta_dst_nat_ip_geo][ip]" ] + tag_on_failure => [ "_parsefailure", "_geoip_lookup_failure", "parsefailure-geoip-asn-dst_nat_ip_addr" ] } } } diff --git a/docker/helk-logstash/pipeline/8115-src-nat-ip-filter.conf b/docker/helk-logstash/pipeline/8115-src-nat-ip-filter.conf index 77f600d2..db2db77a 100644 --- a/docker/helk-logstash/pipeline/8115-src-nat-ip-filter.conf +++ b/docker/helk-logstash/pipeline/8115-src-nat-ip-filter.conf 
@@ -14,22 +14,27 @@ filter { script_params => { "parent_field" => "src" "ip" => "src_nat_ip_addr" + "is_ipv6" => "src_nat_is_ipv6" } tag_on_exception => "_rubyexception-all-src_nat_ip_clean_and_public" + add_field => { "etl_pipeline" => "dst_nat_ip_addr_clean_and_public" } } # If still has valid IP(s) after cleanup if [src_nat_ip_addr] { #TODO:eventually support geo/asn on all IPs if array, right now just is only one (and not if first IP is private and second is public it will do on first one per doc on using logstash geoip plugin ) if [@metadata][src_nat_ip_addr][number_of_ip_addresses] == 1 { # Only perform geo enrichment if is a public IP - if [src_nat_ip_public] { + if [src_nat_ip_public] == 'true' { geoip { source => "src_nat_ip_addr" target => "meta_src_nat_ip_geo" default_database_type => "City" # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory. cache_size => 90000 - add_field => { "[@metadata][src_nat_ip_addr_geo_location_successful]" => "true" } + add_field => { + "[@metadata][src_nat_ip_addr_geo_location_successful]" => "true" + "etl_pipeline" => "src_nat_ip_addr_geo_city" + } #fields => [ # "city_name", # "continent_code", @@ -47,6 +52,7 @@ filter { "[meta_src_nat_ip_geo][ip]", "[meta_src_nat_ip_geo][real_region_name]" ] + tag_on_failure => [ "_parsefailure", "_geoip_lookup_failure", "parsefailure-geoip-city-src_nat_ip_addr" ] } geoip { source => "src_nat_ip_addr" 
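Review bot: `add_field => { "etl_pipeline" => "dst_nat_ip_addr_clean_and_public" }` on the `src_nat` ruby filter is a copy-paste slip from 8114: events whose source-NAT address was cleaned get labelled as destination-NAT processing, so the etl trail is wrong for exactly the field it is meant to trace. It should read `add_field => { "etl_pipeline" => "src_nat_ip_addr_clean_and_public" }`.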
@@ -54,8 +60,12 @@ filter {
 default_database_type => "ASN"
 # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
 cache_size => 90000
- add_field => { "[@metadata][src_nat_ip_addr_geo_asn_successful]" => "true" }
+ add_field => {
+ "[@metadata][src_nat_ip_addr_geo_asn_successful]" => "true"
+ "etl_pipeline" => "src_nat_ip_addr_geo_city"
+ }
 remove_field => [ "[meta_src_nat_ip_geo][ip]" ]
+ tag_on_failure => [ "_parsefailure", "_geoip_lookup_failure", "parsefailure-geoip-asn-src_nat_ip_addr" ]
 }
 }
 }
diff --git a/docker/helk-logstash/pipeline/8211-winevent-hostname-cleanups.conf b/docker/helk-logstash/pipeline/8211-winevent-hostname-cleanups-filter.conf
similarity index 60%
rename from docker/helk-logstash/pipeline/8211-winevent-hostname-cleanups.conf
rename to docker/helk-logstash/pipeline/8211-winevent-hostname-cleanups-filter.conf
index f9fe680a..4a2c12f0 100644
--- a/docker/helk-logstash/pipeline/8211-winevent-hostname-cleanups.conf
+++ b/docker/helk-logstash/pipeline/8211-winevent-hostname-cleanups-filter.conf
@@ -7,13 +7,11 @@ filter {
 if [event_id] {
 mutate {
 lowercase => [
- "computer_name",
 "dst_host_name",
 "src_host_name",
- "host_name",
- "[winlog][computer_name]"
+ "host_name"
 ]
- add_field => { "z_logstash_pipeline" => "winevent-hostname-cleanup" }
+ add_field => { "etl_pipeline" => "winevent-hostname-cleanup" }
 }
 }
 }
diff --git a/docker/helk-logstash/pipeline/8251-helk-domains-and-hostnames-enrichments_and_additions-filter.conf b/docker/helk-logstash/pipeline/8251-helk-domains-and-hostnames-enrichments_and_additions-filter.conf
new file mode 100644
index 00000000..d9229996
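Review bot: `"etl_pipeline" => "src_nat_ip_addr_geo_city"` sits inside the ASN geoip block (`default_database_type => "ASN"`), so it repeats the label the City block in the previous hunk already adds; the dst-nat counterpart labels this block `dst_nat_ip_addr_geo_asn`, so this line should be `"etl_pipeline" => "src_nat_ip_addr_geo_asn"`. As written, a successful ASN lookup is indistinguishable in `etl_pipeline` from a City lookup, which defeats the per-stage tracing the field is being introduced for. The enclosing geoip block starts before this hunk.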
--- /dev/null
+++ b/docker/helk-logstash/pipeline/8251-helk-domains-and-hostnames-enrichments_and_additions-filter.conf
@@ -0,0 +1,23 @@
+# HELK Hostnames and Domains Enrichments and Additions
+# HELK build Stage: Alpha
+# Author: Nate Guagenti (@neu5ron)
+# License: GPL-3.0
+
+filter {
+ # Copy some values that could be dst_host_name if dst_host_name doesn't exist and those variables do
+ if [target_server_name] and ![dst_host_name] {
+ mutate {
+ copy => { "target_server_name" => "dst_host_name" }
+ }
+ }
+ if [target_host_name] and ![dst_host_name] {
+ mutate {
+ copy => { "target_host_name" => "dst_host_name" }
+ }
+ }
+ if [service_name] and ![dst_host_name] {
+ mutate {
+ copy => { "service_name" => "dst_host_name" }
+ }
+ }
+}
diff --git a/docker/helk-logstash/pipeline/8291-winevent-username-final-modifcations.conf b/docker/helk-logstash/pipeline/8291-winevent-username-final-modifcations-filter.conf
similarity index 60%
rename from docker/helk-logstash/pipeline/8291-winevent-username-final-modifcations.conf
rename to docker/helk-logstash/pipeline/8291-winevent-username-final-modifcations-filter.conf
index f0af75bf..711735a8 100644
--- a/docker/helk-logstash/pipeline/8291-winevent-username-final-modifcations.conf
+++ b/docker/helk-logstash/pipeline/8291-winevent-username-final-modifcations-filter.conf
@@ -11,7 +11,7 @@ filter {
 mutate {
 add_field => {
 "meta_user_name_is_machine" => true
- "z_logstash_pipeline" => "winevent-user_name-is-machine-account"
+ "etl_pipeline" => "winevent-user_name-is-machine-account"
 }
 }
 }
@@ -19,7 +19,7 @@ filter {
 mutate {
 add_field => {
 "meta_user_name_is_machine" => false
- "z_logstash_pipeline" => "winevent-user_name-is-machine-account"
+ "etl_pipeline" => "winevent-user_name-is-machine-account"
 }
 }
 }
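Review bot: The three guards give `target_server_name` precedence over `target_host_name`, which in turn wins over `service_name`, but that ordering exists only because each `if` repeats the `![dst_host_name]` test after the previous block may have set it, and nothing in the file says so; add `# Precedence: target_server_name, then target_host_name, then service_name; each block runs only if dst_host_name is still unset` above the first `if`. Whether `service_name` is a host name in every source feeding this pipeline is worth confirming before it is promoted to `dst_host_name` (in some event types it names a service or account rather than a host), and that same comment is the place to record the decision.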
@@ -30,7 +30,7 @@ filter { mutate { add_field => { "meta_user_reporter_name_is_machine" => true - "z_logstash_pipeline" => "winevent-user_reporter_name-is-machine-account" + "etl_pipeline" => "winevent-user_reporter_name-is-machine-account" } } } @@ -38,26 +38,26 @@ filter { mutate { add_field => { "meta_user_reporter_name_is_machine" => false - "z_logstash_pipeline" => "winevent-user_reporter_name-is-machine-account" + "etl_pipeline" => "winevent-user_reporter_name-is-machine-account" } } } } - if [user_target_name] { - if [user_target_name] =~ "\$$" { + if [target_user_name] { + if [target_user_name] =~ "\$$" { mutate { add_field => { - "meta_user_target_name_is_machine" => true - "z_logstash_pipeline" => "winevent-user_target_name-is-machine-account" + "meta_target_user_name_is_machine" => true + "etl_pipeline" => "winevent-target_user_name-is-machine-account" } } } else { mutate { add_field => { - "meta_user_target_name_is_machine" => false - "z_logstash_pipeline" => "winevent-user_target_name-is-machine-account" + "meta_target_user_name_is_machine" => false + "etl_pipeline" => "winevent-target_user_name-is-machine-account" } } } diff --git a/docker/helk-logstash/pipeline/8801-meta-command_line-enrichment_and_additions-filter.conf b/docker/helk-logstash/pipeline/8801-meta-command_line-enrichment_and_additions-filter.conf index b79eb3f9..90eba7a2 100644 --- a/docker/helk-logstash/pipeline/8801-meta-command_line-enrichment_and_additions-filter.conf +++ b/docker/helk-logstash/pipeline/8801-meta-command_line-enrichment_and_additions-filter.conf @@ -30,7 +30,7 @@ filter { event.set('meta_process_command_line_length', cli_length) end " - add_field => { "z_logstash_pipeline" => "ruby-8801-0001" } + add_field => { "etl_pipeline" => "ruby-8801-0001" } tag_on_exception => "_rubyexception_8801_0001" } 
diff --git a/docker/helk-logstash/pipeline/8802-meta-powershell-enrichment_and_additions-filter.conf b/docker/helk-logstash/pipeline/8802-meta-powershell-enrichment_and_additions-filter.conf index 43cc30de..be31d83f 100644 --- a/docker/helk-logstash/pipeline/8802-meta-powershell-enrichment_and_additions-filter.conf +++ b/docker/helk-logstash/pipeline/8802-meta-powershell-enrichment_and_additions-filter.conf @@ -33,4 +33,5 @@ filter { } } } + } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/8901-fingerprints-command_line-filter.conf b/docker/helk-logstash/pipeline/8901-fingerprints-command_line-filter.conf index a9407f36..ecd8188f 100644 --- a/docker/helk-logstash/pipeline/8901-fingerprints-command_line-filter.conf +++ b/docker/helk-logstash/pipeline/8901-fingerprints-command_line-filter.conf @@ -14,7 +14,7 @@ filter { method => "MURMUR3" target => "fingerprint_process_command_line_mm3" key => "logstash" - add_field => { "z_logstash_pipeline" => "fingerprint-8901-001" } + add_field => { "etl_pipeline" => "fingerprint-8901-001" } } } diff --git a/docker/helk-logstash/pipeline/8902-fingerprints-powershell.conf b/docker/helk-logstash/pipeline/8902-fingerprints-powershell-filter.conf similarity index 86% rename from docker/helk-logstash/pipeline/8902-fingerprints-powershell.conf rename to docker/helk-logstash/pipeline/8902-fingerprints-powershell-filter.conf index daafb2dd..b96284ff 100644 --- a/docker/helk-logstash/pipeline/8902-fingerprints-powershell.conf +++ b/docker/helk-logstash/pipeline/8902-fingerprints-powershell-filter.conf @@ -14,7 +14,7 @@ filter { method => "MURMUR3" target => "fingerprint_powershell_param_value_mm3" key => "logstash" - add_field => { "z_logstash_pipeline" => "fingerprint-8902-001" } + add_field => { "etl_pipeline" => "fingerprint-8902-001" } } } 
@@ -24,7 +24,7 @@ filter { method => "SHA1" target => "fingerprint_powershell_scriptblock_text_sha1" key => "logstash" - add_field => { "z_logstash_pipeline" => "fingerprint-8902-002" } + add_field => { "etl_pipeline" => "fingerprint-8902-002" } } } diff --git a/docker/helk-logstash/pipeline/8911-fingerprints-network_community_id-filter.conf b/docker/helk-logstash/pipeline/8911-fingerprints-network_community_id-filter.conf new file mode 100644 index 00000000..907fae92 --- /dev/null +++ b/docker/helk-logstash/pipeline/8911-fingerprints-network_community_id-filter.conf @@ -0,0 +1,26 @@ +# HELK community-id filter conf +# HELK build Stage: Alpha +# Author: Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + # Because other versions of network community ID are already renamed to HELK naming, check to make sure this field does NOT already exist + if ![fingerprint_network_community_id] { + # Lookup community id event's containing network parameters + if [src_ip_addr] and [dst_ip_addr] and [network_protocol] and [dst_port] and [src_port] and [@metadata][src_ip_addr][number_of_ip_addresses] == 1 and [@metadata][dst_ip_addr][number_of_ip_addresses] == 1 { + ruby { + path => "/usr/share/logstash/pipeline/ruby/community-id.rb" + script_params => { + "source_ip_field" => "src_ip_addr" + "dest_ip_field" => "dst_ip_addr" + "source_port_field" => "src_port" + "dest_port_field" => "dst_port" + "protocol_field" => "network_protocol" + "target_field" => "fingerprint_network_community_id" + } + add_field => { "etl_pipeline" => "community_id_addition" } + tag_on_exception => "_rubyexception-community_id" + } + } + } +} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/8911-fingerprints-network_community_id.conf b/docker/helk-logstash/pipeline/8911-fingerprints-network_community_id.conf deleted file mode 100644 index 6cf820a9..00000000 --- a/docker/helk-logstash/pipeline/8911-fingerprints-network_community_id.conf +++ /dev/null 
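Review bot: The comment `# Lookup community id event's containing network parameters` in the new 8911 filter reads awkwardly and does not say what the long condition below it enforces; suggest `# Compute the community ID only for events with exactly one src and one dst IP, both ports, and a transport protocol`. The form `network_protocol` must take (a name such as tcp versus an IANA number) is decided by community-id.rb, which is outside this file, so a one-line comment on the `"protocol_field" => "network_protocol"` line stating the expected form would save the next reader a lookup. The `![fingerprint_network_community_id]` guard is a good addition and its comment explains it adequately.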
@@ -1,22 +0,0 @@ -# HELK community-id filter conf -# HELK build Stage: Alpha -# Author: Nate Guagenti (@neu5ron) -# License: GPL-3.0 - -filter { - # Lookup community id event's containing network parameters - if [src_ip_addr] and [dst_ip_addr] and [network_protocol] and [dst_port] and [src_port] and [@metadata][src_ip_addr][number_of_ip_addresses] == 1 and [@metadata][dst_ip_addr][number_of_ip_addresses] == 1 { - ruby { - path => "/usr/share/logstash/pipeline/ruby/community-id.rb" - script_params => { - "source_ip_field" => "src_ip_addr" - "dest_ip_field" => "dst_ip_addr" - "source_port_field" => "src_port" - "dest_port_field" => "dst_port" - "protocol_field" => "network_protocol" - "target_field" => "fingerprint_network_community_id" - } - tag_on_exception => "_rubyexception-community_id" - } - } -} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/8999-final-parse-detection-and-cleanup-filter.conf b/docker/helk-logstash/pipeline/8999-final-parse-detection-and-cleanup-filter.conf new file mode 100644 index 00000000..9adb3fff --- /dev/null +++ b/docker/helk-logstash/pipeline/8999-final-parse-detection-and-cleanup-filter.conf 
@@ -0,0 +1,32 @@
+# HELK Final Cleanup and Critical Parsing Failure Determination
+# HELK build Stage: Alpha
+# Author: Nate Guagenti (@neu5ron)
+# License: GPL-3.0
+
+filter {
+
+ # Successful parse of event/log
+ if "parsefailure-critical" not in [tags] {
+ if "all-filter-0098" in [etl_pipeline] {
+ # message field has previously been copied and kept, so remove it. also its an alias, so we still get compatibility if users are using "message" certaing places, so we can also prevent conflicts by doing this since the field is an alias
+ if [message] {
+ mutate {
+ remove_field => [ "message" ]
+ add_field => { "etl_pipeline" => "final-cleanup-message_field" }
+ }
+ }
+ }
+ }
+ # Unsucessful parse of event/log
+ else {
+ mutate {
+ update => {
+ "[@metadata][helk_parsed]" => "no"
+ }
+ add_field => {
+ "[@metadata][parse-failure]" => "yes"
+ }
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/docker/helk-logstash/pipeline/9960-winevent-bits-output.conf b/docker/helk-logstash/pipeline/9949-winevent-main-output.conf
similarity index 57%
rename from docker/helk-logstash/pipeline/9960-winevent-bits-output.conf
rename to docker/helk-logstash/pipeline/9949-winevent-main-output.conf
index 2b0d84f8..d1976994 100644
--- a/docker/helk-logstash/pipeline/9960-winevent-bits-output.conf
+++ b/docker/helk-logstash/pipeline/9949-winevent-main-output.conf
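Review bot: `update => { "[@metadata][helk_parsed]" => "no" }` is a no-op when `[@metadata][helk_parsed]` was never set, because mutate's `update` only touches fields that already exist; an event tagged `parsefailure-critical` before any filter set that flag ends up with no `helk_parsed` at all, which still routes as unparsed in 9998 but is invisible to anything that looks for the literal `"no"`. `replace => { "[@metadata][helk_parsed]" => "no" }` sets it in both cases. The new key `[@metadata][parse-failure]` is the only hyphenated metadata name next to `helk_parsed`, `log_hash` and `index_name`; `parse_failure` would follow the existing convention, and the 9998 output that reads it would need the same rename. The comments also carry two typos, `certaing` and `Unsucessful`.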
@@ -1,13 +1,13 @@ -# HELK bits output conf file +# HELK winevent-main output conf file # HELK build Stage: Alpha # Author: Roberto Rodriguez (@Cyb3rWard0g) # License: GPL-3.0 output { - if [log_name] == "Microsoft-Windows-Bits-Client/Operational" and [@metadata][helk_parsed] == "yes" { + if [@metadata][index_name] and [event_id] and [@metadata][helk_parsed] == "yes" { elasticsearch { hosts => ["helk-elasticsearch:9200"] - index => "logs-endpoint-winevent-bits-%{+YYYY.MM.dd}" + index => "logs-endpoint-winevent-%{[@metadata][index_name]}-%{+YYYY.MM.dd}" document_id => "%{[@metadata][log_hash]}" user => 'elastic' #password => 'elasticpassword' diff --git a/docker/helk-logstash/pipeline/9950-winevent-sysmon-output.conf b/docker/helk-logstash/pipeline/9950-winevent-sysmon-output.conf index f40d97b5..1853ed4c 100644 --- a/docker/helk-logstash/pipeline/9950-winevent-sysmon-output.conf +++ b/docker/helk-logstash/pipeline/9950-winevent-sysmon-output.conf @@ -1,16 +1,2 @@ -# HELK sysmon output conf file -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -output { - if [log_name] =~ /^[mM]icrosoft\-[wW]indows\-[sS]ysmon\/[oO]perational$/ and [@metadata][helk_parsed] == "yes" { - elasticsearch { - hosts => ["helk-elasticsearch:9200"] - index => "logs-endpoint-winevent-sysmon-%{+YYYY.MM.dd}" - document_id => "%{[@metadata][log_hash]}" - user => 'elastic' - #password => 'elasticpassword' - } - } -} \ No newline at end of file +#Moved to docker/helk-logstash/pipeline/9949-winevent-main-output.conf +#Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. diff --git a/docker/helk-logstash/pipeline/9951-winevent-security-output.conf b/docker/helk-logstash/pipeline/9951-winevent-security-output.conf index 11b531f4..1853ed4c 100644 --- a/docker/helk-logstash/pipeline/9951-winevent-security-output.conf 
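Review bot: `index => "logs-endpoint-winevent-%{[@metadata][index_name]}-%{+YYYY.MM.dd}"` interpolates a field set elsewhere in the pipeline directly into the index name, so whatever sets `[@metadata][index_name]` now controls index creation: an uppercase letter, a space or a `/` (all present in Windows channel names such as the `Microsoft-Windows-Bits-Client/Operational` value this file used to match) makes Elasticsearch reject the bulk request, and an unbounded value set means index sprawl. A comment on this line naming the filter that sets the field and the constraint it enforces (lowercase, restricted character set, fixed allow-list) would make that contract visible; if no such constraint exists yet, it belongs in the setting filter rather than here.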
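Review bot: The placeholder `#Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted.` states a policy the same commit does not follow: `9959-winevent-codeintegrity-output.conf`, `9961-winevent-dns-client-output.conf` and `9962-winevent-firewall-advanced-output.conf` are deleted outright in later hunks, as is the old `8911-fingerprints-network_community_id.conf`. A deployment that only copies new files over an existing pipeline directory therefore keeps those stale outputs alive, and their events may be written both by the old file and by 9949 (if `index_name` covers them), or by neither if it does not. Apply the overwrite-with-comment treatment to every retired file, or delete all of them and say so in the commit message; the typo `exisiting` should be fixed in whichever version survives.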
+++ b/docker/helk-logstash/pipeline/9951-winevent-security-output.conf @@ -1,16 +1,2 @@ -# HELK winevent-security output conf file -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -output { - if [log_name] =~ /^[sS]ecurity$/ and [@metadata][helk_parsed] == "yes" { - elasticsearch { - hosts => ["helk-elasticsearch:9200"] - index => "logs-endpoint-winevent-security-%{+YYYY.MM.dd}" - document_id => "%{[@metadata][log_hash]}" - user => 'elastic' - #password => 'elasticpassword' - } - } -} \ No newline at end of file +#Moved to docker/helk-logstash/pipeline/9949-winevent-main-output.conf +#Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. diff --git a/docker/helk-logstash/pipeline/9952-winevent-system-output.conf b/docker/helk-logstash/pipeline/9952-winevent-system-output.conf index 71640cf1..1853ed4c 100644 --- a/docker/helk-logstash/pipeline/9952-winevent-system-output.conf +++ b/docker/helk-logstash/pipeline/9952-winevent-system-output.conf @@ -1,16 +1,2 @@ -# HELK winevent-system output conf file -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -output { - if [log_name] =~ /^[sS]ystem$/ and [@metadata][helk_parsed] == "yes" { - elasticsearch { - hosts => ["helk-elasticsearch:9200"] - index => "logs-endpoint-winevent-system-%{+YYYY.MM.dd}" - document_id => "%{[@metadata][log_hash]}" - user => 'elastic' - #password => 'elasticpassword' - } - } -} \ No newline at end of file +#Moved to docker/helk-logstash/pipeline/9949-winevent-main-output.conf +#Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. diff --git a/docker/helk-logstash/pipeline/9953-winevent-application-output.conf b/docker/helk-logstash/pipeline/9953-winevent-application-output.conf index c58a420d..1853ed4c 100644 
--- a/docker/helk-logstash/pipeline/9953-winevent-application-output.conf +++ b/docker/helk-logstash/pipeline/9953-winevent-application-output.conf @@ -1,16 +1,2 @@ -# HELK winevent-application output conf file -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -output { - if [log_name]=~ /^[aA]pplication$/ and [@metadata][helk_parsed] == "yes" { - elasticsearch { - hosts => ["helk-elasticsearch:9200"] - index => "logs-endpoint-winevent-application-%{+YYYY.MM.dd}" - document_id => "%{[@metadata][log_hash]}" - user => 'elastic' - #password => 'elasticpassword' - } - } -} \ No newline at end of file +#Moved to docker/helk-logstash/pipeline/9949-winevent-main-output.conf +#Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. diff --git a/docker/helk-logstash/pipeline/9954-winevent-powershell-output.conf b/docker/helk-logstash/pipeline/9954-winevent-powershell-output.conf index de5c6db4..1853ed4c 100644 --- a/docker/helk-logstash/pipeline/9954-winevent-powershell-output.conf +++ b/docker/helk-logstash/pipeline/9954-winevent-powershell-output.conf @@ -1,16 +1,2 @@ -# HELK powershell output conf file -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -output { - if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell" and [@metadata][helk_parsed] == "yes" { - elasticsearch { - hosts => ["helk-elasticsearch:9200"] - index => "logs-endpoint-winevent-powershell-%{+YYYY.MM.dd}" - document_id => "%{[@metadata][log_hash]}" - user => 'elastic' - #password => 'elasticpassword' - } - } -} \ No newline at end of file +#Moved to docker/helk-logstash/pipeline/9949-winevent-main-output.conf +#Until we properly delete files, which is very tedious to prevent from impacting an exisiting implementation, this file is overwritten instead of deleted. 
diff --git a/docker/helk-logstash/pipeline/9959-winevent-codeintegrity-output.conf b/docker/helk-logstash/pipeline/9959-winevent-codeintegrity-output.conf deleted file mode 100644 index f6ee11a3..00000000 --- a/docker/helk-logstash/pipeline/9959-winevent-codeintegrity-output.conf +++ /dev/null @@ -1,16 +0,0 @@ -# HELK code integrity output conf file -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -output { - if [log_name] == "Microsoft-Windows-CodeIntegrity/Operational" and [@metadata][helk_parsed] == "yes" { - elasticsearch { - hosts => ["helk-elasticsearch:9200"] - index => "logs-endpoint-winevent-codeintegrity-%{+YYYY.MM.dd}" - document_id => "%{[@metadata][log_hash]}" - user => 'elastic' - #password => 'elasticpassword' - } - } -} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/9961-winevent-dns-client-output.conf b/docker/helk-logstash/pipeline/9961-winevent-dns-client-output.conf deleted file mode 100644 index ad5fb674..00000000 --- a/docker/helk-logstash/pipeline/9961-winevent-dns-client-output.conf +++ /dev/null @@ -1,16 +0,0 @@ -# HELK dns client output conf file -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -output { - if [log_name] == "Microsoft-Windows-DNS-Client/Operational" and [@metadata][helk_parsed] == "yes" { - elasticsearch { - hosts => ["helk-elasticsearch:9200"] - index => "logs-endpoint-winevent-dns-client-%{+YYYY.MM.dd}" - document_id => "%{[@metadata][log_hash]}" - user => 'elastic' - #password => 'elasticpassword' - } - } -} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/9962-winevent-firewall-advanced-output.conf b/docker/helk-logstash/pipeline/9962-winevent-firewall-advanced-output.conf deleted file mode 100644 index ee12d515..00000000 --- a/docker/helk-logstash/pipeline/9962-winevent-firewall-advanced-output.conf +++ /dev/null 
@@ -1,16 +0,0 @@ -# HELK firewall advanced output conf file -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -output { - if [log_name] == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and [@metadata][helk_parsed] == "yes" { - elasticsearch { - hosts => ["helk-elasticsearch:9200"] - index => "logs-endpoint-winevent-firewall-advanced-%{+YYYY.MM.dd}" - document_id => "%{[@metadata][log_hash]}" - user => 'elastic' - #password => 'elasticpassword' - } - } -} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/9990-winevent-catchall-output.conf b/docker/helk-logstash/pipeline/9990-winevent-catchall-output.conf index 2dd5774c..72d930f8 100644 --- a/docker/helk-logstash/pipeline/9990-winevent-catchall-output.conf +++ b/docker/helk-logstash/pipeline/9990-winevent-catchall-output.conf @@ -1,3 +1,8 @@ +# HELK Catchall index for the rest of windows logs +# HELK build Stage: Alpha +# Author: Nate Guagenti (@neu5ron) +# License: GPL-3.0 + output { if [@metadata][helk_parsed] == "yes" and [log_name] != "Microsoft-Windows-Sysmon/Operational" and [log_name] != "Security" and [log_name] != "System" and [log_name] != "Application" and [source_name] != "Microsoft-Windows-PowerShell" and [source_name] != "PowerShell" and [source] != "/var/log/osquery/osqueryd.results.log" and [@metadata][kafka][topic] != "SYSMON_JOIN" and [@metadata][helk_input_source] != "mitre_attack" { elasticsearch { diff --git a/docker/helk-logstash/pipeline/9998-catch_all-output.conf b/docker/helk-logstash/pipeline/9998-catch_all-output.conf index 817db970..1703463d 100644 --- a/docker/helk-logstash/pipeline/9998-catch_all-output.conf +++ b/docker/helk-logstash/pipeline/9998-catch_all-output.conf 
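Review bot: With 9949-winevent-main-output.conf now writing every event that has `[@metadata][index_name]`, `[event_id]` and `helk_parsed == "yes"`, the context condition in this 9990 hunk still excludes only sysmon, security, system, application and powershell by `log_name`/`source_name`, so any other Windows channel that receives an `index_name` (the former bits and codeintegrity channels, for instance) appears to satisfy both outputs and would be indexed twice, once per output. Unless `index_name` is only ever set for those five channels (not visible here), appending `and ![@metadata][index_name]` to the condition closes the overlap, and would also let the per-channel exclusions be dropped in favour of that single check. The `output {` block continues past the end of this hunk.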
@@ -1,11 +1,70 @@ +# HELK Catchall for unparsed logs, critical parse failure logs that could be destructive to database, and additional future usage for simple outputs +# HELK build Stage: Alpha +# Author: Nate Guagenti (@neu5ron) +# License: GPL-3.0 + + output { - if [@metadata][helk_parsed] != "yes" and [source] != "/var/log/osquery/osqueryd.results.log" and [@metadata][kafka][topic] != "SYSMON_JOIN" and [@metadata][helk_input_source] != "mitre_attack"{ + + # NO critical errors in parsing + if [@metadata][parse-failure] != "yes" { + + # Zeek/Corelight + if [event_log] == "zeek" { + elasticsearch { + hosts => ["helk-elasticsearch:9200"] + index => "logs-network-zeek-%{+YYYY.MM.dd}" + #document_id => "%{[@metadata][log_hash]}" + user => 'elastic' + #password => 'elasticpassword' + } + } + + # Unparsed syslog + else if [@metadata][helk_parsed] != "yes" and [etl_input_application_name] =~ "^syslog" { + elasticsearch { + hosts => ["helk-elasticsearch:9200"] + index => "indexme-syslog-%{etl_input_port}-%{+YYYY.MM.dd}" + document_id => "%{[@metadata][log_hash]}" + user => 'elastic' + #password => 'elasticpassword' + } + } + + # Not in schema yet + else if [@metadata][helk_parsed] != "yes" and [source] != "/var/log/osquery/osqueryd.results.log" and [@metadata][kafka][topic] != "SYSMON_JOIN" and [@metadata][helk_input_source] != "mitre_attack" and [type] != "clone" { + # Zeek temporary not in schema + if [event_log] == "zeek" { + elasticsearch { + hosts => ["helk-elasticsearch:9200"] + index => "indexme-zeek-%{+YYYY.MM.dd}" + # document_id => "%{[@metadata][log_hash]}" + user => 'elastic' + #password => 'elasticpassword' + } + } + else { + elasticsearch { + hosts => ["helk-elasticsearch:9200"] + index => "indexme-%{+YYYY.MM.dd}" + # document_id => "%{[@metadata][log_hash]}" + user => 'elastic' + #password => 'elasticpassword' + } + } + } + + } + + # Critical parse failure + else { elasticsearch { hosts => ["helk-elasticsearch:9200"] - index => "indexme-%{+YYYY.MM.dd}" + 
index => "parse-failures-%{+YYYY.MM.dd}" # document_id => "%{[@metadata][log_hash]}" user => 'elastic' #password => 'elasticpassword' } } -} \ No newline at end of file + +} diff --git a/docker/helk-logstash/pipeline/disabled/0100-all-clone-event-filter.DISABLED b/docker/helk-logstash/pipeline/disabled/0100-all-clone-event-filter.DISABLED new file mode 100644 index 00000000..6f85fe8d --- /dev/null +++ b/docker/helk-logstash/pipeline/disabled/0100-all-clone-event-filter.DISABLED @@ -0,0 +1,54 @@ +# HELK All clone event conf +# HELK build Stage: Alpha +# Author: Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +#TODO: File needs revisited after changes to `1010-winevent-winlogbeats-filter.conf` + +filter { + + ## Only clone events that have been previously hashed and not mitre attack matrix + if [@metadata][log_hash] and [@metadata][helk_input_source] != "mitre_attack" { + clone { + clones => [ "clone" ] + add_field => { + "[cloned][agent][type]" => "%{[agent][type]}" + "[@metadata][cloned][etl_processed_time]" => "%{etl_processed_time}" + "[cloned][@timestamp]" => "%{@timestamp}" + "[cloned][message]" => "%{message}" + "[@metadata][helk_parsed]" => "no" + } + remove_field => [ + "@timestamp", + "[agent][type]", + "etl_pipeline", + "etl_processed_time", + "event_original_message", + "message", + "meta_log_tags", + "event_original_time" + ] + } + if [type] == "clone" { + # create a full fledge hash/clone + #TODO:good luck creating a full fledge clone without removing empheral agent ids and event.created and all sorts of other things + #fingerprint { + # concatenate_all_fields => true + # target => "[@metadata][clone][log_hash]" + # method => "SHA1" + # add_field => { + # "[cloned][log_hash]" => "%{[@metadata][log_hash]}" + # } + #} + mutate { + rename => { "type" => "[cloned][type]" } + } + # rewrite timestamp + date { + match => [ "[@metadata][cloned][etl_processed_time]", "ISO8601" ] + target => "@timestamp" + } + } + } + +} 
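Review bot: The nested `if [event_log] == "zeek"` inside the `# Not in schema yet` branch is unreachable, because the first branch `if [event_log] == "zeek"` already claims every zeek event regardless of `[@metadata][helk_parsed]`, so `indexme-zeek-*` will never be written and the `# Zeek temporary not in schema` comment is misleading. Either drop the nested block or qualify the first branch as `if [event_log] == "zeek" and [@metadata][helk_parsed] == "yes"` so unparsed zeek records fall through to it. Separately, `document_id` is commented out in the zeek and both indexme outputs while the syslog and the (removed) catch-all paths use `%{[@metadata][log_hash]}`, so a Kafka re-delivery or pipeline restart will index the same zeek record twice; if that is accepted for now, a comment saying why would stop the next reader from treating it as an oversight.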
diff --git a/docker/helk-logstash/pipeline/disabled/9997-clone-output.DISABLED b/docker/helk-logstash/pipeline/disabled/9997-clone-output.DISABLED new file mode 100644 index 00000000..9028f25b --- /dev/null +++ b/docker/helk-logstash/pipeline/disabled/9997-clone-output.DISABLED @@ -0,0 +1,11 @@ +output { + if [type] == "clone" { + elasticsearch { + hosts => ["helk-elasticsearch:9200"] + index => "original-logs-clone-%{+YYYY.ww}" + #document_id => "%{[@metadata][clone][log_hash]}" + user => 'elastic' + #password => 'elasticpassword' + } + } +} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/ruby/community-id.rb b/docker/helk-logstash/pipeline/ruby/community-id.rb index ffc1cdc0..ab90f003 100644 --- a/docker/helk-logstash/pipeline/ruby/community-id.rb +++ b/docker/helk-logstash/pipeline/ruby/community-id.rb @@ -1,3 +1,4 @@ +# Author: Derek Ditch (@dcode), Nate Guagenti (@neu5ron) require 'socket' require 'digest' require 'base64' @@ -91,7 +92,7 @@ def filter(event) end end - # Retreive the fields + # Retrieve the fields src_ip = event.get("#{@source_ip}") src_p = event.get("#{@source_port}").to_i dst_ip = event.get("#{@dest_ip}") diff --git a/docker/helk-logstash/pipeline/ruby/ip_clean_and_public.rb b/docker/helk-logstash/pipeline/ruby/ip_clean_and_public.rb index 28c7df87..8d7bd2eb 100644 --- a/docker/helk-logstash/pipeline/ruby/ip_clean_and_public.rb +++ b/docker/helk-logstash/pipeline/ruby/ip_clean_and_public.rb @@ -1,3 +1,4 @@ +# Author: Nate Guagenti (@neu5ron) require "set" require "ipaddr" IPv6Privatecidr = [ "fc00::/7", "fe80::/10", "ff00::/8", "2001:db8::/32", "2001:20::/28", "::1/128", "::/128", "100::/64", "64:ff9b::/96" ] 
@@ -6,11 +7,20 @@ def register(params) @parent_field = params["parent_field"] @orig_ip_address = params["ip"] + @orig_is_ipv6 = params["is_ipv6"] end def filter(event) ip_addresses = event.get(@orig_ip_address) + # Check if IPv6 determination is already made + ip_addresses_is_ipv6 = event.get(@orig_is_ipv6) + if ip_addresses_is_ipv6.nil? + ip_addresses_is_ipv6 = Array.new + else + ip_addresses_is_ipv6 = [ ip_addresses_is_ipv6 ] + end + ip_addresses_public = Array.new ip_addresses_type = Array.new ip_addresses_rfc = Array.new @@ -27,12 +37,12 @@ def filter(event) for ip_address in ip_addresses #### General Cleanup - # Remove qouted + # Remove quoted ip_address = ip_address.delete("'") ip_address = ip_address.delete("\"") # Remove ending "." ip_address = ip_address.chomp - # Remove preceeding "."# Don't ask.. reverse + chomp + reverse up to 16 times faster + # Remove preceding "."# Don't ask.. reverse + chomp + reverse up to 16 times faster ip_address = ip_address.reverse.chomp(".").reverse # Remove ending or beginning whitespace ip_address = ip_address.lstrip.rstrip @@ -44,7 +54,7 @@ def filter(event) # IPv4 ip_address_length = ip_address.length if !ip_address.include?(":") && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 - # Remove any preceeding zeroes in each octet + # Remove any preceding zeroes in each octet temp_ip = Array.new ip_address.split(".").each do |octet| octet = octet.to_i.to_s 
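Review bot: Seeding `ip_addresses_is_ipv6` with the pre-existing `event.get(@orig_is_ipv6)` value and then still pushing one `"true"`/`"false"` per address (in the `@@ -135` and `@@ -172` hunks) leaves that array one element longer than the parallel `ip_addresses_public`/`_type`/`_rfc` arrays, so in the multi-address case the value written by `event.set("#{@parent_field}_is_ipv6", ip_addresses_is_ipv6)` in the `@@ -215` hunk no longer lines up index-for-index with the other per-IP fields, and in the single-address case `[0]` returns the pre-set value rather than the one just computed for the cleaned address. Either drop the seeding and always compute, or remember that the value was pre-set and skip the pushes. Also, when a caller omits the `is_ipv6` script param (the dst-nat filter is not shown in this diff), `@orig_is_ipv6` is nil and `event.get(nil)` is handed a nil field reference, which I would expect to raise; `@orig_is_ipv6 = params.fetch("is_ipv6", nil)` plus an `unless @orig_is_ipv6.nil?` guard around the lookup avoids that. `filter(event)` continues past the end of this hunk.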
@@ -59,49 +69,49 @@ def filter(event) # Private/RFC1918 if ip_address.start_with?( "10.", "192.168." ) - ip_public = false + ip_public = "false" ip_type = "private" ip_rfc = "RFC_1918" # (Local)link-local RFC3927 elsif ip_address.start_with?( "169.254." ) - ip_public = false + ip_public = "false" ip_type = "local" ip_rfc = "RFC_3927" # Loopback RFC1122-3.2.1.3 elsif ip_address.start_with?( "127." ) - ip_public = false + ip_public = "false" ip_type = "loopback" ip_rfc = "RFC_1122-3.2.1.3" # RFC1700 elsif ip_address.start_with?("0.") - ip_public = false + ip_public = "false" ip_type = "reserved_as_a_source_address_only" ip_rfc = "RFC_1700" # IPv6 to IP4 anycast RFC3068 elsif ip_address.start_with?( "192.88.99." ) - ip_public = false + ip_public = "false" ip_type = "6to4" ip_rfc = "RFC_3068" # IPv6 to IP4 anycast RFC7535 elsif ip_address.start_with?( "192.31.196." ) - ip_public = false + ip_public = "false" ip_type = "as112-v4" ip_rfc = "RFC_3068" # IPv6 to IP4 anycast RFC7450, "Automatic Multicast Tunneling" elsif ip_address.start_with?( "192.52.193" ) - ip_public = false + ip_public = "false" ip_type = "amt" ip_rfc = "RFC_7450" # Reserved RFC6890, RFC1122-3.2.1.3, RFC2544, RFC5737 elsif ip_address.start_with?( "0.", "192.0.0.", "192.0.1.", "192.0.2.", "192.18.", "192.19.", "198.51.100.", "203.0.113." ) - ip_public = false + ip_public = "false" ip_type = "reserved" ip_rfc = [ "RFCRFC_19186890", "RFCRFC_19181122-3.2.1.3", "RFCRFC_19182544", "RFCRFC_19185737" ] @@ -109,11 +119,11 @@ def filter(event) elsif ip_address.start_with?( "172." ) # Check if 2nd octet is in range(between) 16 to 31 if ip_address.split(".")[1].to_i.between?(16,31) - ip_public = false + ip_public = "false" ip_type = "private" ip_rfc = "RFC_1918" else - ip_public = true + ip_public = "true" ip_type = "public" ip_rfc = "RFC_1366" end 
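Review bot: Changing `ip_public` from booleans to the strings `"false"`/`"true"` changes the type of every `*_ip_public` field this script emits; if the Elasticsearch index templates map those fields as `boolean` (not visible here), new indices will still accept the strings by coercion, but any Logstash conditional or saved search elsewhere that compares against a real `true` stops matching, so the templates and those consumers should be checked together with the `== 'true'` comparisons added in 8115. Two context lines in this hunk also carry visible data errors: the `192.31.196.` block is commented as RFC7535 but stores `ip_rfc = "RFC_3068"`, and the reserved block stores `[ "RFCRFC_19186890", "RFCRFC_19181122-3.2.1.3", "RFCRFC_19182544", "RFCRFC_19185737" ]`, which looks like a stray find-and-replace of `RFC_1918` into the names; `[ "RFC_6890", "RFC_1122-3.2.1.3", "RFC_2544", "RFC_5737" ]` matches the comment above it. `filter(event)` starts and ends outside this hunk.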
@@ -122,11 +132,11 @@ def filter(event) elsif ip_address.start_with?( "100." ) # Check if 2nd octet is in range(between) 64 to 127 if ip_address.split(".")[1].to_i.between?(64,127) - ip_public = false + ip_public = "false" ip_type = "private" ip_rfc = "RFC_1918" else - ip_public = true + ip_public = "true" ip_type = "public" ip_rfc = "RFC_1366" end @@ -135,31 +145,32 @@ def filter(event) elsif ip_address.start_with?( "2" ) # Broadcast if ip_address == "255.255.255.255" - ip_public = false + ip_public = "false" ip_type = "broadcast" ip_rfc = "RFC_8190" # Multicast # Check if 1st octet is in range(between) 224 to 255 elsif ip_address.split(".")[0].to_i.between?(224,255) - ip_public = false + ip_public = "false" ip_type = "multicast" ip_rfc = "RFC_1112" else - ip_public = true + ip_public = "true" ip_type = "public" ip_rfc = "RFC_1366" end # RFC1366, Public/Routable else - ip_public = true + ip_public = "true" ip_type = "public" ip_rfc = "RFC_1366" end # set parameters clean_ip_addresses.push(ip_address) version_ip_addresses.push("4") + ip_addresses_is_ipv6.push("false") ip_addresses_public.push(ip_public) ip_addresses_type.push(ip_type) ip_addresses_rfc.push(ip_rfc) @@ -172,20 +183,26 @@ def filter(event) begin ip_address_check = IPAddr.new(ip_address) # Public IP Check - ip_public = true + ip_public = "true" temp_ip_check = "zDamTyILGeKD4H0.IbPK6g" IPv6Privatecidr.each do |i_p| cidr = IPAddr.new(i_p) if cidr.include?(ip_address_check) - ip_public = false + ip_public = "false" end end # set parameters #TODO:eventually set to real type(rfc description) and real rfc (rfc code) - ip_type = "n/a" - ip_rfc = "n/a" + if ip_address == "::1" + ip_type = "loopback" + ip_rfc = "RFC_4291" + else + ip_type = "n/a" + ip_rfc = "n/a" + end clean_ip_addresses.push(ip_address) version_ip_addresses.push("6") + ip_addresses_is_ipv6.push("true") ip_addresses_public.push(ip_public) ip_addresses_type.push(ip_type) ip_addresses_rfc.push(ip_rfc) 
@@ -207,6 +224,7 @@ def filter(event)
 # Use to make array versus non array
 if number_of_ip_addresses == 1
 event.set("#{@parent_field}_ip_version", version_ip_addresses[0])
+ event.set("#{@parent_field}_is_ipv6", ip_addresses_is_ipv6[0])
 event.set("#{@parent_field}_ip_public", ip_addresses_public[0])
 event.set("#{@parent_field}_ip_type", ip_addresses_type[0])
 event.set("#{@parent_field}_ip_rfc", ip_addresses_rfc[0])
@@ -215,6 +233,7 @@ def filter(event)
 else
 event.set("#{@parent_field}_ip_version", version_ip_addresses)
+ event.set("#{@parent_field}_is_ipv6", ip_addresses_is_ipv6)
 event.set("#{@parent_field}_ip_public", ip_addresses_public)
 event.set("#{@parent_field}_ip_type", ip_addresses_type)
 event.set("#{@parent_field}_ip_rfc", ip_addresses_rfc)
diff --git a/docker/helk-logstash/plugins/Gemfile b/docker/helk-logstash/plugins/Gemfile
index 0156fa78..4d2bb02f 100644
--- a/docker/helk-logstash/plugins/Gemfile
+++ b/docker/helk-logstash/plugins/Gemfile
@@ -6,7 +6,7 @@ gem "logstash-core", :path => "./logstash-core"
 gem "logstash-core-plugin-api", :path => "./logstash-core-plugin-api"
 gem "atomic", "~> 1"
 gem "builder", "~> 3"
-gem "json", "~> 1.8.3"
+gem "json", "~> 1"
 gem "paquet", "~> 0.2"
 gem "pleaserun", "~>0.0.28"
 gem "rake", "~> 12"
@@ -58,8 +58,6 @@ gem "logstash-filter-fingerprint"
 gem "logstash-filter-geoip"
 gem "logstash-filter-grok"
 gem "logstash-filter-http"
-gem "logstash-filter-jdbc_static"
-gem "logstash-filter-jdbc_streaming"
 gem "logstash-filter-json"
 gem "logstash-filter-kv"
 gem "logstash-filter-memcached"
@@ -87,7 +85,6 @@ gem "logstash-input-generator"
 gem "logstash-input-heartbeat"
 gem "logstash-input-http"
 gem "logstash-input-http_poller"
-gem "logstash-input-jdbc"
 gem "logstash-input-jms"
 gem "logstash-input-pipe"
 gem "logstash-input-redis"
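Review bot: `gem "json", "~> 1"` in the Gemfile's `@@ -6,7 +6,7 @@` hunk relaxes the constraint from `~> 1.8.3` (any 1.8.x patch release) to any 1.x release, and because the same commit deletes `Gemfile.lock` and the README's copy step no longer carries it, the json version Bundler resolves at image build time is no longer pinned anywhere and can differ from one build to the next. If dropping the lock file is intended, a narrower constraint such as `gem "json", "~> 1.8"` keeps the resolved version close to what was tested, or the resolved gem set should be recorded in the `logstash-plugin-information.txt` file the README points to so a build can be reproduced. The same lack of pinning applies to the plugin gems added in the `@@ -129,3 +127,10 @@` hunk, though that matches how the existing plugin lines are written.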
@@ -100,6 +97,7 @@ gem "logstash-input-syslog"
 gem "logstash-input-tcp"
 gem "logstash-input-udp"
 gem "logstash-input-unix"
+gem "logstash-integration-jdbc"
 gem "logstash-integration-kafka"
 gem "logstash-integration-rabbitmq"
 gem "logstash-output-csv"
@@ -129,3 +127,10 @@ gem "logstash-filter-metricize"
 gem "logstash-input-lumberjack"
 gem "logstash-input-wmi"
 gem "logstash-output-syslog"
+gem "logstash-input-cloudwatch"
+gem "logstash-input-google_cloud_storage"
+gem "logstash-input-google_pubsub"
+gem "logstash-input-s3-sns-sqs"
+gem "logstash-output-google_bigquery"
+gem "logstash-output-google_cloud_storage"
+gem "logstash-output-google_pubsub"
diff --git a/docker/helk-logstash/plugins/Gemfile.lock b/docker/helk-logstash/plugins/Gemfile.lock
deleted file mode 100644
index 683111f9..00000000
--- a/docker/helk-logstash/plugins/Gemfile.lock
+++ /dev/null
@@ -1,747 +0,0 @@ -PATH - remote: logstash-core-plugin-api - specs: - logstash-core-plugin-api (2.1.16-java) - logstash-core (= 7.5.2) - -PATH - remote: logstash-core - specs: - logstash-core (7.5.2-java) - chronic_duration (~> 0.10) - clamp (~> 0.6) - concurrent-ruby (~> 1) - elasticsearch (~> 5) - filesize (~> 0.2) - gems (~> 1) - i18n (~> 1) - jrjackson (= 0.4.11) - jruby-openssl (~> 0.10) - manticore (~> 0.6) - minitar (~> 0.8) - pry (~> 0.12) - puma (3.12.2) - rack (~> 1, >= 1.6.11) - rubyzip (~> 1) - sinatra (~> 1, >= 1.4.6) - stud (~> 0.0.19) - thread_safe (~> 0.3.6) - treetop (~> 1) - -GEM - remote: https://rubygems.org/ - specs: - addressable (2.7.0) - public_suffix (>= 2.0.2, < 5.0) - arr-pm (0.0.10) - cabin (> 0) - atomic (1.1.101-java) - avl_tree (1.2.1) - atomic (~> 1.1) - avro (1.9.1) - multi_json - awesome_print (1.7.0) - aws-eventstream (1.0.3) - aws-sdk (2.11.434) - aws-sdk-resources (= 2.11.434) - aws-sdk-core (2.11.434) - aws-sigv4 (~> 1.0) - jmespath (~> 1.0) - aws-sdk-resources (2.11.434) - aws-sdk-core (= 2.11.434) - aws-sdk-v1 (1.67.0) - json (~> 1.4) - nokogiri (~> 1) - aws-sigv4 (1.1.0) - aws-eventstream (~> 1.0, >= 1.0.2) - back_pressure (1.0.0) - backports (3.15.0) - belzebuth (0.2.3) - childprocess - benchmark-ips (2.7.2) - bindata (2.4.4) - builder (3.2.4) - cabin (0.9.0) - childprocess (0.9.0) - ffi (~> 1.0, >= 1.0.11) - chronic_duration (0.10.6) - numerizer (~> 0.1.1) - ci_reporter (2.0.0) - builder (>= 2.1.2) - ci_reporter_rspec (1.0.0) - ci_reporter (~> 2.0) - rspec (>= 2.14, < 4) - clamp (0.6.5) - coderay (1.1.2) - concurrent-ruby (1.1.5) - crack (0.4.3) - safe_yaml (~> 1.0.0) - dalli (2.7.10) - diff-lcs (1.3) - dotenv (2.7.5) - edn (1.1.1) - elasticsearch (5.0.5) - elasticsearch-api (= 5.0.5) - elasticsearch-transport (= 5.0.5) - elasticsearch-api (5.0.5) - multi_json - elasticsearch-transport (5.0.5) - faraday - multi_json - faraday (0.15.4) - multipart-post (>= 1.2, < 3) - ffi (1.12.1-java) - filesize (0.2.0) - fivemat (1.3.7) - 
flores (0.0.7) - fpm (1.3.3) - arr-pm (~> 0.0.9) - backports (>= 2.6.2) - cabin (>= 0.6.0) - childprocess - clamp (~> 0.6) - ffi - json (>= 1.7.7) - gem_publisher (1.5.0) - gems (1.2.0) - gene_pool (1.5.0) - concurrent-ruby (>= 1.0) - google-protobuf (3.5.0.pre-java) - hashdiff (1.0.0) - hitimes (1.3.1-java) - i18n (1.8.2) - concurrent-ruby (~> 1.0) - insist (1.0.0) - jar-dependencies (0.4.0) - jls-grok (0.11.5) - cabin (>= 0.6.0) - jls-lumberjack (0.0.26) - concurrent-ruby - jmespath (1.4.0) - jrjackson (0.4.11-java) - jruby-jms (1.3.0-java) - gene_pool - semantic_logger - jruby-openssl (0.10.2-java) - jruby-stdin-channel (0.2.0-java) - jruby-win32ole (0.8.5) - json (1.8.6-java) - json-schema (2.8.1) - addressable (>= 2.4) - kramdown (1.14.0) - logstash-codec-avro (3.2.3-java) - avro - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-cef (6.1.0-java) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-collectd (3.0.8) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-dots (3.0.6) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-edn (3.0.6) - edn - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-edn_lines (3.0.6) - edn - logstash-codec-line - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-es_bulk (3.0.8) - logstash-codec-line - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-fluent (3.3.0-java) - logstash-core-plugin-api (>= 1.60, <= 2.99) - msgpack (~> 1.1) - logstash-codec-gzip_lines (3.0.4) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-json (3.0.5) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-json_lines (3.0.6) - logstash-codec-line (>= 2.1.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-line (3.0.8) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-msgpack (3.0.7-java) - logstash-core-plugin-api (>= 1.60, <= 2.99) - msgpack (~> 1.1) - logstash-codec-multiline (3.0.10) - jls-grok (~> 
0.11.1) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-patterns-core - logstash-codec-netflow (4.2.1) - bindata (>= 1.5.0) - logstash-core-plugin-api (~> 2.0) - logstash-codec-nmap (0.0.21) - logstash-core-plugin-api (>= 1.60, <= 2.99) - ruby-nmap (~> 0.8.0) - logstash-codec-plain (3.0.6) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-protobuf (1.2.2) - google-protobuf (= 3.5.0.pre) - logstash-core-plugin-api (>= 1.60, <= 2.99) - ruby-protocol-buffers - logstash-codec-rubydebug (3.0.6) - awesome_print (= 1.7.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-devutils (1.3.6-java) - fivemat - gem_publisher - insist (= 1.0.0) - kramdown (= 1.14.0) - logstash-core-plugin-api (>= 2.0, <= 2.99) - minitar - rake - rspec (~> 3.0) - rspec-wait - stud (>= 0.0.20) - logstash-filter-aggregate (2.9.1) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-alter (3.0.3) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-anonymize (3.0.6) - logstash-core-plugin-api (>= 1.60, <= 2.99) - murmurhash3 - logstash-filter-bytes (1.0.2) - logstash-core-plugin-api (~> 2.0) - logstash-filter-cidr (3.1.3-java) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-cipher (4.0.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-clone (4.0.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-csv (3.0.10) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-date (3.1.9) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-de_dot (1.0.4) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-dissect (1.2.0) - jar-dependencies - logstash-core-plugin-api (>= 2.1.1, <= 2.99) - logstash-filter-dns (3.1.3) - logstash-core-plugin-api (>= 1.60, <= 2.99) - lru_redux (~> 1.1.0) - logstash-filter-drop (3.0.5) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-elasticsearch (3.7.0) - elasticsearch (>= 5.0.3) - logstash-core-plugin-api (>= 1.60, <= 2.99) - manticore 
(~> 0.6) - logstash-filter-fingerprint (3.2.1) - logstash-core-plugin-api (>= 1.60, <= 2.99) - murmurhash3 - logstash-filter-geoip (6.0.3-java) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-grok (4.2.0) - jls-grok (~> 0.11.3) - logstash-core (>= 5.6.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-patterns-core - stud (~> 0.0.22) - logstash-filter-http (1.0.2) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-mixin-http_client (>= 5.0.0, < 9.0.0) - logstash-filter-i18n (3.0.3-java) - i18n (>= 0.6.6) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-jdbc_static (1.1.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - rufus-scheduler (< 3.5) - sequel - tzinfo - tzinfo-data - logstash-filter-jdbc_streaming (1.0.10) - logstash-core-plugin-api (>= 1.60, <= 2.99) - lru_redux - sequel - logstash-filter-json (3.1.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-json_encode (3.0.3-java) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-kv (4.4.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-memcached (1.0.1) - dalli (~> 2.7) - logstash-core-plugin-api (~> 2.0) - logstash-filter-metricize (3.0.3-java) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-metrics (4.0.6) - logstash-core-plugin-api (>= 1.60, <= 2.99) - metriks - thread_safe - logstash-filter-mutate (3.5.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-prune (3.0.4) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-ruby (3.1.5) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-sleep (3.0.6) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-split (3.1.8) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-syslog_pri (3.0.5) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-throttle (4.0.4) - atomic - logstash-core-plugin-api (>= 1.60, <= 2.99) - thread_safe - logstash-filter-translate (3.2.3) - logstash-core-plugin-api 
(>= 1.60, <= 2.99) - rufus-scheduler - logstash-filter-truncate (1.0.4) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-urldecode (3.0.6) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-useragent (3.2.4-java) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-uuid (3.0.5) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-xml (4.0.7) - logstash-core-plugin-api (>= 1.60, <= 2.99) - nokogiri - xml-simple - logstash-input-azure_event_hubs (1.1.2) - logstash-codec-json - logstash-codec-plain - logstash-core-plugin-api (~> 2.0) - stud (>= 0.0.22) - logstash-input-beats (6.0.5-java) - concurrent-ruby (~> 1.0) - jar-dependencies (~> 0.3, >= 0.3.4) - logstash-codec-multiline (>= 2.0.5) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - thread_safe (~> 0.3.5) - logstash-input-dead_letter_queue (1.1.5) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-input-elasticsearch (4.5.0) - elasticsearch (>= 5.0.3) - faraday (~> 0.15.4) - logstash-codec-json - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - manticore (~> 0.6) - rufus-scheduler - sequel - tzinfo - tzinfo-data - logstash-input-exec (3.3.3) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - rufus-scheduler - stud (~> 0.0.22) - logstash-input-file (4.1.13) - addressable - logstash-codec-multiline (~> 3.0) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-input-generator (3.0.6) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-input-heartbeat (3.0.7) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - stud - logstash-input-http (3.3.2-java) - jar-dependencies (~> 0.3, >= 0.3.4) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-input-http_poller (5.0.1) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-mixin-http_client (~> 7) - 
rufus-scheduler (~> 3.0.9) - stud (~> 0.0.22) - logstash-input-jdbc (4.3.19) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - rufus-scheduler - sequel - tzinfo - tzinfo-data - logstash-input-jms (3.1.2-java) - jruby-jms (>= 1.2.0) - logstash-codec-json (~> 3.0) - logstash-codec-plain (~> 3.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - semantic_logger (< 4.0.0) - logstash-input-lumberjack (3.1.6) - concurrent-ruby - jls-lumberjack (~> 0.0.26) - logstash-codec-multiline (~> 3.0) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-input-pipe (3.0.7) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - stud (~> 0.0.22) - logstash-input-redis (3.5.0) - logstash-codec-json - logstash-core-plugin-api (>= 1.60, <= 2.99) - redis (~> 4) - logstash-input-s3 (3.4.1) - logstash-core-plugin-api (>= 2.1.12, <= 2.99) - logstash-mixin-aws (>= 4.3.0) - stud (~> 0.0.18) - logstash-input-snmp (1.2.1) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - stud (>= 0.0.22, < 0.1.0) - logstash-input-snmptrap (3.0.6) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - snmp - logstash-input-sqs (3.1.2) - logstash-codec-json - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-mixin-aws (>= 4.3.0) - logstash-input-stdin (3.2.6) - concurrent-ruby - jruby-stdin-channel - logstash-codec-line - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-input-syslog (3.4.1) - concurrent-ruby - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-date - logstash-filter-grok - stud (>= 0.0.22, < 0.1.0) - thread_safe - logstash-input-tcp (6.0.3-java) - logstash-codec-json - logstash-codec-json_lines - logstash-codec-line - logstash-codec-multiline - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-input-udp (3.3.4) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - stud (~> 0.0.22) - logstash-input-unix (3.0.7) - 
logstash-codec-line - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-input-wmi (3.0.4-java) - jruby-win32ole - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-integration-kafka (10.0.0-java) - logstash-codec-json - logstash-codec-plain - logstash-core (>= 6.5.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - stud (>= 0.0.22, < 0.1.0) - logstash-integration-rabbitmq (7.0.2-java) - back_pressure (~> 1.0) - logstash-codec-json - logstash-core (>= 6.5.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - march_hare (~> 4.0) - stud (~> 0.0.22) - logstash-mixin-aws (4.3.0) - aws-sdk (~> 2) - aws-sdk-v1 (>= 1.61.0) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-mixin-http_client (7.0.0) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - manticore (>= 0.5.2, < 1.0.0) - logstash-output-csv (3.0.8) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-json - logstash-input-generator - logstash-output-file - logstash-output-elastic_app_search (1.0.0) - logstash-codec-plain - logstash-core-plugin-api (~> 2.0) - logstash-output-elasticsearch (10.3.1-java) - cabin (~> 0.6) - logstash-core-plugin-api (>= 1.60, <= 2.99) - manticore (>= 0.5.4, < 1.0.0) - stud (~> 0.0, >= 0.0.17) - logstash-output-email (4.1.1) - logstash-core-plugin-api (>= 1.60, <= 2.99) - mail (~> 2.6.3) - mime-types (< 3) - mustache (>= 0.99.8) - logstash-output-file (4.2.6) - logstash-codec-json_lines - logstash-codec-line - logstash-core-plugin-api (>= 2.0.0, < 2.99) - logstash-output-http (5.2.4) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-mixin-http_client (>= 6.0.0, < 8.0.0) - logstash-output-lumberjack (3.1.7) - jls-lumberjack (>= 0.0.26) - logstash-core-plugin-api (>= 1.60, <= 2.99) - stud - logstash-output-null (3.0.5) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-output-pipe (3.0.6) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-output-redis (5.0.0) 
- logstash-core-plugin-api (>= 1.60, <= 2.99) - redis (~> 4) - stud - logstash-output-s3 (4.2.0) - concurrent-ruby - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-mixin-aws (>= 4.3.0) - stud (~> 0.0.22) - logstash-output-sns (4.0.7) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-mixin-aws (>= 1.0.0) - logstash-output-sqs (6.0.0) - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-mixin-aws (>= 4.3.0) - logstash-output-stdout (3.1.4) - logstash-codec-rubydebug - logstash-core-plugin-api (>= 1.60.1, < 2.99) - logstash-output-syslog (3.0.5) - logstash-codec-plain - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-output-tcp (6.0.0) - logstash-codec-json - logstash-core-plugin-api (>= 1.60, <= 2.99) - stud - logstash-output-udp (3.1.0) - logstash-codec-json - logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-patterns-core (4.1.2) - logstash-core-plugin-api (>= 1.60, <= 2.99) - lru_redux (1.1.0) - mail (2.6.6) - mime-types (>= 1.16, < 4) - manticore (0.6.4-java) - openssl_pkcs8_pure - march_hare (4.1.1-java) - method_source (0.9.2) - metriks (0.9.9.8) - atomic (~> 1.0) - avl_tree (~> 1.2.0) - hitimes (~> 1.1) - mime-types (2.99.3) - minitar (0.9) - msgpack (1.3.1-java) - multi_json (1.14.1) - multipart-post (2.1.1) - murmurhash3 (0.1.6-java) - mustache (0.99.8) - nokogiri (1.10.7-java) - numerizer (0.1.1) - octokit (4.14.0) - sawyer (~> 0.8.0, >= 0.5.3) - openssl_pkcs8_pure (0.0.0.2) - paquet (0.2.1) - pleaserun (0.0.30) - cabin (> 0) - clamp - dotenv - insist - mustache (= 0.99.8) - stud - polyglot (0.3.5) - pry (0.12.2-java) - coderay (~> 1.1.0) - method_source (~> 0.9.0) - spoon (~> 0.0) - public_suffix (4.0.3) - puma (3.12.2) - rack (1.6.12) - rack-protection (1.5.5) - rack - rack-test (1.1.0) - rack (>= 1.0, < 3) - rake (12.3.3) - redis (4.1.3) - rprogram (0.3.2) - rspec (3.9.0) - rspec-core (~> 3.9.0) - rspec-expectations (~> 3.9.0) - rspec-mocks (~> 3.9.0) - rspec-core (3.9.1) - rspec-support (~> 3.9.1) - rspec-expectations 
(3.9.0) - diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.9.0) - rspec-mocks (3.9.1) - diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.9.0) - rspec-support (3.9.2) - rspec-wait (0.0.9) - rspec (>= 3, < 4) - ruby-nmap (0.8.0) - nokogiri (~> 1.3) - rprogram (~> 0.3) - ruby-progressbar (1.10.1) - ruby-protocol-buffers (1.6.1) - rubyzip (1.3.0) - rufus-scheduler (3.0.9) - tzinfo - safe_yaml (1.0.5) - sawyer (0.8.2) - addressable (>= 2.3.5) - faraday (> 0.8, < 2.0) - semantic_logger (3.4.1) - concurrent-ruby (~> 1.0) - sequel (5.28.0) - sinatra (1.4.8) - rack (~> 1.5) - rack-protection (~> 1.4) - tilt (>= 1.3, < 3) - snmp (1.3.2) - spoon (0.0.6) - ffi - stud (0.0.23) - thread_safe (0.3.6-java) - tilt (2.0.10) - treetop (1.6.10) - polyglot (~> 0.3) - tzinfo (2.0.1) - concurrent-ruby (~> 1.0) - tzinfo-data (1.2019.3) - tzinfo (>= 1.0.0) - webmock (3.7.6) - addressable (>= 2.3.6) - crack (>= 0.3.2) - hashdiff (>= 0.4.0, < 2.0.0) - xml-simple (1.1.5) - -PLATFORMS - java - -DEPENDENCIES - atomic (~> 1) - belzebuth - benchmark-ips - builder (~> 3) - childprocess (~> 0.9) - ci_reporter_rspec (~> 1) - flores (~> 0.0.6) - fpm (~> 1.3.3) - gems (~> 1) - json (~> 1.8.3) - json-schema (~> 2) - logstash-codec-avro - logstash-codec-cef - logstash-codec-collectd - logstash-codec-dots - logstash-codec-edn - logstash-codec-edn_lines - logstash-codec-es_bulk - logstash-codec-fluent - logstash-codec-gzip_lines - logstash-codec-json - logstash-codec-json_lines - logstash-codec-line - logstash-codec-msgpack - logstash-codec-multiline - logstash-codec-netflow - logstash-codec-nmap - logstash-codec-plain - logstash-codec-protobuf - logstash-codec-rubydebug - logstash-core! - logstash-core-plugin-api! 
- logstash-devutils (~> 1) - logstash-filter-aggregate - logstash-filter-alter - logstash-filter-anonymize - logstash-filter-bytes - logstash-filter-cidr - logstash-filter-cipher - logstash-filter-clone - logstash-filter-csv - logstash-filter-date - logstash-filter-de_dot - logstash-filter-dissect - logstash-filter-dns - logstash-filter-drop - logstash-filter-elasticsearch - logstash-filter-fingerprint - logstash-filter-geoip - logstash-filter-grok - logstash-filter-http - logstash-filter-i18n - logstash-filter-jdbc_static - logstash-filter-jdbc_streaming - logstash-filter-json - logstash-filter-json_encode - logstash-filter-kv - logstash-filter-memcached - logstash-filter-metricize - logstash-filter-metrics - logstash-filter-mutate - logstash-filter-prune - logstash-filter-ruby - logstash-filter-sleep - logstash-filter-split - logstash-filter-syslog_pri - logstash-filter-throttle - logstash-filter-translate - logstash-filter-truncate - logstash-filter-urldecode - logstash-filter-useragent - logstash-filter-uuid - logstash-filter-xml - logstash-input-azure_event_hubs - logstash-input-beats - logstash-input-dead_letter_queue - logstash-input-elasticsearch - logstash-input-exec - logstash-input-file - logstash-input-generator - logstash-input-heartbeat - logstash-input-http - logstash-input-http_poller - logstash-input-jdbc - logstash-input-jms - logstash-input-lumberjack - logstash-input-pipe - logstash-input-redis - logstash-input-s3 - logstash-input-snmp - logstash-input-snmptrap - logstash-input-sqs - logstash-input-stdin - logstash-input-syslog - logstash-input-tcp - logstash-input-udp - logstash-input-unix - logstash-input-wmi - logstash-integration-kafka - logstash-integration-rabbitmq - logstash-output-csv - logstash-output-elastic_app_search - logstash-output-elasticsearch - logstash-output-email - logstash-output-file - logstash-output-http - logstash-output-lumberjack - logstash-output-null - logstash-output-pipe - logstash-output-redis - 
logstash-output-s3 - logstash-output-sns - logstash-output-sqs - logstash-output-stdout - logstash-output-syslog - logstash-output-tcp - logstash-output-udp - octokit (~> 4) - paquet (~> 0.2) - pleaserun (~> 0.0.28) - rack-test - rake (~> 12) - rspec (~> 3.5) - ruby-progressbar (~> 1) - rubyzip (~> 1) - stud (~> 0.0.22) - webmock (~> 3) - -BUNDLED WITH - 1.17.3 diff --git a/docker/helk-logstash/plugins/README.md b/docker/helk-logstash/plugins/README.md index 55d61f19..96ec6121 100644 --- a/docker/helk-logstash/plugins/README.md +++ b/docker/helk-logstash/plugins/README.md 
@@ -1,99 +1,114 @@ # Follow these steps to get the latest plugins for HELK install scripts and to document them. -**Make sure to use a standalone version of logstash aka the zip/tar.gz version.** - -1. Update existing plugins +1. + Download the zip file of logstash: https://www.elastic.co/downloads/logstash +1. Unzip the logstash download and then change into directory. Make sure to change the variable `Logstash_Version=` to the file name that was downloaded ```bash - ./bin/logstash-plugin update + Logstash_Version='logstash-7.6.2' + unzip $Logstash_Version + mv $Logstash_Version logstash-binary + cd logstash-binary ``` -1. Using the standalone version of logstash, change into its directory +1. Update existing plugins ```bash - cd logstash-standalone/ + ./bin/logstash-plugin update ``` 1. Remove some unnecessary plugins ```bash - ./bin/logstash-plugin remove logstash-input-couchdb_changes && - ./bin/logstash-plugin remove logstash-input-gelf && - ./bin/logstash-plugin remove logstash-input-ganglia && - ./bin/logstash-plugin remove logstash-input-graphite && - ./bin/logstash-plugin remove logstash-input-imap && - ./bin/logstash-plugin remove logstash-input-twitter && - ./bin/logstash-plugin remove logstash-output-cloudwatch && - ./bin/logstash-plugin remove logstash-output-graphite && - ./bin/logstash-plugin remove logstash-output-nagios && - ./bin/logstash-plugin remove logstash-output-webhdfs && - ./bin/logstash-plugin remove logstash-codec-graphite + ./bin/logstash-plugin remove logstash-input-couchdb_changes; + ./bin/logstash-plugin remove logstash-input-gelf; + ./bin/logstash-plugin remove logstash-input-ganglia; + ./bin/logstash-plugin remove logstash-input-graphite; + ./bin/logstash-plugin remove logstash-input-imap; + ./bin/logstash-plugin remove logstash-input-twitter; + ./bin/logstash-plugin remove logstash-output-graphite; + ./bin/logstash-plugin remove logstash-output-nagios; + ./bin/logstash-plugin remove logstash-output-webhdfs; + ./bin/logstash-plugin 
remove logstash-codec-graphite; ``` 1. Install the logstash codec plugins ```bash - ./bin/logstash-plugin install logstash-codec-avro && - ./bin/logstash-plugin install logstash-codec-es_bulk && - ./bin/logstash-plugin install logstash-codec-cef && - ./bin/logstash-plugin install logstash-codec-gzip_lines && - ./bin/logstash-plugin install logstash-codec-json && - ./bin/logstash-plugin install logstash-codec-json_lines && - ./bin/logstash-plugin install logstash-codec-netflow && - ./bin/logstash-plugin install logstash-codec-nmap && - ./bin/logstash-plugin install logstash-codec-protobuf + ./bin/logstash-plugin install \ + logstash-codec-avro \ + logstash-codec-es_bulk \ + logstash-codec-cef \ + logstash-codec-gzip_lines \ + logstash-codec-json \ + logstash-codec-json_lines \ + logstash-codec-netflow \ + logstash-codec-nmap \ + logstash-codec-protobuf ``` 1. Install the logstash filter plugins ```bash - ./bin/logstash-plugin install logstash-filter-alter && - ./bin/logstash-plugin install logstash-filter-bytes && - ./bin/logstash-plugin install logstash-filter-cidr && - ./bin/logstash-plugin install logstash-filter-cipher && - ./bin/logstash-plugin install logstash-filter-clone && - ./bin/logstash-plugin install logstash-filter-csv && - ./bin/logstash-plugin install logstash-filter-de_dot && - ./bin/logstash-plugin install logstash-filter-dissect && - ./bin/logstash-plugin install logstash-filter-dns && - ./bin/logstash-plugin install logstash-filter-elasticsearch && - ./bin/logstash-plugin install logstash-filter-fingerprint && - ./bin/logstash-plugin install logstash-filter-geoip && - ./bin/logstash-plugin install logstash-filter-i18n && - ./bin/logstash-plugin install logstash-filter-jdbc_static && - ./bin/logstash-plugin install logstash-filter-jdbc_streaming && - ./bin/logstash-plugin install logstash-filter-json && - ./bin/logstash-plugin install logstash-filter-json_encode && - ./bin/logstash-plugin install logstash-filter-kv && - ./bin/logstash-plugin 
install logstash-filter-memcached && - ./bin/logstash-plugin install logstash-filter-metricize && - ./bin/logstash-plugin install logstash-filter-prune && - ./bin/logstash-plugin install logstash-filter-translate && - ./bin/logstash-plugin install logstash-filter-urldecode && - ./bin/logstash-plugin install logstash-filter-useragent && - ./bin/logstash-plugin install logstash-filter-xml - ``` + ./bin/logstash-plugin install \ + logstash-filter-alter \ + logstash-filter-bytes \ + logstash-filter-cidr \ + logstash-filter-cipher \ + logstash-filter-clone \ + logstash-filter-csv \ + logstash-filter-de_dot \ + logstash-filter-dissect \ + logstash-filter-dns \ + logstash-filter-elasticsearch \ + logstash-filter-fingerprint \ + logstash-filter-geoip \ + logstash-filter-i18n \ + logstash-filter-json \ + logstash-filter-json_encode \ + logstash-filter-kv \ + logstash-filter-memcached \ + logstash-filter-metricize \ + logstash-filter-prune \ + logstash-filter-translate \ + logstash-filter-urldecode \ + logstash-filter-useragent \ + logstash-filter-xml 1. Install the logstash integration plugins ```bash - ./bin/logstash-plugin install logstash-integration-kafka && - ./bin/logstash-plugin install logstash-integration-rabbitmq + ./bin/logstash-plugin install \ + logstash-integration-kafka \ + logstash-integration-rabbitmq \ + logstash-integration-jdbc ``` 1. 
Install the logstash input plugins ```bash - ./bin/logstash-plugin install logstash-input-beats && - ./bin/logstash-plugin install logstash-input-elasticsearch && - ./bin/logstash-plugin install logstash-input-file && - ./bin/logstash-plugin install logstash-input-jdbc && - ./bin/logstash-plugin install logstash-input-lumberjack && - ./bin/logstash-plugin install logstash-input-snmp && - ./bin/logstash-plugin install logstash-input-snmptrap && - ./bin/logstash-plugin install logstash-input-syslog && - ./bin/logstash-plugin install logstash-input-tcp && - ./bin/logstash-plugin install logstash-input-udp && - ./bin/logstash-plugin install logstash-input-wmi + ./bin/logstash-plugin install \ + logstash-input-azure_event_hubs \ + logstash-input-beats \ + logstash-input-cloudwatch \ + logstash-input-elasticsearch \ + logstash-input-file \ + logstash-input-lumberjack \ + logstash-input-google_cloud_storage \ + logstash-input-google_pubsub \ + logstash-input-s3-sns-sqs \ + logstash-input-snmp \ + logstash-input-snmptrap \ + logstash-input-syslog \ + logstash-input-tcp \ + logstash-input-udp \ + logstash-input-wmi ``` 1. 
Install the logstash output plugins ```bash - ./bin/logstash-plugin install logstash-output-csv && - ./bin/logstash-plugin install logstash-output-elasticsearch && - ./bin/logstash-plugin install logstash-output-email && - ./bin/logstash-plugin install logstash-output-lumberjack && - ./bin/logstash-plugin install logstash-output-nagios && - ./bin/logstash-plugin install logstash-output-stdout && - ./bin/logstash-plugin install logstash-output-syslog && - ./bin/logstash-plugin install logstash-output-tcp && - ./bin/logstash-plugin install logstash-output-udp + ./bin/logstash-plugin install \ + logstash-output-cloudwatch \ + logstash-output-csv \ + logstash-output-elasticsearch \ + logstash-output-email \ + logstash-output-google_bigquery \ + logstash-output-google_cloud_storage \ + logstash-output-google_pubsub \ + logstash-output-lumberjack \ + logstash-output-nagios \ + logstash-output-s3 \ + logstash-output-sns \ + logstash-output-stdout \ + logstash-output-syslog \ + logstash-output-tcp \ + logstash-output-udp ``` 1. Update the plugins... again... ```bash @@ -113,7 +128,7 @@ ./bin/logstash-plugin remove logstash-output-nagios 2> /dev/null; ./bin/logstash-plugin remove logstash-output-webhdfs 2> /dev/null ``` -1. List the plugins and corresponding versions, then add the output to [logstash-plugin-information.yml](logstash-plugin-information.yml) +1. List the plugins and corresponding versions, then add the output to [logstash-plugin-information.yml](logstash-plugin-information.txt) ```bash ./bin/logstash-plugin list --verbose 
@@ -121,14 +136,16 @@ 1. Package the plugins ```bash ./bin/logstash-plugin prepare-offline-pack --output helk-offline-logstash-codec_and_filter_plugins.zip --overwrite logstash-codec-* logstash-filter-* && - ./bin/logstash-plugin prepare-offline-pack --output helk-offline-logstash-input_and_output-plugins.zip --overwrite logstash-input-* logstash-output-* + ./bin/logstash-plugin prepare-offline-pack --output helk-offline-logstash-input-plugins.zip --overwrite logstash-input-* && + ./bin/logstash-plugin prepare-offline-pack --output helk-offline-logstash-output-plugins.zip --overwrite logstash-output-* ``` 1. Hash the packaged plugins ```bash sha512sum helk-offline-logstash-codec_and_filter_plugins.zip > helk-offline-logstash-codec_and_filter_plugins.zip.sha512 && - sha512sum helk-offline-logstash-input_and_output-plugins.zip > helk-offline-logstash-input_and_output-plugins.zip.sha512 + sha512sum helk-offline-logstash-input-plugins.zip > helk-offline-logstash-input-plugins.zip.sha512 && + sha512sum helk-offline-logstash-output-plugins.zip > helk-offline-logstash-output-plugins.zip.sha512 ``` 2. Move the plugins and files, via your preferred method, to `HELK/docker/helk-logstash/plugins/` ```bash - cp helk-offline* Gemfile Gemfile.lock HELK/docker/helk-logstash/plugins/ + cp helk-offline* Gemfile ../ ``` \ No newline at end of file diff --git a/docker/helk-logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip b/docker/helk-logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip index 81485a9b..67cf447c 100644 Binary files a/docker/helk-logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip and b/docker/helk-logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip differ diff --git a/docker/helk-logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip.sha512 b/docker/helk-logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip.sha512 index 6c44d243..a29738b0 100644 
--- a/docker/helk-logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip.sha512 +++ b/docker/helk-logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip.sha512 @@ -1 +1 @@ -ef8e327f7b1390343ba8c917a7658e25ad4b164caa4e03d6f080f26cee31aa917253949e292305cc1262bbed70221976c21c512f01a6e52878769abf6fb26080 helk-offline-logstash-codec_and_filter_plugins.zip +b61fc823fdb41a0c026db7b00d135dd5b3af6009e83d497ed825cedff98239ac4e2fd6845c40ef46b83f6cc5f75fe098ade68e865835e77b2f6cce40ca016a58 helk-offline-logstash-codec_and_filter_plugins.zip diff --git a/docker/helk-logstash/plugins/helk-offline-logstash-input-plugins.zip b/docker/helk-logstash/plugins/helk-offline-logstash-input-plugins.zip new file mode 100644 index 00000000..c8488ff7 Binary files /dev/null and b/docker/helk-logstash/plugins/helk-offline-logstash-input-plugins.zip differ diff --git a/docker/helk-logstash/plugins/helk-offline-logstash-input-plugins.zip.sha512 b/docker/helk-logstash/plugins/helk-offline-logstash-input-plugins.zip.sha512 new file mode 100644 index 00000000..784760d7 --- /dev/null +++ b/docker/helk-logstash/plugins/helk-offline-logstash-input-plugins.zip.sha512 @@ -0,0 +1 @@ +a52e9015799f115df25218b1e13deb21927aaf6f52bb072cf8793478b7704aeefaef448c4b446b7d0a3ad9d8c50751261e462f1c827e5a965ab06d2f3361ea60 helk-offline-logstash-input-plugins.zip diff --git a/docker/helk-logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip.sha512 b/docker/helk-logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip.sha512 deleted file mode 100644 index 23b231d4..00000000 --- a/docker/helk-logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip.sha512 +++ /dev/null @@ -1 +0,0 @@ -ab93d642b2456b56de2d1dca74ad1993ff9f5f6c9bae0abc2088c3e99e3f4b89181d6ae39bf19a8ae3d702cbc3281db0de1ab84558fc9562c93f768dc5285c4f helk-offline-logstash-input_and_output-plugins.zip 
diff --git a/docker/helk-logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip b/docker/helk-logstash/plugins/helk-offline-logstash-output-plugins.zip similarity index 76% rename from docker/helk-logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip rename to docker/helk-logstash/plugins/helk-offline-logstash-output-plugins.zip index 9c9760f0..a25e0f39 100644 Binary files a/docker/helk-logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip and b/docker/helk-logstash/plugins/helk-offline-logstash-output-plugins.zip differ diff --git a/docker/helk-logstash/plugins/helk-offline-logstash-output-plugins.zip.sha512 b/docker/helk-logstash/plugins/helk-offline-logstash-output-plugins.zip.sha512 new file mode 100644 index 00000000..d068d15b --- /dev/null +++ b/docker/helk-logstash/plugins/helk-offline-logstash-output-plugins.zip.sha512 @@ -0,0 +1 @@ +302fce6eebf01fdeb7a9c56c42ebde99956569c27e5cb6c61ddbc5a3b0b193a1c02e4a8d20dcdb1afed2272828ff26b54f539476598392b7ee71f02cc93a42cc helk-offline-logstash-output-plugins.zip diff --git a/docker/helk-logstash/plugins/logstash-plugin-information.yml b/docker/helk-logstash/plugins/logstash-plugin-information.txt similarity index 72% rename from docker/helk-logstash/plugins/logstash-plugin-information.yml rename to docker/helk-logstash/plugins/logstash-plugin-information.txt index d2047a97..ede89b85 100644 --- a/docker/helk-logstash/plugins/logstash-plugin-information.yml +++ b/docker/helk-logstash/plugins/logstash-plugin-information.txt @@ -1,5 +1,5 @@ logstash-codec-avro (3.2.3) -logstash-codec-cef (6.1.0) +logstash-codec-cef (6.1.1) logstash-codec-collectd (3.0.8) logstash-codec-dots (3.0.6) logstash-codec-edn (3.0.6) 
@@ -28,20 +28,18 @@ logstash-filter-csv (3.0.10) logstash-filter-date (3.1.9) logstash-filter-de_dot (1.0.4) logstash-filter-dissect (1.2.0) -logstash-filter-dns (3.1.3) +logstash-filter-dns (3.1.4) logstash-filter-drop (3.0.5) -logstash-filter-elasticsearch (3.7.0) +logstash-filter-elasticsearch (3.7.1) logstash-filter-fingerprint (3.2.1) logstash-filter-geoip (6.0.3) -logstash-filter-grok (4.2.0) +logstash-filter-grok (4.3.0) logstash-filter-http (1.0.2) logstash-filter-i18n (3.0.3) -logstash-filter-jdbc_static (1.1.0) -logstash-filter-jdbc_streaming (1.0.10) logstash-filter-json (3.1.0) logstash-filter-json_encode (3.0.3) logstash-filter-kv (4.4.0) -logstash-filter-memcached (1.0.1) +logstash-filter-memcached (1.0.2) logstash-filter-metricize (3.0.3) logstash-filter-metrics (4.0.6) logstash-filter-mutate (3.5.0) 
@@ -56,49 +54,59 @@ logstash-filter-truncate (1.0.4) logstash-filter-urldecode (3.0.6) logstash-filter-useragent (3.2.4) logstash-filter-uuid (3.0.5) -logstash-filter-xml (4.0.7) -logstash-input-azure_event_hubs (1.1.2) -logstash-input-beats (6.0.5) +logstash-filter-xml (4.1.0) +logstash-input-azure_event_hubs (1.2.2) +logstash-input-beats (6.0.9) +logstash-input-cloudwatch (2.2.4) logstash-input-dead_letter_queue (1.1.5) -logstash-input-elasticsearch (4.5.0) +logstash-input-elasticsearch (4.6.0) logstash-input-exec (3.3.3) -logstash-input-file (4.1.13) +logstash-input-file (4.1.17) logstash-input-generator (3.0.6) +logstash-input-google_cloud_storage (0.11.1) +logstash-input-google_pubsub (1.2.1) logstash-input-heartbeat (3.0.7) -logstash-input-http (3.3.2) +logstash-input-http (3.3.4) logstash-input-http_poller (5.0.1) -logstash-input-jdbc (4.3.19) logstash-input-jms (3.1.2) logstash-input-lumberjack (3.1.6) logstash-input-pipe (3.0.7) -logstash-input-redis (3.5.0) -logstash-input-s3 (3.4.1) -logstash-input-snmp (1.2.1) +logstash-input-redis (3.5.1) +logstash-input-s3 (3.5.0) +logstash-input-s3-sns-sqs (2.1.1) +logstash-input-snmp (1.2.2) logstash-input-snmptrap (3.0.6) logstash-input-sqs (3.1.2) logstash-input-stdin (3.2.6) logstash-input-syslog (3.4.1) -logstash-input-tcp (6.0.3) +logstash-input-tcp (6.0.5) logstash-input-udp (3.3.4) logstash-input-unix (3.0.7) logstash-input-wmi (3.0.4) -logstash-integration-kafka (10.0.0) +logstash-integration-jdbc (5.0.1) + ├── logstash-input-jdbc + ├── logstash-filter-jdbc_streaming + └── logstash-filter-jdbc_static +logstash-integration-kafka (10.1.0) ├── logstash-input-kafka └── logstash-output-kafka -logstash-integration-rabbitmq (7.0.2) +logstash-integration-rabbitmq (7.0.3) ├── logstash-input-rabbitmq └── logstash-output-rabbitmq logstash-output-csv (3.0.8) logstash-output-elastic_app_search (1.0.0) -logstash-output-elasticsearch (10.3.1) +logstash-output-elasticsearch (10.4.1) logstash-output-email (4.1.1) 
logstash-output-file (4.2.6) +logstash-output-google_bigquery (4.1.3) +logstash-output-google_cloud_storage (4.1.0) +logstash-output-google_pubsub (1.0.2) logstash-output-http (5.2.4) logstash-output-lumberjack (3.1.7) logstash-output-null (3.0.5) logstash-output-pipe (3.0.6) logstash-output-redis (5.0.0) -logstash-output-s3 (4.2.0) +logstash-output-s3 (4.3.1) logstash-output-sns (4.0.7) logstash-output-sqs (6.0.0) logstash-output-stdout (3.1.4) diff --git a/docker/helk-logstash/scripts/logstash-entrypoint.sh b/docker/helk-logstash/scripts/logstash-entrypoint.sh index 73260595..95d2b31f 100755 --- a/docker/helk-logstash/scripts/logstash-entrypoint.sh +++ b/docker/helk-logstash/scripts/logstash-entrypoint.sh @@ -6,10 +6,16 @@ # Author: Roberto Rodriguez (@Cyb3rWard0g) # License: GPL-3.0 +RED='\033[0;31m' +CYAN='\033[0;36m' +WAR='\033[1;33m' +STD='\033[0m' + # *********** Helk log tagging variables *************** # For more efficient script editing/reading, and also if/when we switch to different install script language -HELK_LOGSTASH_INFO_TAG="[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO]" -HELK_ERROR_TAG="[HELK-LOGSTASH-DOCKER-INSTALLATION-ERROR]" +HELK_INFO_TAG="${CYAN}[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO]${STD}" +HELK_ERROR_TAG="${RED}[HELK-LOGSTASH-DOCKER-INSTALLATION-ERROR]${STD}" +HELK_WARNING_TAG="${WAR}[HELK-LOGSTASH-DOCKER-INSTALLATION-WARNING]${STD}" # *********** Environment Variables *************** DIR=/usr/share/logstash/output_templates 
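Review bot: The new `RED`/`CYAN`/`WAR`/`STD` variables are baked into every tag unconditionally, but this script's output goes to the container's stdout, which is normally not a TTY; the raw `\033[...` sequences then land in `docker logs` and any log shipper, and break a literal grep for `[HELK-LOGSTASH-DOCKER-INSTALLATION-ERROR]`. Guard the colors on a terminal, e.g. `if [[ ! -t 1 ]]; then RED='' CYAN='' WAR='' STD=''; fi` placed right after the four assignments, so the tag strings stay plain when captured. helk_update.sh further down defines the same three escape codes, so the guard would be worth applying there too.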
@@ -17,38 +23,38 @@ DIR=/usr/share/logstash/output_templates if [[ -z "$ES_HOST" ]]; then ES_HOST=helk-elasticsearch fi -echo "$HELK_LOGSTASH_INFO_TAG Setting Elasticsearch server name to $ES_HOST" +echo -e "${HELK_INFO_TAG} Setting Elasticsearch server name to $ES_HOST" if [[ -z "$ES_PORT" ]]; then ES_PORT=9200 fi -echo "$HELK_LOGSTASH_INFO_TAG Setting Elasticsearch server port to $ES_PORT" +echo -e "${HELK_INFO_TAG} Setting Elasticsearch server port to $ES_PORT" if [[ -n "$ELASTIC_PASSWORD" ]]; then if [[ -z "$ELASTIC_USERNAME" ]]; then ELASTIC_USERNAME=elastic fi - echo "$HELK_LOGSTASH_INFO_TAG Setting Elasticsearch username to $ELASTIC_USERNAME" - ELASTICSEARCH_ACCESS=http://$ELASTIC_USERNAME:"${ELASTIC_PASSWORD}"@$ES_HOST:$ES_PORT + echo -e "${HELK_INFO_TAG} Setting Elasticsearch username to $ELASTIC_USERNAME" + ELASTICSEARCH_ACCESS="http://${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}@${ES_HOST}:${ES_PORT}" else - ELASTICSEARCH_ACCESS=http://$ES_HOST:$ES_PORT + ELASTICSEARCH_ACCESS="http://${ES_HOST}:${ES_PORT}" fi CLUSTER_SETTINGS=' { "persistent": { "search.max_open_scroll_context": 15000, - "indices.breaker.request.limit" : "70%", + "indices.breaker.request.limit" : "90%", "cluster.max_shards_per_node": 3000 }, "transient": { "search.max_open_scroll_context": 15000, - "indices.breaker.request.limit" : "70%", + "indices.breaker.request.limit" : "90%", "cluster.max_shards_per_node": 3000 } } ' -TestHELKDataWindowsSysmon000001='{"type":"wineventlog","user_reporter_type":"User","src_ip_type":"private","user_account":"nt authority\\test helk 
data","meta_user_name_is_machine":"false","provider_guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","host_name":"test-helk-data.local","agent":{"type":"winlogbeat","id":"5ef4b480-a7e2-4bba-b1af-b2a6eba8312d","ephemeral_id":"bfdeead4-32b9-4251-9ba3-b4dcd7d1e786","hostname":"test-helk-data","version":"7.3.1"},"version":5,"process_guid":"A69770E2-4C0C-5D63-0000-0010C0F50000","network_protocol":"tcp","event_id":3,"log_name":"Microsoft-Windows-Sysmon/Operational","src_ip_version":"4","src_host_name":"test-helk-data.local","@event_date_creation":"1990-12-18T16:55:26.674Z","src_ip_public":"false","dst_ip_rfc":"RFC_1918","event":{"kind":"event","action":"Network connection detected (rule: NetworkConnect)","created":"1990-12-18T20:25:48.470Z","code":3},"src_ip_rfc":"RFC_1918","process_id":"976","user_reporter_name":"SYSTEM","dst_host_name":"test-helk-data2.local","dst_ip_version":"4","src_ip_addr":"10.66.6.121","z_original_timestamp":"1990-12-18T20:25:46.516Z","thread_id":1304,"src_port":"58570","src_is_ipv6":"false","user_domain":"nt authority","dst_ip_addr":"10.66.6.21","ecs":{"version":"1.0.1"},"opcode":"Info","dst_port":"5985","process_name":"svchost.exe","record_number":124793,"winlog":{"channel":"Microsoft-Windows-Sysmon/Operational","provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","opcode":"Info","record_id":124793,"process":{"thread":{"id":1304},"pid":1432},"task":"Network connection detected (rule: NetworkConnect)","host_name":"test-helk-data.local","version":5,"provider_name":"Microsoft-Windows-Sysmon","event_id":3,"api":"wineventlog"},"etl_processed_timestamp":"2015-10-07T19:07:50.302Z","dst_ip_type":"private","dst_is_ipv6":"false","level":"information","action":"networkconnect","@version":"1","process_path":"c:\\windows\\system32\\svchost.exe","user_name":"network service","source_name":"Microsoft-Windows-Sysmon","dst_ip_public":"false","user_reporter_sid":"S-1-5-18","event_original_message":"test helk 
data","etl_pipeline":["all-filter-0098","fingerprint-winlogbeats7","winlogbeat_7-field_nest_cleanup","winlogbeat_7-copy_to_originals","1500","1521","1522","1523_1","1524_2","1524_6","1531","1541_1","1544_2","1544_3","1544_6","1544_7","1544_8","dst_ip_addr_clean_and_public","src_ip_addr_clean_and_public","winevent-hostname-cleanup","winevent-user_name-is-machine-account","winevent-user_reporter_name-is-machine-account","copy-8802-001","copy-8802-002"],"beat_hostname":"test-helk-data","log":{"level":"information"},"user_reporter_domain":"NT AUTHORITY","meta_user_reporter_name_is_machine":"false","fingerprint_network_community_id":"1:EeVyZ07VGj1n0rld+xCLFdM+u8M=","@timestamp":"1990-12-18T20:25:46.516Z","task":"Network connection detected (rule: NetworkConnect)","network_initiated":"true","beat_version":"7.3.1"}' +TestHELKDataWindowsSysmon000001='{ "user_reporter_name": "SYSTEM", "task": "Network connection detected (rule: NetworkConnect)", "src_ip_addr": "10.66.6.21", "event_original_time": "1990-12-18T16:48:25.255Z", "src_host_name": "dc001.adtest.local", "z_elastic_ecs": { "agent": {}, "ecs": { "version": "1.4.0" }, "host": {}, "log": {}, "user": {}, "winlog": { "process": { "thread": {} } }, "event": { "code": 3, "action": "Network connection detected (rule: NetworkConnect)", "created": "1990-12-18T16:48:25.178Z", "kind": "event", "provider": "Microsoft-Windows-Sysmon" } }, "@version": "1", "level": "information", "dst_host_name": "dc001.adtest.local", "meta_user_reporter_name_is_machine": "false", "provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", "process_guid": "E3D58CDF-15D7-5EA3-0000-00100BA90000", "thread_id": 2012, "etl_host_agent_ephemeral_uid": "14800797-e165-4fae-82ec-ba775b9a701d", "meta_user_name_is_machine": "false", "network_initiated": "true", "type": "wineventlog", "process_name": "svchost.exe", "user_account": "nt authority\\system", "dst_ip_public": "false", "src_ip_rfc": "RFC_1918", "etl_kafka_time": 1587746903462, "user_reporter_type": 
"User", "version": 5, "dst_port_name": "ldap", "dst_ip_rfc": "RFC_1918", "user_reporter_domain": "NT AUTHORITY", "etl_pipeline": [ "all-filter-0098", "all-add_processed_timestamp", "fingerprint-winlogbeats7", "winlogbeat_7_and_above-field_nest_cleanup", "winlogbeat_7_and_above-field_cleanups", "1500", "winevent-ip_conversion-SourceIp_and_DestinationIp", "1522", "winevent-sysmon-all-1531", "sysmon-all-extract_domain_and_user_name", "general_rename-various_global_options", "general_rename-ProcessGuid", "general_rename-ProcessId", "split-process_path-grok-process_name", "provider_guid-cleanup", "process_guid-cleanup", "dst_ip_addr_clean_and_public", "src_ip_addr_clean_and_public", "winevent-hostname-cleanup", "winevent-user_name-is-machine-account", "winevent-user_reporter_name-is-machine-account", "community_id_addition", "final-cleanup-message_field" ], "dst_ip_version": "4", "log_name": "Microsoft-Windows-Sysmon/Operational", "beat_hostname": "dc001", "action": "networkconnect", "fingerprint_network_community_id": "1:OKneuB7CFUFGGAm2Q/+z6KsUL1g=", "src_ip_type": "private", "event_recorded_time": "1990-12-18T16:48:23.462Z", "@timestamp": "1990-12-18T16:48:25.255Z", "etl_version": "2020.04.19.01", "etl_processed_time": "1990-12-18T16:49:50.748Z", "event_id": 3, "beat_version": "7.6.2", "dst_is_ipv6": "false", "dst_ip_type": "private", "etl_kafka_offset": 80540, "process_path": "c:\\windows\\system32\\svchost.exe", "src_ip_public": "false", "process_id": "952", "host_name": "dc001.adtest.local", "etl_kafka_topic": "winlogbeat", "user_reporter_sid": "S-1-5-18", "event_original_message": "Network connection detected:\nRuleName: \nUtcTime: 1990-12-18 16:48:25.255\nProcessGuid: {E3D58CDF-15D7-5EA3-0000-00100BA90000}\nProcessId: 952\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\SYSTEM\nProtocol: tcp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.66.6.21\nSourceHostname: dc001.adtest.local\nSourcePort: 49257\nSourcePortName: \nDestinationIsIpv6: 
false\nDestinationIp: 10.66.6.21\nDestinationHostname: dc001.adtest.local\nDestinationPort: 389\nDestinationPortName: ldap", "record_number": 1273339, "dst_port": "389", "user_name": "system", "etl_kafka_partition": 0, "user_domain": "nt authority", "src_port": "49257", "event_timezone": "UTC", "network_protocol": "tcp", "etl_host_agent_type": "winlogbeat", "dst_ip_addr": "10.66.6.21", "opcode": "Info", "src_ip_version": "4", "etl_host_agent_uid": "234807a0-422e-4022-a2c9-dfdfd08bcde5", "src_is_ipv6": "false", "source_name": "Microsoft-Windows-Sysmon" }' KIBANA_INDEX_PRIORITY='{"index.priority":100}' @@ -57,7 +63,7 @@ if [[ -n "$ELASTIC_PASSWORD" ]]; then # ****** Updating Pipeline configs *********** for config in /usr/share/logstash/pipeline/*-output.conf do - echo "$HELK_LOGSTASH_INFO_TAG Updating pipeline config $config..." + echo -e "${HELK_INFO_TAG} Updating pipeline config $config..." sed -i "s/\(#\)\{0,1\}password \=>.*$/password \=> \'${ELASTIC_PASSWORD}\'/g" "${config}" done fi 
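Review bot: The rewritten `ELASTICSEARCH_ACCESS="http://${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}@..."` line places the Elasticsearch password on the argv of every curl in this script, where any process in the container can read it via `ps` or `/proc/*/cmdline`, and it is echoed verbatim if anyone enables `set -x`; a password containing `@`, `:` or `/` also breaks the URL because it is not percent-encoded. Keep `ELASTICSEARCH_ACCESS` as the bare `http://${ES_HOST}:${ES_PORT}` and hand credentials to curl through a mode-0600 config file (`-K`), as sketched below, then add `"${CURL_AUTH[@]}"` to each curl call. Separately, raising `indices.breaker.request.limit` from 70% to 90% in both the persistent and transient blocks removes most of the headroom under the parent breaker, and nothing in the hunk says why; a one-line comment with the motivating symptom would help the next maintainer. The script continues past this hunk.
```shell
ELASTICSEARCH_ACCESS="http://${ES_HOST}:${ES_PORT}"
CURL_AUTH=()
if [[ -n "$ELASTIC_PASSWORD" ]]; then
  if [[ -z "$ELASTIC_USERNAME" ]]; then
    ELASTIC_USERNAME=elastic
  fi
  echo -e "${HELK_INFO_TAG} Setting Elasticsearch username to $ELASTIC_USERNAME"
  # credentials go in a private curl config file, never on the command line
  CURL_AUTH_CFG="$(mktemp)"
  chmod 600 "$CURL_AUTH_CFG"
  printf 'user = "%s:%s"\n' "$ELASTIC_USERNAME" "$ELASTIC_PASSWORD" > "$CURL_AUTH_CFG"
  CURL_AUTH=(-K "$CURL_AUTH_CFG")
fi
# … unchanged: CLUSTER_SETTINGS, TestHELKDataWindowsSysmon000001, KIBANA_INDEX_PRIORITY …
```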
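Review bot: The `sed -i "s/\(#\)\{0,1\}password \=>.*$/password \=> \'${ELASTIC_PASSWORD}\'/g"` line directly below the changed echo splices the raw password into a sed replacement, so a password containing `/` aborts sed, `&` re-inserts the matched text, and `\` or `'` produce a value in the pipeline config that differs from what the operator set; that line is unchanged context here, but this commit is reworking how `ELASTIC_PASSWORD` flows through the script, so it is the place to fix it. Escape the value first and use a delimiter that cannot occur in it, e.g. `esc_pw=$(printf '%s' "$ELASTIC_PASSWORD" | sed 's/[&\\|]/\\&/g')` followed by `sed -i "s|\(#\)\{0,1\}password \=>.*$|password => '${esc_pw}'|g" "${config}"`. A password containing a single quote would still need separate handling since the Logstash config value is single-quoted.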
@@ -65,58 +71,58 @@ fi # *********** Check if Elasticsearch is up *************** while true do - ES_STATUS_CODE=$(curl -s -o /dev/null -w "%{http_code}" $ELASTICSEARCH_ACCESS) - if [ "$ES_STATUS_CODE" -eq 200 ]; then - echo "$HELK_LOGSTASH_INFO_TAG Connected successfully to elasticsearch URI.." + ES_STATUS_CODE=$(curl -s -o /dev/null -w "%{http_code}" ${ELASTICSEARCH_ACCESS}) + if [[ "$ES_STATUS_CODE" -eq 200 ]]; then + echo -e "${HELK_INFO_TAG} Connected successfully to elasticsearch URI.." break else - echo "$HELK_LOGSTASH_INFO_TAG Waiting for elasticsearch URI to be accessible.." + echo -e "${HELK_INFO_TAG} Waiting for elasticsearch URI to be accessible.." fi sleep 5 done # ********** Uploading templates to Elasticsearch ******* -echo "$HELK_LOGSTASH_INFO_TAG Uploading templates for field & value mappings and index settings to elasticsearch .." +echo -e "${HELK_INFO_TAG} Uploading templates for field & value mappings and index settings to elasticsearch .." for file in "${DIR}"/*.json; do template_name=$(echo "$file" | sed -r ' s/^.*\/[0-9]+\-//' | sed -r ' s/\.json$//') - echo "$HELK_LOGSTASH_INFO_TAG Uploading $template_name template to elasticsearch.." - until [[ "$(curl -s -o /dev/null -w '%{http_code}' -X POST $ELASTICSEARCH_ACCESS/_template/"$template_name" -d@"${file}" -H 'Content-Type: application/json')" == "200" ]]; do - echo "$HELK_LOGSTASH_INFO_TAG Retrying uploading $template_name" + echo -e "${HELK_INFO_TAG} Uploading $template_name template to elasticsearch.." + until [[ "$(curl -s -o /dev/null -w '%{http_code}' -X POST ${ELASTICSEARCH_ACCESS}/_template/"$template_name" -d@"${file}" -H 'Content-Type: application/json')" == "200" ]]; do + echo -e "${HELK_WARNING_TAG} Retrying uploading $template_name" sleep 2 done done # ******** Cluster Settings *************** -echo "$HELK_LOGSTASH_INFO_TAG Configuring elasticsearch cluster settings.." 
-until [[ "$(curl -s -o /dev/null -w '%{http_code}' -X PUT $ELASTICSEARCH_ACCESS/_cluster/settings -H 'Content-Type: application/json' -d "$CLUSTER_SETTINGS")" == "200" ]]; do - echo "$HELK_LOGSTASH_INFO_TAG Retrying cluster settings" +echo -e "${HELK_INFO_TAG} Configuring elasticsearch cluster settings.." +until [[ "$(curl -s -o /dev/null -w '%{http_code}' -X PUT ${ELASTICSEARCH_ACCESS}/_cluster/settings -H 'Content-Type: application/json' -d "$CLUSTER_SETTINGS")" == "200" ]]; do + echo -e "${HELK_WARNING_TAG} Retrying cluster settings" sleep 2 done # *********** Set Kibana Index Priority *************** -echo "$HELK_LOGSTASH_INFO_TAG Configuring elasticsearch cluster settings.." +echo -e "${HELK_INFO_TAG} Configuring elasticsearch cluster settings.." until [[ "$(curl -s -o /dev/null -w '%{http_code}' -X PUT "${ELASTICSEARCH_ACCESS}/.kiban*/_settings" -H 'Content-Type: application/json' -d "$KIBANA_INDEX_PRIORITY")" == "200" ]]; do - echo "$HELK_LOGSTASH_INFO_TAG Retrying Kibana index priority" + echo -e "${HELK_WARNING_TAG} Retrying Kibana index priority" sleep 2 done # ******** Create Data For Kibana Experience *************** -echo "$HELK_LOGSTASH_INFO_TAG Setting up additional Kibana/UI experience parameter.." -until [[ "$(curl -s -o /dev/null -w '%{http_code}' -X POST $ELASTICSEARCH_ACCESS/logs-endpoint-winevent-sysmon-1990.12.18/_doc/TestHELKDataWindowsSysmon000001 -H 'Content-Type: application/json' -d "$TestHELKDataWindowsSysmon000001")" == "200" ]]; do - echo "$HELK_LOGSTASH_INFO_TAG Retrying uploading data for kibana experience" +echo -e "${HELK_INFO_TAG} Setting up additional Kibana/UI experience parameter.." 
+until [[ "$(curl -s -o /dev/null -w '%{http_code}' -X POST ${ELASTICSEARCH_ACCESS}/logs-endpoint-winevent-sysmon-1990.12.18/_doc/TestHELKDataWindowsSysmon000001 -H 'Content-Type: application/json' -d "$TestHELKDataWindowsSysmon000001")" == "200" ]]; do + echo -e "${HELK_WARNING_TAG} Retrying uploading data for kibana experience" sleep 2 done # ********** Install Plugins ***************** -echo "$HELK_LOGSTASH_INFO_TAG Checking Logstash plugins.." +echo -e "${HELK_INFO_TAG} Checking Logstash plugins.." # check if has been 30 days since plugins have been updated if test -f "$plugins_time_file"; then plugins_last_time=$(date -d "$(<"$plugins_time_file")" '+%s') plugins_current_time=$(date -d "$(<"$plugins_time_file")" '+%s') plugins_day_diff=$(( ( plugins_current_time - plugins_last_time )/(60*60*24) )) - if [ "$plugins_day_diff" -ge 30 ]; then + if [[ "$plugins_day_diff" -ge 30 ]]; then plugins_oudated="yes" - echo "$HELK_LOGSTASH_INFO_TAG Plugins have not been updated in over 30 days.." + echo -e "${HELK_INFO_TAG} Plugins have not been updated in over 30 days.." else plugins_oudated="no" fi 
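Review bot: The condition the commit rewrites as `if [[ "$plugins_day_diff" -ge 30 ]]` can never be true, because two lines above it `plugins_current_time=$(date -d "$(<"$plugins_time_file")" '+%s')` reads the same stored timestamp as `plugins_last_time`, so `plugins_day_diff` is always 0 and the offline plugin refresh is only ever attempted on the very first run. The fix is `plugins_current_time=$(date '+%s')`. The three `until` loops above it (templates, cluster settings, test document) retry every 2 seconds forever on any non-200 response, so a 401 from wrong credentials or a 400 from a malformed template leaves the container spinning with a warning instead of failing; a bounded attempt counter that exits non-zero would surface the misconfiguration. `plugins_time_file` is read here but its assignment is not visible in this hunk.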
@@ -126,28 +132,28 @@ fi # Test a few plugins determine if probably all already installed if ( logstash-plugin list 2> /dev/null | grep 'logstash-filter-prune' ) && ( logstash-plugin list 2> /dev/null | grep 'logstash-input-wmi' ); then plugins_previous_install="yes" - echo "$HELK_LOGSTASH_INFO_TAG Plugins from previous install detected.." + echo -e "${HELK_INFO_TAG} Plugins from previous install detected.." else plugins_previous_install="no" - echo "$HELK_LOGSTASH_INFO_TAG Plugins from previous install not detected.." - echo "$HELK_LOGSTASH_INFO_TAG Updating Logstash plugins over the internet for first run.." + echo -e "${HELK_INFO_TAG} Plugins from previous install not detected.." + echo -e "${HELK_INFO_TAG} Updating Logstash plugins over the internet for first run.." logstash-plugin update fi # If have not been updated in X time or not installed at all.. then install them -if [ $plugins_previous_install = "no" ] || [ $plugins_oudated = "yes" ]; then - if [ -f "/usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip" ] && [ -f "/usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip" ]; then - echo "$HELK_LOGSTASH_INFO_TAG Installing Logstash plugins via offline package.." +if [[ ${plugins_previous_install} = "no" ]] || [[ ${plugins_oudated} = "yes" ]]; then + if [[ -f "/usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip" ]] && [[ -f "/usr/share/logstash/plugins/helk-offline-logstash-input-plugins.zip" ]] && [[ -f "/usr/share/logstash/plugins/helk-offline-logstash-output-plugins.zip" ]]; then + echo -e "${HELK_INFO_TAG} Installing Logstash plugins via offline package.." 
logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip - logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip + logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-input-plugins.zip + logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-output-plugins.zip else - echo "$HELK_LOGSTASH_INFO_TAG Installing logstash plugins over the internet.." - logstash-plugin install logstash-codec-avro logstash-codec-es_bulk logstash-codec-cef logstash-codec-gzip_lines logstash-codec-json logstash-codec-json_lines logstash-codec-netflow logstash-codec-nmap logstash-codec-protobuf logstash-filter-alter logstash-filter-bytes logstash-filter-cidr logstash-filter-cipher logstash-filter-clone logstash-filter-csv logstash-filter-de_dot logstash-filter-dissect logstash-filter-dns logstash-filter-elasticsearch logstash-filter-fingerprint logstash-filter-geoip logstash-filter-i18n logstash-filter-jdbc_static logstash-filter-jdbc_streaming logstash-filter-json logstash-filter-json_encode logstash-filter-kv logstash-filter-memcached logstash-filter-metricize logstash-filter-prune logstash-filter-translate logstash-filter-urldecode logstash-filter-useragent logstash-filter-xml logstash-input-beats logstash-input-elasticsearch logstash-input-file logstash-input-jdbc logstash-input-lumberjack logstash-input-snmptrap logstash-input-syslog logstash-input-tcp logstash-input-udp logstash-input-wmi logstash-output-csv logstash-output-elasticsearch logstash-output-email logstash-output-lumberjack logstash-output-nagios logstash-output-stdout logstash-output-syslog logstash-output-tcp logstash-output-udp - echo "$HELK_LOGSTASH_INFO_TAG Updating Logstash plugins over the internet.." - logstash-plugin update + echo -e "${HELK_ERROR_TAG} Logstash plugins not detected.." 
+ echo -e "${HELK_INFO_TAG} Please open a github ticket" + exit 1 fi printf "%s" "$(date +"%Y-%m-%d %T")" > "$plugins_time_file" else - echo "$HELK_LOGSTASH_INFO_TAG Logstash plugins already installed and up to date.." + echo -e "${HELK_INFO_TAG} Logstash plugins already installed and up to date.." fi # ********* Setting LS_JAVA_OPTS *************** 
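Review bot: With the internet fallback replaced by `exit 1`, the three offline zips are now the only supported install path, yet the `.sha512` files this same commit adds next to them are never checked before `logstash-plugin install file:///usr/share/logstash/plugins/...`; a truncated or tampered archive in the image layer is installed unconditionally. Verify each archive against its checksum before installing, as below (this assumes the `.sha512` files are copied into the image alongside the zips, which is not visible here). The first-run branch earlier in this hunk still runs `logstash-plugin update` over the internet before the offline packs are installed, which presumably can pull plugin versions that differ from those pinned in logstash-plugin-information.txt; consider dropping it or gating it on a flag. The enclosing `if [[ ${plugins_previous_install} = "no" ]] || ...` block starts inside this hunk.
```shell
PLUGIN_DIR=/usr/share/logstash/plugins
for pkg in codec_and_filter input output; do
  # refuse to install an archive whose shipped SHA-512 does not match
  if ! (cd "$PLUGIN_DIR" && sha512sum -c --status "helk-offline-logstash-${pkg}-plugins.zip.sha512"); then
    echo -e "${HELK_ERROR_TAG} Checksum mismatch for helk-offline-logstash-${pkg}-plugins.zip"
    exit 1
  fi
done
# … unchanged: logstash-plugin install file://… for each of the three zips …
```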
@@ -155,56 +161,66 @@ if [[ -z "$LS_JAVA_OPTS" ]]; then while true; do # Check using more accurate MB AVAILABLE_MEMORY=$(awk '/MemAvailable/{printf "%.f", $2/1024}' /proc/meminfo) - if [ "$AVAILABLE_MEMORY" -ge 900 ] && [ "$AVAILABLE_MEMORY" -le 1000 ]; then + if [[ "$AVAILABLE_MEMORY" -ge 700 ]] && [[ "$AVAILABLE_MEMORY" -le 999 ]]; then + echo -e "${HELK_WARNING_TAG} Low memory available to the docker container. There is only ${AVAILABLE_MEMORY}MBs." + LS_MEMORY="200m" + LS_MEMORY_HIGH="600m" + elif [[ "$AVAILABLE_MEMORY" -ge 1000 ]] && [[ "$AVAILABLE_MEMORY" -le 1599 ]]; then + LS_MEMORY="300m" + LS_MEMORY_HIGH="850m" + elif [[ "$AVAILABLE_MEMORY" -ge 1600 ]] && [[ "$AVAILABLE_MEMORY" -le 1999 ]]; then LS_MEMORY="400m" LS_MEMORY_HIGH="1000m" - elif [ "$AVAILABLE_MEMORY" -ge 1001 ] && [ "$AVAILABLE_MEMORY" -le 3000 ]; then - LS_MEMORY="700m" - LS_MEMORY_HIGH="1300m" - elif [ "$AVAILABLE_MEMORY" -gt 3000 ]; then + elif [[ "$AVAILABLE_MEMORY" -ge 2000 ]] && [[ "$AVAILABLE_MEMORY" -le 2999 ]]; then + LS_MEMORY="600m" + LS_MEMORY_HIGH="1000m" + elif [[ "$AVAILABLE_MEMORY" -ge 3000 ]] && [[ "$AVAILABLE_MEMORY" -le 4999 ]]; then + LS_MEMORY="600m" + LS_MEMORY_HIGH="1500m" + elif [[ "$AVAILABLE_MEMORY" -gt 5000 ]]; then # Set high & low, so logstash doesn't use everything unnecessarily, it will usually flux up and down in usage -- and doesn't "severely" despite what everyone seems to believe LS_MEMORY="$(( AVAILABLE_MEMORY / 4 ))m" LS_MEMORY_HIGH="$(( AVAILABLE_MEMORY / 2 ))m" - if [ "$AVAILABLE_MEMORY" -gt 31000 ]; then + if [[ "$AVAILABLE_MEMORY" -gt 31000 ]]; then LS_MEMORY="8000m" LS_MEMORY_HIGH="31000m" fi else - echo "$HELK_ERROR_TAG $LS_MEMORY MB is not enough memory for Logstash yet.." - sleep 1 + echo -e "${HELK_WARNING_TAG} ${LS_MEMORY}MBs is not enough memory for Logstash yet.." 
+ sleep 5 fi export LS_JAVA_OPTS="${HELK_LOGSTASH_JAVA_OPTS} -Xms${LS_MEMORY} -Xmx${LS_MEMORY_HIGH} " break done fi -echo "$HELK_LOGSTASH_INFO_TAG Setting LS_JAVA_OPTS to $LS_JAVA_OPTS" +echo -e "${HELK_INFO_TAG} Setting LS_JAVA_OPTS to $LS_JAVA_OPTS" # ********* Setting Logstash PIPELINE_WORKERS *************** if [[ -z "$PIPELINE_WORKERS" ]]; then # Get total CPUs/cores as reported by OS TOTAL_CORES=$(getconf _NPROCESSORS_ONLN 2>/dev/null) # try one more way - [ -z "$TOTAL_CORES" ] && TOTAL_CORES=$(getconf NPROCESSORS_ONLN) + [[ -z "$TOTAL_CORES" ]] && TOTAL_CORES=$(getconf NPROCESSORS_ONLN) # Unable to get reported cores - if [ -z "$TOTAL_CORES" ]; then + if [[ -z "$TOTAL_CORES" ]]; then TOTAL_CORES=1 - echo "$HELK_ERROR_TAG unable to get number of CPUs/cores as reported by the OS" + echo -e "${HELK_WARNING_TAG} unable to get number of CPUs/cores as reported by the OS" fi # Set workers based on available cores - if [ "$TOTAL_CORES" -ge 1 ] && [ "$TOTAL_CORES" -le 3 ]; then + if [[ "$TOTAL_CORES" -ge 1 ]] && [[ "$TOTAL_CORES" -le 3 ]]; then PIPELINE_WORKERS=1 # Divide by 2 - elif [ "$TOTAL_CORES" -ge 4 ]; then + elif [[ "$TOTAL_CORES" -ge 4 ]]; then PIPELINE_WORKERS="$(( TOTAL_CORES / 2 ))" # some unknown number else - echo "$HELK_ERROR_TAG reported CPUs/cores not an integer? not greater or equal to 1.." + echo -e "${HELK_WARNING_TAG} reported CPUs/cores not an integer? not greater or equal to 1.." PIPELINE_WORKERS=1 fi export PIPELINE_WORKERS fi -echo "$HELK_LOGSTASH_INFO_TAG Setting PIPELINE_WORKERS to ${PIPELINE_WORKERS}" +echo -e "${HELK_INFO_TAG} Setting PIPELINE_WORKERS to ${PIPELINE_WORKERS}" # ********** Starting Logstash ***************** -echo "$HELK_LOGSTASH_INFO_TAG Running docker-entrypoint script.." +echo -e "${HELK_INFO_TAG} Running docker-entrypoint script.." /usr/local/bin/docker-entrypoint \ No newline at end of file diff --git a/docker/helk-nginx/Dockerfile b/docker/helk-nginx/Dockerfile index 453ac91f..92590417 100644 
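Review bot: The warning in the new else branch interpolates `${LS_MEMORY}`, which has not been assigned on that path (it is only set in the branches above), so the message reads "MBs is not enough memory"; it should print `${AVAILABLE_MEMORY}`. More importantly, `export LS_JAVA_OPTS="${HELK_LOGSTASH_JAVA_OPTS} -Xms${LS_MEMORY} -Xmx${LS_MEMORY_HIGH} "` and `break` run unconditionally after the `fi`, so the new `sleep 5` only delays the loop before it exits with empty `-Xms`/`-Xmx` values and Logstash is started with malformed JVM options rather than waiting for memory. Change the branch to `echo -e "${HELK_WARNING_TAG} ${AVAILABLE_MEMORY}MBs is not enough memory for Logstash yet.."` followed by `sleep 5` and `continue`. The enclosing `if [[ -z "$LS_JAVA_OPTS" ]]` block begins on the hunk header line.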
--- a/docker/helk-nginx/Dockerfile +++ b/docker/helk-nginx/Dockerfile @@ -7,7 +7,7 @@ # https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html # https://github.com/spujadas/elk-docker/blob/master/Dockerfile -FROM otrf/helk-base:0.0.4 +FROM nginx:1.17.9 LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g" LABEL description="Dockerfile base for the HELK Nginx." @@ -17,7 +17,7 @@ ENV DEBIAN_FRONTEND noninteractive # -qq : No output except for errors RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \ && apt-get update -qq - +RUN apt-get install -qqy curl RUN apt-get -qy clean \ autoremove @@ -25,10 +25,6 @@ RUN apt-get -qy clean \ COPY scripts/nginx-entrypoint.sh /opt/helk/scripts/ RUN chmod +x /opt/helk/scripts/nginx-entrypoint.sh -# *********** Installing Nginx *************** -RUN apt-get install -qqy nginx -RUN apt-get update -qq - # *********** RUN HELK *************** EXPOSE 80 443 WORKDIR "/opt/helk/scripts/" diff --git a/docker/helk-nginx/config/basic-elk b/docker/helk-nginx/config/basic-elk index e44f1683..366b1439 100644 --- a/docker/helk-nginx/config/basic-elk +++ b/docker/helk-nginx/config/basic-elk @@ -32,7 +32,7 @@ server { add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options "SAMEORIGIN"; # BufferOverflow Hardening - client_body_buffer_size 100K; + client_body_buffer_size 500K; client_header_buffer_size 1k; client_max_body_size 7500k; # TLS/SSL diff --git a/docker/helk-nginx/config/basic-helk b/docker/helk-nginx/config/basic-helk index 333a9049..ef408afa 100644 --- a/docker/helk-nginx/config/basic-helk +++ b/docker/helk-nginx/config/basic-helk @@ -32,7 +32,7 @@ server { add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options "SAMEORIGIN"; # BufferOverflow Hardening - client_body_buffer_size 100K; + client_body_buffer_size 500K; client_header_buffer_size 1k; client_max_body_size 7500k; # TLS/SSL 
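Review bot: The new `RUN apt-get install -qqy curl` sits in its own layer between the existing `apt-get update` and `apt-get clean` layers, so the package indexes fetched by update are kept in the image and a cached update layer can later install curl from stale lists. Collapse it into one layer: `RUN apt-get update -qq && apt-get install -qqy --no-install-recommends curl && rm -rf /var/lib/apt/lists/*`. `FROM nginx:1.17.9` pins only a mutable tag; for a reproducible image pin the digest too (`nginx:1.17.9@sha256:...`), and the surviving "Updating Ubuntu base image.." message is now inaccurate since the base is the Debian-based nginx image. Note also that the `helk:$apr1$...` entry removed from htpasswd.users further down in this diff remains in git history, so that credential should be treated as disclosed and the entrypoint presumably needs to generate a fresh file on first start.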
diff --git a/docker/helk-nginx/config/trial-elk b/docker/helk-nginx/config/trial-elk index 2a333bbb..c75e5e21 100644 --- a/docker/helk-nginx/config/trial-elk +++ b/docker/helk-nginx/config/trial-elk @@ -32,7 +32,7 @@ server { add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options "SAMEORIGIN"; # BufferOverflow Hardening - client_body_buffer_size 100K; + client_body_buffer_size 500K; client_header_buffer_size 1k; client_max_body_size 7500k; # TLS/SSL diff --git a/docker/helk-nginx/config/trial-helk b/docker/helk-nginx/config/trial-helk index cd48091a..7a6ee6bc 100644 --- a/docker/helk-nginx/config/trial-helk +++ b/docker/helk-nginx/config/trial-helk @@ -32,7 +32,7 @@ server { add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options "SAMEORIGIN"; # BufferOverflow Hardening - client_body_buffer_size 100K; + client_body_buffer_size 500K; client_header_buffer_size 1k; client_max_body_size 7500k; # TLS/SSL diff --git a/docker/helk-nginx/htpasswd.users b/docker/helk-nginx/htpasswd.users deleted file mode 100644 index ba4039a6..00000000 --- a/docker/helk-nginx/htpasswd.users +++ /dev/null @@ -1 +0,0 @@ -helk:$apr1$gJLi7kOb$FTKdndIRNajq55tTzEkGc/ diff --git a/docker/helk-zookeeper/Dockerfile b/docker/helk-zookeeper/Dockerfile index d4129195..cca76670 100644 --- a/docker/helk-zookeeper/Dockerfile +++ b/docker/helk-zookeeper/Dockerfile @@ -3,7 +3,7 @@ # Author: Roberto Rodriguez (@Cyb3rWard0g) # License: GPL-3.0 -FROM otrf/helk-kafka-base:2.3.0 +FROM otrf/helk-kafka-base:2.4.0 LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g" LABEL description="Dockerfile base for the HELK Kafka Zookeeper." diff --git a/docker/helk_install.sh b/docker/helk_install.sh index c6572811..28d4f401 100755 --- a/docker/helk_install.sh +++ b/docker/helk_install.sh 
@@ -6,6 +6,9 @@ # Author: Roberto Rodriguez (@Cyb3rWard0g) # License: GPL-3.0 +HELK_BUILD_VERSION="v0.1.9-alpha03272020" +HELK_ELK_VERSION="7.6.2" + # *********** Helk log tagging variables *************** # For more efficient script editing/reading, and also if/when we switch to different install script language HELK_INFO_TAG="[HELK-INSTALLATION-INFO]" @@ -573,14 +576,14 @@ check_logstash_connected() { show_banner() { # *********** Showing HELK Docker menu options *************** echo " " - echo "**********************************************" - echo "** HELK - THE HUNTING ELK **" - echo "** **" - echo "** Author: Roberto Rodriguez (@Cyb3rWard0g) **" - echo "** HELK build version: v0.1.8-alpha01032020 **" - echo "** HELK ELK version: 7.5.2 **" - echo "** License: GPL-3.0 **" - echo "**********************************************" + echo "***********************************************" + echo "** HELK - THE HUNTING ELK **" + echo "** **" + echo "** Author: Roberto Rodriguez (@Cyb3rWard0g) **" + echo "** HELK build version: ${HELK_BUILD_VERSION} **" + echo "** HELK ELK version: ${HELK_ELK_VERSION} **" + echo "** License: GPL-3.0 **" + echo "***********************************************" echo " " } diff --git a/docker/helk_update.sh b/docker/helk_update.sh index 8bc3f456..3efa8e82 100755 --- a/docker/helk_update.sh +++ b/docker/helk_update.sh @@ -7,6 +7,9 @@ # Script Author: Dev Dua (@devdua) # License: GPL-3.0 +HELK_BUILD_VERSION="v0.1.9-alpha03272020" +HELK_ELK_VERSION="7.6.2" + RED='\033[0;31m' CYAN='\033[0;36m' WAR='\033[1;33m' 
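Review bot: `HELK_BUILD_VERSION` and `HELK_ELK_VERSION` added in hunk @@ -6,6 +6,9 @@ are declared a second time with the same values in helk_update.sh (hunk @@ -7,6 +7,9 @@), so the next bump has to be made in two scripts and will drift when one is missed; the documentation hunks further down in this diff already show that pattern, still printing build version v0.1.8-alpha01032020 while only the ELK version was updated. Keeping the two assignments in one file that both scripts source, or at least marking them `readonly`, gives a single place to change and stops a later line from silently overriding them. Until then a short comment above them, `# Release identifiers shown in the banner; keep in sync with helk_update.sh`, documents the coupling.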
@@ -26,14 +29,14 @@ SYSTEM_KERNEL="$(uname -s)" show_banner(){ # *********** Showing HELK Docker menu options *************** echo " " - echo "**********************************************" - echo "** HELK - THE HUNTING ELK **" - echo "** **" - echo "** Author: Roberto Rodriguez (@Cyb3rWard0g) **" - echo "** HELK build version: v0.1.8-alpha01032020 **" - echo "** HELK ELK version: 7.5.2 **" - echo "** License: GPL-3.0 **" - echo "**********************************************" + echo "***********************************************" + echo "** HELK - THE HUNTING ELK **" + echo "** **" + echo "** Author: Roberto Rodriguez (@Cyb3rWard0g) **" + echo "** HELK build version: ${HELK_BUILD_VERSION} **" + echo "** HELK ELK version: {$HELK_ELK_VERSION} **" + echo "** License: GPL-3.0 **" + echo "***********************************************" echo " " } diff --git a/docs/_build/installation.html b/docs/_build/installation.html index 0d86c04b..247248fd 100644 --- a/docs/_build/installation.html +++ b/docs/_build/installation.html @@ -95,7 +95,7 @@
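Review bot: `echo "** HELK ELK version: {$HELK_ELK_VERSION} **"` in hunk @@ -26,14 +29,14 @@ of helk_update.sh has the brace before the dollar sign, so the shell expands only `$HELK_ELK_VERSION` and the banner prints `{7.6.2}` with literal braces, which will also push the right-hand `**` out of line with the rest of the box. The line should read `echo "** HELK ELK version: ${HELK_ELK_VERSION} **"`, matching the corresponding line in helk_install.sh.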

HELK Install < ** ** ** Author: Roberto Rodriguez (@Cyb3rWard0g) ** ** HELK build version: v0.1.8-alpha01032020 ** -** HELK ELK version: 7.5.2 ** +** HELK ELK version: 7.6.2 ** ** License: GPL-3.0 ** ********************************************** @@ -152,30 +152,30 @@

Monitor HELK installation Logs
Adding password for user helk
 Creating network "docker_helk" with driver "bridge"
 Creating volume "docker_esdata" with local driver
-Pulling helk-elasticsearch (docker.elastic.co/elasticsearch/elasticsearch:7.5.2)...
-7.5.2: Pulling from elasticsearch/elasticsearch
+Pulling helk-elasticsearch (docker.elastic.co/elasticsearch/elasticsearch:7.6.2)...
+7.6.2: Pulling from elasticsearch/elasticsearch
 Digest: sha256:771240a8e1c76cc6ac6aa740d2b82de94d4b8b7dbcca5ad0cf49d12b88a3b8e7
-Status: Downloaded newer image for docker.elastic.co/elasticsearch/elasticsearch:7.5.2
-Pulling helk-kibana (docker.elastic.co/kibana/kibana:7.5.2)...
-7.5.2: Pulling from kibana/kibana
+Status: Downloaded newer image for docker.elastic.co/elasticsearch/elasticsearch:7.6.2
+Pulling helk-kibana (docker.elastic.co/kibana/kibana:7.6.2)...
+7.6.2: Pulling from kibana/kibana
 Digest: sha256:fb0ac36c40de29b321a30805bcbda4cbe486e1c5979780647458ad77b5ee2f98
-Status: Downloaded newer image for docker.elastic.co/kibana/kibana:7.5.2
-Pulling helk-logstash (otrf/helk-logstash:7.5.2)...
-7.5.2: Pulling from otrf/helk-logstash
+Status: Downloaded newer image for docker.elastic.co/kibana/kibana:7.6.2
+Pulling helk-logstash (otrf/helk-logstash:7.6.2)...
+7.6.2: Pulling from otrf/helk-logstash
 Digest: sha256:c54057ff1d02d7ebae23e49835060c0b4012844312c674ce2264d8bbaee64f1a
-Status: Downloaded newer image for otrf/helk-logstash:7.5.2
-Pulling helk-nginx (otrf/helk-nginx:0.0.8)...
+Status: Downloaded newer image for otrf/helk-logstash:7.6.2
+Pulling helk-nginx (otrf/helk-nginx:0.3.0)...
 0.0.8: Pulling from otrf/helk-nginx
 Digest: sha256:83e86d3ee3891b8a06173f4278ddc9f85cbba9b2dfceada48fb311411e236341
-Status: Downloaded newer image for otrf/helk-nginx:0.0.8
-Pulling helk-zookeeper (otrf/helk-zookeeper:2.3.0)...
+Status: Downloaded newer image for otrf/helk-nginx:0.3.0
+Pulling helk-zookeeper (otrf/helk-zookeeper:2.4.0)...
 2.3.0: Pulling from otrf/helk-zookeeper
 Digest: sha256:3e7a0f3a73bcffeac4f239083618c362017005463dd747392a9b43db99535a68
-Status: Downloaded newer image for otrf/helk-zookeeper:2.3.0
-Pulling helk-kafka-broker (otrf/helk-kafka-broker:2.3.0)...
+Status: Downloaded newer image for otrf/helk-zookeeper:2.4.0
+Pulling helk-kafka-broker (otrf/helk-kafka-broker:2.4.0)...
 2.3.0: Pulling from otrf/helk-kafka-broker
 Digest: sha256:03569d98c46028715623778b4adf809bf417a055c3c19d21f426db4e1b2d6f55
-Status: Downloaded newer image for otrf/helk-kafka-broker:2.3.0
+Status: Downloaded newer image for otrf/helk-kafka-broker:2.4.0
 Pulling helk-ksql-server (confluentinc/cp-ksql-server:5.1.3)...
 5.1.3: Pulling from confluentinc/cp-ksql-server
 Digest: sha256:063add111cc93b1a0118f88b577e31303045d4cc08eb1d21458429f05cba4b02
@@ -184,10 +184,10 @@ 

Monitor HELK installation Logs 5.1.3: Pulling from confluentinc/cp-ksql-cli Digest: sha256:18c0ccb00fbf87679e16e9e0da600548fcb236a2fd173263b09e89b2d3a42cc3 Status: Downloaded newer image for confluentinc/cp-ksql-cli:5.1.3 -Pulling helk-elastalert (otrf/helk-elastalert:0.2.6)... +Pulling helk-elastalert (otrf/helk-elastalert:0.3.0)... 0.2.6: Pulling from otrf/helk-elastalert Digest: sha256:ae1096829aacbadce42bd4024b36da3a9636f1901ef4e9e62a12b881cfc23cf5 -Status: Downloaded newer image for otrf/helk-elastalert:0.2.6 +Status: Downloaded newer image for otrf/helk-elastalert:0.3.0 Creating helk-elasticsearch ... done Creating helk-kibana ... done Creating helk-logstash ... done @@ -204,13 +204,13 @@

Monitor HELK installation Logs
CONTAINER ID        IMAGE                                                 COMMAND                  CREATED             STATUS              PORTS                                                                              NAMES
 2caa7d86bc9e        confluentinc/cp-ksql-cli:5.1.3                        "/bin/sh"                5 minutes ago       Up 5 minutes                                                                                           helk-ksql-cli
 1ee3c0d90b2a        confluentinc/cp-ksql-server:5.1.3                     "/etc/confluent/dock…"   5 minutes ago       Up 5 minutes        0.0.0.0:8088->8088/tcp                                                             helk-ksql-server
-e753a811ffd2        otrf/helk-kafka-broker:2.3.0                          "./kafka-entrypoint.…"   5 minutes ago       Up 5 minutes        0.0.0.0:9092->9092/tcp                                                             helk-kafka-broker
-f93239de7d95        otrf/helk-zookeeper:2.3.0                             "./zookeeper-entrypo…"   5 minutes ago       Up 5 minutes        2181/tcp, 2888/tcp, 3888/tcp                                                       helk-zookeeper
-229ea8467075        otrf/helk-elastalert:0.2.6                            "./elastalert-entryp…"   5 minutes ago       Up 5 minutes                                                                                           helk-elastalert
-f6fd290d2a9d        otrf/helk-nginx:0.0.8                                 "/opt/helk/scripts/n…"   5 minutes ago       Up 5 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp                                           helk-nginx
-d4f2b6d7d21e        otrf/helk-logstash:7.5.2                              "/usr/share/logstash…"   5 minutes ago       Up 5 minutes        0.0.0.0:3515->3515/tcp, 0.0.0.0:5044->5044/tcp, 0.0.0.0:8531->8531/tcp, 9600/tcp   helk-logstash
-c5ae143741ea        docker.elastic.co/kibana/kibana:7.5.2                 "/usr/share/kibana/s…"   5 minutes ago       Up 5 minutes        5601/tcp                                                                           helk-kibana
-1729e3234b91        docker.elastic.co/elasticsearch/elasticsearch:7.5.2   "/usr/share/elastics…"   5 minutes ago       Up 5 minutes        9200/tcp, 9300/tcp                                                                 helk-elasticsearch
+e753a811ffd2 otrf/helk-kafka-broker:2.4.0 "./kafka-entrypoint.…" 5 minutes ago Up 5 minutes 0.0.0.0:9092->9092/tcp helk-kafka-broker +f93239de7d95 otrf/helk-zookeeper:2.4.0 "./zookeeper-entrypo…" 5 minutes ago Up 5 minutes 2181/tcp, 2888/tcp, 3888/tcp helk-zookeeper +229ea8467075 otrf/helk-elastalert:0.3.0 "./elastalert-entryp…" 5 minutes ago Up 5 minutes helk-elastalert +f6fd290d2a9d otrf/helk-nginx:0.3.0 "/opt/helk/scripts/n…" 5 minutes ago Up 5 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp helk-nginx +d4f2b6d7d21e otrf/helk-logstash:7.6.2 "/usr/share/logstash…" 5 minutes ago Up 5 minutes 0.0.0.0:3515->3515/tcp, 0.0.0.0:5044->5044/tcp, 0.0.0.0:8531->8531/tcp, 9600/tcp helk-logstash +c5ae143741ea docker.elastic.co/kibana/kibana:7.6.2 "/usr/share/kibana/s…" 5 minutes ago Up 5 minutes 5601/tcp helk-kibana +1729e3234b91 docker.elastic.co/elasticsearch/elasticsearch:7.6.2 "/usr/share/elastics…" 5 minutes ago Up 5 minutes 9200/tcp, 9300/tcp helk-elasticsearch

If you want to monitor the resources being utilized (Memory, CPU, etc), you can run the following:

user@HELK-vm:~$ sudo docker stats --all
@@ -236,7 +236,7 @@ 

Monitor HELK installation Logs {"type": "server", "timestamp": "2020-01-25T04:26:19,448Z", "level": "INFO", "component": "o.e.e.NodeEnvironment", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "using [1] data paths, mounts [[/usr/share/elasticsearch/data (/dev/mapper/ubuntu--vg-root)]], net usable_space [102.2gb], net total_space [116.6gb], types [ext4]" } {"type": "server", "timestamp": "2020-01-25T04:26:19,451Z", "level": "INFO", "component": "o.e.e.NodeEnvironment", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "heap size [3gb], compressed ordinary object pointers [true]" } {"type": "server", "timestamp": "2020-01-25T04:26:19,458Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "node name [helk-1], node ID [Ed3L9UydShyLmPCbP3GLxw], cluster name [helk-cluster]" } -{"type": "server", "timestamp": "2020-01-25T04:26:19,459Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "version[7.5.2], pid[16], build[default/docker/8bec50e1e0ad29dad5653712cf3bb580cd1afcdf/2020-01-15T12:11:52.313576Z], OS[Linux/4.15.0-74-generic/amd64], JVM[AdoptOpenJDK/OpenJDK 64-Bit Server VM/13.0.1/13.0.1+9]" } +{"type": "server", "timestamp": "2020-01-25T04:26:19,459Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "version[7.6.2], pid[16], build[default/docker/8bec50e1e0ad29dad5653712cf3bb580cd1afcdf/2020-01-15T12:11:52.313576Z], OS[Linux/4.15.0-74-generic/amd64], JVM[AdoptOpenJDK/OpenJDK 64-Bit Server VM/13.0.1/13.0.1+9]" } {"type": "server", "timestamp": "2020-01-25T04:26:19,459Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "JVM home [/usr/share/elasticsearch/jdk]" } {"type": "server", "timestamp": "2020-01-25T04:26:19,460Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": 
"helk-cluster", "node.name": "helk-1", "message": "JVM arguments [-Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=COMPAT, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Djava.io.tmpdir=/tmp/elasticsearch-3812421782724323797, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.locale.providers=COMPAT, -Des.cgroups.hierarchy.override=/, -Xms3200m, -Xmx3200m, -XX:MaxDirectMemorySize=1677721600, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/usr/share/elasticsearch/config, -Des.distribution.flavor=default, -Des.distribution.type=docker, -Des.bundled_jdk=true]" } {"type": "server", "timestamp": "2020-01-25T04:26:21,523Z", "level": "INFO", "component": "o.e.p.PluginsService", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "loaded module [aggs-matrix-stats]" } diff --git a/docs/content/installation.md b/docs/content/installation.md index 7d54a224..6f045a32 100644 --- a/docs/content/installation.md +++ b/docs/content/installation.md @@ -63,7 +63,7 @@ sudo ./helk_install.sh ** ** ** Author: Roberto Rodriguez (@Cyb3rWard0g) ** ** HELK build version: v0.1.8-alpha01032020 ** -** HELK ELK version: 7.5.2 ** +** HELK ELK version: 7.6.2 ** ** License: GPL-3.0 ** ********************************************** 
@@ -127,30 +127,30 @@ tail -f /var/log/helk-install.log Adding password for user helk Creating network "docker_helk" with driver "bridge" Creating volume "docker_esdata" with local driver -Pulling helk-elasticsearch (docker.elastic.co/elasticsearch/elasticsearch:7.5.2)... -7.5.2: Pulling from elasticsearch/elasticsearch +Pulling helk-elasticsearch (docker.elastic.co/elasticsearch/elasticsearch:7.6.2)... +7.6.2: Pulling from elasticsearch/elasticsearch Digest: sha256:771240a8e1c76cc6ac6aa740d2b82de94d4b8b7dbcca5ad0cf49d12b88a3b8e7 -Status: Downloaded newer image for docker.elastic.co/elasticsearch/elasticsearch:7.5.2 -Pulling helk-kibana (docker.elastic.co/kibana/kibana:7.5.2)... -7.5.2: Pulling from kibana/kibana +Status: Downloaded newer image for docker.elastic.co/elasticsearch/elasticsearch:7.6.2 +Pulling helk-kibana (docker.elastic.co/kibana/kibana:7.6.2)... +7.6.2: Pulling from kibana/kibana Digest: sha256:fb0ac36c40de29b321a30805bcbda4cbe486e1c5979780647458ad77b5ee2f98 -Status: Downloaded newer image for docker.elastic.co/kibana/kibana:7.5.2 -Pulling helk-logstash (otrf/helk-logstash:7.5.2)... -7.5.2: Pulling from otrf/helk-logstash +Status: Downloaded newer image for docker.elastic.co/kibana/kibana:7.6.2 +Pulling helk-logstash (otrf/helk-logstash:7.6.2)... +7.6.2: Pulling from otrf/helk-logstash Digest: sha256:c54057ff1d02d7ebae23e49835060c0b4012844312c674ce2264d8bbaee64f1a -Status: Downloaded newer image for otrf/helk-logstash:7.5.2 -Pulling helk-nginx (otrf/helk-nginx:0.0.8)... +Status: Downloaded newer image for otrf/helk-logstash:7.6.2 +Pulling helk-nginx (otrf/helk-nginx:0.3.0)... 0.0.8: Pulling from otrf/helk-nginx Digest: sha256:83e86d3ee3891b8a06173f4278ddc9f85cbba9b2dfceada48fb311411e236341 -Status: Downloaded newer image for otrf/helk-nginx:0.0.8 -Pulling helk-zookeeper (otrf/helk-zookeeper:2.3.0)... +Status: Downloaded newer image for otrf/helk-nginx:0.3.0 +Pulling helk-zookeeper (otrf/helk-zookeeper:2.4.0)... 
2.3.0: Pulling from otrf/helk-zookeeper Digest: sha256:3e7a0f3a73bcffeac4f239083618c362017005463dd747392a9b43db99535a68 -Status: Downloaded newer image for otrf/helk-zookeeper:2.3.0 -Pulling helk-kafka-broker (otrf/helk-kafka-broker:2.3.0)... +Status: Downloaded newer image for otrf/helk-zookeeper:2.4.0 +Pulling helk-kafka-broker (otrf/helk-kafka-broker:2.4.0)... 2.3.0: Pulling from otrf/helk-kafka-broker Digest: sha256:03569d98c46028715623778b4adf809bf417a055c3c19d21f426db4e1b2d6f55 -Status: Downloaded newer image for otrf/helk-kafka-broker:2.3.0 +Status: Downloaded newer image for otrf/helk-kafka-broker:2.4.0 Pulling helk-ksql-server (confluentinc/cp-ksql-server:5.1.3)... 5.1.3: Pulling from confluentinc/cp-ksql-server Digest: sha256:063add111cc93b1a0118f88b577e31303045d4cc08eb1d21458429f05cba4b02 @@ -159,10 +159,10 @@ Pulling helk-ksql-cli (confluentinc/cp-ksql-cli:5.1.3)... 5.1.3: Pulling from confluentinc/cp-ksql-cli Digest: sha256:18c0ccb00fbf87679e16e9e0da600548fcb236a2fd173263b09e89b2d3a42cc3 Status: Downloaded newer image for confluentinc/cp-ksql-cli:5.1.3 -Pulling helk-elastalert (otrf/helk-elastalert:0.2.6)... +Pulling helk-elastalert (otrf/helk-elastalert:0.3.0)... 0.2.6: Pulling from otrf/helk-elastalert Digest: sha256:ae1096829aacbadce42bd4024b36da3a9636f1901ef4e9e62a12b881cfc23cf5 -Status: Downloaded newer image for otrf/helk-elastalert:0.2.6 +Status: Downloaded newer image for otrf/helk-elastalert:0.3.0 Creating helk-elasticsearch ... done Creating helk-kibana ... done Creating helk-logstash ... done 
@@ -183,13 +183,13 @@ sudo docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 2caa7d86bc9e confluentinc/cp-ksql-cli:5.1.3 "/bin/sh" 5 minutes ago Up 5 minutes helk-ksql-cli 1ee3c0d90b2a confluentinc/cp-ksql-server:5.1.3 "/etc/confluent/dock…" 5 minutes ago Up 5 minutes 0.0.0.0:8088->8088/tcp helk-ksql-server -e753a811ffd2 otrf/helk-kafka-broker:2.3.0 "./kafka-entrypoint.…" 5 minutes ago Up 5 minutes 0.0.0.0:9092->9092/tcp helk-kafka-broker -f93239de7d95 otrf/helk-zookeeper:2.3.0 "./zookeeper-entrypo…" 5 minutes ago Up 5 minutes 2181/tcp, 2888/tcp, 3888/tcp helk-zookeeper -229ea8467075 otrf/helk-elastalert:0.2.6 "./elastalert-entryp…" 5 minutes ago Up 5 minutes helk-elastalert -f6fd290d2a9d otrf/helk-nginx:0.0.8 "/opt/helk/scripts/n…" 5 minutes ago Up 5 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp helk-nginx -d4f2b6d7d21e otrf/helk-logstash:7.5.2 "/usr/share/logstash…" 5 minutes ago Up 5 minutes 0.0.0.0:3515->3515/tcp, 0.0.0.0:5044->5044/tcp, 0.0.0.0:8531->8531/tcp, 9600/tcp helk-logstash -c5ae143741ea docker.elastic.co/kibana/kibana:7.5.2 "/usr/share/kibana/s…" 5 minutes ago Up 5 minutes 5601/tcp helk-kibana -1729e3234b91 docker.elastic.co/elasticsearch/elasticsearch:7.5.2 "/usr/share/elastics…" 5 minutes ago Up 5 minutes 9200/tcp, 9300/tcp helk-elasticsearch +e753a811ffd2 otrf/helk-kafka-broker:2.4.0 "./kafka-entrypoint.…" 5 minutes ago Up 5 minutes 0.0.0.0:9092->9092/tcp helk-kafka-broker +f93239de7d95 otrf/helk-zookeeper:2.4.0 "./zookeeper-entrypo…" 5 minutes ago Up 5 minutes 2181/tcp, 2888/tcp, 3888/tcp helk-zookeeper +229ea8467075 otrf/helk-elastalert:0.3.0 "./elastalert-entryp…" 5 minutes ago Up 5 minutes helk-elastalert +f6fd290d2a9d otrf/helk-nginx:0.3.0 "/opt/helk/scripts/n…" 5 minutes ago Up 5 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp helk-nginx +d4f2b6d7d21e otrf/helk-logstash:7.6.2 "/usr/share/logstash…" 5 minutes ago Up 5 minutes 0.0.0.0:3515->3515/tcp, 0.0.0.0:5044->5044/tcp, 0.0.0.0:8531->8531/tcp, 9600/tcp helk-logstash 
+c5ae143741ea docker.elastic.co/kibana/kibana:7.6.2 "/usr/share/kibana/s…" 5 minutes ago Up 5 minutes 5601/tcp helk-kibana +1729e3234b91 docker.elastic.co/elasticsearch/elasticsearch:7.6.2 "/usr/share/elastics…" 5 minutes ago Up 5 minutes 9200/tcp, 9300/tcp helk-elasticsearch ``` If you want to monitor the resources being utilized (Memory, CPU, etc), you can run the following: 
@@ -222,7 +222,7 @@ user@HELK-vm:~$ sudo docker logs --follow --tail 20 helk-elasticsearch {"type": "server", "timestamp": "2020-01-25T04:26:19,448Z", "level": "INFO", "component": "o.e.e.NodeEnvironment", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "using [1] data paths, mounts [[/usr/share/elasticsearch/data (/dev/mapper/ubuntu--vg-root)]], net usable_space [102.2gb], net total_space [116.6gb], types [ext4]" } {"type": "server", "timestamp": "2020-01-25T04:26:19,451Z", "level": "INFO", "component": "o.e.e.NodeEnvironment", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "heap size [3gb], compressed ordinary object pointers [true]" } {"type": "server", "timestamp": "2020-01-25T04:26:19,458Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "node name [helk-1], node ID [Ed3L9UydShyLmPCbP3GLxw], cluster name [helk-cluster]" } -{"type": "server", "timestamp": "2020-01-25T04:26:19,459Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "version[7.5.2], pid[16], build[default/docker/8bec50e1e0ad29dad5653712cf3bb580cd1afcdf/2020-01-15T12:11:52.313576Z], OS[Linux/4.15.0-74-generic/amd64], JVM[AdoptOpenJDK/OpenJDK 64-Bit Server VM/13.0.1/13.0.1+9]" } +{"type": "server", "timestamp": "2020-01-25T04:26:19,459Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "version[7.6.2], pid[16], build[default/docker/8bec50e1e0ad29dad5653712cf3bb580cd1afcdf/2020-01-15T12:11:52.313576Z], OS[Linux/4.15.0-74-generic/amd64], JVM[AdoptOpenJDK/OpenJDK 64-Bit Server VM/13.0.1/13.0.1+9]" } {"type": "server", "timestamp": "2020-01-25T04:26:19,459Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "JVM home [/usr/share/elasticsearch/jdk]" } {"type": "server", "timestamp": "2020-01-25T04:26:19,460Z", "level": 
"INFO", "component": "o.e.n.Node", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "JVM arguments [-Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=COMPAT, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Djava.io.tmpdir=/tmp/elasticsearch-3812421782724323797, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.locale.providers=COMPAT, -Des.cgroups.hierarchy.override=/, -Xms3200m, -Xmx3200m, -XX:MaxDirectMemorySize=1677721600, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/usr/share/elasticsearch/config, -Des.distribution.flavor=default, -Des.distribution.type=docker, -Des.bundled_jdk=true]" } {"type": "server", "timestamp": "2020-01-25T04:26:21,523Z", "level": "INFO", "component": "o.e.p.PluginsService", "cluster.name": "helk-cluster", "node.name": "helk-1", "message": "loaded module [aggs-matrix-stats]" }