{ "order": 0, "template": "wazuh*", "settings": { "index.refresh_interval": "5s" }, "mappings": { "wazuh": { "dynamic_templates": [ { "string_as_keyword": { "match_mapping_type": "string", "mapping": { "type": "keyword", "doc_values": "true" } } } ], "properties": { "@timestamp": { "type": "date", "format": "dateOptionalTime" }, "@version": { "type": "text" }, "agent": { "properties": { "ip": { "type": "keyword", "doc_values": "true" }, "id": { "type": "keyword", "doc_values": "true" }, "name": { "type": "keyword", "doc_values": "true" } } }, "manager": { "properties": { "name": { "type": "keyword", "doc_values": "true" } } }, "dstuser": { "type": "keyword", "doc_values": "true" }, "AlertsFile": { "type": "keyword", "doc_values": "true" }, "full_log": { "type": "text" }, "previous_log": { "type": "text" }, "GeoLocation": { "properties": { "area_code": { "type": "long" }, "city_name": { "type": "keyword", "doc_values": "true" }, "continent_code": { "type": "text" }, "coordinates": { "type": "double" }, "country_code2": { "type": "text" }, "country_code3": { "type": "text" }, "country_name": { "type": "keyword", "doc_values": "true" }, "dma_code": { "type": "long" }, "ip": { "type": "keyword", "doc_values": "true" }, "latitude": { "type": "double" }, "location": { "type": "geo_point" }, "longitude": { "type": "double" }, "postal_code": { "type": "keyword" }, "real_region_name": { "type": "keyword", "doc_values": "true" }, "region_name": { "type": "keyword", "doc_values": "true" }, "timezone": { "type": "text" } } }, "host": { "type": "keyword", "doc_values": "true" }, "syscheck": { "properties": { "path": { "type": "keyword", "doc_values": "true" }, "sha1_before": { "type": "keyword", "doc_values": "true" }, "sha1_after": { "type": "keyword", "doc_values": "true" }, "uid_before": { "type": "keyword", "doc_values": "true" }, "uid_after": { "type": "keyword", "doc_values": "true" }, "gid_before": { "type": "keyword", "doc_values": "true" }, "gid_after": { "type": "keyword", "doc_values": "true" }, "perm_before": { "type": "keyword", "doc_values": "true" }, "perm_after": { "type": "keyword", "doc_values": "true" }, "md5_after": { "type": "keyword", "doc_values": "true" }, "md5_before": { "type": "keyword", "doc_values": "true" }, "gname_after": { "type": "keyword", "doc_values": "true" }, "gname_before": { "type": "keyword", "doc_values": "true" }, "inode_after": { "type": "keyword", "doc_values": "true" }, "inode_before": { "type": "keyword", "doc_values": "true" }, "mtime_after": { "type": "date", "format": "dateOptionalTime", "doc_values": "true" }, "mtime_before": { "type": "date", "format": "dateOptionalTime", "doc_values": "true" }, "uname_after": { "type": "keyword", "doc_values": "true" }, "uname_before": { "type": "keyword", "doc_values": "true" }, "size_before": { "type": "long", "doc_values": "true" }, "size_after": { "type": "long", "doc_values": "true" }, "diff": { "type": "keyword", "doc_values": "true" }, "event": { "type": "keyword", "doc_values": "true" } } }, "location": { "type": "keyword", "doc_values": "true" }, "message": { "type": "text" }, "offset": { "type": "keyword" }, "rule": { "properties": { "description": { "type": "keyword", "doc_values": "true" }, "groups": { "type": "keyword", "doc_values": "true" }, "level": { "type": "long", "doc_values": "true" }, "id": { "type": "keyword", "doc_values": "true" }, "cve": { "type": "keyword", "doc_values": "true" }, "info": { "type": "keyword", "doc_values": "true" }, "frequency": { "type": "long", "doc_values": "true" }, "firedtimes": { "type": "long", "doc_values": "true" }, "cis": { "type": "keyword", "doc_values": "true" }, "pci_dss": { "type": "keyword", "doc_values": "true" } } }, "decoder": { "properties": { "parent": { "type": "keyword", "doc_values": "true" }, "name": { "type": "keyword", "doc_values": "true" }, "ftscomment": { "type": "keyword", "doc_values": "true" }, "fts": { "type": "long", "doc_values": "true" }, "accumulate": { "type": "long", "doc_values": "true" } } }, "srcip": { "type": "keyword", "doc_values": "true" }, "protocol": { "type": "keyword", "doc_values": "true" }, "action": { "type": "keyword", "doc_values": "true" }, "dstip": { "type": "keyword", "doc_values": "true" }, "dstport": { "type": "keyword", "doc_values": "true" }, "srcuser": { "type": "keyword", "doc_values": "true" }, "program_name": { "type": "keyword", "doc_values": "true" }, "id": { "type": "keyword", "doc_values": "true" }, "status": { "type": "keyword", "doc_values": "true" }, "command": { "type": "keyword", "doc_values": "true" }, "url": { "type": "keyword", "doc_values": "true" }, "data": { "type": "keyword", "doc_values": "true" }, "system_name": { "type": "keyword", "doc_values": "true" }, "type": { "type": "text" }, "title": { "type": "keyword", "doc_values": "true" }, "oscap": { "properties": { "check.title": { "type": "keyword", "doc_values": "true" }, "check.id": { "type": "keyword", "doc_values": "true" }, "check.result": { "type": "keyword", "doc_values": "true" }, "check.severity": { "type": "keyword", "doc_values": "true" }, "check.description": { "type": "text" }, "check.rationale": { "type": "text" }, "check.references": { "type": "text" }, "check.identifiers": { "type": "text" }, "check.oval.id": { "type": "keyword", "doc_values": "true" }, "scan.id": { "type": "keyword", "doc_values": "true" }, "scan.content": { "type": "keyword", "doc_values": "true" }, "scan.benchmark.id": { "type": "keyword", "doc_values": "true" }, "scan.profile.title": { "type": "keyword", "doc_values": "true" }, "scan.profile.id": { "type": "keyword", "doc_values": "true" }, "scan.score": { "type": "double", "doc_values": "true" }, "scan.return_code": { "type": "long", "doc_values": "true" } } }, "audit": { "properties": { "type": { "type": "keyword", "doc_values": "true" }, "id": { "type": "keyword", "doc_values": "true" }, "syscall": { "type": "keyword", "doc_values": "true" }, "exit": { "type": "keyword", "doc_values": "true" }, "ppid": { "type": "keyword", "doc_values": "true" }, "pid": { "type": "keyword", "doc_values": "true" }, "auid": { "type": "keyword", "doc_values": "true" }, "uid": { "type": "keyword", "doc_values": "true" }, "gid": { "type": "keyword", "doc_values": "true" }, "euid": { "type": "keyword", "doc_values": "true" }, "suid": { "type": "keyword", "doc_values": "true" }, "fsuid": { "type": "keyword", "doc_values": "true" }, "egid": { "type": "keyword", "doc_values": "true" }, "sgid": { "type": "keyword", "doc_values": "true" }, "fsgid": { "type": "keyword", "doc_values": "true" }, "tty": { "type": "keyword", "doc_values": "true" }, "session": { "type": "keyword", "doc_values": "true" }, "command": { "type": "keyword", "doc_values": "true" }, "exe": { "type": "keyword", "doc_values": "true" }, "key": { "type": "keyword", "doc_values": "true" }, "cwd": { "type": "keyword", "doc_values": "true" }, "directory.name": { "type": "keyword", "doc_values": "true" }, "directory.inode": { "type": "keyword", "doc_values": "true" }, "directory.mode": { "type": "keyword", "doc_values": "true" }, "file.name": { "type": "keyword", "doc_values": "true" }, "file.inode": { "type": "keyword", "doc_values": "true" }, "file.mode": { "type": "keyword", "doc_values": "true" }, "acct": { "type": "keyword", "doc_values": "true" }, "dev": { "type": "keyword", "doc_values": "true" }, "enforcing": { "type": "keyword", "doc_values": "true" }, "list": { "type": "keyword", "doc_values": "true" }, "old-auid": { "type": "keyword", "doc_values": "true" }, "old-ses": { "type": "keyword", "doc_values": "true" }, "old_enforcing": { "type": "keyword", "doc_values": "true" }, "old_prom": { "type": "keyword", "doc_values": "true" }, "op": { "type": "keyword", "doc_values": "true" }, "prom": { "type": "keyword", "doc_values": "true" }, "res": { "type": "keyword", "doc_values": "true" }, "srcip": { "type": "keyword", "doc_values": "true" }, "subj": { "type": "keyword", "doc_values": "true" }, "success": { "type": "keyword", "doc_values": "true" } } } } }, "agent": { "properties": { "@timestamp": { "type": "date", "format": "dateOptionalTime" }, "status": { "type": "keyword" }, "ip": { "type": "keyword" }, "host": { "type": "keyword" }, "name": { "type": "keyword" }, "id": { "type": "keyword" } } } } }