{ "template": "threatline*", "settings" : { "index" : { "number_of_shards" : 3, "number_of_replicas" : 2 } }, "mappings": { "capture_loss": { "_all": { "enabled": false }, "properties": { "acks": { "type": "long" }, "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "enrichment": { "type": "object" }, "gaps": { "type": "long" }, "peer": { "type": "keyword" }, "percent_lost": { "type": "double" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "ts_delta": { "type": "double" } } }, "communication": { "_all": { "enabled": false }, "properties": { "connected_peer_addr": { "type": "ip" }, "connected_peer_desc": { "type": "keyword" }, "connected_peer_port": { "type": "keyword" }, "level": { "type": "keyword" }, "message": { "type": "keyword" }, "peer": { "type": "keyword" }, "src_name": { "type": "keyword" }, "ts": { "format": "epoch_second", "type": "date" } } }, "conn": { "_all": { "enabled": false }, "properties": { "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "conn_state": { "type": "keyword" }, "duration": { "type": "double" }, "enrichment": { "properties": { "ip": { "properties": { "asn_country_code": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "asn_desc": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "asn_num": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "network": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "whois": { "properties": { "email": { "properties": { "value": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" } } }, "kind": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "name": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "phone": { "properties": { "type": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "value": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" } } } } } } } } }, "enrichmment": { "type": "object" }, "history": { "type": "keyword" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "local_orig": { "type": "boolean" }, "local_resp": { "type": "boolean" }, "missed_bytes": { "type": "long" }, "orig_bytes": { "type": "long" }, "orig_ip_bytes": { "type": "long" }, "orig_l2_addr": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "orig_pkts": { "type": "long" }, "proto": { "type": "keyword" }, "resp_bytes": { "type": "long" }, "resp_ip_bytes": { "type": "long" }, "resp_l2_addr": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "resp_pkts": { "type": "long" }, "service": { "type": "keyword" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "tunnel_parents": { "type": "keyword" }, "uid": { "type": "keyword" } } }, "dns": { "_all": { "enabled": false }, "properties": { "AA": { "type": "boolean" }, "RA": { "type": "boolean" }, "RD": { "type": "boolean" }, "TC": { "type": "boolean" }, "TTLs": { "type": "double" }, "Z": { "type": "long" }, "answers": { "type": "keyword" }, "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "enrichment": { "type": "object" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "proto": { "type": "keyword" }, "qclass": { "type": "long" }, "qclass_name": { "type": "keyword" }, "qtype": { "type": "long" }, "qtype_name": { "type": "keyword" }, "query": { "type": "keyword" }, "rcode": { "type": "long" }, "rcode_name": { "type": "keyword" }, "rejected": { "type": "boolean" }, "rtt": { "type": "double" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "trans_id": { "type": "long" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" } } }, "dpd": { "_all": { "enabled": false }, "properties": { "analyzer": { "type": "keyword" }, "failure_reason": { "type": "keyword" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "proto": { "type": "keyword" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" } } }, "files": { "_all": { "enabled": false }, "properties": { "analyzers": { "type": "keyword" }, "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "conn_uids": { "type": "keyword" }, "depth": { "type": "long" }, "duration": { "type": "double" }, "enrichment": { "type": "object" }, "extracted": { "type": "keyword" }, "extracted_cutoff": { "type": "boolean" }, "extracted_size": { "type": "long" }, "filename": { "type": "keyword" }, "fuid": { "type": "keyword" }, "is_orig": { "type": "boolean" }, "local_orig": { "type": "boolean" }, "md5": { "type": "keyword" }, "mime_type": { "type": "keyword" }, "missing_bytes": { "type": "long" }, "overflow_bytes": { "type": "long" }, "parent_fuid": { "type": "keyword" }, "rx_hosts": { "type": "ip" }, "seen_bytes": { "type": "long" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "source": { "type": "keyword" }, "timedout": { "type": "boolean" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "total_bytes": { "type": "long" }, "ts": { "format": "epoch_second", "type": "date" }, "tx_hosts": { "type": "ip" } } }, "http": { "_all": { "enabled": false }, "properties": { "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "enrichment": { "type": "object" }, "host": { "type": "keyword" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "info_code": { "type": "long" }, "info_msg": { "type": "keyword" }, "method": { "type": "keyword" }, "orig_filenames": { "type": "keyword" }, "orig_fuids": { "type": "keyword" }, "orig_mime_types": { "type": "keyword" }, "password": { "type": "keyword" }, "proxied": { "type": "keyword" }, "referrer": { "type": "keyword" }, "request_body_len": { "type": "long" }, "resp_filenames": { "type": "keyword" }, "resp_fuids": { "type": "keyword" }, "resp_mime_types": { "type": "keyword" }, "response_body_len": { "type": "long" }, "status_code": { "type": "long" }, "status_msg": { "type": "keyword" }, "tags": { "type": "keyword" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "trans_depth": { "type": "long" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" }, "uri": { "type": "keyword" }, "user_agent": { "type": "keyword" }, "username": { "type": "keyword" }, "version": { "type": "keyword" } } }, "loaded_scripts": { "_all": { "enabled": false }, "properties": { "name": { "type": "keyword" }, "ts": { "format": "epoch_second", "type": "date" } } }, "notice": { "_all": { "enabled": false }, "properties": { "actions": { "type": "keyword" }, "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "dropped": { "type": "boolean" }, "dst": { "type": "ip" }, "enrichment": { "type": "object" }, "file_desc": { "type": "keyword" }, "file_mime_type": { "type": "keyword" }, "fuid": { "type": "keyword" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "msg": { "type": "keyword" }, "n": { "type": "long" }, "note": { "type": "keyword" }, "p": { "type": "keyword" }, "peer_descr": { "type": "keyword" }, "proto": { "type": "keyword" }, "remote_location": { "properties": { "city": { "type": "keyword" }, "country_code": { "type": "keyword" }, "latitude": { "type": "double" }, "longitude": { "type": "double" }, "region": { "type": "keyword" } } }, "src": { "type": "ip" }, "sub": { "type": "keyword" }, "suppress_for": { "type": "double" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" } } }, "packet_filter": { "_all": { "enabled": false }, "properties": { "filter": { "type": "keyword" }, "init": { "type": "boolean" }, "node": { "type": "keyword" }, "success": { "type": "boolean" }, "ts": { "format": "epoch_second", "type": "date" } } }, "pe": { "properties": { "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "compile_ts": { "type": "float" }, "enrichment": { "type": "object" }, "has_cert_table": { "type": "boolean" }, "has_debug_data": { "type": "boolean" }, "has_export_table": { "type": "boolean" }, "has_import_table": { "type": "boolean" }, "is_64bit": { "type": "boolean" }, "is_exe": { "type": "boolean" }, "machine": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "os": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "section_names": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "subsystem": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" }, "uses_aslr": { "type": "boolean" }, "uses_code_integrity": { "type": "boolean" }, "uses_dep": { "type": "boolean" }, "uses_seh": { "type": "boolean" } } }, "rdp": { "properties": { "cert_count": { "type": "long" }, "cookie": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "result": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "security_protocol": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" } } }, "reporter": { "_all": { "enabled": false }, "properties": { "level": { "type": "keyword" }, "location": { "type": "keyword" }, "message": { "type": "keyword" }, "ts": { "format": "epoch_second", "type": "date" } } }, "smb_files": { "properties": { "action": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "enrichment": { "type": "object" }, "fuid": { "type": "keyword" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "name": { "type": "keyword" }, "path": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "prev_name": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "size": { "type": "long" }, "times": { "properties": { "accessed": { "type": "float" }, "changed": { "type": "float" }, "created": { "type": "float" }, "modified": { "type": "float" } } }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" } } }, "smb_mapping": { "properties": { "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "path": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "share_type": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" } } }, "smtp": { "properties": { "cc": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "date": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "enrichment": { "type": "object" }, "first_received": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "from": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "fuids": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "helo": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "in_reply_to": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "is_webmail": { "type": "boolean" }, "last_reply": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "mailfrom": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "msg_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "path": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "rcptto": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "reply_to": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "subject": { "type": "keyword" }, "tls": { "type": "boolean" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "to": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "trans_depth": { "type": "long" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" }, "user_agent": { "type": "keyword" } } }, "snmp": { "properties": { "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "community": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "duration": { "type": "double" }, "enrichment": { "type": "object" }, "get_bulk_requests": { "type": "long" }, "get_requests": { "type": "long" }, "get_responses": { "type": "long" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "set_requests": { "type": "long" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" }, "version": { "type": "keyword" } } }, "software": { "properties": { "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "enrichment": { "type": "object" }, "host": { "type": "keyword" }, "host_p": { "type": "long" }, "name": { "type": "keyword" }, "software_type": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "unparsed_version": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "version_addl": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "version_major": { "type": "long" }, "version_minor": { "type": "long" }, "version_minor2": { "type": "long" }, "version_minor3": { "type": "long" } } }, "ssh": { "properties": { "auth_attempts": { "type": "long" }, "auth_success": { "type": "boolean" }, "cipher_alg": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "client": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "compression_alg": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "host_key": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "host_key_alg": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "kex_alg": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "mac_alg": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "server": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" }, "version": { "type": "keyword" } } }, "ssl": { "_all": { "enabled": false }, "properties": { "cert_chain_fuids": { "type": "keyword" }, "cipher": { "type": "keyword" }, "client_cert_chain_fuids": { "type": "keyword" }, "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "client_issuer": { "type": "keyword" }, "client_subject": { "type": "keyword" }, "curve": { "type": "keyword" }, "enrichment": { "type": "object" }, "established": { "type": "boolean" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "issuer": { "type": "keyword" }, "last_alert": { "type": "keyword" }, "next_protocol": { "type": "keyword" }, "resumed": { "type": "boolean" }, "server_name": { "type": "keyword" }, "subject": { "type": "keyword" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" }, "validation_status": { "type": "keyword" }, "version": { "type": "keyword" } } }, "stats": { "_all": { "enabled": false }, "properties": { "active_dns_requests": { "type": "long" }, "active_files": { "type": "long" }, "active_icmp_conns": { "type": "long" }, "active_tcp_conns": { "type": "long" }, "active_timers": { "type": "long" }, "active_udp_conns": { "type": "long" }, "bytes_recv": { "type": "long" }, "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "dns_requests": { "type": "long" }, "enrichment": { "type": "object" }, "events_proc": { "type": "long" }, "events_queued": { "type": "long" }, "files": { "type": "long" }, "icmp_conns": { "type": "long" }, "mem": { "type": "long" }, "peer": { "type": "keyword" }, "pkt_lag": { "type": "double" }, "pkts_dropped": { "type": "long" }, "pkts_link": { "type": "long" }, "pkts_proc": { "type": "long" }, "reassem_file_size": { "type": "long" }, "reassem_frag_size": { "type": "long" }, "reassem_tcp_size": { "type": "long" }, "reassem_unknown_size": { "type": "long" }, "tcp_conns": { "type": "long" }, "timers": { "type": "long" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "udp_conns": { "type": "long" } } }, "tunnel": { "properties": { "action": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "enrichment": { "type": "object" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "tunnel_type": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "uid": { "type": "keyword" } } }, "weird": { "_all": { "enabled": false }, "properties": { "addl": { "type": "keyword" }, "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "enrichment": { "type": "object" }, "id": { "properties": { "orig_h": { "type": "ip" }, "orig_p": { "type": "keyword" }, "resp_h": { "type": "ip" }, "resp_p": { "type": "keyword" } } }, "name": { "type": "keyword" }, "notice": { "type": "boolean" }, "peer": { "type": "keyword" }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" } } }, "x509": { "properties": { "basic_constraints": { "properties": { "ca": { "type": "boolean" }, "path_len": { "type": "long" } } }, "certificate": { "properties": { "curve": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "exponent": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "issuer": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "key_alg": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "key_length": { "type": "long" }, "key_type": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "not_valid_after": { "type": "float" }, "not_valid_before": { "type": "float" }, "serial": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "sig_alg": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "subject": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "version": { "type": "long" } } }, "client_id": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "enrichment": { "type": "object" }, "san": { "properties": { "dns": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "email": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" } } }, "tltype": { "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } }, "type": "text" }, "ts": { "format": "epoch_second", "type": "date" }, "uid": { "type": "keyword" } } } } }