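PUT _index_template/microsoft.dns
{
  "index_patterns": ["microsoft.dns-*"],
  "template": {
    "settings": {
      "number_of_shards": 1,
      "number_of_replicas": 1,
      "max_docvalue_fields_search": 200,
      "index": {
        "refresh_interval": "5s",
        "lifecycle": {
          "name": "microsoft.dns",
          "rollover_alias": "microsoft.dns"
        }
      }
    },
    "mappings": {
      // NOTE(review): with numeric_detection on, a dynamically mapped string that looks numeric
      // is typed as long/double and bypasses strings_as_keyword; a later non-numeric value for the
      // same field is then rejected as a mapping conflict. Confirm this is intended for unmapped fields.
      "numeric_detection": true,
      "_meta": { "beat": "microsoft.dns" },
      "dynamic_templates": [
        {
          "strings_as_keyword": {
            "match_mapping_type": "string",
            "mapping": { "ignore_above": 1024, "type": "keyword" }
          }
        },
        {
          // Leaf string fields named ip* are exposed as runtime ip fields (evaluated at search time, not indexed).
          "strings_as_ip": {
            "match_mapping_type": "string",
            "match": "ip*",
            "runtime": { "type": "ip" }
          }
        }
      ],
      "properties": {
        "@timestamp": { "type": "date" },
        "tags": { "ignore_above": 1024, "type": "keyword" },
        "id": { "ignore_above": 1024, "type": "keyword" },
        "name": { "ignore_above": 1024, "type": "keyword" },
        "hostname": { "ignore_above": 1024, "type": "keyword" },
        "version": { "ignore_above": 1024, "type": "keyword" },
        "type": { "ignore_above": 1024, "type": "keyword" },
        "host": {
          "properties": {
            "ip": { "type": "ip" }
          }
        },
        "ecs": {
          "properties": {
            "version": { "ignore_above": 1024, "type": "keyword" }
          }
        },
        "agent": {
          "properties": {
            "ephemeral_id": { "ignore_above": 1024, "type": "keyword" }
          }
        },
        "log": {
          "properties": {
            "file": {
              "properties": {
                "path": { "ignore_above": 1024, "type": "keyword" }
              }
            }
          }
        },
        "process": {
          "properties": {
            "name": { "ignore_above": 1024, "type": "keyword" },
            "pid": { "type": "long" },
            "start": { "type": "date" },
            "end": { "type": "date" },
            "exit_code": { "type": "long" },
            "args_count": { "type": "long" },
            "uptime": { "type": "long" }
          }
        },
        "event": {
          "properties": {
            "category": { "ignore_above": 1024, "type": "keyword" },
            "start": { "type": "date" },
            "end": { "type": "date" },
            "dataset": { "ignore_above": 1024, "type": "keyword" },
            "kind": { "ignore_above": 1024, "type": "keyword" },
            "type": { "ignore_above": 1024, "type": "keyword" },
            "risk_score": { "type": "float" },
            "risk_score_norm": { "type": "float" },
            "severity": { "type": "long" },
            // NOTE(review): no ignore_above on the raw log line — a keyword value above Lucene's
            // 32766-byte term limit rejects the whole document. Consider ignore_above or index:false
            // if raw lines can be long; verify against observed Microsoft DNS log line sizes.
            "original": { "type": "keyword" }
          }
        },
        "source": {
          "properties": {
            "ip": { "type": "ip" },
            "port": { "type": "long" },
            "address": { "ignore_above": 1024, "type": "keyword" },
            "geo": {
              "properties": {
                "city_name": { "type": "keyword" },
                "continent_code": { "type": "keyword" },
                "continent_name": { "type": "keyword" },
                "country_iso_code": { "type": "keyword" },
                "location": { "type": "geo_point" },
                "country_name": { "type": "keyword" },
                "name": { "type": "keyword" },
                "postal_code": { "type": "keyword" },
                "region_iso_code": { "type": "keyword" },
                "region_name": { "type": "keyword" },
                "timezone": { "type": "keyword" }
              }
            }
          }
        },
        "dns": {
          "properties": {
            "resolved_ip": { "type": "ip" },
            "id": { "type": "keyword" },
            "op_code": { "type": "keyword" },
            "header_flags": { "type": "keyword" },
            "response_code": { "type": "keyword" },
            "type": { "type": "keyword" },
            "answers": {
              "properties": {
                "ttl": { "type": "long" },
                "type": { "type": "keyword" },
                "name": { "type": "keyword" },
                "data": { "type": "keyword" }
              }
            },
            "question": {
              "properties": {
                "class": { "type": "keyword" },
                "name": { "type": "keyword" },
                "registered_domain": { "type": "keyword" },
                "subdomain": { "type": "keyword" },
                "top_level_domain": { "type": "keyword" },
                "type": { "type": "keyword" }
              }
            }
          }
        },
        "destination": {
          "properties": {
            "ip": { "type": "ip" },
            "port": { "type": "long" },
            "address": { "ignore_above": 1024, "type": "keyword" },
            "geo": {
              "properties": {
                "city_name": { "type": "keyword" },
                "continent_code": { "type": "keyword" },
                "continent_name": { "type": "keyword" },
                "country_iso_code": { "type": "keyword" },
                "location": { "type": "geo_point" },
                "country_name": { "type": "keyword" },
                "name": { "type": "keyword" },
                "postal_code": { "type": "keyword" },
                "region_iso_code": { "type": "keyword" },
                "region_name": { "type": "keyword" },
                "timezone": { "type": "keyword" }
              }
            }
          }
        },
        "related": {
          "properties": {
            "ip": { "type": "ip" },
            "hosts": { "ignore_above": 1024, "type": "keyword" },
            "hash": { "ignore_above": 1024, "type": "keyword" },
            "user": { "ignore_above": 1024, "type": "keyword" }
          }
        }
      }
    }
  }
}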