From 9dd395b4523f4885d27f43aa9b06730b44029918 Mon Sep 17 00:00:00 2001
From: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
Date: Wed, 3 Mar 2021 13:28:59 -0500
Subject: [PATCH] [Security Solution][Case][Bug] Only update alert status in
 its specific index (#92530)

* Writing failing test for duplicate ids

* Test is correctly failing prior to bug fix

* Working jest tests

* Adding more jest tests

* Fixing jest tests

* Adding await and gzip

* Fixing type errors

* Updating log message

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../plugins/case/server/client/alerts/get.ts  |   13 +-
 .../client/alerts/update_status.test.ts       |   10 +-
 .../server/client/alerts/update_status.ts     |   12 +-
 .../plugins/case/server/client/cases/push.ts  |    7 +-
 .../case/server/client/cases/update.test.ts   |   43 +-
 .../case/server/client/cases/update.ts        |   44 +-
 x-pack/plugins/case/server/client/client.ts   |   12 +-
 .../case/server/client/comments/add.test.ts   |   78 +-
 .../case/server/client/comments/add.ts        |   35 +-
 x-pack/plugins/case/server/client/mocks.ts    |    4 +
 x-pack/plugins/case/server/client/types.ts    |   17 +-
 x-pack/plugins/case/server/common/index.ts    |    1 +
 x-pack/plugins/case/server/common/types.ts    |   14 +
 x-pack/plugins/case/server/common/utils.ts    |   32 +-
 .../api/__fixtures__/mock_saved_objects.ts    |   37 +
 .../api/cases/comments/patch_comment.test.ts  |   79 +
 .../server/routes/api/cases/get_case.test.ts  |    2 +-
 .../server/routes/api/cases/push_case.test.ts |    3 +-
 .../api/cases/sub_case/patch_sub_cases.ts     |   40 +-
 .../plugins/case/server/routes/api/utils.ts   |  116 +-
 .../case/server/services/alerts/index.test.ts |   27 +-
 .../case/server/services/alerts/index.ts      |  104 +-
 .../basic/tests/cases/patch_cases.ts          |  151 +-
 .../tests/cases/sub_cases/patch_sub_cases.ts  |   72 +-
 .../case_api_integration/common/lib/utils.ts  |   15 +-
 .../cases/signals/duplicate_ids/data.json.gz  |  Bin 0 -> 5513 bytes
 .../cases/signals/duplicate_ids/mappings.json | 6624 +++++++++++++++++
 27 files changed, 7281 insertions(+), 311 deletions(-)
 create mode 100644 x-pack/plugins/case/server/common/types.ts
 create mode 100644 x-pack/test/functional/es_archives/cases/signals/duplicate_ids/data.json.gz
 create mode 100644 x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json

diff --git a/x-pack/plugins/case/server/client/alerts/get.ts b/x-pack/plugins/case/server/client/alerts/get.ts
index 0b2663b73720..6a6e961e952c 100644
--- a/x-pack/plugins/case/server/client/alerts/get.ts
+++ b/x-pack/plugins/case/server/client/alerts/get.ts
@@ -6,34 +6,33 @@
  */
 
 import { ElasticsearchClient, Logger } from 'kibana/server';
+import { AlertInfo } from '../../common';
 import { AlertServiceContract } from '../../services';
 import { CaseClientGetAlertsResponse } from './types';
 
 interface GetParams {
   alertsService: AlertServiceContract;
-  ids: string[];
-  indices: Set<string>;
+  alertsInfo: AlertInfo[];
   scopedClusterClient: ElasticsearchClient;
   logger: Logger;
 }
 
 export const get = async ({
   alertsService,
-  ids,
-  indices,
+  alertsInfo,
   scopedClusterClient,
   logger,
 }: GetParams): Promise<CaseClientGetAlertsResponse> => {
-  if (ids.length === 0 || indices.size <= 0) {
+  if (alertsInfo.length === 0) {
     return [];
   }
 
-  const alerts = await alertsService.getAlerts({ ids, indices, scopedClusterClient, logger });
+  const alerts = await alertsService.getAlerts({ alertsInfo, scopedClusterClient, logger });
   if (!alerts) {
     return [];
   }
 
-  return alerts.hits.hits.map((alert) => ({
+  return alerts.docs.map((alert) => ({
     id: alert._id,
     index: alert._index,
     ...alert._source,
diff --git a/x-pack/plugins/case/server/client/alerts/update_status.test.ts b/x-pack/plugins/case/server/client/alerts/update_status.test.ts
index b3ed3c2b84a9..4662ce197662 100644
--- a/x-pack/plugins/case/server/client/alerts/update_status.test.ts
+++ b/x-pack/plugins/case/server/client/alerts/update_status.test.ts
@@ -15,17 +15,13 @@ describe('updateAlertsStatus', () => {
 
     const caseClient = await createCaseClientWithMockSavedObjectsClient({ savedObjectsClient });
     await caseClient.client.updateAlertsStatus({
-      ids: ['alert-id-1'],
-      status: CaseStatuses.closed,
-      indices: new Set<string>(['.siem-signals']),
+      alerts: [{ id: 'alert-id-1', index: '.siem-signals', status: CaseStatuses.closed }],
     });
 
     expect(caseClient.services.alertsService.updateAlertsStatus).toHaveBeenCalledWith({
-      scopedClusterClient: expect.anything(),
       logger: expect.anything(),
-      ids: ['alert-id-1'],
-      indices: new Set<string>(['.siem-signals']),
-      status: CaseStatuses.closed,
+      scopedClusterClient: expect.anything(),
+      alerts: [{ id: 'alert-id-1', index: '.siem-signals', status: CaseStatuses.closed }],
     });
   });
 });
diff --git a/x-pack/plugins/case/server/client/alerts/update_status.ts b/x-pack/plugins/case/server/client/alerts/update_status.ts
index 2194c3a18afd..cd6f97273d6d 100644
--- a/x-pack/plugins/case/server/client/alerts/update_status.ts
+++ b/x-pack/plugins/case/server/client/alerts/update_status.ts
@@ -6,25 +6,21 @@
  */
 
 import { ElasticsearchClient, Logger } from 'src/core/server';
-import { CaseStatuses } from '../../../common/api';
 import { AlertServiceContract } from '../../services';
+import { UpdateAlertRequest } from '../types';
 
 interface UpdateAlertsStatusArgs {
   alertsService: AlertServiceContract;
-  ids: string[];
-  status: CaseStatuses;
-  indices: Set<string>;
+  alerts: UpdateAlertRequest[];
   scopedClusterClient: ElasticsearchClient;
   logger: Logger;
 }
 
 export const updateAlertsStatus = async ({
   alertsService,
-  ids,
-  status,
-  indices,
+  alerts,
   scopedClusterClient,
   logger,
 }: UpdateAlertsStatusArgs): Promise<void> => {
-  await alertsService.updateAlertsStatus({ ids, status, indices, scopedClusterClient, logger });
+  await alertsService.updateAlertsStatus({ alerts, scopedClusterClient, logger });
 };
diff --git a/x-pack/plugins/case/server/client/cases/push.ts b/x-pack/plugins/case/server/client/cases/push.ts
index 80dcc7a0e018..8aab11be21b0 100644
--- a/x-pack/plugins/case/server/client/cases/push.ts
+++ b/x-pack/plugins/case/server/client/cases/push.ts
@@ -15,7 +15,7 @@ import {
   SavedObject,
 } from 'kibana/server';
 import { ActionResult, ActionsClient } from '../../../../actions/server';
-import { flattenCaseSavedObject, getAlertIndicesAndIDs } from '../../routes/api/utils';
+import { flattenCaseSavedObject, getAlertInfoFromComments } from '../../routes/api/utils';
 
 import {
   ActionConnector,
@@ -108,12 +108,11 @@ export const push = async ({
     );
   }
 
-  const { ids, indices } = getAlertIndicesAndIDs(theCase?.comments);
+  const alertsInfo = getAlertInfoFromComments(theCase?.comments);
 
   try {
     alerts = await caseClient.getAlerts({
-      ids,
-      indices,
+      alertsInfo,
     });
   } catch (e) {
     throw createCaseError({
diff --git a/x-pack/plugins/case/server/client/cases/update.test.ts b/x-pack/plugins/case/server/client/cases/update.test.ts
index 752b0ab369de..be68aa126602 100644
--- a/x-pack/plugins/case/server/client/cases/update.test.ts
+++ b/x-pack/plugins/case/server/client/cases/update.test.ts
@@ -430,9 +430,13 @@ describe('update', () => {
       await caseClient.client.update(patchCases);
 
       expect(caseClient.client.updateAlertsStatus).toHaveBeenCalledWith({
-        ids: ['test-id'],
-        status: 'closed',
-        indices: new Set<string>(['test-index']),
+        alerts: [
+          {
+            id: 'test-id',
+            index: 'test-index',
+            status: 'closed',
+          },
+        ],
       });
     });
 
@@ -458,11 +462,10 @@ describe('update', () => {
       });
 
       const caseClient = await createCaseClientWithMockSavedObjectsClient({ savedObjectsClient });
-      caseClient.client.updateAlertsStatus = jest.fn();
 
       await caseClient.client.update(patchCases);
 
-      expect(caseClient.client.updateAlertsStatus).not.toHaveBeenCalled();
+      expect(caseClient.esClient.bulk).not.toHaveBeenCalled();
     });
 
     test('it updates alert status when syncAlerts is turned on', async () => {
@@ -492,9 +495,7 @@ describe('update', () => {
       await caseClient.client.update(patchCases);
 
       expect(caseClient.client.updateAlertsStatus).toHaveBeenCalledWith({
-        ids: ['test-id'],
-        status: 'open',
-        indices: new Set<string>(['test-index']),
+        alerts: [{ id: 'test-id', index: 'test-index', status: 'open' }],
       });
     });
 
@@ -515,11 +516,10 @@ describe('update', () => {
       });
 
       const caseClient = await createCaseClientWithMockSavedObjectsClient({ savedObjectsClient });
-      caseClient.client.updateAlertsStatus = jest.fn();
 
       await caseClient.client.update(patchCases);
 
-      expect(caseClient.client.updateAlertsStatus).not.toHaveBeenCalled();
+      expect(caseClient.esClient.bulk).not.toHaveBeenCalled();
     });
 
     test('it updates alert status for multiple cases', async () => {
@@ -576,22 +576,12 @@ describe('update', () => {
       caseClient.client.updateAlertsStatus = jest.fn();
 
       await caseClient.client.update(patchCases);
-      /**
-       * the update code will put each comment into a status bucket and then make at most 1 call
-       * to ES for each status bucket
-       * Now instead of doing a call per case to get the comments, it will do a single call with all the cases
-       * and sub cases and get all the comments in one go
-       */
-      expect(caseClient.client.updateAlertsStatus).toHaveBeenNthCalledWith(1, {
-        ids: ['test-id'],
-        status: 'open',
-        indices: new Set<string>(['test-index']),
-      });
 
-      expect(caseClient.client.updateAlertsStatus).toHaveBeenNthCalledWith(2, {
-        ids: ['test-id-2'],
-        status: 'closed',
-        indices: new Set<string>(['test-index-2']),
+      expect(caseClient.client.updateAlertsStatus).toHaveBeenCalledWith({
+        alerts: [
+          { id: 'test-id', index: 'test-index', status: 'open' },
+          { id: 'test-id-2', index: 'test-index-2', status: 'closed' },
+        ],
       });
     });
 
@@ -611,11 +601,10 @@ describe('update', () => {
       });
 
       const caseClient = await createCaseClientWithMockSavedObjectsClient({ savedObjectsClient });
-      caseClient.client.updateAlertsStatus = jest.fn();
 
       await caseClient.client.update(patchCases);
 
-      expect(caseClient.client.updateAlertsStatus).not.toHaveBeenCalled();
+      expect(caseClient.esClient.bulk).not.toHaveBeenCalled();
     });
   });
 
diff --git a/x-pack/plugins/case/server/client/cases/update.ts b/x-pack/plugins/case/server/client/cases/update.ts
index 36318f03bd33..8c788d6f3bcd 100644
--- a/x-pack/plugins/case/server/client/cases/update.ts
+++ b/x-pack/plugins/case/server/client/cases/update.ts
@@ -18,7 +18,6 @@ import {
   Logger,
 } from 'kibana/server';
 import {
-  AlertInfo,
   flattenCaseSavedObject,
   isCommentRequestTypeAlertOrGenAlert,
 } from '../../routes/api/utils';
@@ -53,7 +52,8 @@ import {
   SUB_CASE_SAVED_OBJECT,
 } from '../../saved_object_types';
 import { CaseClientHandler } from '..';
-import { addAlertInfoToStatusMap } from '../../common';
+import { createAlertUpdateRequest } from '../../common';
+import { UpdateAlertRequest } from '../types';
 import { createCaseError } from '../../common/error';
 
 /**
@@ -291,33 +291,25 @@ async function updateAlerts({
   // get a map of sub case id to the sub case status
   const subCasesToStatus = await getSubCasesToStatus({ totalAlerts, client, caseService });
 
-  // create a map of the case statuses to the alert information that we need to update for that status
-  // This allows us to make at most 3 calls to ES, one for each status type that we need to update
-  // One potential improvement here is to do a tick (set timeout) to reduce the memory footprint if that becomes an issue
-  const alertsToUpdate = totalAlerts.saved_objects.reduce((acc, alertComment) => {
-    if (isCommentRequestTypeAlertOrGenAlert(alertComment.attributes)) {
-      const status = getSyncStatusForComment({
-        alertComment,
-        casesToSyncToStatus,
-        subCasesToStatus,
-      });
+  // create an array of requests that indicate the id, index, and status to update an alert
+  const alertsToUpdate = totalAlerts.saved_objects.reduce(
+    (acc: UpdateAlertRequest[], alertComment) => {
+      if (isCommentRequestTypeAlertOrGenAlert(alertComment.attributes)) {
+        const status = getSyncStatusForComment({
+          alertComment,
+          casesToSyncToStatus,
+          subCasesToStatus,
+        });
 
-      addAlertInfoToStatusMap({ comment: alertComment.attributes, statusMap: acc, status });
-    }
+        acc.push(...createAlertUpdateRequest({ comment: alertComment.attributes, status }));
+      }
 
-    return acc;
-  }, new Map<CaseStatuses, AlertInfo>());
+      return acc;
+    },
+    []
+  );
 
-  // This does at most 3 calls to Elasticsearch to update the status of the alerts to either open, closed, or in-progress
-  for (const [status, alertInfo] of alertsToUpdate.entries()) {
-    if (alertInfo.ids.length > 0 && alertInfo.indices.size > 0) {
-      caseClient.updateAlertsStatus({
-        ids: alertInfo.ids,
-        status,
-        indices: alertInfo.indices,
-      });
-    }
-  }
+  await caseClient.updateAlertsStatus({ alerts: alertsToUpdate });
 }
 
 interface UpdateArgs {
diff --git a/x-pack/plugins/case/server/client/client.ts b/x-pack/plugins/case/server/client/client.ts
index c34c3942b18d..9f4bf6067764 100644
--- a/x-pack/plugins/case/server/client/client.ts
+++ b/x-pack/plugins/case/server/client/client.ts
@@ -169,9 +169,9 @@ export class CaseClientHandler implements CaseClient {
       });
     } catch (error) {
       throw createCaseError({
-        message: `Failed to update alerts status using client ids: ${JSON.stringify(
-          args.ids
-        )} \nindices: ${JSON.stringify([...args.indices])} \nstatus: ${args.status}: ${error}`,
+        message: `Failed to update alerts status using client alerts: ${JSON.stringify(
+          args.alerts
+        )}: ${error}`,
         error,
         logger: this.logger,
       });
@@ -218,9 +218,9 @@ export class CaseClientHandler implements CaseClient {
       });
     } catch (error) {
       throw createCaseError({
-        message: `Failed to get alerts using client ids: ${JSON.stringify(
-          args.ids
-        )} \nindices: ${JSON.stringify([...args.indices])}: ${error}`,
+        message: `Failed to get alerts using client requested alerts: ${JSON.stringify(
+          args.alertsInfo
+        )}: ${error}`,
         error,
         logger: this.logger,
       });
diff --git a/x-pack/plugins/case/server/client/comments/add.test.ts b/x-pack/plugins/case/server/client/comments/add.test.ts
index 123ecec6abea..460a03643b63 100644
--- a/x-pack/plugins/case/server/client/comments/add.test.ts
+++ b/x-pack/plugins/case/server/client/comments/add.test.ts
@@ -15,6 +15,8 @@ import {
 } from '../../routes/api/__fixtures__';
 import { createCaseClientWithMockSavedObjectsClient } from '../mocks';
 
+type AlertComment = CommentType.alert | CommentType.generatedAlert;
+
 describe('addComment', () => {
   beforeEach(async () => {
     jest.restoreAllMocks();
@@ -248,9 +250,7 @@ describe('addComment', () => {
       });
 
       expect(caseClient.client.updateAlertsStatus).toHaveBeenCalledWith({
-        ids: ['test-alert'],
-        status: 'open',
-        indices: new Set<string>(['test-index']),
+        alerts: [{ id: 'test-alert', index: 'test-index', status: 'open' }],
       });
     });
 
@@ -517,5 +517,77 @@ describe('addComment', () => {
           expect(boomErr.output.statusCode).toBe(400);
         });
     });
+
+    describe('alert format', () => {
+      it.each([
+        ['1', ['index1', 'index2'], CommentType.alert],
+        [['1', '2'], 'index', CommentType.alert],
+        ['1', ['index1', 'index2'], CommentType.generatedAlert],
+        [['1', '2'], 'index', CommentType.generatedAlert],
+      ])(
+        'throws an error with an alert comment with contents id: %p indices: %p type: %s',
+        async (alertId, index, type) => {
+          expect.assertions(1);
+
+          const savedObjectsClient = createMockSavedObjectsRepository({
+            caseSavedObject: mockCases,
+            caseCommentSavedObject: mockCaseComments,
+          });
+
+          const caseClient = await createCaseClientWithMockSavedObjectsClient({
+            savedObjectsClient,
+          });
+          await expect(
+            caseClient.client.addComment({
+              caseId: 'mock-id-4',
+              comment: {
+                // casting because type must be either alert or generatedAlert but type is CommentType
+                type: type as AlertComment,
+                alertId,
+                index,
+                rule: {
+                  id: 'test-rule1',
+                  name: 'test-rule',
+                },
+              },
+            })
+          ).rejects.toThrow();
+        }
+      );
+
+      it.each([
+        ['1', ['index1'], CommentType.alert],
+        [['1', '2'], ['index', 'other-index'], CommentType.alert],
+      ])(
+        'does not throw an error with an alert comment with contents id: %p indices: %p type: %s',
+        async (alertId, index, type) => {
+          expect.assertions(1);
+
+          const savedObjectsClient = createMockSavedObjectsRepository({
+            caseSavedObject: mockCases,
+            caseCommentSavedObject: mockCaseComments,
+          });
+
+          const caseClient = await createCaseClientWithMockSavedObjectsClient({
+            savedObjectsClient,
+          });
+          await expect(
+            caseClient.client.addComment({
+              caseId: 'mock-id-1',
+              comment: {
+                // casting because type must be either alert or generatedAlert but type is CommentType
+                type: type as AlertComment,
+                alertId,
+                index,
+                rule: {
+                  id: 'test-rule1',
+                  name: 'test-rule',
+                },
+              },
+            })
+          ).resolves.not.toBeUndefined();
+        }
+      );
+    });
   });
 });
diff --git a/x-pack/plugins/case/server/client/comments/add.ts b/x-pack/plugins/case/server/client/comments/add.ts
index d3d7047e71bd..22a59e4d0539 100644
--- a/x-pack/plugins/case/server/client/comments/add.ts
+++ b/x-pack/plugins/case/server/client/comments/add.ts
@@ -11,11 +11,7 @@ import { fold } from 'fp-ts/lib/Either';
 import { identity } from 'fp-ts/lib/function';
 
 import { SavedObject, SavedObjectsClientContract, Logger } from 'src/core/server';
-import {
-  decodeCommentRequest,
-  getAlertIds,
-  isCommentRequestTypeGenAlert,
-} from '../../routes/api/utils';
+import { decodeCommentRequest, isCommentRequestTypeGenAlert } from '../../routes/api/utils';
 
 import {
   throwErrors,
@@ -36,7 +32,7 @@ import {
 } from '../../services/user_actions/helpers';
 
 import { CaseServiceSetup, CaseUserActionServiceSetup } from '../../services';
-import { CommentableCase } from '../../common';
+import { CommentableCase, createAlertUpdateRequest } from '../../common';
 import { CaseClientHandler } from '..';
 import { createCaseError } from '../../common/error';
 import { CASE_COMMENT_SAVED_OBJECT } from '../../saved_object_types';
@@ -177,15 +173,12 @@ const addGeneratedAlerts = async ({
         newComment.attributes.type === CommentType.generatedAlert) &&
       caseInfo.attributes.settings.syncAlerts
     ) {
-      const ids = getAlertIds(query);
-      await caseClient.updateAlertsStatus({
-        ids,
+      const alertsToUpdate = createAlertUpdateRequest({
+        comment: query,
         status: subCase.attributes.status,
-        indices: new Set([
-          ...(Array.isArray(newComment.attributes.index)
-            ? newComment.attributes.index
-            : [newComment.attributes.index]),
-        ]),
+      });
+      await caseClient.updateAlertsStatus({
+        alerts: alertsToUpdate,
       });
     }
 
@@ -331,15 +324,13 @@ export const addComment = async ({
     });
 
     if (newComment.attributes.type === CommentType.alert && updatedCase.settings.syncAlerts) {
-      const ids = getAlertIds(query);
-      await caseClient.updateAlertsStatus({
-        ids,
+      const alertsToUpdate = createAlertUpdateRequest({
+        comment: query,
         status: updatedCase.status,
-        indices: new Set([
-          ...(Array.isArray(newComment.attributes.index)
-            ? newComment.attributes.index
-            : [newComment.attributes.index]),
-        ]),
+      });
+
+      await caseClient.updateAlertsStatus({
+        alerts: alertsToUpdate,
       });
     }
 
diff --git a/x-pack/plugins/case/server/client/mocks.ts b/x-pack/plugins/case/server/client/mocks.ts
index 98ffed0eaf8c..5cbd31c79885 100644
--- a/x-pack/plugins/case/server/client/mocks.ts
+++ b/x-pack/plugins/case/server/client/mocks.ts
@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import { ElasticsearchClient } from 'kibana/server';
+import { DeeplyMockedKeys } from 'packages/kbn-utility-types/target/jest';
 import { loggingSystemMock, elasticsearchServiceMock } from '../../../../../src/core/server/mocks';
 import {
   AlertServiceContract,
@@ -45,6 +47,7 @@ export const createCaseClientWithMockSavedObjectsClient = async ({
     userActionService: jest.Mocked<CaseUserActionServiceSetup>;
     alertsService: jest.Mocked<AlertServiceContract>;
   };
+  esClient: DeeplyMockedKeys<ElasticsearchClient>;
 }> => {
   const esClient = elasticsearchServiceMock.createElasticsearchClient();
   const log = loggingSystemMock.create().get('case');
@@ -82,5 +85,6 @@ export const createCaseClientWithMockSavedObjectsClient = async ({
   return {
     client: caseClient,
     services: { userActionService, alertsService },
+    esClient,
   };
 };
diff --git a/x-pack/plugins/case/server/client/types.ts b/x-pack/plugins/case/server/client/types.ts
index adc66d8b1ea7..3f4ef77d7f34 100644
--- a/x-pack/plugins/case/server/client/types.ts
+++ b/x-pack/plugins/case/server/client/types.ts
@@ -19,6 +19,7 @@ import {
   CaseUserActionsResponse,
   User,
 } from '../../common/api';
+import { AlertInfo } from '../common';
 import {
   CaseConfigureServiceSetup,
   CaseServiceSetup,
@@ -46,14 +47,11 @@ export interface CaseClientAddComment {
 }
 
 export interface CaseClientUpdateAlertsStatus {
-  ids: string[];
-  status: CaseStatuses;
-  indices: Set<string>;
+  alerts: UpdateAlertRequest[];
 }
 
 export interface CaseClientGetAlerts {
-  ids: string[];
-  indices: Set<string>;
+  alertsInfo: AlertInfo[];
 }
 
 export interface CaseClientGetUserActions {
@@ -85,6 +83,15 @@ export interface ConfigureFields {
   connectorType: string;
 }
 
+/**
+ * Defines the fields necessary to update an alert's status.
+ */
+export interface UpdateAlertRequest {
+  id: string;
+  index: string;
+  status: CaseStatuses;
+}
+
 /**
  * This represents the interface that other plugins can access.
  */
diff --git a/x-pack/plugins/case/server/common/index.ts b/x-pack/plugins/case/server/common/index.ts
index 0960b28b3d25..b07ed5d4ae2d 100644
--- a/x-pack/plugins/case/server/common/index.ts
+++ b/x-pack/plugins/case/server/common/index.ts
@@ -7,3 +7,4 @@
 
 export * from './models';
 export * from './utils';
+export * from './types';
diff --git a/x-pack/plugins/case/server/common/types.ts b/x-pack/plugins/case/server/common/types.ts
new file mode 100644
index 000000000000..b58d8ec0e849
--- /dev/null
+++ b/x-pack/plugins/case/server/common/types.ts
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/**
+ * This structure holds the alert ID and index from an alert comment
+ */
+export interface AlertInfo {
+  id: string;
+  index: string;
+}
diff --git a/x-pack/plugins/case/server/common/utils.ts b/x-pack/plugins/case/server/common/utils.ts
index a3ac0361569d..dce26f3d5998 100644
--- a/x-pack/plugins/case/server/common/utils.ts
+++ b/x-pack/plugins/case/server/common/utils.ts
@@ -6,8 +6,15 @@
  */
 
 import { SavedObjectsFindResult, SavedObjectsFindResponse } from 'kibana/server';
-import { CaseStatuses, CommentAttributes, CommentType, User } from '../../common/api';
-import { AlertInfo, getAlertIndicesAndIDs } from '../routes/api/utils';
+import {
+  CaseStatuses,
+  CommentAttributes,
+  CommentRequest,
+  CommentType,
+  User,
+} from '../../common/api';
+import { UpdateAlertRequest } from '../client/types';
+import { getAlertInfoFromComments } from '../routes/api/utils';
 
 /**
  * Default sort field for querying saved objects.
@@ -22,27 +29,14 @@ export const nullUser: User = { username: null, full_name: null, email: null };
 /**
  * Adds the ids and indices to a map of statuses
  */
-export function addAlertInfoToStatusMap({
+export function createAlertUpdateRequest({
   comment,
-  statusMap,
   status,
 }: {
-  comment: CommentAttributes;
-  statusMap: Map<CaseStatuses, AlertInfo>;
+  comment: CommentRequest;
   status: CaseStatuses;
-}) {
-  const newAlertInfo = getAlertIndicesAndIDs([comment]);
-
-  // combine the already accumulated ids and indices with the new ones from this alert comment
-  if (newAlertInfo.ids.length > 0 && newAlertInfo.indices.size > 0) {
-    const accAlertInfo = statusMap.get(status) ?? { ids: [], indices: new Set<string>() };
-    accAlertInfo.ids.push(...newAlertInfo.ids);
-    accAlertInfo.indices = new Set<string>([
-      ...accAlertInfo.indices.values(),
-      ...newAlertInfo.indices.values(),
-    ]);
-    statusMap.set(status, accAlertInfo);
-  }
+}): UpdateAlertRequest[] {
+  return getAlertInfoFromComments([comment]).map((alert) => ({ ...alert, status }));
 }
 
 /**
diff --git a/x-pack/plugins/case/server/routes/api/__fixtures__/mock_saved_objects.ts b/x-pack/plugins/case/server/routes/api/__fixtures__/mock_saved_objects.ts
index e67a6f6dd334..f2318c45e6ed 100644
--- a/x-pack/plugins/case/server/routes/api/__fixtures__/mock_saved_objects.ts
+++ b/x-pack/plugins/case/server/routes/api/__fixtures__/mock_saved_objects.ts
@@ -404,6 +404,43 @@ export const mockCaseComments: Array<SavedObject<CommentAttributes>> = [
     updated_at: '2019-11-25T22:32:30.608Z',
     version: 'WzYsMV0=',
   },
+  {
+    type: 'cases-comment',
+    id: 'mock-comment-6',
+    attributes: {
+      associationType: AssociationType.case,
+      type: CommentType.generatedAlert,
+      index: 'test-index',
+      alertId: 'test-id',
+      created_at: '2019-11-25T22:32:30.608Z',
+      created_by: {
+        full_name: 'elastic',
+        email: 'testemail@elastic.co',
+        username: 'elastic',
+      },
+      pushed_at: null,
+      pushed_by: null,
+      rule: {
+        id: 'rule-id-1',
+        name: 'rule-name-1',
+      },
+      updated_at: '2019-11-25T22:32:30.608Z',
+      updated_by: {
+        full_name: 'elastic',
+        email: 'testemail@elastic.co',
+        username: 'elastic',
+      },
+    },
+    references: [
+      {
+        type: 'cases',
+        name: 'associated-cases',
+        id: 'mock-id-4',
+      },
+    ],
+    updated_at: '2019-11-25T22:32:30.608Z',
+    version: 'WzYsMV0=',
+  },
 ];
 
 export const mockCaseConfigure: Array<SavedObject<ESCasesConfigureAttributes>> = [
diff --git a/x-pack/plugins/case/server/routes/api/cases/comments/patch_comment.test.ts b/x-pack/plugins/case/server/routes/api/cases/comments/patch_comment.test.ts
index 1ebd336c83af..9cc0575f9bb9 100644
--- a/x-pack/plugins/case/server/routes/api/cases/comments/patch_comment.test.ts
+++ b/x-pack/plugins/case/server/routes/api/cases/comments/patch_comment.test.ts
@@ -296,4 +296,83 @@ describe('PATCH comment', () => {
     expect(response.status).toEqual(404);
     expect(response.payload.isBoom).toEqual(true);
   });
+
+  describe('alert format', () => {
+    it.each([
+      ['1', ['index1', 'index2'], CommentType.alert, 'mock-comment-4'],
+      [['1', '2'], 'index', CommentType.alert, 'mock-comment-4'],
+      ['1', ['index1', 'index2'], CommentType.generatedAlert, 'mock-comment-6'],
+      [['1', '2'], 'index', CommentType.generatedAlert, 'mock-comment-6'],
+    ])(
+      'returns an error with an alert comment with contents id: %p indices: %p type: %s comment id: %s',
+      async (alertId, index, type, commentID) => {
+        const request = httpServerMock.createKibanaRequest({
+          path: CASE_COMMENTS_URL,
+          method: 'patch',
+          params: {
+            case_id: 'mock-id-4',
+          },
+          body: {
+            type,
+            alertId,
+            index,
+            rule: {
+              id: 'rule-id',
+              name: 'rule',
+            },
+            id: commentID,
+            version: 'WzYsMV0=',
+          },
+        });
+
+        const { context } = await createRouteContext(
+          createMockSavedObjectsRepository({
+            caseSavedObject: mockCases,
+            caseCommentSavedObject: mockCaseComments,
+          })
+        );
+
+        const response = await routeHandler(context, request, kibanaResponseFactory);
+        expect(response.status).toEqual(400);
+      }
+    );
+
+    it.each([
+      ['1', ['index1'], CommentType.alert],
+      [['1', '2'], ['index', 'other-index'], CommentType.alert],
+    ])(
+      'does not return an error with an alert comment with contents id: %p indices: %p type: %s',
+      async (alertId, index, type) => {
+        const request = httpServerMock.createKibanaRequest({
+          path: CASE_COMMENTS_URL,
+          method: 'patch',
+          params: {
+            case_id: 'mock-id-4',
+          },
+          body: {
+            type,
+            alertId,
+            index,
+            rule: {
+              id: 'rule-id',
+              name: 'rule',
+            },
+            id: 'mock-comment-4',
+            // this version is different than the one in mockCaseComments because it gets updated in place
+            version: 'WzE3LDFd',
+          },
+        });
+
+        const { context } = await createRouteContext(
+          createMockSavedObjectsRepository({
+            caseSavedObject: mockCases,
+            caseCommentSavedObject: mockCaseComments,
+          })
+        );
+
+        const response = await routeHandler(context, request, kibanaResponseFactory);
+        expect(response.status).toEqual(200);
+      }
+    );
+  });
 });
diff --git a/x-pack/plugins/case/server/routes/api/cases/get_case.test.ts b/x-pack/plugins/case/server/routes/api/cases/get_case.test.ts
index 968dd0424fe3..b9312331b4df 100644
--- a/x-pack/plugins/case/server/routes/api/cases/get_case.test.ts
+++ b/x-pack/plugins/case/server/routes/api/cases/get_case.test.ts
@@ -105,7 +105,7 @@ describe('GET case', () => {
     const response = await routeHandler(context, request, kibanaResponseFactory);
 
     expect(response.status).toEqual(200);
-    expect(response.payload.comments).toHaveLength(5);
+    expect(response.payload.comments).toHaveLength(6);
   });
 
   it(`returns an error when thrown from getAllCaseComments`, async () => {
diff --git a/x-pack/plugins/case/server/routes/api/cases/push_case.test.ts b/x-pack/plugins/case/server/routes/api/cases/push_case.test.ts
index c8501130493b..0c3ebe67d227 100644
--- a/x-pack/plugins/case/server/routes/api/cases/push_case.test.ts
+++ b/x-pack/plugins/case/server/routes/api/cases/push_case.test.ts
@@ -132,8 +132,7 @@ describe('Push case', () => {
     const response = await routeHandler(context, request, kibanaResponseFactory);
     expect(response.status).toEqual(200);
     expect(caseClient.getAlerts).toHaveBeenCalledWith({
-      ids: ['test-id'],
-      indices: new Set<string>(['test-index']),
+      alertsInfo: [{ id: 'test-id', index: 'test-index' }],
     });
   });
 
diff --git a/x-pack/plugins/case/server/routes/api/cases/sub_case/patch_sub_cases.ts b/x-pack/plugins/case/server/routes/api/cases/sub_case/patch_sub_cases.ts
index 73aacc2c2b0b..da7ec956cad1 100644
--- a/x-pack/plugins/case/server/routes/api/cases/sub_case/patch_sub_cases.ts
+++ b/x-pack/plugins/case/server/routes/api/cases/sub_case/patch_sub_cases.ts
@@ -39,7 +39,6 @@ import {
 import { SUB_CASES_PATCH_DEL_URL } from '../../../../../common/constants';
 import { RouteDeps } from '../../types';
 import {
-  AlertInfo,
   escapeHatch,
   flattenSubCaseSavedObject,
   isCommentRequestTypeAlertOrGenAlert,
@@ -47,7 +46,8 @@ import {
 } from '../../utils';
 import { getCaseToUpdate } from '../helpers';
 import { buildSubCaseUserActions } from '../../../../services/user_actions/helpers';
-import { addAlertInfoToStatusMap } from '../../../../common';
+import { createAlertUpdateRequest } from '../../../../common';
+import { UpdateAlertRequest } from '../../../../client/types';
 import { createCaseError } from '../../../../common/error';
 
 interface UpdateArgs {
@@ -235,29 +235,23 @@ async function updateAlerts({
     // get all the alerts for all sub cases that need to be synced
     const totalAlerts = await getAlertComments({ caseService, client, subCasesToSync });
     // create a map of the status (open, closed, etc) to alert info that needs to be updated
-    const alertsToUpdate = totalAlerts.saved_objects.reduce((acc, alertComment) => {
-      if (isCommentRequestTypeAlertOrGenAlert(alertComment.attributes)) {
-        const id = getID(alertComment);
-        const status =
-          id !== undefined
-            ? subCasesToSyncMap.get(id)?.status ?? CaseStatuses.open
-            : CaseStatuses.open;
+    const alertsToUpdate = totalAlerts.saved_objects.reduce(
+      (acc: UpdateAlertRequest[], alertComment) => {
+        if (isCommentRequestTypeAlertOrGenAlert(alertComment.attributes)) {
+          const id = getID(alertComment);
+          const status =
+            id !== undefined
+              ? subCasesToSyncMap.get(id)?.status ?? CaseStatuses.open
+              : CaseStatuses.open;
 
-        addAlertInfoToStatusMap({ comment: alertComment.attributes, statusMap: acc, status });
-      }
-      return acc;
-    }, new Map<CaseStatuses, AlertInfo>());
+          acc.push(...createAlertUpdateRequest({ comment: alertComment.attributes, status }));
+        }
+        return acc;
+      },
+      []
+    );
 
-    // This does at most 3 calls to Elasticsearch to update the status of the alerts to either open, closed, or in-progress
-    for (const [status, alertInfo] of alertsToUpdate.entries()) {
-      if (alertInfo.ids.length > 0 && alertInfo.indices.size > 0) {
-        caseClient.updateAlertsStatus({
-          ids: alertInfo.ids,
-          status,
-          indices: alertInfo.indices,
-        });
-      }
-    }
+    await caseClient.updateAlertsStatus({ alerts: alertsToUpdate });
   } catch (error) {
     throw createCaseError({
       message: `Failed to update alert status while updating sub cases: ${JSON.stringify(
diff --git a/x-pack/plugins/case/server/routes/api/utils.ts b/x-pack/plugins/case/server/routes/api/utils.ts
index 298f8bb877cd..37bffafa4377 100644
--- a/x-pack/plugins/case/server/routes/api/utils.ts
+++ b/x-pack/plugins/case/server/routes/api/utils.ts
@@ -45,6 +45,7 @@ import {
 import { transformESConnectorToCaseConnector } from './cases/helpers';
 
 import { SortFieldCase } from './types';
+import { AlertInfo } from '../../common';
 import { isCaseError } from '../../common/error';
 
 export const transformNewSubCase = ({
@@ -111,55 +112,50 @@ export const getAlertIds = (comment: CommentRequest): string[] => {
   return [];
 };
 
-/**
- * This structure holds the alert IDs and indices found from multiple alert comments
- */
-export interface AlertInfo {
-  ids: string[];
-  indices: Set<string>;
-}
+const getIDsAndIndicesAsArrays = (
+  comment: CommentRequestAlertType
+): { ids: string[]; indices: string[] } => {
+  return {
+    ids: Array.isArray(comment.alertId) ? comment.alertId : [comment.alertId],
+    indices: Array.isArray(comment.index) ? comment.index : [comment.index],
+  };
+};
 
-const accumulateIndicesAndIDs = (comment: CommentAttributes, acc: AlertInfo): AlertInfo => {
-  if (isCommentRequestTypeAlertOrGenAlert(comment)) {
-    acc.ids.push(...getAlertIds(comment));
-    const indices = Array.isArray(comment.index) ? comment.index : [comment.index];
-    indices.forEach((index) => acc.indices.add(index));
+/**
+ * This functions extracts the ids and indices from an alert comment. It enforces that the alertId and index are either
+ * both strings or string arrays that are the same length. If they are arrays they represent a 1-to-1 mapping of
+ * id existing in an index at each position in the array. This is not ideal. Ideally an alert comment request would
+ * accept an array of objects like this: Array<{id: string; index: string; ruleName: string ruleID: string}> instead.
+ *
+ * To reformat the alert comment request requires a migration and a breaking API change.
+ */
+const getAndValidateAlertInfoFromComment = (comment: CommentRequest): AlertInfo[] => {
+  if (!isCommentRequestTypeAlertOrGenAlert(comment)) {
+    return [];
   }
-  return acc;
+
+  const { ids, indices } = getIDsAndIndicesAsArrays(comment);
+
+  if (ids.length !== indices.length) {
+    return [];
+  }
+
+  return ids.map((id, index) => ({ id, index: indices[index] }));
 };
 
 /**
  * Builds an AlertInfo object accumulating the alert IDs and indices for the passed in alerts.
  */
-export const getAlertIndicesAndIDs = (comments: CommentAttributes[] | undefined): AlertInfo => {
+export const getAlertInfoFromComments = (comments: CommentRequest[] | undefined): AlertInfo[] => {
   if (comments === undefined) {
-    return { ids: [], indices: new Set<string>() };
+    return [];
   }
 
-  return comments.reduce(
-    (acc: AlertInfo, comment) => {
-      return accumulateIndicesAndIDs(comment, acc);
-    },
-    { ids: [], indices: new Set<string>() }
-  );
-};
-
-/**
- * Builds an AlertInfo object accumulating the alert IDs and indices for the passed in alert saved objects.
- */
-export const getAlertIndicesAndIDsFromSO = (
-  comments: SavedObjectsFindResponse<CommentAttributes> | undefined
-): AlertInfo => {
-  if (comments === undefined) {
-    return { ids: [], indices: new Set<string>() };
-  }
-
-  return comments.saved_objects.reduce(
-    (acc: AlertInfo, comment) => {
-      return accumulateIndicesAndIDs(comment.attributes, acc);
-    },
-    { ids: [], indices: new Set<string>() }
-  );
+  return comments.reduce((acc: AlertInfo[], comment) => {
+    const alertInfo = getAndValidateAlertInfoFromComment(comment);
+    acc.push(...alertInfo);
+    return acc;
+  }, []);
 };
 
 export const transformNewComment = ({
@@ -378,5 +374,47 @@ export const decodeCommentRequest = (comment: CommentRequest) => {
     pipe(excess(ContextTypeUserRt).decode(comment), fold(throwErrors(badRequest), identity));
   } else if (isCommentRequestTypeAlertOrGenAlert(comment)) {
     pipe(excess(AlertCommentRequestRt).decode(comment), fold(throwErrors(badRequest), identity));
+    const { ids, indices } = getIDsAndIndicesAsArrays(comment);
+
+    /**
+     * The alertId and index field must either be both of type string or they must both be string[] and be the same length.
+     * Having a one-to-one relationship between the id and index of an alert avoids accidentally updating or
+     * retrieving the wrong alert. Elasticsearch only guarantees that the _id (the field we use for alertId) to be
+     * unique within a single index. So if we attempt to update or get a specific alert across multiple indices we could
+     * update or receive the wrong one.
+     *
+     * Consider the situation where we have a alert1 with _id = '100' in index 'my-index-awesome' and also in index
+     *  'my-index-hi'.
+     * If we attempt to update the status of alert1 using an index pattern like `my-index-*` or even providing multiple
+     * indices, there's a chance we'll accidentally update too many alerts.
+     *
+     * This check doesn't enforce that the API request has the correct alert ID to index relationship it just guards
+     * against accidentally making a request like:
+     * {
+     *  alertId: [1,2,3],
+     *  index: awesome,
+     * }
+     *
+     * Instead this requires the requestor to provide:
+     * {
+     *  alertId: [1,2,3],
+     *  index: [awesome, awesome, awesome]
+     * }
+     *
+     * Ideally we'd change the format of the comment request to be an array of objects like:
+     * {
+     *  alerts: [{id: 1, index: awesome}, {id: 2, index: awesome}]
+     * }
+     *
+     * But we'd need to also implement a migration because the saved object document currently stores the id and index
+     * in separate fields.
+     */
+    if (ids.length !== indices.length) {
+      throw badRequest(
+        `Received an alert comment with ids and indices arrays of different lengths ids: ${JSON.stringify(
+          ids
+        )} indices: ${JSON.stringify(indices)}`
+      );
+    }
   }
 };
diff --git a/x-pack/plugins/case/server/services/alerts/index.test.ts b/x-pack/plugins/case/server/services/alerts/index.test.ts
index 3b1020d3ef55..042e415b77e4 100644
--- a/x-pack/plugins/case/server/services/alerts/index.test.ts
+++ b/x-pack/plugins/case/server/services/alerts/index.test.ts
@@ -17,10 +17,8 @@ describe('updateAlertsStatus', () => {
   describe('happy path', () => {
     let alertService: AlertServiceContract;
     const args = {
-      ids: ['alert-id-1'],
-      indices: new Set<string>(['.siem-signals']),
+      alerts: [{ id: 'alert-id-1', index: '.siem-signals', status: CaseStatuses.closed }],
       request: {} as KibanaRequest,
-      status: CaseStatuses.closed,
       scopedClusterClient: esClient,
       logger,
     };
@@ -33,14 +31,17 @@ describe('updateAlertsStatus', () => {
     test('it update the status of the alert correctly', async () => {
       await alertService.updateAlertsStatus(args);
 
-      expect(esClient.updateByQuery).toHaveBeenCalledWith({
-        body: {
-          query: { ids: { values: args.ids } },
-          script: { lang: 'painless', source: `ctx._source.signal.status = '${args.status}'` },
-        },
-        conflicts: 'abort',
-        ignore_unavailable: true,
-        index: [...args.indices],
+      expect(esClient.bulk).toHaveBeenCalledWith({
+        body: [
+          { update: { _id: 'alert-id-1', _index: '.siem-signals' } },
+          {
+            doc: {
+              signal: {
+                status: CaseStatuses.closed,
+              },
+            },
+          },
+        ],
       });
     });
 
@@ -48,9 +49,7 @@ describe('updateAlertsStatus', () => {
       it('ignores empty indices', async () => {
         expect(
           await alertService.updateAlertsStatus({
-            ids: ['alert-id-1'],
-            status: CaseStatuses.closed,
-            indices: new Set<string>(['']),
+            alerts: [{ id: 'alert-id-1', index: '', status: CaseStatuses.closed }],
             scopedClusterClient: esClient,
             logger,
           })
diff --git a/x-pack/plugins/case/server/services/alerts/index.ts b/x-pack/plugins/case/server/services/alerts/index.ts
index 45245b86ba2d..6ce4db61ab95 100644
--- a/x-pack/plugins/case/server/services/alerts/index.ts
+++ b/x-pack/plugins/case/server/services/alerts/index.ts
@@ -5,28 +5,26 @@
  * 2.0.
  */
 
-import _ from 'lodash';
+import { isEmpty } from 'lodash';
 
 import type { PublicMethodsOf } from '@kbn/utility-types';
 
 import { ElasticsearchClient, Logger } from 'kibana/server';
-import { CaseStatuses } from '../../../common/api';
 import { MAX_ALERTS_PER_SUB_CASE } from '../../../common/constants';
+import { UpdateAlertRequest } from '../../client/types';
+import { AlertInfo } from '../../common';
 import { createCaseError } from '../../common/error';
 
 export type AlertServiceContract = PublicMethodsOf<AlertService>;
 
 interface UpdateAlertsStatusArgs {
-  ids: string[];
-  status: CaseStatuses;
-  indices: Set<string>;
+  alerts: UpdateAlertRequest[];
   scopedClusterClient: ElasticsearchClient;
   logger: Logger;
 }
 
 interface GetAlertsArgs {
-  ids: string[];
-  indices: Set<string>;
+  alertsInfo: AlertInfo[];
   scopedClusterClient: ElasticsearchClient;
   logger: Logger;
 }
@@ -38,54 +36,33 @@ interface Alert {
 }
 
 interface AlertsResponse {
-  hits: {
-    hits: Alert[];
-  };
+  docs: Alert[];
 }
 
-/**
- * remove empty strings from the indices, I'm not sure how likely this is but in the case that
- * the document doesn't have _index set the security_solution code sets the value to an empty string
- * instead
- */
-function getValidIndices(indices: Set<string>): string[] {
-  return [...indices].filter((index) => !_.isEmpty(index));
+function isEmptyAlert(alert: AlertInfo): boolean {
+  return isEmpty(alert.id) || isEmpty(alert.index);
 }
 
 export class AlertService {
   constructor() {}
 
-  public async updateAlertsStatus({
-    ids,
-    status,
-    indices,
-    scopedClusterClient,
-    logger,
-  }: UpdateAlertsStatusArgs) {
-    const sanitizedIndices = getValidIndices(indices);
-    if (sanitizedIndices.length <= 0) {
-      logger.warn(`Empty alert indices when updateAlertsStatus ids: ${JSON.stringify(ids)}`);
-      return;
-    }
-
+  public async updateAlertsStatus({ alerts, scopedClusterClient, logger }: UpdateAlertsStatusArgs) {
     try {
-      const result = await scopedClusterClient.updateByQuery({
-        index: sanitizedIndices,
-        conflicts: 'abort',
-        body: {
-          script: {
-            source: `ctx._source.signal.status = '${status}'`,
-            lang: 'painless',
-          },
-          query: { ids: { values: ids } },
-        },
-        ignore_unavailable: true,
-      });
+      const body = alerts
+        .filter((alert) => !isEmptyAlert(alert))
+        .flatMap((alert) => [
+          { update: { _id: alert.id, _index: alert.index } },
+          { doc: { signal: { status: alert.status } } },
+        ]);
 
-      return result;
+      if (body.length <= 0) {
+        return;
+      }
+
+      return scopedClusterClient.bulk({ body });
     } catch (error) {
       throw createCaseError({
-        message: `Failed to update alert status ids: ${JSON.stringify(ids)}: ${error}`,
+        message: `Failed to update alert status ids: ${JSON.stringify(alerts)}: ${error}`,
         error,
         logger,
       });
@@ -94,38 +71,25 @@ export class AlertService {
 
   public async getAlerts({
     scopedClusterClient,
-    ids,
-    indices,
+    alertsInfo,
     logger,
   }: GetAlertsArgs): Promise<AlertsResponse | undefined> {
-    const index = getValidIndices(indices);
-    if (index.length <= 0) {
-      logger.warn(`Empty alert indices when retrieving alerts ids: ${JSON.stringify(ids)}`);
-      return;
-    }
-
     try {
-      const result = await scopedClusterClient.search<AlertsResponse>({
-        index,
-        body: {
-          query: {
-            bool: {
-              filter: {
-                ids: {
-                  values: ids,
-                },
-              },
-            },
-          },
-        },
-        size: MAX_ALERTS_PER_SUB_CASE,
-        ignore_unavailable: true,
-      });
+      const docs = alertsInfo
+        .filter((alert) => !isEmptyAlert(alert))
+        .slice(0, MAX_ALERTS_PER_SUB_CASE)
+        .map((alert) => ({ _id: alert.id, _index: alert.index }));
 
-      return result.body;
+      if (docs.length <= 0) {
+        return;
+      }
+
+      const results = await scopedClusterClient.mget<AlertsResponse>({ body: { docs } });
+
+      return results.body;
     } catch (error) {
       throw createCaseError({
-        message: `Failed to retrieve alerts ids: ${JSON.stringify(ids)}: ${error}`,
+        message: `Failed to retrieve alerts ids: ${JSON.stringify(alertsInfo)}: ${error}`,
         error,
         logger,
       });
diff --git a/x-pack/test/case_api_integration/basic/tests/cases/patch_cases.ts b/x-pack/test/case_api_integration/basic/tests/cases/patch_cases.ts
index b51b728df715..b41f77fc42e0 100644
--- a/x-pack/test/case_api_integration/basic/tests/cases/patch_cases.ts
+++ b/x-pack/test/case_api_integration/basic/tests/cases/patch_cases.ts
@@ -438,8 +438,12 @@ export default ({ getService }: FtrProviderContext): void => {
           });
 
           // There should be no change in their status since syncing is disabled
-          expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses.open);
-          expect(signals.get(signalID2)?._source.signal.status).to.be(CaseStatuses.open);
+          expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+            CaseStatuses.open
+          );
+          expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source.signal.status).to.be(
+            CaseStatuses.open
+          );
 
           const updatedIndWithStatus: CasesResponse = (await setStatus({
             supertest,
@@ -467,8 +471,12 @@ export default ({ getService }: FtrProviderContext): void => {
           });
 
           // There should still be no change in their status since syncing is disabled
-          expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses.open);
-          expect(signals.get(signalID2)?._source.signal.status).to.be(CaseStatuses.open);
+          expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+            CaseStatuses.open
+          );
+          expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source.signal.status).to.be(
+            CaseStatuses.open
+          );
 
           // turn on the sync settings
           await supertest
@@ -492,8 +500,139 @@ export default ({ getService }: FtrProviderContext): void => {
           });
 
           // alerts should be updated now that the
-          expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses.closed);
-          expect(signals.get(signalID2)?._source.signal.status).to.be(CaseStatuses['in-progress']);
+          expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+            CaseStatuses.closed
+          );
+          expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source.signal.status).to.be(
+            CaseStatuses['in-progress']
+          );
+        });
+      });
+
+      describe('esArchiver', () => {
+        const defaultSignalsIndex = '.siem-signals-default-000001';
+
+        beforeEach(async () => {
+          await esArchiver.load('cases/signals/duplicate_ids');
+        });
+        afterEach(async () => {
+          await esArchiver.unload('cases/signals/duplicate_ids');
+          await deleteAllCaseItems(es);
+        });
+
+        it('should not update the status of duplicate alert ids in separate indices', async () => {
+          const getSignals = async () => {
+            return getSignalsWithES({
+              es,
+              indices: [defaultSignalsIndex, signalsIndex2],
+              ids: [signalIDInFirstIndex, signalIDInSecondIndex],
+            });
+          };
+
+          // this id exists only in .siem-signals-default-000001
+          const signalIDInFirstIndex =
+            'cae78067e65582a3b277c1ad46ba3cb29044242fe0d24bbf3fcde757fdd31d1c';
+          // This id exists in both .siem-signals-default-000001 and .siem-signals-default-000002
+          const signalIDInSecondIndex = 'duplicate-signal-id';
+          const signalsIndex2 = '.siem-signals-default-000002';
+
+          const { body: individualCase } = await supertest
+            .post(CASES_URL)
+            .set('kbn-xsrf', 'true')
+            .send({
+              ...postCaseReq,
+              settings: {
+                syncAlerts: false,
+              },
+            });
+
+          const { body: updatedIndWithComment } = await supertest
+            .post(`${CASES_URL}/${individualCase.id}/comments`)
+            .set('kbn-xsrf', 'true')
+            .send({
+              alertId: signalIDInFirstIndex,
+              index: defaultSignalsIndex,
+              rule: { id: 'test-rule-id', name: 'test-index-id' },
+              type: CommentType.alert,
+            })
+            .expect(200);
+
+          const { body: updatedIndWithComment2 } = await supertest
+            .post(`${CASES_URL}/${updatedIndWithComment.id}/comments`)
+            .set('kbn-xsrf', 'true')
+            .send({
+              alertId: signalIDInSecondIndex,
+              index: signalsIndex2,
+              rule: { id: 'test-rule-id', name: 'test-index-id' },
+              type: CommentType.alert,
+            })
+            .expect(200);
+
+          await es.indices.refresh({ index: defaultSignalsIndex });
+
+          let signals = await getSignals();
+          // There should be no change in their status since syncing is disabled
+          expect(
+            signals.get(defaultSignalsIndex)?.get(signalIDInFirstIndex)?._source.signal.status
+          ).to.be(CaseStatuses.open);
+          expect(
+            signals.get(signalsIndex2)?.get(signalIDInSecondIndex)?._source.signal.status
+          ).to.be(CaseStatuses.open);
+
+          const updatedIndWithStatus: CasesResponse = (await setStatus({
+            supertest,
+            cases: [
+              {
+                id: updatedIndWithComment2.id,
+                version: updatedIndWithComment2.version,
+                status: CaseStatuses.closed,
+              },
+            ],
+            type: 'case',
+          })) as CasesResponse;
+
+          await es.indices.refresh({ index: defaultSignalsIndex });
+
+          signals = await getSignals();
+
+          // There should still be no change in their status since syncing is disabled
+          expect(
+            signals.get(defaultSignalsIndex)?.get(signalIDInFirstIndex)?._source.signal.status
+          ).to.be(CaseStatuses.open);
+          expect(
+            signals.get(signalsIndex2)?.get(signalIDInSecondIndex)?._source.signal.status
+          ).to.be(CaseStatuses.open);
+
+          // turn on the sync settings
+          await supertest
+            .patch(CASES_URL)
+            .set('kbn-xsrf', 'true')
+            .send({
+              cases: [
+                {
+                  id: updatedIndWithStatus[0].id,
+                  version: updatedIndWithStatus[0].version,
+                  settings: { syncAlerts: true },
+                },
+              ],
+            })
+            .expect(200);
+          await es.indices.refresh({ index: defaultSignalsIndex });
+
+          signals = await getSignals();
+
+          // alerts should be updated now that the
+          expect(
+            signals.get(defaultSignalsIndex)?.get(signalIDInFirstIndex)?._source.signal.status
+          ).to.be(CaseStatuses.closed);
+          expect(
+            signals.get(signalsIndex2)?.get(signalIDInSecondIndex)?._source.signal.status
+          ).to.be(CaseStatuses.closed);
+
+          // the duplicate signal id in the other index should not be affect (so its status should be open)
+          expect(
+            signals.get(defaultSignalsIndex)?.get(signalIDInSecondIndex)?._source.signal.status
+          ).to.be(CaseStatuses.open);
         });
       });
 
diff --git a/x-pack/test/case_api_integration/basic/tests/cases/sub_cases/patch_sub_cases.ts b/x-pack/test/case_api_integration/basic/tests/cases/sub_cases/patch_sub_cases.ts
index 5a1da194a721..746d8a601bed 100644
--- a/x-pack/test/case_api_integration/basic/tests/cases/sub_cases/patch_sub_cases.ts
+++ b/x-pack/test/case_api_integration/basic/tests/cases/sub_cases/patch_sub_cases.ts
@@ -96,7 +96,9 @@ export default function ({ getService }: FtrProviderContext) {
 
       let signals = await getSignalsWithES({ es, indices: defaultSignalsIndex, ids: signalID });
 
-      expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses.open);
+      expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+        CaseStatuses.open
+      );
 
       await setStatus({
         supertest,
@@ -114,7 +116,9 @@ export default function ({ getService }: FtrProviderContext) {
 
       signals = await getSignalsWithES({ es, indices: defaultSignalsIndex, ids: signalID });
 
-      expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses['in-progress']);
+      expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+        CaseStatuses['in-progress']
+      );
     });
 
     it('should update the status of multiple alerts attached to a sub case', async () => {
@@ -152,8 +156,12 @@ export default function ({ getService }: FtrProviderContext) {
         ids: [signalID, signalID2],
       });
 
-      expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses.open);
-      expect(signals.get(signalID2)?._source.signal.status).to.be(CaseStatuses.open);
+      expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+        CaseStatuses.open
+      );
+      expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source.signal.status).to.be(
+        CaseStatuses.open
+      );
 
       await setStatus({
         supertest,
@@ -175,8 +183,12 @@ export default function ({ getService }: FtrProviderContext) {
         ids: [signalID, signalID2],
       });
 
-      expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses['in-progress']);
-      expect(signals.get(signalID2)?._source.signal.status).to.be(CaseStatuses['in-progress']);
+      expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+        CaseStatuses['in-progress']
+      );
+      expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source.signal.status).to.be(
+        CaseStatuses['in-progress']
+      );
     });
 
     it('should update the status of multiple alerts attached to multiple sub cases in one collection', async () => {
@@ -232,8 +244,12 @@ export default function ({ getService }: FtrProviderContext) {
       });
 
       // There should be no change in their status since syncing is disabled
-      expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses.open);
-      expect(signals.get(signalID2)?._source.signal.status).to.be(CaseStatuses.open);
+      expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+        CaseStatuses.open
+      );
+      expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source.signal.status).to.be(
+        CaseStatuses.open
+      );
 
       await setStatus({
         supertest,
@@ -256,8 +272,12 @@ export default function ({ getService }: FtrProviderContext) {
       });
 
       // There still should be no change in their status since syncing is disabled
-      expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses.open);
-      expect(signals.get(signalID2)?._source.signal.status).to.be(CaseStatuses.open);
+      expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+        CaseStatuses.open
+      );
+      expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source.signal.status).to.be(
+        CaseStatuses.open
+      );
 
       // Turn sync alerts on
       await supertest
@@ -282,8 +302,12 @@ export default function ({ getService }: FtrProviderContext) {
         ids: [signalID, signalID2],
       });
 
-      expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses.closed);
-      expect(signals.get(signalID2)?._source.signal.status).to.be(CaseStatuses['in-progress']);
+      expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+        CaseStatuses.closed
+      );
+      expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source.signal.status).to.be(
+        CaseStatuses['in-progress']
+      );
     });
 
     it('should update the status of alerts attached to a case and sub case when sync settings is turned on', async () => {
@@ -342,8 +366,12 @@ export default function ({ getService }: FtrProviderContext) {
       });
 
       // There should be no change in their status since syncing is disabled
-      expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses.open);
-      expect(signals.get(signalID2)?._source.signal.status).to.be(CaseStatuses.open);
+      expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+        CaseStatuses.open
+      );
+      expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source.signal.status).to.be(
+        CaseStatuses.open
+      );
 
       await setStatus({
         supertest,
@@ -380,8 +408,12 @@ export default function ({ getService }: FtrProviderContext) {
       });
 
       // There should still be no change in their status since syncing is disabled
-      expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses.open);
-      expect(signals.get(signalID2)?._source.signal.status).to.be(CaseStatuses.open);
+      expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+        CaseStatuses.open
+      );
+      expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source.signal.status).to.be(
+        CaseStatuses.open
+      );
 
       // Turn sync alerts on
       await supertest
@@ -421,8 +453,12 @@ export default function ({ getService }: FtrProviderContext) {
       });
 
       // alerts should be updated now that the
-      expect(signals.get(signalID)?._source.signal.status).to.be(CaseStatuses['in-progress']);
-      expect(signals.get(signalID2)?._source.signal.status).to.be(CaseStatuses.closed);
+      expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source.signal.status).to.be(
+        CaseStatuses['in-progress']
+      );
+      expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source.signal.status).to.be(
+        CaseStatuses.closed
+      );
     });
 
     it('404s when sub case id is invalid', async () => {
diff --git a/x-pack/test/case_api_integration/common/lib/utils.ts b/x-pack/test/case_api_integration/common/lib/utils.ts
index 3ade7ef96f9d..169f85080f4e 100644
--- a/x-pack/test/case_api_integration/common/lib/utils.ts
+++ b/x-pack/test/case_api_integration/common/lib/utils.ts
@@ -54,11 +54,11 @@ export const getSignalsWithES = async ({
   es: Client;
   indices: string | string[];
   ids: string | string[];
-}): Promise<Map<string, Hit<SignalHit>>> => {
+}): Promise<Map<string, Map<string, Hit<SignalHit>>>> => {
   const signals = await es.search<SearchResponse<SignalHit>>({
     index: indices,
     body: {
-      size: ids.length,
+      size: 10000,
       query: {
         bool: {
           filter: [
@@ -72,10 +72,17 @@ export const getSignalsWithES = async ({
       },
     },
   });
+
   return signals.body.hits.hits.reduce((acc, hit) => {
-    acc.set(hit._id, hit);
+    let indexMap = acc.get(hit._index);
+    if (indexMap === undefined) {
+      indexMap = new Map<string, Hit<SignalHit>>([[hit._id, hit]]);
+    } else {
+      indexMap.set(hit._id, hit);
+    }
+    acc.set(hit._index, indexMap);
     return acc;
-  }, new Map<string, Hit<SignalHit>>());
+  }, new Map<string, Map<string, Hit<SignalHit>>>());
 };
 
 interface SetStatusCasesParams {
diff --git a/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/data.json.gz b/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/data.json.gz
new file mode 100644
index 0000000000000000000000000000000000000000..46843482c9781c734ee8c0f73249e45b9f7cdcf5
GIT binary patch
literal 5513
zcmV;46?W<$iwFo<ayVcB17u-zVJ>QOZ*BnXomq3^IDWw2`%|d&xHa(LKKdz@)THvV
z*@q;vl}T^8aLR0*7Aap_^W6i=mPCq_by+RRjhQNUH~%Dv<A3320Q~2dPN!QuPki@l
zr|ZVH`%8J@K@Vo-m4C*6#D8XPE}cyVnbm~{dDa{00f?7>dAnic{8M?)O`iGTn>+{3
z2R$1U0G9uu#m)J6HnpqL<CT9YvZ2olJ)D$fV2BZb7$EfDNPZ>kD@8Y$qCeiAkN4}I
z9~G4XmQ}=15{*0oC@=~r6#+;=A<zZ}EIkqdiDfaBhWnA5jI&r~MfTvQc{U!EVty0<
z@4kutTvo&BLf_`a)azlrGNmB*MYZG`{}Ah(-%O@s>+`(&qLGe`pJ@9!1g~AzR>{G*
zmp3cnZC-zQrQYa<-oTbe9va<O4r^~beU4ZEZ+SIdUsQK_?H|9a_c`^NP|OsNj>JA^
z)Bqy`2G)DbAfZ(AP;E{&>cz44u4SmnSFCQZ5E!vPs*m)eewDYs>Qz;e`}>(6&ASdZ
zyR6ofs9)2f(vU{C+>P_KUeQx~mlfU?v*~;UET$d}-DB}mtwZ@-IfmsO{}KNVs539K
zo*Ue|Zlkx16y7id0bz^*im{Eog&Z)Ld4YU@O6%HFll68Wc!LSLK~UWwq$>Bm%8(Q{
zNa1KPtbNpm+O8Mr3<wS|5dYK$VAuZO4s9IQbunJ~?WtJ1G<Pr4OwU!Y`}a7s<Hx-7
zUw#@Dw_CaI&sxiZ9%h45J-d&uPt+S8W`jYqxDJL0*Kb@j;;obpzgfFsGSEdBPluJ#
z>NnK<0$$bl&xS%RjHjkk%?|16sKC*UtQ+4yRz?3()yZC2V)tA3-@bnPHq3@uUl%Vo
z{>gvqcD{YnPrf=JcI^D^+-%--xc1^`62)v@S}~o?ZL-$Vd}h8!<-c9@*<Uj|9p~dv
zv7&0tqEpF==i663zo++>zPwBa_tomeTH0Bm&0t>MdIM@krSrS>>JA;7TOkvia3O%_
zf=7qrq6twHRoH5em4<=h&|bquLpHs1GOxSBxG|J(o~JgFw?kj(^*XM!1JU;Jn-BJQ
zny-!anu$0+DemfCZGQc=cNO^E_eb_$y@$`)|DwmSA+)=G=Q1X{9F(yGY=}k6FkO1%
z8;GM@sYmQ(k;`y74<J=rZFLxnHlV79m}b2!cI9m|2yG5SZGouvszZa(LE)$pkX{>6
zH=5Rn)E<+XQE8LaFT1VGl*%sUh(InWg3-@cHCRtuy0ulAc2%VhSENm9^k<_TKY@)*
zXM=`Y*0zW)WWDiqb=R}vZajVW7BkBRE~@vf8H{cJ_N`*07%6MF*_gjZ{lC>kYw}I_
z4WoQb{}<1gc|`UDofny{-{O33r`e=<3zcvE*qOJtcB3Da@t_>C7=(OX^kn_Kg#31p
z&6BgutqpO);cqA7JS(yX|9<C%Y*6@y2VT2pI-chMqwymk9Ihn+uPWxfz}yB1xK$!{
znKwW|$$$`EbH+LL+N?b{94_PEyvD7Tw&o-BWC;EOim4vuud4Bvb*0lYmlY<C322C-
zLib|WYYJi~`1VKUhS0bgXDEHY;UzJfiVwZXHoNFi?DdCv8115Ay<-M?)SJb5T`B9&
zd<+3~ac2D}pG)h4p?<o3n{JkF5!PK?ON6crEgP=4qn{Z)igUU+iM`d6$?a@9uk2k>
zOuqj5YcwN0D6{>qj6?Kmyy4e8<}=fn^=wXD7dgjor9bE_0$gXaJ&eXhtDTN##bj38
zzCYEj7j-}H$b~byS-kw~w}m;zl(GKA)CWH;!`J)9G0pP+ZEnZ&loF#2vfE+oqUeC$
zFDiDxTh3^?hr!2?O|%PuDkXs?fdFZ-vWPKb{95pyKV0_k?Kmc0)6BK@T&^FYubRK3
zDT`e*AHewp`*A&%zY2G1NTGZ0cUo~*dd+ROjEiE>+KMvr53-Tp(2%7#CgGb4m_wF#
zJF6JKdA;_Sec!ar*~GmYKt!C2%0Jqlc_)BWGU?V7VKsRfPyDD!IcB+^u3?$+P-pXK
zBpz80;$h~h?s;jdvryd6_;hRr%Tm8Ae*XF8&o5ufGJgy-TTD(9H2Yl8O!zonLIq&0
zgMbF2fR>a3Oem2~5Gi=A&$rG}B*aSW56!Sl)GSf6&qU2SHTG1Ew5?I3j?*UN$5_uh
zKNu{5+C7?H1W<$QCC+Q^d!zpQK&{?{9g!NOkaFZXke=aaUmOBM7zEabIK2@PVaeV{
zYMWo%jwH6j!cLRNtucbRlt@AwI&@*U?zaYt5EqCd&VcLo41)&+!p^R^t{My5qhT{1
z?#=7avAk}pE?q0HyAC5sye{#&l{E3XZsK)`*Ck$;c-={PotqZ!Ud--T4IwN{wcmew
zQFkv4em|bqS?z^{TzJly#F`i^ghkp>ZZxq5D@ZA(IC$tVH71Z?ofk|5=Lm9W(I;s|
zT=(aNd!7>*bwmR%gaTB036y~}4goT81c=#pMVy2TqW$3>NlW4q-1}^Bua$$%C5L0b
z#wxmTUema<K|ek2g~yi%)4TidRdmWh91s<Ncx3^F8UaNRkE%`;=8kiv(SfVzwgbNn
zgV;oRZNv|Aaq-0O-~Bbfj583wJ!9iR(Xq2D@gqNCg&sbZ_-)mtYbAcyVI+z8CE~Y|
zCgRsk#4i!QMEnx*J1OxC6aF|Lv*&EqM*K20n#kv%zRx~jg<gnW(P&JdB8K>wheD1y
zb=)YfxMhkn98K3rD5H*BVG#2SIuCu2NSd?<HW9xr_1rrIWlS>!2Gl7741^9S9Va`%
z7zSx=rRffH8Ug76#1ALpmx$jdBYv$AY%Vzk3moJ+&zB%jX0`pRX9IzpPIwOcjEvt0
zfy>(ONC7d_lm!wUkT);}3(bI(h5&3Z;VRG&1IGIlu=R~QAixcy+GKof2#_Ky8=7`$
z2=FS_Go59R?q0$2pm5pQ83E#&<TMD79E|`!>!QEwFp`7-69QaG69Vie1eg$DLVyVY
zo)iI&uzZGh-!ZOEPM4<Y?o>XB^OY$)9sw$3HBwd@W2y6)MGe<XV$XThXo@Yffk3Yr
z!46Zzv^9hyM2Ub#(x~wX0VV`!xpo2z0=Q-zP)rFh&O0D93yKg&9pw8VKtjm@$Kdg_
z=r19_&xQb7@z?7!KNJp@Y2QS<B_15y*Ld97@L(VgJ<rH<{`5W`tki!;Ko|oSk`#HM
z2t+ZIa9{2bj`qPcL{<bsJ%1k%Zg}Soh;YNGHyL32zF^54ns{M|@UK@vKhA&%_Y9^7
zh11Tih>-t?Rf6<bM7UL#t`!kphmj;im=NJgnh;?(A;N?R6CzBA@T7>4N~|&onX0jZ
zg{fi`@`sn%y)BMMgb)YltcMm#>Ah4^2IZ-9%o0XbkTiHBkO)pO6SQJfazmi;C_du_
zTT;J-2!CEgXcW`|N0%r}>~6{k2HI;6ET#%FZ#9)wj<w62hGB95B1FwTONg*#*b*YF
zlyc#SuoZ#LC6@vZ8@r5OhL`cJ4pu~uA1LZ=Ia=_5UB(n~g(zfzD<J@l;W64UM}QE@
zy(@pi=IzOL8E;UDCLnC%hlohgP}2+JhyVGvYd|As;D>ug+Jj<kXJ>v`pI4oRAF^Zl
z;Z|L`R(^OLMw0kp;)g3~;)mVD4--F3{4nvulk!8xiIR8yDQ@M5(r}g|#OVhtF@#Zd
zop6N3yp%d2DG>rIgN-zlK`aE+2ueewB1Q-kLxwX%V@{E>6q`lHlK5fw=jDf3$LX|$
z<&j;n<0&gwMJQUbD9tzuR5@CkBJVJ#;Yc3957RE=#1B6kKWv3yuMNI<vber1@u62c
zHRF8C5?#*Z(0I7zBf$GFOY{apOdJJ{a1E$82uPw3(3U%{q=JOt_qpQX%Mv$eN|PJ5
z?pzk|^0DGooXd6wthi?YJ}3ltcE*Z7V&^hH8Y_O*!wav&ND@{|SaBsySh1V1V#10E
zD<-UXQmi=OgNISy+xyzF?F&<VnmtUVdVZ>u`epHRU#uttF){57&PmRKFu_q8CqIy5
zX_;3}m9r$l4YS^3k9bsg9&e;N=5;(^n6P5PiXJ+t1yq1*7w6KJDWDN|AP9|_p(JQk
z+kwBsoJOcab}rL|6%$tcWLU8kfz2h?3>=#uOkvf@@A-&h?=Jcc;&bu+ed2h?2UCc_
znn(q(j?R%<jDhlk09U$6D+F`fzL9*)QpR>QYC^@<rHou%K6AW^U7qLoV9I{c`JnjR
z*_k=gn&dRhQ5?-2KkHWL>oAhU920X~NfUGICgzx!V`7epIi8d`epk4dKnVx6na{#h
z!%#|Ho@B_5XO0XzZ9Q{PIbpQ)!VqJf3|?r-q*didRG`9)Q)igu&<7%z#X)-xm9h&s
z@*|idPR#K#nIrXzdm4vKieLdHm;e>k6IjAgunLhliQkVoa*7Z5V2Vmh8548-Y|OD0
zg1t8QQ_{%HKMi7THeDUdIA9k+BQyR;XZ`3VYrj8f(#UE9cBGLG`+&IefO%CefQ()=
zMqmhJ^b*E9rKs4lv3k=>cc76Q6s(CGTUS65c=6wE`Jbx*Eob?5%U*H&pvc|Xl}4%`
zu>w*aOCz`H(zVja>oAf;BNL5WNfV9iCK{P&WTKIYMxK;LPWU~?GnU&?D~&AJU0(=F
z(eX5r1P!gxk{A+00;3|PY$BFzg@e*MPKi+p5=XVt(9FN;qM#<qYXOZxi(|wSjqLus
zG&1T5w$uh-1uJJY1_33M1wjNA^+nLNZxHP;r(x<48ktr=CK~zKXk;q{n@fH+PFer7
zG}X1^7S9GLX-~co8eZ~h*6{(KmNtYSM5G4{mR`ceJktmv0pvU;n<!{$;QNH~&`(Qm
z(6}alY{iol!-f@H7@qw7D)ye90Z;B3$PWtTot^RIk60|Jj>VH(b?I91<aHQH!jlP4
zuA~W1b`zdVcrxM1geOn?-58eHM`qnauMJOfF`Q8`9fhak@uW8}K&Omi&PZ*Uz@7+B
zsAPf#DoGGh5Qqb|$Op*~5mY!yEs-%@vE)a7S~}s$3&oSlJEa|_zzJsnmDU2qgaLsC
ztcXxfqdKMAKBwVA9DpZTv(FNqY#FwMCo82~IG$|9Uvo(Umm9ZxXVcp6_0GmF?@dN|
z{-DT~?_M9W-8+UhZV3Z85D%yz94PD<Fg%8A?42M^pKQDL2BmBw%2t92`Ne<v`uEv2
zz?m};%spfMLD9amGr?pv$w>%itn#r0bDJ(*Ey27BBS{1^5zLh|5zKBPn2BH}f|&^B
zNeSlj6SQ|z$L?#iZDFb+kJFPUZlaG`l=@}yb6<i<9aSub3B{G9&c=TR=?LRKPJ*P5
zDG3dTQD%{p3_`_><J1Noh_c3FwCIyWFuOl5!Q>p7AV`R_n&=HF^b9B-Jm7=`%ZRZ`
z){)%SIgO$c?@urhPAe=E!u)Iqvz3C)B?)dW{<a6)?3v5hJ??vQI&>aOUaiiDz)fAA
z{fv14$PgFv)aaD8rU3+rIg0UKyBGsoYxn_hbA!6R(M!x^J9m5&Q`WGc3uBx1D)z;m
zfo<-Y1ss$IbarK%wN#)z8EB>hd&5m~EZp3xOxFrGufs|b+)QwDB~5U%o8V@Gn+a|v
zxOq~z`O<ToKD<o&t>4eFgg=ICI2uonhntEDV=WEX28p<oN(W{!^9Vc2O1w$9kLvEB
z;es(Dm}7zv$B>rVaGQ3IC%D;F<?>x`G~mK&P<~no=;#uGp~@o*1GjoVxT%of2Yi+r
zv2>Vaf}5WWZnjdexg=rF4?Q%q|5DTAvtiFCO-!NTbH6$_`<O#BIfq_5t72f(@rN<d
z^N2V#l+0N|305&kp6t-f4T`+rnnd8%H@}G$U8GqT%RRqe1<^Ujn$G<ago9Fq&d%JE
z{eV+5W43xE_uQ&X*UCMw!%7nOOx$xNP297axM$*?iF+pQc~b7#A0SdhS30e}b7`tQ
z7nsY(qZ#>tQ!{0mc_L$!4BQ*T6vN7Mgf%3HaApO<P=<1~r^j9ig*lN#+aRFOLZ@x%
ziF<a9^V%aSfS^v5pP=x-#0fSK3<Vb?j5$X&4c%o@qX;^Ld!|L5iF+pQnYiaJ+_TJM
zC)%yHvcuX3^Un9>^1)N~h>e?VIfk=R{~f8Pf^ptwqPIcV3P5#qyM_n^thUNq>7~S5
z4&vPK&ZD8H<n1}s;-F4>@yxS-6^9I-fqCwk92}G$barQ+KVq#XJC=EFRi<lYp4VX|
ziFqdGxsoR4*-gwdG0((26Z1SN^DLf5k}yC1Uga4}Q|-&1$d$?-<?+lD1uZl}SW_M&
zgF(`vn1=dbg*V(ILS<BXLQs?%1f6ysF+^1qLL@m)YdsV5>?#)BpC=F~Y7n4EX`mg{
zfEtYiv?!3U-%*^3Vtfeml&INhiFvk+TVkG-QZAf%CbD@9+4N77`ijn6*Y;1G4Q=9_
zP6_p9SUYXIi8iYZ*pY2QAqCPr&iEvUfO3a{(Kz~JY62s~OGVxLY;)5~kKV}s-VvRg
zUp(2I{_Pr=%{f+c?w0}_lmv8kCY!Q8<2w!6<j0cDt;%$*Wb-<#B$3TTHdoR_HoJ*z
zCbF5xW+Iy>C7Yxd?85_p8nlv4S!g!Ndb8k;C!0bsp`rDRLE)6}SYpL#kT8hgtPTiL
z<d|@ldgz3KQaNo5);Q*!T9L)fIg!oo&r3EX2~kNT1On00FG3L~I4DkQJj7UP!U(FJ
zL$`fW!>MBXlT8d&BAbb9eloJziooWQ#5_NA7yHxqYW8-<!#gLWcc%yTzE+(N*~PBo
z1ca915IO3j{o)uMP4w9qN8gE{fympF?PA}c$ZuSeQ2E|2c0m@v@?x>)^Hl(yb9`ET
zzx?2!4570t_N*ld?P)?YQP>-Mies_oR%N<Y?0FqllCWpOo-1j>p525!6ZTBlGhxq@
zV$XYL(BN_6i>wWM3j1h#cas?(f55lZS)2-$JJUHKo_Q@rRB{f9i|HuzI3P{5V$y4i
z4fBX<$FL2=5`wh#L?-N+uqRap8%rdhERGv>h61I^9czwq=ahF?@41Ox3Ut7NPE2^h
zo(X#<?3u7<Yee3HJ=sewGMo*2ihDBkR0T;s9DAaet|Eg15Qaq0qc{Ub@c?X0Y_Y+f
z7{6ty=gF`qrBb!N`Asa*#dA-36~_{ufqU+mARLq;bav*R)hwYsPiSTedvi~DEce{1
zOxMaiufs|b_e|V#B~9G3o49A<o{4)V?s-z~*_&lgc9O}g+RCM=x|dAT7X|x+cJBHA
LaEsfZh+6>w)zN{p

literal 0
HcmV?d00001

diff --git a/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json b/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json
new file mode 100644
index 000000000000..97b289715021
--- /dev/null
+++ b/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json
@@ -0,0 +1,6624 @@
+{
+  "type": "index",
+  "value": {
+    "aliases": {
+      ".siem-signals-default": {
+        "is_write_index": true
+      }
+    },
+    "index": ".siem-signals-default-000001",
+    "mappings": {
+      "_meta": {
+        "version": 14
+      },
+      "dynamic": "false",
+      "properties": {
+        "@timestamp": {
+          "type": "date"
+        },
+        "agent": {
+          "properties": {
+            "ephemeral_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "as": {
+          "properties": {
+            "number": {
+              "type": "long"
+            },
+            "organization": {
+              "properties": {
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "client": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "cloud": {
+          "properties": {
+            "account": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "availability_zone": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "instance": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "machine": {
+              "properties": {
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "provider": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "region": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "code_signature": {
+          "properties": {
+            "exists": {
+              "type": "boolean"
+            },
+            "status": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "subject_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "trusted": {
+              "type": "boolean"
+            },
+            "valid": {
+              "type": "boolean"
+            }
+          }
+        },
+        "container": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "image": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "tag": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "labels": {
+              "type": "object"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "runtime": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "destination": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "dll": {
+          "properties": {
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "dns": {
+          "properties": {
+            "answers": {
+              "properties": {
+                "class": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "data": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ttl": {
+                  "type": "long"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "header_flags": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "op_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "question": {
+              "properties": {
+                "class": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "registered_domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subdomain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "top_level_domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "resolved_ip": {
+              "type": "ip"
+            },
+            "response_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "ecs": {
+          "properties": {
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "error": {
+          "properties": {
+            "code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "message": {
+              "norms": false,
+              "type": "text"
+            },
+            "stack_trace": {
+              "doc_values": false,
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "event": {
+          "properties": {
+            "action": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "created": {
+              "type": "date"
+            },
+            "dataset": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "duration": {
+              "type": "long"
+            },
+            "end": {
+              "type": "date"
+            },
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ingested": {
+              "type": "date"
+            },
+            "kind": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "module": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "doc_values": false,
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "outcome": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "provider": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "risk_score": {
+              "type": "float"
+            },
+            "risk_score_norm": {
+              "type": "float"
+            },
+            "sequence": {
+              "type": "long"
+            },
+            "severity": {
+              "type": "long"
+            },
+            "start": {
+              "type": "date"
+            },
+            "timezone": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "url": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "file": {
+          "properties": {
+            "accessed": {
+              "type": "date"
+            },
+            "attributes": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "created": {
+              "type": "date"
+            },
+            "ctime": {
+              "type": "date"
+            },
+            "device": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "directory": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "drive_letter": {
+              "ignore_above": 1,
+              "type": "keyword"
+            },
+            "extension": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "gid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "group": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "inode": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mime_type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mode": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mtime": {
+              "type": "date"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "owner": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "size": {
+              "type": "long"
+            },
+            "target_path": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "geo": {
+          "properties": {
+            "city_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "continent_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "country_iso_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "country_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "location": {
+              "type": "geo_point"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "region_iso_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "region_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "group": {
+          "properties": {
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "hash": {
+          "properties": {
+            "md5": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "sha1": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "sha256": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "sha512": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "host": {
+          "properties": {
+            "architecture": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hostname": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uptime": {
+              "type": "long"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "http": {
+          "properties": {
+            "request": {
+              "properties": {
+                "body": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "content": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "bytes": {
+                  "type": "long"
+                },
+                "method": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "referrer": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "response": {
+              "properties": {
+                "body": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "content": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "bytes": {
+                  "type": "long"
+                },
+                "status_code": {
+                  "type": "long"
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "interface": {
+          "properties": {
+            "alias": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "labels": {
+          "type": "object"
+        },
+        "log": {
+          "properties": {
+            "level": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "logger": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "origin": {
+              "properties": {
+                "file": {
+                  "properties": {
+                    "line": {
+                      "type": "integer"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "function": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "original": {
+              "doc_values": false,
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "syslog": {
+              "properties": {
+                "facility": {
+                  "properties": {
+                    "code": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "priority": {
+                  "type": "long"
+                },
+                "severity": {
+                  "properties": {
+                    "code": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "message": {
+          "norms": false,
+          "type": "text"
+        },
+        "network": {
+          "properties": {
+            "application": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "community_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "direction": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "forwarded_ip": {
+              "type": "ip"
+            },
+            "iana_number": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "inner": {
+              "properties": {
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "packets": {
+              "type": "long"
+            },
+            "protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "transport": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "vlan": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "observer": {
+          "properties": {
+            "egress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hostname": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ingress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "product": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "serial_number": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "vendor": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "organization": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "os": {
+          "properties": {
+            "family": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "full": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "kernel": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "platform": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "package": {
+          "properties": {
+            "architecture": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "build_version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "checksum": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "install_scope": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "installed": {
+              "type": "date"
+            },
+            "license": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "size": {
+              "type": "long"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "pe": {
+          "properties": {
+            "company": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "file_version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original_file_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "product": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "process": {
+          "properties": {
+            "args": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "args_count": {
+              "type": "long"
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "command_line": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "entity_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "executable": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "exit_code": {
+              "type": "long"
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "parent": {
+              "properties": {
+                "args": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "args_count": {
+                  "type": "long"
+                },
+                "code_signature": {
+                  "properties": {
+                    "exists": {
+                      "type": "boolean"
+                    },
+                    "status": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "subject_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "trusted": {
+                      "type": "boolean"
+                    },
+                    "valid": {
+                      "type": "boolean"
+                    }
+                  }
+                },
+                "command_line": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "entity_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "executable": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "exit_code": {
+                  "type": "long"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha512": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "pgid": {
+                  "type": "long"
+                },
+                "pid": {
+                  "type": "long"
+                },
+                "ppid": {
+                  "type": "long"
+                },
+                "start": {
+                  "type": "date"
+                },
+                "thread": {
+                  "properties": {
+                    "id": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "title": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "uptime": {
+                  "type": "long"
+                },
+                "working_directory": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "pgid": {
+              "type": "long"
+            },
+            "pid": {
+              "type": "long"
+            },
+            "ppid": {
+              "type": "long"
+            },
+            "start": {
+              "type": "date"
+            },
+            "thread": {
+              "properties": {
+                "id": {
+                  "type": "long"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "title": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uptime": {
+              "type": "long"
+            },
+            "working_directory": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "registry": {
+          "properties": {
+            "data": {
+              "properties": {
+                "bytes": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "strings": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hive": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "key": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "value": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "related": {
+          "properties": {
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "user": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "rule": {
+          "properties": {
+            "author": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "license": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ruleset": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uuid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "server": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "service": {
+          "properties": {
+            "ephemeral_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "node": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "state": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "signal": {
+          "properties": {
+            "_meta": {
+              "properties": {
+                "version": {
+                  "type": "long"
+                }
+              }
+            },
+            "ancestors": {
+              "properties": {
+                "depth": {
+                  "type": "long"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "rule": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
+            "depth": {
+              "type": "integer"
+            },
+            "group": {
+              "properties": {
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "integer"
+                }
+              }
+            },
+            "original_event": {
+              "properties": {
+                "action": {
+                  "type": "keyword"
+                },
+                "category": {
+                  "type": "keyword"
+                },
+                "code": {
+                  "type": "keyword"
+                },
+                "created": {
+                  "type": "date"
+                },
+                "dataset": {
+                  "type": "keyword"
+                },
+                "duration": {
+                  "type": "long"
+                },
+                "end": {
+                  "type": "date"
+                },
+                "hash": {
+                  "type": "keyword"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "kind": {
+                  "type": "keyword"
+                },
+                "module": {
+                  "type": "keyword"
+                },
+                "original": {
+                  "doc_values": false,
+                  "index": false,
+                  "type": "keyword"
+                },
+                "outcome": {
+                  "type": "keyword"
+                },
+                "provider": {
+                  "type": "keyword"
+                },
+                "risk_score": {
+                  "type": "float"
+                },
+                "risk_score_norm": {
+                  "type": "float"
+                },
+                "sequence": {
+                  "type": "long"
+                },
+                "severity": {
+                  "type": "long"
+                },
+                "start": {
+                  "type": "date"
+                },
+                "timezone": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
+            "original_signal": {
+              "dynamic": "false",
+              "enabled": false,
+              "type": "object"
+            },
+            "original_time": {
+              "type": "date"
+            },
+            "parent": {
+              "properties": {
+                "depth": {
+                  "type": "long"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "rule": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
+            "parents": {
+              "properties": {
+                "depth": {
+                  "type": "long"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "rule": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
+            "rule": {
+              "properties": {
+                "author": {
+                  "type": "keyword"
+                },
+                "building_block_type": {
+                  "type": "keyword"
+                },
+                "created_at": {
+                  "type": "date"
+                },
+                "created_by": {
+                  "type": "keyword"
+                },
+                "description": {
+                  "type": "keyword"
+                },
+                "enabled": {
+                  "type": "keyword"
+                },
+                "false_positives": {
+                  "type": "keyword"
+                },
+                "filters": {
+                  "type": "object"
+                },
+                "from": {
+                  "type": "keyword"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "immutable": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "interval": {
+                  "type": "keyword"
+                },
+                "language": {
+                  "type": "keyword"
+                },
+                "license": {
+                  "type": "keyword"
+                },
+                "max_signals": {
+                  "type": "keyword"
+                },
+                "name": {
+                  "type": "keyword"
+                },
+                "note": {
+                  "type": "text"
+                },
+                "output_index": {
+                  "type": "keyword"
+                },
+                "query": {
+                  "type": "keyword"
+                },
+                "references": {
+                  "type": "keyword"
+                },
+                "risk_score": {
+                  "type": "float"
+                },
+                "risk_score_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "rule_id": {
+                  "type": "keyword"
+                },
+                "rule_name_override": {
+                  "type": "keyword"
+                },
+                "saved_id": {
+                  "type": "keyword"
+                },
+                "severity": {
+                  "type": "keyword"
+                },
+                "severity_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "severity": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "size": {
+                  "type": "keyword"
+                },
+                "tags": {
+                  "type": "keyword"
+                },
+                "threat": {
+                  "properties": {
+                    "framework": {
+                      "type": "keyword"
+                    },
+                    "tactic": {
+                      "properties": {
+                        "id": {
+                          "type": "keyword"
+                        },
+                        "name": {
+                          "type": "keyword"
+                        },
+                        "reference": {
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "technique": {
+                      "properties": {
+                        "id": {
+                          "type": "keyword"
+                        },
+                        "name": {
+                          "type": "keyword"
+                        },
+                        "reference": {
+                          "type": "keyword"
+                        },
+                        "subtechnique": {
+                          "properties": {
+                            "id": {
+                              "type": "keyword"
+                            },
+                            "name": {
+                              "type": "keyword"
+                            },
+                            "reference": {
+                              "type": "keyword"
+                            }
+                          }
+                        }
+                      }
+                    }
+                  }
+                },
+                "threshold": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "float"
+                    }
+                  }
+                },
+                "timeline_id": {
+                  "type": "keyword"
+                },
+                "timeline_title": {
+                  "type": "keyword"
+                },
+                "timestamp_override": {
+                  "type": "keyword"
+                },
+                "to": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                },
+                "updated_at": {
+                  "type": "date"
+                },
+                "updated_by": {
+                  "type": "keyword"
+                },
+                "version": {
+                  "type": "keyword"
+                }
+              }
+            },
+            "status": {
+              "type": "keyword"
+            },
+            "threshold_count": {
+              "type": "float"
+            },
+            "threshold_result": {
+              "properties": {
+                "count": {
+                  "type": "long"
+                },
+                "value": {
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "source": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "tags": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "threat": {
+          "properties": {
+            "framework": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "tactic": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "reference": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "technique": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "reference": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "tls": {
+          "properties": {
+            "cipher": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "client": {
+              "properties": {
+                "certificate": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "certificate_chain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "issuer": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ja3": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "not_after": {
+                  "type": "date"
+                },
+                "not_before": {
+                  "type": "date"
+                },
+                "server_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "supported_ciphers": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "curve": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "established": {
+              "type": "boolean"
+            },
+            "next_protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "resumed": {
+              "type": "boolean"
+            },
+            "server": {
+              "properties": {
+                "certificate": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "certificate_chain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "issuer": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ja3s": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "not_after": {
+                  "type": "date"
+                },
+                "not_before": {
+                  "type": "date"
+                },
+                "subject": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version_protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "trace": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "transaction": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "url": {
+          "properties": {
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "extension": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "fragment": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "full": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "password": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "port": {
+              "type": "long"
+            },
+            "query": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "scheme": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "username": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "user": {
+          "properties": {
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "email": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "full_name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "group": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "user_agent": {
+          "properties": {
+            "device": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "vlan": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "vulnerability": {
+          "properties": {
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "classification": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "enumeration": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "report_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "scanner": {
+              "properties": {
+                "vendor": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "score": {
+              "properties": {
+                "base": {
+                  "type": "float"
+                },
+                "environmental": {
+                  "type": "float"
+                },
+                "temporal": {
+                  "type": "float"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "severity": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    },
+    "settings": {
+      "index": {
+        "lifecycle": {
+          "name": ".siem-signals-default",
+          "rollover_alias": ".siem-signals-default"
+        },
+        "mapping": {
+          "total_fields": {
+            "limit": "10000"
+          }
+        },
+        "number_of_replicas": "1",
+        "number_of_shards": "1"
+      }
+    }
+  }
+}
+
+{
+  "type": "index",
+  "value": {
+    "aliases": {
+    },
+    "index": ".siem-signals-default-000002",
+    "mappings": {
+      "_meta": {
+        "version": 14
+      },
+      "dynamic": "false",
+      "properties": {
+        "@timestamp": {
+          "type": "date"
+        },
+        "agent": {
+          "properties": {
+            "ephemeral_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "as": {
+          "properties": {
+            "number": {
+              "type": "long"
+            },
+            "organization": {
+              "properties": {
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "client": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "cloud": {
+          "properties": {
+            "account": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "availability_zone": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "instance": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "machine": {
+              "properties": {
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "provider": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "region": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "code_signature": {
+          "properties": {
+            "exists": {
+              "type": "boolean"
+            },
+            "status": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "subject_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "trusted": {
+              "type": "boolean"
+            },
+            "valid": {
+              "type": "boolean"
+            }
+          }
+        },
+        "container": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "image": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "tag": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "labels": {
+              "type": "object"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "runtime": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "destination": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "dll": {
+          "properties": {
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "dns": {
+          "properties": {
+            "answers": {
+              "properties": {
+                "class": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "data": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ttl": {
+                  "type": "long"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "header_flags": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "op_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "question": {
+              "properties": {
+                "class": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "registered_domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subdomain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "top_level_domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "resolved_ip": {
+              "type": "ip"
+            },
+            "response_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "ecs": {
+          "properties": {
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "error": {
+          "properties": {
+            "code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "message": {
+              "norms": false,
+              "type": "text"
+            },
+            "stack_trace": {
+              "doc_values": false,
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "event": {
+          "properties": {
+            "action": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "created": {
+              "type": "date"
+            },
+            "dataset": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "duration": {
+              "type": "long"
+            },
+            "end": {
+              "type": "date"
+            },
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ingested": {
+              "type": "date"
+            },
+            "kind": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "module": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "doc_values": false,
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "outcome": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "provider": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "risk_score": {
+              "type": "float"
+            },
+            "risk_score_norm": {
+              "type": "float"
+            },
+            "sequence": {
+              "type": "long"
+            },
+            "severity": {
+              "type": "long"
+            },
+            "start": {
+              "type": "date"
+            },
+            "timezone": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "url": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "file": {
+          "properties": {
+            "accessed": {
+              "type": "date"
+            },
+            "attributes": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "created": {
+              "type": "date"
+            },
+            "ctime": {
+              "type": "date"
+            },
+            "device": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "directory": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "drive_letter": {
+              "ignore_above": 1,
+              "type": "keyword"
+            },
+            "extension": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "gid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "group": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "inode": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mime_type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mode": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mtime": {
+              "type": "date"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "owner": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "size": {
+              "type": "long"
+            },
+            "target_path": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "geo": {
+          "properties": {
+            "city_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "continent_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "country_iso_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "country_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "location": {
+              "type": "geo_point"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "region_iso_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "region_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "group": {
+          "properties": {
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "hash": {
+          "properties": {
+            "md5": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "sha1": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "sha256": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "sha512": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "host": {
+          "properties": {
+            "architecture": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hostname": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uptime": {
+              "type": "long"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "http": {
+          "properties": {
+            "request": {
+              "properties": {
+                "body": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "content": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "bytes": {
+                  "type": "long"
+                },
+                "method": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "referrer": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "response": {
+              "properties": {
+                "body": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "content": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "bytes": {
+                  "type": "long"
+                },
+                "status_code": {
+                  "type": "long"
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "interface": {
+          "properties": {
+            "alias": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "labels": {
+          "type": "object"
+        },
+        "log": {
+          "properties": {
+            "level": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "logger": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "origin": {
+              "properties": {
+                "file": {
+                  "properties": {
+                    "line": {
+                      "type": "integer"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "function": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "original": {
+              "doc_values": false,
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "syslog": {
+              "properties": {
+                "facility": {
+                  "properties": {
+                    "code": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "priority": {
+                  "type": "long"
+                },
+                "severity": {
+                  "properties": {
+                    "code": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "message": {
+          "norms": false,
+          "type": "text"
+        },
+        "network": {
+          "properties": {
+            "application": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "community_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "direction": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "forwarded_ip": {
+              "type": "ip"
+            },
+            "iana_number": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "inner": {
+              "properties": {
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "packets": {
+              "type": "long"
+            },
+            "protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "transport": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "vlan": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "observer": {
+          "properties": {
+            "egress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hostname": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ingress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "product": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "serial_number": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "vendor": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "organization": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "os": {
+          "properties": {
+            "family": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "full": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "kernel": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "platform": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "package": {
+          "properties": {
+            "architecture": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "build_version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "checksum": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "install_scope": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "installed": {
+              "type": "date"
+            },
+            "license": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "size": {
+              "type": "long"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "pe": {
+          "properties": {
+            "company": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "file_version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original_file_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "product": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "process": {
+          "properties": {
+            "args": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "args_count": {
+              "type": "long"
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "command_line": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "entity_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "executable": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "exit_code": {
+              "type": "long"
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "parent": {
+              "properties": {
+                "args": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "args_count": {
+                  "type": "long"
+                },
+                "code_signature": {
+                  "properties": {
+                    "exists": {
+                      "type": "boolean"
+                    },
+                    "status": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "subject_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "trusted": {
+                      "type": "boolean"
+                    },
+                    "valid": {
+                      "type": "boolean"
+                    }
+                  }
+                },
+                "command_line": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "entity_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "executable": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "exit_code": {
+                  "type": "long"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha512": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "pgid": {
+                  "type": "long"
+                },
+                "pid": {
+                  "type": "long"
+                },
+                "ppid": {
+                  "type": "long"
+                },
+                "start": {
+                  "type": "date"
+                },
+                "thread": {
+                  "properties": {
+                    "id": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "title": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "uptime": {
+                  "type": "long"
+                },
+                "working_directory": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "pgid": {
+              "type": "long"
+            },
+            "pid": {
+              "type": "long"
+            },
+            "ppid": {
+              "type": "long"
+            },
+            "start": {
+              "type": "date"
+            },
+            "thread": {
+              "properties": {
+                "id": {
+                  "type": "long"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "title": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uptime": {
+              "type": "long"
+            },
+            "working_directory": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "registry": {
+          "properties": {
+            "data": {
+              "properties": {
+                "bytes": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "strings": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hive": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "key": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "value": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "related": {
+          "properties": {
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "user": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "rule": {
+          "properties": {
+            "author": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "license": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ruleset": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uuid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "server": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "service": {
+          "properties": {
+            "ephemeral_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "node": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "state": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "signal": {
+          "properties": {
+            "_meta": {
+              "properties": {
+                "version": {
+                  "type": "long"
+                }
+              }
+            },
+            "ancestors": {
+              "properties": {
+                "depth": {
+                  "type": "long"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "rule": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
+            "depth": {
+              "type": "integer"
+            },
+            "group": {
+              "properties": {
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "integer"
+                }
+              }
+            },
+            "original_event": {
+              "properties": {
+                "action": {
+                  "type": "keyword"
+                },
+                "category": {
+                  "type": "keyword"
+                },
+                "code": {
+                  "type": "keyword"
+                },
+                "created": {
+                  "type": "date"
+                },
+                "dataset": {
+                  "type": "keyword"
+                },
+                "duration": {
+                  "type": "long"
+                },
+                "end": {
+                  "type": "date"
+                },
+                "hash": {
+                  "type": "keyword"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "kind": {
+                  "type": "keyword"
+                },
+                "module": {
+                  "type": "keyword"
+                },
+                "original": {
+                  "doc_values": false,
+                  "index": false,
+                  "type": "keyword"
+                },
+                "outcome": {
+                  "type": "keyword"
+                },
+                "provider": {
+                  "type": "keyword"
+                },
+                "risk_score": {
+                  "type": "float"
+                },
+                "risk_score_norm": {
+                  "type": "float"
+                },
+                "sequence": {
+                  "type": "long"
+                },
+                "severity": {
+                  "type": "long"
+                },
+                "start": {
+                  "type": "date"
+                },
+                "timezone": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
+            "original_signal": {
+              "dynamic": "false",
+              "enabled": false,
+              "type": "object"
+            },
+            "original_time": {
+              "type": "date"
+            },
+            "parent": {
+              "properties": {
+                "depth": {
+                  "type": "long"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "rule": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
+            "parents": {
+              "properties": {
+                "depth": {
+                  "type": "long"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "rule": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
+            "rule": {
+              "properties": {
+                "author": {
+                  "type": "keyword"
+                },
+                "building_block_type": {
+                  "type": "keyword"
+                },
+                "created_at": {
+                  "type": "date"
+                },
+                "created_by": {
+                  "type": "keyword"
+                },
+                "description": {
+                  "type": "keyword"
+                },
+                "enabled": {
+                  "type": "keyword"
+                },
+                "false_positives": {
+                  "type": "keyword"
+                },
+                "filters": {
+                  "type": "object"
+                },
+                "from": {
+                  "type": "keyword"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "immutable": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "interval": {
+                  "type": "keyword"
+                },
+                "language": {
+                  "type": "keyword"
+                },
+                "license": {
+                  "type": "keyword"
+                },
+                "max_signals": {
+                  "type": "keyword"
+                },
+                "name": {
+                  "type": "keyword"
+                },
+                "note": {
+                  "type": "text"
+                },
+                "output_index": {
+                  "type": "keyword"
+                },
+                "query": {
+                  "type": "keyword"
+                },
+                "references": {
+                  "type": "keyword"
+                },
+                "risk_score": {
+                  "type": "float"
+                },
+                "risk_score_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "rule_id": {
+                  "type": "keyword"
+                },
+                "rule_name_override": {
+                  "type": "keyword"
+                },
+                "saved_id": {
+                  "type": "keyword"
+                },
+                "severity": {
+                  "type": "keyword"
+                },
+                "severity_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "severity": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "size": {
+                  "type": "keyword"
+                },
+                "tags": {
+                  "type": "keyword"
+                },
+                "threat": {
+                  "properties": {
+                    "framework": {
+                      "type": "keyword"
+                    },
+                    "tactic": {
+                      "properties": {
+                        "id": {
+                          "type": "keyword"
+                        },
+                        "name": {
+                          "type": "keyword"
+                        },
+                        "reference": {
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "technique": {
+                      "properties": {
+                        "id": {
+                          "type": "keyword"
+                        },
+                        "name": {
+                          "type": "keyword"
+                        },
+                        "reference": {
+                          "type": "keyword"
+                        },
+                        "subtechnique": {
+                          "properties": {
+                            "id": {
+                              "type": "keyword"
+                            },
+                            "name": {
+                              "type": "keyword"
+                            },
+                            "reference": {
+                              "type": "keyword"
+                            }
+                          }
+                        }
+                      }
+                    }
+                  }
+                },
+                "threshold": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "float"
+                    }
+                  }
+                },
+                "timeline_id": {
+                  "type": "keyword"
+                },
+                "timeline_title": {
+                  "type": "keyword"
+                },
+                "timestamp_override": {
+                  "type": "keyword"
+                },
+                "to": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                },
+                "updated_at": {
+                  "type": "date"
+                },
+                "updated_by": {
+                  "type": "keyword"
+                },
+                "version": {
+                  "type": "keyword"
+                }
+              }
+            },
+            "status": {
+              "type": "keyword"
+            },
+            "threshold_count": {
+              "type": "float"
+            },
+            "threshold_result": {
+              "properties": {
+                "count": {
+                  "type": "long"
+                },
+                "value": {
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "source": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "tags": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "threat": {
+          "properties": {
+            "framework": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "tactic": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "reference": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "technique": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "reference": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "tls": {
+          "properties": {
+            "cipher": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "client": {
+              "properties": {
+                "certificate": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "certificate_chain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "issuer": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ja3": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "not_after": {
+                  "type": "date"
+                },
+                "not_before": {
+                  "type": "date"
+                },
+                "server_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "supported_ciphers": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "curve": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "established": {
+              "type": "boolean"
+            },
+            "next_protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "resumed": {
+              "type": "boolean"
+            },
+            "server": {
+              "properties": {
+                "certificate": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "certificate_chain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "issuer": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ja3s": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "not_after": {
+                  "type": "date"
+                },
+                "not_before": {
+                  "type": "date"
+                },
+                "subject": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version_protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "trace": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "transaction": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "url": {
+          "properties": {
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "extension": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "fragment": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "full": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "password": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "port": {
+              "type": "long"
+            },
+            "query": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "scheme": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "username": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "user": {
+          "properties": {
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "email": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "full_name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "group": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "user_agent": {
+          "properties": {
+            "device": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "vlan": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "vulnerability": {
+          "properties": {
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "classification": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "enumeration": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "report_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "scanner": {
+              "properties": {
+                "vendor": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "score": {
+              "properties": {
+                "base": {
+                  "type": "float"
+                },
+                "environmental": {
+                  "type": "float"
+                },
+                "temporal": {
+                  "type": "float"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "severity": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    },
+    "settings": {
+      "index": {
+        "lifecycle": {
+          "name": ".siem-signals-default",
+          "rollover_alias": ".siem-signals-default"
+        },
+        "mapping": {
+          "total_fields": {
+            "limit": "10000"
+          }
+        },
+        "number_of_replicas": "1",
+        "number_of_shards": "1"
+      }
+    }
+  }
+}