[Security] Add EQL rule test in CCS config (#112852) (#113777)

Co-authored-by: Domenico Andreoli <domenico.andreoli@elastic.co>
Kibana Machine 2021-10-04 13:33:17 -04:00 committed by GitHub
parent af114bf336
commit d33e519c35
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 1178 additions and 1 deletions


@ -0,0 +1,55 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import { esArchiverCCSLoad } from '../../tasks/es_archiver';
import { getCCSEqlRule } from '../../objects/rule';
import { ALERT_DATA_GRID, NUMBER_OF_ALERTS } from '../../screens/alerts';
import {
filterByCustomRules,
goToRuleDetails,
waitForRulesTableToBeLoaded,
} from '../../tasks/alerts_detection_rules';
import { createSignalsIndex, createEventCorrelationRule } from '../../tasks/api_calls/rules';
import { cleanKibana } from '../../tasks/common';
import { waitForAlertsToPopulate, waitForTheRuleToBeExecuted } from '../../tasks/create_new_rule';
import { loginAndWaitForPageWithoutDateRange } from '../../tasks/login';
import { DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation';
describe('Detection rules', function () {
const expectedNumberOfAlerts = '1 alert';
beforeEach('Reset signals index', function () {
cleanKibana();
createSignalsIndex();
});
it('EQL rule on remote indices generates alerts', function () {
esArchiverCCSLoad('linux_process');
this.rule = getCCSEqlRule();
createEventCorrelationRule(this.rule);
loginAndWaitForPageWithoutDateRange(DETECTIONS_RULE_MANAGEMENT_URL);
waitForRulesTableToBeLoaded();
filterByCustomRules();
goToRuleDetails();
waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();
cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
cy.get(ALERT_DATA_GRID)
.invoke('text')
.then((text) => {
cy.log('ALERT_DATA_GRID', text);
expect(text).contains(this.rule.name);
expect(text).contains(this.rule.severity.toLowerCase());
expect(text).contains(this.rule.riskScore);
});
});
});
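Review bot: The three `expect(text).contains(...)` checks in the `.then` callback run against the concatenated text of the whole alerts grid, so `contains(this.rule.riskScore)` passes whenever the substring `17` appears anywhere in it, for example inside a timestamp or another column. The lowercased severity check is loose in the same way. For a detection-rule test this means an alert carrying the wrong severity or risk score could still pass. Scope each assertion to the cell that holds the value, e.g. `cy.get(RISK_SCORE_CELL).should('have.text', this.rule.riskScore)`, where `RISK_SCORE_CELL` is a placeholder for whatever selector the screens module exposes for that column. The spec also loads the `linux_process` archive with no teardown visible in this file, which may leave the remote index in place for later specs.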


@ -72,6 +72,10 @@ export interface OverrideRule extends CustomRule {
timestampOverride: string;
}
export interface EventCorrelationRule extends CustomRule {
language: string;
}
export interface ThreatIndicatorRule extends CustomRule {
indicatorIndexPattern: string[];
indicatorMappingField: string;
@ -326,6 +330,25 @@ export const getEqlRule = (): CustomRule => ({
maxSignals: 100,
});
export const getCCSEqlRule = (): EventCorrelationRule => ({
customQuery: 'any where process.name == "run-parts"',
name: 'New EQL Rule',
index: [`${ccsRemoteName}:run-parts`],
description: 'New EQL rule description.',
severity: 'High',
riskScore: '17',
tags: ['test', 'newRule'],
referenceUrls: ['http://example.com/', 'https://example.com/'],
falsePositivesExamples: ['False1', 'False2'],
mitre: [getMitre1(), getMitre2()],
note: '# test markdown',
runsEvery: getRunsEvery(),
lookBack: getLookBack(),
timeline: getTimeline(),
maxSignals: 100,
language: 'eql',
});
export const getEqlSequenceRule = (): CustomRule => ({
customQuery:
'sequence with maxspan=30s\
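Review bot: `getCCSEqlRule` has no comment tying its `index` and `customQuery` to the fixture they depend on. The pattern `${ccsRemoteName}:run-parts` and the filter `process.name == "run-parts"` only yield the single alert the spec expects if the remote cluster alias and the archived `run-parts` index line up. `ccsRemoteName` is defined outside this hunk, so that coupling is not visible here. I would add a doc comment above the factory, for example `/** EQL rule over the remote 'run-parts' index; expects exactly one matching process event in the CCS archive. */`. Without it, a later change to the archive or the alias makes the rule match nothing, and the failure reads as a detection regression rather than a fixture mismatch.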


@ -5,7 +5,7 @@
* 2.0.
*/
import { CustomRule, ThreatIndicatorRule } from '../../objects/rule';
import { CustomRule, EventCorrelationRule, ThreatIndicatorRule } from '../../objects/rule';
export const createCustomRule = (rule: CustomRule, ruleId = 'rule_testing', interval = '100m') =>
cy.request({
@ -29,6 +29,27 @@ export const createCustomRule = (rule: CustomRule, ruleId = 'rule_testing', inte
failOnStatusCode: false,
});
export const createEventCorrelationRule = (rule: EventCorrelationRule, ruleId = 'rule_testing') =>
cy.request({
method: 'POST',
url: 'api/detection_engine/rules',
body: {
rule_id: ruleId,
risk_score: parseInt(rule.riskScore, 10),
description: rule.description,
interval: `${rule.runsEvery.interval}${rule.runsEvery.type}`,
from: `now-${rule.lookBack.interval}${rule.lookBack.type}`,
name: rule.name,
severity: rule.severity.toLocaleLowerCase(),
type: 'eql',
index: rule.index,
query: rule.customQuery,
language: 'eql',
enabled: true,
},
headers: { 'kbn-xsrf': 'cypress-creds' },
});
export const createCustomIndicatorRule = (rule: ThreatIndicatorRule, ruleId = 'rule_testing') =>
cy.request({
method: 'POST',
@ -107,6 +128,14 @@ export const deleteCustomRule = (ruleId = '1') => {
});
};
export const createSignalsIndex = () => {
cy.request({
method: 'POST',
url: 'api/detection_engine/index',
headers: { 'kbn-xsrf': 'cypress-creds' },
});
};
export const removeSignalsIndex = () => {
cy.request({ url: '/api/detection_engine/index', failOnStatusCode: false }).then((response) => {
if (response.status === 200) {
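Review bot: `createEventCorrelationRule` hard-codes `language: 'eql'` in the request body and never reads `rule.language`, so the field this commit adds to `EventCorrelationRule` has no effect on what is sent. Either send `language: rule.language,` or drop the field from the interface so the fixture cannot drift from the request. Separately, `severity` is lowered with `toLocaleLowerCase()` here while the spec compares against `toLowerCase()`; using `rule.severity.toLowerCase()` in both places keeps the value independent of the runner's locale. Unlike the visible tail of `createCustomRule`, this request does not set `failOnStatusCode: false`, which is worth keeping so a rejected rule fails the test at creation time.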


@ -0,0 +1,135 @@
{
"type": "doc",
"value": {
"id": "qxnqn3sBBf0WZxoXk7tg",
"index": "run-parts",
"source": {
"@timestamp": "2021-09-01T05:52:29.9451497Z",
"agent": {
"id": "cda623db-f791-4869-a63d-5b8352dfaa56",
"type": "endpoint",
"version": "7.14.0"
},
"data_stream": {
"dataset": "endpoint.events.process",
"namespace": "default",
"type": "logs"
},
"ecs": {
"version": "1.6.0"
},
"elastic": {
"agent": {
"id": "cda623db-f791-4869-a63d-5b8352dfaa56"
}
},
"event": {
"action": "exec",
"agent_id_status": "verified",
"category": [
"process"
],
"created": "2021-09-01T05:52:29.9451497Z",
"dataset": "endpoint.events.process",
"id": "MGwI0NpfzFKkX6gW+++++CVd",
"ingested": "2021-09-01T05:52:35.677424686Z",
"kind": "event",
"module": "endpoint",
"sequence": 3523,
"type": [
"start"
]
},
"group": {
"Ext": {
"real": {
"id": 0,
"name": "root"
}
},
"id": 0,
"name": "root"
},
"host": {
"architecture": "x86_64",
"hostname": "localhost",
"id": "f5c59e5f0c963f828782bc413653d324",
"ip": [
"127.0.0.1",
"::1"
],
"mac": [
"00:16:3e:10:96:79"
],
"name": "localhost",
"os": {
"Ext": {
"variant": "Debian"
},
"family": "debian",
"full": "Debian 10",
"kernel": "4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18)",
"name": "Linux",
"platform": "debian",
"version": "10"
}
},
"message": "Endpoint process event",
"process": {
"Ext": {
"ancestry": [
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNTAtMTMyNzQ5NDkxNDkuOTM2Njk1MDAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNTAtMTMyNzQ5NDkxNDkuOTMwNzYyMTAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNDktMTMyNzQ5NDkxNDkuOTI4OTI0ODAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNDktMTMyNzQ5NDkxNDkuOTI3NDgwMzAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNDEtMTMyNzQ5NDkxNDYuNTI3ODA5NTAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNDEtMTMyNzQ5NDkxNDYuNTIzNzEzOTAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTczOC0xMzI3NDk0ODg3OS4yNzgyMjQwMDA=",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTczOC0xMzI3NDk0ODg3OS4yNTQ1MTUzMDA=",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEtMTMyNzQ5NDg4NjkuMA=="
]
},
"args": [
"run-parts",
"--lsbsysinit",
"/etc/update-motd.d"
],
"args_count": 3,
"command_line": "run-parts --lsbsysinit /etc/update-motd.d",
"entity_id": "Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNTAtMTMyNzQ5NDkxNDkuOTQ1MTQ5NzAw",
"executable": "/usr/bin/run-parts",
"hash": {
"md5": "c83b0578484bf5267893d795b55928bd",
"sha1": "46b6e74e28e5daf69c1dd0f18a8e911ae2922dda",
"sha256": "3346b4d47c637a8c02cb6865eee42d2a5aa9c4e46c6371a9143621348d27420f"
},
"name": "run-parts",
"parent": {
"args": [
"sh",
"-c",
"/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"
],
"args_count": 0,
"command_line": "sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new",
"entity_id": "Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNTAtMTMyNzQ5NDkxNDkuOTM2Njk1MDAw",
"executable": "/",
"name": "",
"pid": 1349
},
"pid": 1350
},
"user": {
"Ext": {
"real": {
"id": 0,
"name": "root"
}
},
"id": 0,
"name": "root"
}
},
"type": "_doc"
}
}


@ -0,0 +1,935 @@
{
"type": "index",
"value": {
"aliases": {
},
"index": "run-parts",
"mappings": {
"_data_stream_timestamp": {
"enabled": true
},
"_meta": {
"managed": true,
"managed_by": "ingest-manager",
"package": {
"name": "endpoint"
}
},
"date_detection": false,
"dynamic": "false",
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"agent": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"dataset": {
"type": "constant_keyword",
"value": "endpoint.events.process"
},
"namespace": {
"type": "constant_keyword",
"value": "default"
},
"type": {
"type": "constant_keyword",
"value": "logs"
}
}
},
"destination": {
"properties": {
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence": {
"type": "long"
},
"severity": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group": {
"properties": {
"Ext": {
"properties": {
"real": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"host": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"Ext": {
"properties": {
"variant": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"caseless": {
"ignore_above": 1024,
"normalizer": "lowercase",
"type": "keyword"
},
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"caseless": {
"ignore_above": 1024,
"normalizer": "lowercase",
"type": "keyword"
},
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
}
}
},
"message": {
"type": "text"
},
"package": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"process": {
"properties": {
"Ext": {
"properties": {
"ancestry": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_id": {
"ignore_above": 1024,
"type": "keyword"
},
"code_signature": {
"properties": {
"exists": {
"type": "boolean"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
},
"type": "nested"
},
"defense_evasions": {
"ignore_above": 1024,
"type": "keyword"
},
"dll": {
"properties": {
"Ext": {
"properties": {
"mapped_address": {
"type": "unsigned_long"
},
"mapped_size": {
"type": "unsigned_long"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"protection": {
"ignore_above": 1024,
"type": "keyword"
},
"session": {
"ignore_above": 1024,
"type": "keyword"
},
"token": {
"properties": {
"elevation": {
"type": "boolean"
},
"elevation_level": {
"ignore_above": 1024,
"type": "keyword"
},
"elevation_type": {
"ignore_above": 1024,
"type": "keyword"
},
"integrity_level_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"args_count": {
"type": "long"
},
"code_signature": {
"properties": {
"exists": {
"type": "boolean"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"command_line": {
"fields": {
"caseless": {
"ignore_above": 1024,
"normalizer": "lowercase",
"type": "keyword"
},
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"executable": {
"fields": {
"caseless": {
"ignore_above": 1024,
"normalizer": "lowercase",
"type": "keyword"
},
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"fields": {
"caseless": {
"ignore_above": 1024,
"normalizer": "lowercase",
"type": "keyword"
},
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"parent": {
"properties": {
"Ext": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"code_signature": {
"properties": {
"exists": {
"type": "boolean"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
},
"type": "nested"
},
"protection": {
"ignore_above": 1024,
"type": "keyword"
},
"real": {
"properties": {
"pid": {
"type": "long"
}
}
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"args_count": {
"type": "long"
},
"code_signature": {
"properties": {
"exists": {
"type": "boolean"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"command_line": {
"fields": {
"caseless": {
"ignore_above": 1024,
"normalizer": "lowercase",
"type": "keyword"
},
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"executable": {
"fields": {
"caseless": {
"ignore_above": 1024,
"normalizer": "lowercase",
"type": "keyword"
},
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"fields": {
"caseless": {
"ignore_above": 1024,
"normalizer": "lowercase",
"type": "keyword"
},
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"properties": {
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
"ppid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"title": {
"fields": {
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
},
"working_directory": {
"fields": {
"caseless": {
"ignore_above": 1024,
"normalizer": "lowercase",
"type": "keyword"
},
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pe": {
"properties": {
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
"ppid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"title": {
"fields": {
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
},
"working_directory": {
"fields": {
"caseless": {
"ignore_above": 1024,
"normalizer": "lowercase",
"type": "keyword"
},
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"source": {
"properties": {
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"user": {
"properties": {
"Ext": {
"properties": {
"real": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"Ext": {
"properties": {
"real": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"settings": {
"index": {
"number_of_replicas": "0",
"number_of_shards": "1"
}
}
}
}