--- name: security fields: base: fields: "@timestamp": {} message: {} data_stream: fields: "*" ecs: fields: version: {} # these fields are needed in the mapping so the maps page of the security app does not throw a bunch of errors source: fields: geo: fields: "*" destination: fields: geo: fields: "*" host: fields: architecture: {} domain: {} hostname: {} id: {} ip: {} mac: {} name: {} type: {} uptime: {} os: fields: family: {} full: {} kernel: {} platform: {} version: {} name: {} type: {} Ext: fields: variant: {} event: fields: action: {} category: {} created: {} code: {} dataset: {} hash: {} id: {} ingested: {} kind: {} module: {} outcome: {} provider: {} sequence: {} severity: {} type: {} agent: fields: version: {} type: {} id: {} group: fields: domain: {} id: {} name: {} Ext: fields: real: fields: id: {} name: {} user: fields: domain: {} email: {} full_name: {} hash: {} id: {} name: {} effective: fields: domain: {} email: {} full_name: {} hash: {} id: {} name: {} group: fields: domain: {} id: {} name: {} Ext: fields: real: fields: id: {} name: {} Ext: fields: real: fields: id: {} name: {} process: fields: pid: {} name: {} executable: {} entity_id: {} code_signature: fields: exists: {} signing_id: {} status: {} subject_name: {} team_id: {} trusted: {} valid: {} thread: fields: id: {} Ext: fields: ancestry: {} authentication_id: {} code_signature: fields: exists: {} status: {} subject_name: {} trusted: {} valid: {} Target: fields: process: fields: Ext: fields: authentication_id: {} winlog: fields: event_data: fields: PrivilegeList: {} file: fields: code_signature: fields: signing_id: {} team_id: {} path: {}