search

OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io
Other
6.41k stars 946 forks source link

Application update failed - Limit of total fields [3000] has been exceeded #8988

Open SergioIbIGZ opened 4 days ago

SergioIbIGZ commented 4 days ago

Prerequisites

Description

Hello. The reason for this issue is to discuss a problem I encountered today trying to update my OpenCTI platform. It is currently running version 5.12.33 without any problems. Using Kubernetes and the official docker images. I performed a test upgrade in pre-production following this order:

6.0.10 6.1.13 6.2.18 6.3.11

I had no problems at all.

Today in production, an environment that has much more data stored and connectors deployed, the result was different. When deploying with Helm a change from 5.12.33 to 6.0.10, the opencti-server pod on which the others depend went into CrashLoopBack. The reason is that the platform startup fails to create/recreate the OpenCTI indexes in our OpenSearch 2.11. The error is basically: ‘Limit of total fields [3000] has been exceeded’.

I have checked that indeed, all OpenCTI indexes have that property ‘index.mapping.total_fields.limit’: 3000 and that also OpenCTI index templates set them to 3000. So I tried to change the value manually, but the setting forces back to 3000 and the update is not able to start. I have seen in the source code that the value for this is a constant called ‘ES_MAX_MAPPINGS’. I understand that it is impossible to change or customise it.

My Live environment is old, first deployed using version 5.7.6. I also remember there was some slowness and indexing issues a while back that were resolved for us in version 5.9 or 5.10. I don't know if it's related. I would like to know if you have any workaround so that I can get OpenCTI upgraded; my goal is to get the latest version available.

Thank you very much for your help.

Environment

  1. OS (where OpenCTI server runs): Kubernetes - official Docker image
  2. OpenCTI version: 5.12.33
  3. OpenCTI client: frontend
  4. Other environment details:

Reproducible Steps

I couldn't reproduce the problem. In pre-production I installed a new, empty OpenCTI in version 5.12.33 and was able to update without problems. So I think the problem comes from either the large amount of data stored in OpenSearch, or a problem generated in a previous version used in production.

Additional information

SergioIbIGZ commented 3 days ago

Hello again, This is the OpenCTI server boot log, to add more info about it:

{"category":"APP","level":"info","message":"[OPENCTI] Starting platform","timestamp":"2024-11-14T08:12:36.417Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[OPENCTI] Checking dependencies statuses","timestamp":"2024-11-14T08:12:36.419Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[SEARCH] Engine client not specified, trying to discover it with opensearch client","timestamp":"2024-11-14T08:12:36.420Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[SEARCH] Engine detected to opensearch","timestamp":"2024-11-14T08:12:36.793Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[SEARCH] opensearch (2.11.1) client selected / runtime sorting disabled / attachment processor enabled","timestamp":"2024-11-14T08:12:36.815Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[CHECK] Search engine is alive","timestamp":"2024-11-14T08:12:36.816Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[CHECK] Minio is alive","timestamp":"2024-11-14T08:12:37.877Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[CHECK] RabbitMQ is alive","timestamp":"2024-11-14T08:12:37.937Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[REDIS] Redis 'base' client ready","timestamp":"2024-11-14T08:12:37.952Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[REDIS] Clients initialized in single mode","timestamp":"2024-11-14T08:12:37.952Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[CHECK] Redis is alive","timestamp":"2024-11-14T08:12:37.953Z","version":"6.0.10"}
{"category":"APP","level":"warn","message":"SMTP seems down, email notification will may not work","timestamp":"2024-11-14T08:12:37.958Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[CHECK] Python3 is available","timestamp":"2024-11-14T08:12:37.991Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[REDIS] Redis 'subscriber' client ready","timestamp":"2024-11-14T08:12:37.998Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[OPENCTI-MODULE] Cache manager pub sub listener initialized","timestamp":"2024-11-14T08:12:37.999Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[REDIS] Redis 'lock' client ready","timestamp":"2024-11-14T08:12:38.005Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[INIT] Starting platform initialization","timestamp":"2024-11-14T08:12:38.007Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[INIT] Existing platform detected, initialization...","timestamp":"2024-11-14T08:12:38.286Z","version":"6.0.10"}
{"category":"APP","level":"info","message":"[INIT] Platform initialization done","timestamp":"2024-11-14T08:12:41.731Z","version":"6.0.10"}
{"category":"APP","level":"error","message":"[OPENCTI] Platform default initialization failed","platformError":{"_error":{},"_showLocations":false,"_showPath":false,"data":{"cause":{"meta":{"body":{"error":{"reason":"Limit of total fields [3000] has been exceeded","root_cause":[{"reason":"Limit of total fields [3000] has been exceeded","type":"illegal_argument_exception"}],"type":"illegal_argument_exception"},"status":400},"headers":{"content-length":"229","content-type":"application/json; charset=UTF-8"},"meta":{"aborted":false,"attempts":0,"connection":{"_openRequests":0,"deadCount":0,"headers":{},"id":"http://opencti-master.opensearch:9200/","resurrectTimeout":0,"roles":{"data":true,"ingest":true},"status":"alive","url":"http://opencti-master.opensearch:9200/"},"context":null,"name":"opensearch-js","request":{"id":31,"options":{},"params":{"body":"{\"properties\":{\"account_created\":{\"type\":\"date\"},\"account_expires\":{\"type\":\"date\"},\"account_first_login\":{\"type\":\"date\"},\"account_last_login\":{\"type\":\"date\"},\"account_lock_after_date\":{\"type\":\"date\"},\"account_login\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"account_number\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"account_status\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"account_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"actions\":{\"type\":\"flat_object\"},\"active\":{\"type\":\"boolean\"},\"activity_listeners_ids\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"added_after_start\":{\"type\":\"date\"},\"administrated_organizations\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"aliases\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"analysis_definition_version\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"analysis_ended\":{\"type\":\"date\"},\"analysis_engine_version\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"analysis_started\":{\"type\":\"date\"},\"analytics_google_analytics_v4\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"api_token\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"applicant_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"architecture_execution_envs\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"aslr_enabled\":{\"type\":\"boolean\"},\"atime\":{\"type\":\"date\"},\"attachment\":{\"dynamic\":\"strict\",\"properties\":{\"author\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"comments\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"content\":{\"type\":\"text\"},\"content_length\":{\"type\":\"integer\",\"coerce\":false},\"content_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"creator_tool\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"date\":{\"type\":\"date\"},\"description\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"format\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"keywords\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"language\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"metadata_date\":{\"type\":\"date\"},\"modified\":{\"type\":\"date\"},\"modifier\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"print_date\":{\"type\":\"date\"},\"title\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"attribute_abstract\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"attribute_count\":{\"type\":\"integer\",\"coerce\":false},\"attribute_date\":{\"type\":\"date\"},\"attribute_key\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"attribute_order\":{\"type\":\"integer\"},\"attributes_configuration\":{\"type\":\"text\"},\"authentication_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"authentication_value\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"authority_key_identifier\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"authorized_authorities\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"authorized_members\":{\"dynamic\":\"strict\",\"properties\":{\"access_right\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"entity_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"name\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"authors\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"auto\":{\"type\":\"boolean\"},\"auto_new_marking\":{\"type\":\"boolean\"},\"availableSettings\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"base_score\":{\"type\":\"integer\"},\"base_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"basic_constraints\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"bic\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"body\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"bookmarks\":{\"dynamic\":\"strict\",\"properties\":{\"id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"builtIn\":{\"type\":\"boolean\"},\"built_in\":{\"type\":\"boolean\"},\"can_escalate_privs\":{\"type\":\"boolean\"},\"capabilities\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"card_number\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"caseTemplate\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"category\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"certificate_policies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"channel_types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"collection\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"collection_layers\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"color\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"command_line\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"completed\":{\"type\":\"boolean\"},\"completed_number\":{\"type\":\"integer\",\"coerce\":false},\"completed_time\":{\"type\":\"date\"},\"confidence\":{\"type\":\"integer\"},\"configuration_version\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"connections\":{\"type\":\"nested\"},\"connector_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"connector_scope\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"connector_state\":{\"type\":\"text\"},\"connector_state_reset\":{\"type\":\"boolean\"},\"connector_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"connector_user_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"contact_information\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"content\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"content_disposition\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"content_mapping\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"content_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"context\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"context_data\":{\"dynamic\":\"strict\",\"properties\":{\"commit\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"connector_name\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"connectors\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"created_by_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"created_by_ref_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"creator_ids\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"element_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"entity_name\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"entity_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"export_scope\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"export_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"external_references\":{\"type\":\"flat_object\"},\"file_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"file_mime\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"file_name\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"filters\":{\"type\":\"text\"},\"format\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"from_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"granted_refs_ids\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"input\":{\"type\":\"flat_object\"},\"labels_ids\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"list_params\":{\"type\":\"flat_object\"},\"marking_definition_ids\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"max_marking\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"message\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"object_marking_refs_ids\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"operation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"path\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"provider\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"search\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"selected_ids\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"to_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"username\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"workspace_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"connector_id\":{\"fields\":{\"keyword\":{\"ignore_above\":512,\"normalizer\":\"string_normalizer\",\"type\":\"keyword\"}},\"type\":\"text\"},\"entity_id\":{\"fields\":{\"keyword\":{\"ignore_above\":512,\"normalizer\":\"string_normalizer\",\"type\":\"keyword\"}},\"type\":\"text\"}}},\"cpe\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"created\":{\"type\":\"date\"},\"created_at\":{\"type\":\"date\"},\"created_by_ref\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"created_time\":{\"type\":\"date\"},\"creator_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"credential\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"credential_last_changed\":{\"type\":\"date\"},\"crl_distribution_points\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"ctime\":{\"type\":\"date\"},\"current_state_cursor\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"current_state_date\":{\"type\":\"date\"},\"cvv\":{\"type\":\"integer\",\"coerce\":false},\"cwd\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"data\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"data_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"date_of_birth\":{\"type\":\"date\"},\"decay_applied_rule\":{\"type\":\"flat_object\"},\"decay_base_score\":{\"type\":\"integer\",\"coerce\":false},\"decay_base_score_date\":{\"type\":\"date\"},\"decay_history\":{\"type\":\"flat_object\"},\"decay_next_reaction_date\":{\"type\":\"date\"},\"decryption_key\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"default_assignation\":{\"type\":\"boolean\"},\"default_dashboard\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"default_hidden_types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"default_marking\":{\"dynamic\":\"strict\",\"properties\":{\"entity_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"values\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"default_time_field\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"definition\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"definition_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"dep_enabled\":{\"type\":\"boolean\"},\"description\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"descriptions\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"display_name\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"dst_byte_count\":{\"type\":\"integer\",\"coerce\":false},\"dst_packets\":{\"type\":\"integer\",\"coerce\":false},\"dst_port\":{\"type\":\"integer\",\"coerce\":false},\"due_date\":{\"type\":\"date\"},\"enable\":{\"type\":\"boolean\"},\"encryption_algorithm\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"end\":{\"type\":\"date\"},\"enforce_reference\":{\"type\":\"boolean\"},\"enterprise_edition\":{\"type\":\"date\"},\"entity_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"entity_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"environment_variables\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"errors\":{\"dynamic\":\"strict\",\"properties\":{\"error\":{\"type\":\"text\"},\"id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"message\":{\"type\":\"text\"},\"source\":{\"type\":\"text\"},\"timestamp\":{\"type\":\"date\"}}},\"event_access\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"event_date\":{\"type\":\"date\"},\"event_scope\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"event_source_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"event_status\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"event_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"event_types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"expiration_date\":{\"type\":\"date\"},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"extended_key_usage\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"extensions\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"external\":{\"type\":\"boolean\"},\"external_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"eye_color\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"feed_attributes\":{\"dynamic\":\"strict\",\"properties\":{\"attribute\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"mappings\":{\"dynamic\":\"strict\",\"properties\":{\"attribute\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}}}},\"feed_date_attribute\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"feed_public\":{\"type\":\"boolean\"},\"feed_types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"file_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"filters\":{\"type\":\"text\"},\"first_observed\":{\"type\":\"date\"},\"first_seen\":{\"type\":\"date\"},\"firstname\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"fromType\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"gender\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"goals\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"grant\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"grantable_groups\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"graph_data\":{\"type\":\"text\"},\"group_confidence_level\":{\"dynamic\":\"strict\",\"properties\":{\"max_confidence\":{\"type\":\"integer\",\"coerce\":false},\"overrides\":{\"type\":\"nested\",\"dynamic\":\"strict\",\"properties\":{\"entity_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"max_confidence\":{\"type\":\"integer\",\"coerce\":false}}}}},\"group_ids\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"group_name\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hair_color\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"has_header\":{\"type\":\"boolean\"},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hashes\":{\"dynamic\":\"strict\",\"properties\":{\"LZJD\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"MD5\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"SDHASH\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"SHA-1\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"SHA-256\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"SHA-512\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"SHA3-256\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"SHA3-512\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"SSDEEP\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"TLSH\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"height\":{\"type\":\"nested\",\"properties\":{\"date_seen\":{\"type\":\"date\"},\"measure\":{\"type\":\"float\"}}},\"holder_name\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"i_aliases_ids\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"i_inference_weight\":{\"type\":\"integer\",\"coerce\":false},\"i_rule_attribution_attribution\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_attribution_targets\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_attribution_use\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_indicate_sighted\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_localization_of_targets\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_location_location\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_location_targets\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_observable_related\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_observe_sighting\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_part-of_targets\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_part_part\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_participate-to_parts\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_related_related\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_report_ref_identity_part_of\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_report_ref_indicator_based_on\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_report_ref_location_located_at\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_report_ref_observable_based_on\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_sighting_incident\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_sighting_indicator\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"i_rule_sighting_observable\":{\"dynamic\":\"strict\",\"properties\":{\"data\":{\"type\":\"flat_object\"},\"dependencies\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"explanation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"hash\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"iban\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"identity_class\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"implementation_languages\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"import_expected_number\":{\"type\":\"integer\"},\"import_processed_number\":{\"type\":\"integer\"},\"incident_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"include_header\":{\"type\":\"boolean\"},\"indexed_at\":{\"type\":\"date\"},\"indicator_types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"information\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"information_types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"infrastructure_types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"ingestion_running\":{\"type\":\"boolean\"},\"inhibit_any_policy\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"initiator_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"instance_trigger\":{\"type\":\"boolean\"},\"integrity_level\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"investigated_entities_ids\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"is_active\":{\"type\":\"boolean\"},\"is_disabled\":{\"type\":\"boolean\"},\"is_family\":{\"type\":\"boolean\"},\"is_hidden\":{\"type\":\"boolean\"},\"is_multipart\":{\"type\":\"boolean\"},\"is_privileged\":{\"type\":\"boolean\"},\"is_read\":{\"type\":\"boolean\"},\"is_self_signed\":{\"type\":\"boolean\"},\"is_service_account\":{\"type\":\"boolean\"},\"issuer\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"issuer_alternative_name\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"job_title\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"key_usage\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"kill_chain_name\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"lang\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"language\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"languages\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"lastEventId\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"lastModified\":{\"type\":\"date\"},\"lastModifiedSinceMin\":{\"type\":\"integer\",\"coerce\":false},\"lastRun\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"last_deleted_count\":{\"type\":\"integer\",\"coerce\":false},\"last_execution_date\":{\"type\":\"date\"},\"last_observed\":{\"type\":\"date\"},\"last_run_end_date\":{\"type\":\"date\"},\"last_run_start_date\":{\"type\":\"date\"},\"last_seen\":{\"type\":\"date\"},\"lastname\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"latitude\":{\"type\":\"float\"},\"likelihood\":{\"type\":\"integer\"},\"listen_deletion\":{\"type\":\"boolean\"},\"longitude\":{\"type\":\"float\"},\"magic_number_hex\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"malware_types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"manager_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"manager_running\":{\"type\":\"boolean\"},\"manager_setting\":{\"type\":\"flat_object\"},\"manifest\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"marital_status\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"max_retention\":{\"type\":\"integer\",\"coerce\":false},\"media_category\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"message_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"messages\":{\"dynamic\":\"strict\",\"properties\":{\"message\":{\"type\":\"text\"},\"timestamp\":{\"type\":\"date\"}}},\"metaData\":{\"dynamic\":\"strict\",\"properties\":{\"creator_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"description\":{\"type\":\"text\"},\"encoding\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"entity_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"errors\":{\"type\":\"flat_object\"},\"external_reference_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"filename\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"inCarousel\":{\"type\":\"boolean\"},\"labels\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"labels_text\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"list_filters\":{\"type\":\"text\"},\"messages\":{\"type\":\"flat_object\"},\"mimetype\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"order\":{\"type\":\"integer\",\"coerce\":false},\"version\":{\"type\":\"date\"}}},\"mime_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"modified\":{\"type\":\"date\"},\"modified_at\":{\"type\":\"date\"},\"modified_time\":{\"type\":\"date\"},\"modules\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"mtime\":{\"type\":\"date\"},\"name\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"name_constraints\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"name_enc\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"narrative_types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"no_dependencies\":{\"type\":\"boolean\"},\"note_types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"notification_content\":{\"dynamic\":\"strict\",\"properties\":{\"events\":{\"dynamic\":\"strict\",\"properties\":{\"instance_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"message\":{\"type\":\"text\"},\"operation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"title\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"notification_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"notifier_configuration\":{\"type\":\"text\"},\"notifier_connector_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"notifiers\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"number\":{\"type\":\"integer\",\"coerce\":false},\"number_observed\":{\"type\":\"integer\"},\"number_of_subkeys\":{\"type\":\"integer\",\"coerce\":false},\"object_marking_refs\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"objective\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"obsContent\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"observable_date\":{\"type\":\"date\"},\"only_contextual\":{\"type\":\"boolean\"},\"openCTI_version\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"opinion\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"order\":{\"type\":\"integer\",\"coerce\":false},\"organization_ids\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"otp_activated\":{\"type\":\"boolean\"},\"otp_mandatory\":{\"type\":\"boolean\"},\"otp_qr\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"otp_secret\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"outcomes\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"owner_sid\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"parent_types\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"password\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"password_policy_max_length\":{\"type\":\"integer\",\"coerce\":false},\"password_policy_min_length\":{\"type\":\"integer\",\"coerce\":false},\"password_policy_min_lowercase\":{\"type\":\"integer\",\"coerce\":false},\"password_policy_min_numbers\":{\"type\":\"integer\",\"coerce\":false},\"password_policy_min_symbols\":{\"type\":\"integer\",\"coerce\":false},\"password_policy_min_uppercase\":{\"type\":\"integer\",\"coerce\":false},\"password_policy_min_words\":{\"type\":\"integer\",\"coerce\":false},\"path\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"path_enc\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"pattern\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"pattern_type\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"pattern_version\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"payload_bin\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"period\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"personal_motivations\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"phase_name\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"pid\":{\"type\":\"long\",\"coerce\":false},\"platformVersion\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_banner_level\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_banner_text\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_consent_confirm_text\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_consent_message\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_email\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_entity_files_ref\":{\"type\":\"boolean\"},\"platform_favicon\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_hidden_type\":{\"type\":\"boolean\"},\"platform_language\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_login_message\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_messages\":{\"type\":\"text\"},\"platform_organization\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_dark_accent\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_dark_background\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_dark_logo\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_dark_logo_collapsed\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_dark_logo_login\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_dark_nav\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_dark_paper\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_dark_primary\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_dark_secondary\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_light_accent\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_light_background\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_light_logo\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_light_logo_collapsed\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_light_logo_login\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_light_nav\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_light_paper\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_light_primary\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_theme_light_secondary\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_title\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"platform_whitemark\":{\"type\":\"boolean\"},\"playbook_compatible\":{\"type\":\"boolean\"},\"playbook_definition\":{\"type\":\"text\"},\"playbook_running\":{\"type\":\"boolean\"},\"playbook_start\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"policy_constraints\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"policy_mappings\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"postal_code\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"precision\":{\"type\":\"float\",\"coerce\":false},\"primary_motivation\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"priority\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"private_key_usage_period_not_after\":{\"type\":\"date\"},\"private_key_usage_period_not_before\":{\"type\":\"date\"},\"processed_time\":{\"type\":\"date\"},\"product\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"protocols\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"publication_date\":{\"type\":\"date\"},\"published\":{\"type\":\"date\"},\"rating\":{\"type\":\"integer\",\"coerce\":false},\"received_lines\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"received_time\":{\"type\":\"date\"},\"recipients\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"rel_accesses-to\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_allowed-by\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_amplifies\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_analysis-of\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_analysis-sco\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_attributed-to\":{\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_authored-by\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_based-on\":{\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_bcc\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_beacons-to\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_belongs-to\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_body-multipart\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_body-raw\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_born-in\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_cc\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_characterizes\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_child\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_citizen-of\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_communicates-with\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}},\"internal_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":512,\"normalizer\":\"string_normalizer\"}}}}},\"rel_compromises\":{\"dynamic\":\"strict\",\"properties\":{\"inferred_id\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_

(...)
SergioIbIGZ commented 3 days ago

I extracted the current indexes and fields number per index:

./index-counter-curl.sh 
Index field number
opencti_inferred_relationships-000002 - 1569 fields
opencti_stix_meta_relationships-000001 - 1592 fields
opencti_inferred_relationships-000001 - 1583 fields
opencti_stix_domain_objects-000001 - 2850 fields
opencti_inferred_entities-000001 - 1547 fields
opencti_inferred_entities-000002 - 1533 fields
opencti_files-000001 - 1546 fields
opencti_stix_sighting_relationships-000001 - 1558 fields
opencti_internal_relationships-000002 - 1533 fields
opencti_internal_objects-000002 - 1533 fields
opencti_internal_relationships-000001 - 1556 fields
opencti_internal_objects-000001 - 1564 fields
opencti_stix_domain_objects-000002 - 1533 fields
opencti_history-000001 - 1550 fields
opencti_stix_sighting_relationships-000002 - 1533 fields
opencti_history-000002 - 1533 fields
opencti_stix_cyber_observables-000002 - 1533 fields
opencti_stix_core_relationships-000002 - 1533 fields
opencti_stix_cyber_observables-000001 - 1553 fields
opencti_stix_meta_objects-000001 - 1553 fields
opencti_stix_core_relationships-000001 - 1560 fields
opencti_stix_meta_objects-000002 - 1533 fields
opencti_stix_meta_relationships-000002 - 1533 fields
health status index                                      uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   opencti_inferred_relationships-000002      E70pdlC3S5CsNboM5qmx4Q   1   1          0            0       416b           208b
green  open   opencti_stix_meta_relationships-000001     4hrI68VaTmib9TNWgrwGUA   1   1   35659512      1248919     17.6gb          8.8gb
green  open   opencti_inferred_relationships-000001      nBswM9hYRiqp3n4MlUR7dg   1   1          0            0       418b           209b
green  open   opencti_stix_domain_objects-000001         Zlb2m3H3QtCTjcM8yztUAQ   1   1     398624        54759      5.8gb          2.9gb
green  open   opencti_inferred_entities-000001           jGfRfIWoSweko0fn0e5efQ   1   1          0            0       418b           209b
green  open   opencti_inferred_entities-000002           uZQQ55p9TVugKDH3MAeiMg   1   1          0            0       416b           208b
green  open   opencti_files-000001                       _HVgYakjQaiydgf9GQYTNQ   1   1          0            0       418b           209b
green  open   opencti_stix_sighting_relationships-000001 u_xlBeFiQneXtyiK7-yE6A   1   1         39            3    150.8kb         75.4kb
green  open   opencti_internal_relationships-000002      rWzqab2USmec_n2BTsYYxg   1   1         15            0    156.9kb         78.4kb
green  open   opencti_internal_objects-000002            5dr_ugJiQZKQlQ1fEKu8hw   1   1         12            0     67.7kb         33.8kb
green  open   opencti_internal_relationships-000001      dAwJNSZsR2iu_aAxVrbQig   1   1        471           29    455.1kb        227.5kb
green  open   opencti_internal_objects-000001            H3qH7HIsQdq84XD1FlVADw   1   1      26722          190     34.1mb           17mb
green  open   opencti_stix_domain_objects-000002         lWOiP95WRPyUX4wkX_CNYA   1   1       5254          401     22.8mb         11.4mb
green  open   opencti_history-000001                     Grn_FVbURdOfs7yVUF_RvA   1   1    5295023        30198      5.2gb          2.6gb
green  open   opencti_stix_sighting_relationships-000002 407vd_M7SViUN61obQxT8w   1   1          0            0       416b           208b
green  open   opencti_history-000002                     PwxvaoayQF21dvGmjnTraw   1   1      33497          583     74.3mb         37.1mb
green  open   opencti_stix_cyber_observables-000002      90LU1UEURoKe9gV_0knOpA   1   1         12            0    158.4kb         79.2kb
green  open   opencti_stix_core_relationships-000002     oRV_KYWzR4yNiB0zi4rBMw   1   1       4665           27      5.5mb          2.7mb
green  open   opencti_stix_cyber_observables-000001      ceBUrTpnSF2dP39kmeE2Mg   1   1     190959        28696      1.5gb        782.4mb
green  open   opencti_stix_meta_objects-000001           L6LHh7LKTmyBoDxwOZ89sw   1   1     927738        53488      1.4gb        722.1mb
green  open   opencti_stix_core_relationships-000001     _ddT7J9GQzuAdTjDylDetA   1   1    9845466       799740        6gb            3gb
green  open   opencti_stix_meta_objects-000002           cSxl0BooSFiRLkXhA2w5sA   1   1      16554          379     26.8mb         13.4mb
green  open   opencti_stix_meta_relationships-000002     fvgWn_QyQiOgywFVgHZe6w   1   1      91089            0     52.6mb         26.3mb