Mappings APIs
The following APIs cover the tasks related to mappings: viewing the mappings proposed for a rule topic, creating mappings, getting existing mappings, and updating them.
Get Mappings View
Example request
GET /_plugins/_security_analytics/mappings/view
{
  "index_name": "windows",
  "rule_topic": "windows"
}
Example response
{
  "properties": {
    "windows-event_data-CommandLine": {
      "path": "CommandLine",
      "type": "alias"
    },
    "event_uid": {
      "path": "EventID",
      "type": "alias"
    }
  },
  "unmapped_index_fields": [
    "windows-event_data-CommandLine",
    "unmapped_HiveName",
    "src_ip",
    "sha1",
    "processPath",
    "CallerProcessName",
    "CallTrace",
    "AuthenticationPackageName",
    "AuditSourceName",
    "AuditPolicyChanges",
    "AttributeValue",
    "AttributeLDAPDisplayName",
    "ApplicationPath",
    "Application",
    "AllowedToDelegateTo",
    "Address",
    "Action",
    "AccountType",
    "AccountName",
    "Accesses",
    "AccessMask",
    "AccessList"
  ]
}
Create Mappings
Example request
POST /_plugins/_security_analytics/mappings
{
  "index_name": "windows",
  "rule_topic": "windows",
  "partial": true,
  "alias_mappings": {
    "properties": {
      "event_uid": {
        "type": "alias",
        "path": "EventID"
      }
    }
  }
}
Example response
{
  "acknowledged": true
}
Get Mappings
Example request
GET /_plugins/_security_analytics/mappings
Example response
{
  "windows": {
    "mappings": {
      "properties": {
        "windows-event_data-CommandLine": {
          "type": "alias",
          "path": "CommandLine"
        },
        "event_uid": {
          "type": "alias",
          "path": "EventID"
        }
      }
    }
  }
}
Update Mappings
Example request
PUT /_plugins/_security_analytics/mappings
{
  "index_name": "windows",
  "field": "CommandLine",
  "alias": "windows-event_data-CommandLine"
}
Example response
{
  "acknowledged": true
}
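The three write-side calls above fit together as one workflow: read the view response, decide which rule-field aliases are missing or point at the wrong index field, then send a partial Create Mappings (POST) body for the missing ones and an Update Mappings (PUT) body for each wrong one. The following helper is an added example, not part of the OpenSearch documentation or plugin; the sample view response, the alias name `process_path`, and the index field `EventRecordID` are constructed for the demonstration.

```python
import json

# Constructed sample in the shape of the "Get Mappings View" response above:
# one alias that currently points at the wrong index field, plus unmapped fields.
VIEW_RESPONSE = {
    "properties": {
        "event_uid": {"path": "EventRecordID", "type": "alias"},
        "windows-event_data-CommandLine": {"path": "CommandLine", "type": "alias"},
    },
    "unmapped_index_fields": ["EventID", "src_ip", "sha1", "processPath"],
}

# Constructed target state: rule-field alias -> index field (alias names are assumptions).
DESIRED = {
    "event_uid": "EventID",                           # exists, wrong path: PUT
    "windows-event_data-CommandLine": "CommandLine",  # already correct: nothing
    "process_path": "processPath",                    # missing: POST
}


def plan_mapping_requests(index_name, rule_topic, view, desired):
    """Turn the view response plus the desired aliases into request bodies.

    Returns (create_body, update_bodies): one partial POST body for aliases
    that do not exist yet (or None), and one PUT body per alias that exists
    but points at a different field. A requested path that is neither an
    unmapped index field nor an existing alias target is rejected, because
    the index has no such field to alias.
    """
    existing = {name: spec["path"] for name, spec in view["properties"].items()
                if spec.get("type") == "alias"}
    known_paths = set(view["unmapped_index_fields"]) | set(existing.values())
    new_props, updates = {}, []
    for alias, path in desired.items():
        if path not in known_paths:
            raise ValueError(f"{path!r} is not a field of index {index_name!r}")
        if alias not in existing:
            new_props[alias] = {"type": "alias", "path": path}
        elif existing[alias] != path:
            updates.append({"index_name": index_name, "field": path, "alias": alias})
    create = None
    if new_props:
        create = {"index_name": index_name, "rule_topic": rule_topic, "partial": True,
                  "alias_mappings": {"properties": new_props}}
    return create, updates


if __name__ == "__main__":
    create, updates = plan_mapping_requests("windows", "windows", VIEW_RESPONSE, DESIRED)
    print("POST body:", json.dumps(create, indent=2))
    print("PUT bodies:", json.dumps(updates, indent=2))
```

Sending the bodies to `/_plugins/_security_analytics/mappings` with POST and PUT respectively is left to the HTTP client of your choice; each call should return `{"acknowledged": true}` as shown above.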