diff --git a/x-pack/plugins/security_solution/public/flyout/entity_details/user_details_left/index.test.tsx b/x-pack/plugins/security_solution/public/flyout/entity_details/user_details_left/index.test.tsx
new file mode 100644
index 0000000000000..32d4b2f6c2f86
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/flyout/entity_details/user_details_left/index.test.tsx
@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { TestProviders } from '../../../common/mock';
+import { render } from '@testing-library/react';
+import React from 'react';
+import { UserDetailsPanel } from '.';
+import { EntityDetailsLeftPanelTab } from '../shared/components/left_panel/left_panel_header';
+
+describe('LeftPanel', () => {
+ it('renders', () => {
+ const { queryByText } = render(
+ ,
+ {
+ wrapper: TestProviders,
+ }
+ );
+
+ const tabElement = queryByText('Risk Inputs');
+
+ expect(tabElement).toBeInTheDocument();
+ });
+
+ it('does not render the tab if tab is not found', () => {
+ const { queryByText } = render(
+ ,
+ {
+ wrapper: TestProviders,
+ }
+ );
+
+ const tabElement = queryByText('Risk Inputs');
+
+ expect(tabElement).not.toBeInTheDocument();
+ });
+});
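Review bot: The suite is labelled `describe('LeftPanel', ...)`, but the component imported and rendered is `UserDetailsPanel`, so a failure report will name something that does not exist in this file; `describe('UserDetailsPanel', () => {` would match. The first case is titled only `'renders'` although it asserts that the 'Risk Inputs' tab is present, so `it('renders the Risk Inputs tab', ...)` would say what is being pinned. The JSX passed to `render` is not visible in this view, so the props each case relies on cannot be checked here.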
diff --git a/x-pack/plugins/security_solution/public/flyout/entity_details/user_details_left/index.tsx b/x-pack/plugins/security_solution/public/flyout/entity_details/user_details_left/index.tsx
index 7cab4350e667c..3a682ba125864 100644
--- a/x-pack/plugins/security_solution/public/flyout/entity_details/user_details_left/index.tsx
+++ b/x-pack/plugins/security_solution/public/flyout/entity_details/user_details_left/index.tsx
@@ -41,6 +41,10 @@ export const UserDetailsPanel = ({ isRiskScoreExist, user, path }: UserDetailsPa
if (managedUser.isLoading) return ;
+ if (!selectedTabId) {
+ return null;
+ }
+
return (
<>
{
- const defaultTab = tabs[0].id;
+ const defaultTab = tabs.length > 0 ? tabs[0].id : undefined;
if (!path) return defaultTab;
return tabs.find((tab) => tab.id === path.tab)?.id ?? defaultTab;
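Review bot: The new `if (!selectedTabId) return null;` makes the whole panel render nothing, and no comment in the hunk says when that is expected. A comment above the guard would record the intent, for example `// tabs is empty, so no default tab could be chosen: render nothing instead of an empty panel`. The `defaultTab` change further down now yields `undefined` for an empty `tabs`, which widens the return type of the tab-selection function, so any other consumer outside this hunk would need the same guard. Both functions start and end outside the visible lines.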
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks/use_managed_user.test.ts b/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks/use_managed_user.test.ts
index 1e40f66b70242..5a26600948267 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks/use_managed_user.test.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks/use_managed_user.test.ts
@@ -38,18 +38,28 @@ jest.mock('../../../../../common/hooks/use_space_id', () => ({
useSpaceId: () => 'test-space-id',
}));
+const mockUseIsExperimentalFeatureEnabled = jest.fn().mockReturnValue(true);
+
+jest.mock('../../../../../common/hooks/use_experimental_features', () => ({
+ useIsExperimentalFeatureEnabled: () => mockUseIsExperimentalFeatureEnabled(),
+}));
+
const mockSearch = jest.fn().mockReturnValue({
data: [],
});
+const useSearchStrategyDefaultResponse = {
+ loading: false,
+ result: { users: [] },
+ search: (...params: unknown[]) => mockSearch(...params),
+ refetch: () => {},
+ inspect: {},
+};
+
+const mockUseSearchStrategy = jest.fn().mockReturnValue(useSearchStrategyDefaultResponse);
+
jest.mock('../../../../../common/containers/use_search_strategy', () => ({
- useSearchStrategy: () => ({
- loading: false,
- result: { users: [] },
- search: (...params: unknown[]) => mockSearch(...params),
- refetch: () => {},
- inspect: {},
- }),
+ useSearchStrategy: () => mockUseSearchStrategy(),
}));
describe('useManagedUser', () => {
@@ -108,4 +118,28 @@ describe('useManagedUser', () => {
})
);
});
+
+ it('should not search if the feature is disabled', () => {
+ mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+ renderHook(() => useManagedUser('test-userName', undefined, false), {
+ wrapper: TestProviders,
+ });
+
+ expect(mockSearch).not.toHaveBeenCalled();
+ });
+
+ it('should return loading false when the feature is disabled', () => {
+ mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+ mockUseInstalledIntegrations.mockReturnValue({
+ data: [],
+ isLoading: true,
+ });
+ mockUseSearchStrategy.mockReturnValue({ ...useSearchStrategyDefaultResponse, loading: true });
+
+ const { result } = renderHook(() => useManagedUser('test-userName', undefined, false), {
+ wrapper: TestProviders,
+ });
+
+ expect(result.current.isLoading).toBeFalsy();
+ });
});
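Review bot: Both new cases override shared mocks with `mockReturnValue(...)`, which persists after the test ends, so `mockUseIsExperimentalFeatureEnabled` stays `false` and `mockUseSearchStrategy` / `mockUseInstalledIntegrations` stay in the loading state for anything that runs later. Unless a `beforeEach` outside this hunk restores them, a case added below would silently run with the feature disabled. Restoring the defaults in `beforeEach` would make the cases order-independent: `mockUseIsExperimentalFeatureEnabled.mockReturnValue(true);` and `mockUseSearchStrategy.mockReturnValue(useSearchStrategyDefaultResponse);`. The `expect(mockSearch).not.toHaveBeenCalled()` assertion likewise depends on the call history being cleared between tests, which is not visible here.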
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks/use_managed_user.ts b/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks/use_managed_user.ts
index 6eb7e385ea0b1..2b98529163895 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks/use_managed_user.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks/use_managed_user.ts
@@ -37,7 +37,7 @@ export const useManagedUser = (
email: string[] | undefined,
isLoading?: boolean
): ManagedUserData => {
- const skip = useIsExperimentalFeatureEnabled('newUserDetailsFlyoutManagedUser');
+ const skip = !useIsExperimentalFeatureEnabled('newUserDetailsFlyoutManagedUser');
const { to, from, isInitializing, deleteQuery, setQuery } = useGlobalTime();
const spaceId = useSpaceId();
const {
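Review bot: `skip` is assigned the negation of a hook result in a single expression, and the previous line shows how easily that polarity is inverted without anyone noticing. Naming the flag first would make the intent readable at a glance: `const isManagedUserEnabled = useIsExperimentalFeatureEnabled('newUserDetailsFlyoutManagedUser');` followed by `const skip = !isManagedUserEnabled;`. The body of useManagedUser continues outside the hunk.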
@@ -95,9 +95,9 @@ export const useManagedUser = (
return useMemo(
() => ({
data: managedUserData,
- isLoading: loadingManagedUser || loadingIntegrations,
+ isLoading: skip ? false : loadingManagedUser || loadingIntegrations,
isIntegrationEnabled,
}),
- [isIntegrationEnabled, loadingIntegrations, loadingManagedUser, managedUserData]
+ [isIntegrationEnabled, loadingIntegrations, loadingManagedUser, managedUserData, skip]
);
};
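Review bot: Only `isLoading` is forced off when `skip` is true; `data` and `isIntegrationEnabled` are still returned as computed. The companion test in this commit mocks the installed-integrations hook as still answering while the flag is off, which suggests (not shown in this hunk) that `isIntegrationEnabled` can be true with the feature disabled. If consumers use it to decide whether to show managed-user UI, consider `isIntegrationEnabled: !skip && isIntegrationEnabled`, or add a comment stating that callers must check the feature flag themselves. The start of useManagedUser is outside this hunk.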
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/managed_user_accordion.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/managed_user_accordion.tsx
index ad8b089adc168..6de3c45fc5786 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/managed_user_accordion.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/managed_user_accordion.tsx
@@ -38,6 +38,7 @@ export const ManagedUserAccordion: React.FC = ({
return (
{
cy.task('esArchiverLoad', { archiveName: 'risk_scores_new_complete_data' });
cy.task('esArchiverLoad', { archiveName: 'query_alert', useCreate: true, docsOnly: true });
+ cy.task('esArchiverLoad', { archiveName: 'user_managed_data' });
});
after(() => {
cy.task('esArchiverUnload', 'risk_scores_new_complete_data');
+ cy.task('esArchiverUnload', 'user_managed_data');
deleteAlertsAndRules(); // esArchiverUnload doesn't work properly when using with `useCreate` and `docsOnly` flags
deleteCriticality({ idField: 'host.name', idValue: SIEM_KIBANA_HOST_NAME });
deleteCriticality({ idField: 'user.name', idValue: USER_NAME });
@@ -80,39 +97,73 @@ describe(
cy.get(RISK_INPUT_PANEL_HEADER).should('exist');
});
- it('should show asset criticality in the risk input panel', () => {
- expandFirstAlertUserFlyout();
- expandRiskInputsFlyoutPanel();
- cy.get(ASSET_CRITICALITY_BADGE).should('contain.text', 'Very important');
- });
-
- it('should display asset criticality accordion', () => {
- cy.log('asset criticality');
- expandFirstAlertUserFlyout();
- cy.get(ENTITY_DETAILS_FLYOUT_ASSET_CRITICALITY_SELECTOR).should(
- 'contain.text',
- 'Asset Criticality'
- );
-
- cy.get(ENTITY_DETAILS_FLYOUT_ASSET_CRITICALITY_BUTTON).should('have.text', 'Create');
- });
- it('should display asset criticality modal', () => {
- cy.log('asset criticality modal');
- expandFirstAlertUserFlyout();
- toggleAssetCriticalityModal();
- cy.get(ENTITY_DETAILS_FLYOUT_ASSET_CRITICALITY_MODAL_TITLE).should(
- 'have.text',
- 'Pick asset criticality level'
- );
+ describe('Asset criticality', () => {
+ it('should show asset criticality in the risk input panel', () => {
+ expandFirstAlertUserFlyout();
+ expandRiskInputsFlyoutPanel();
+ cy.get(ASSET_CRITICALITY_BADGE).should('contain.text', 'Very important');
+ });
+
+ it('should display asset criticality accordion', () => {
+ cy.log('asset criticality');
+ expandFirstAlertUserFlyout();
+ cy.get(ENTITY_DETAILS_FLYOUT_ASSET_CRITICALITY_SELECTOR).should(
+ 'contain.text',
+ 'Asset Criticality'
+ );
+
+ cy.get(ENTITY_DETAILS_FLYOUT_ASSET_CRITICALITY_BUTTON).should('have.text', 'Create');
+ });
+
+ it('should display asset criticality modal', () => {
+ cy.log('asset criticality modal');
+ expandFirstAlertUserFlyout();
+ toggleAssetCriticalityModal();
+ cy.get(ENTITY_DETAILS_FLYOUT_ASSET_CRITICALITY_MODAL_TITLE).should(
+ 'have.text',
+ 'Pick asset criticality level'
+ );
+ });
+
+ it('should update asset criticality state', () => {
+ cy.log('asset criticality update');
+ expandFirstAlertUserFlyout();
+ selectAssetCriticalityLevel('Important');
+ cy.get(ENTITY_DETAILS_FLYOUT_ASSET_CRITICALITY_LEVEL)
+ .contains('Important')
+ .should('be.visible');
+ });
});
- it('should update asset criticality state', () => {
- cy.log('asset criticality update');
- expandFirstAlertUserFlyout();
- selectAssetCriticalityLevel('Important');
- cy.get(ENTITY_DETAILS_FLYOUT_ASSET_CRITICALITY_LEVEL)
- .contains('Important')
- .should('be.visible');
+ describe('Managed data section', () => {
+ beforeEach(() => {
+ mockFleetInstalledIntegrations([
+ {
+ package_name: ENTRA_ID_PACKAGE_NAME,
+ is_enabled: true,
+ package_title: 'azure entra',
+ package_version: 'test_package_version',
+ },
+ {
+ package_name: OKTA_PACKAGE_NAME,
+ is_enabled: true,
+ package_title: 'okta',
+ package_version: 'test_package_version',
+ },
+ ]);
+ });
+
+ it('should show okta and azure managed data sections and expand panel', () => {
+ expandFirstAlertUserFlyout();
+
+ expandManagedDataEntraPanel();
+ cy.get(ENTRA_DOCUMENT_TAB).should('have.attr', 'aria-selected');
+ cy.get(ASSET_TYPE_FIELD).should('contain.text', 'microsoft_entra_id_user');
+
+ expandManagedDataOktaPanel();
+ cy.get(OKTA_DOCUMENT_TAB).should('have.attr', 'aria-selected');
+ cy.get(ASSET_TYPE_FIELD).should('contain.text', 'okta_user');
+ });
});
});
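Review bot: `cy.get(ENTRA_DOCUMENT_TAB).should('have.attr', 'aria-selected')` and the matching `OKTA_DOCUMENT_TAB` assertion only check that the attribute exists, so they would also pass on a tab carrying `aria-selected="false"`. Pin the value instead: `cy.get(ENTRA_DOCUMENT_TAB).should('have.attr', 'aria-selected', 'true');` and the same for the Okta tab. The enclosing `describe` starts outside the hunk.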
diff --git a/x-pack/test/security_solution_cypress/cypress/screens/hosts/flyout_user_panel.ts b/x-pack/test/security_solution_cypress/cypress/screens/users/flyout_asset_panel.ts
similarity index 53%
rename from x-pack/test/security_solution_cypress/cypress/screens/hosts/flyout_user_panel.ts
rename to x-pack/test/security_solution_cypress/cypress/screens/users/flyout_asset_panel.ts
index 170c87349fe45..d83ad90de215e 100644
--- a/x-pack/test/security_solution_cypress/cypress/screens/hosts/flyout_user_panel.ts
+++ b/x-pack/test/security_solution_cypress/cypress/screens/users/flyout_asset_panel.ts
@@ -7,4 +7,8 @@
import { getDataTestSubjectSelector } from '../../helpers/common';
-export const USER_PANEL_HEADER = getDataTestSubjectSelector('user-panel-header');
+export const ASSET_TYPE_FIELD = getDataTestSubjectSelector('event-field-asset.type');
+
+export const OKTA_DOCUMENT_TAB = getDataTestSubjectSelector('securitySolutionFlyoutOktaTab');
+
+export const ENTRA_DOCUMENT_TAB = getDataTestSubjectSelector('securitySolutionFlyoutEntraTab');
diff --git a/x-pack/test/security_solution_cypress/cypress/screens/users/flyout_user_panel.ts b/x-pack/test/security_solution_cypress/cypress/screens/users/flyout_user_panel.ts
new file mode 100644
index 0000000000000..40507311d424d
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/screens/users/flyout_user_panel.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getDataTestSubjectSelector } from '../../helpers/common';
+
+export const USER_PANEL_HEADER = getDataTestSubjectSelector('user-panel-header');
+
+const MANAGED_DATA_SECTION = getDataTestSubjectSelector('managedUser-data');
+
+export const OKTA_MANAGED_DATA_TITLE = `${MANAGED_DATA_SECTION} ${getDataTestSubjectSelector(
+ 'managed-user-accordion-userAssetOktaLeftSection'
+)}`;
+
+export const ENTRA_MANAGED_DATA_TITLE = `${MANAGED_DATA_SECTION} ${getDataTestSubjectSelector(
+ 'managed-user-accordion-userAssetEntraLeftSection'
+)}`;
diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/fleet_integrations.ts b/x-pack/test/security_solution_cypress/cypress/tasks/fleet_integrations.ts
new file mode 100644
index 0000000000000..bafc80b383547
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/tasks/fleet_integrations.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+ GET_INSTALLED_INTEGRATIONS_URL,
+ InstalledIntegration,
+} from '@kbn/security-solution-plugin/common/api/detection_engine';
+
+export const mockFleetInstalledIntegrations = (integrations: InstalledIntegration[] = []) => {
+ cy.intercept('GET', `${GET_INSTALLED_INTEGRATIONS_URL}*`, {
+ statusCode: 200,
+ body: {
+ installed_integrations: integrations,
+ },
+ }).as('installedIntegrations');
+};
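Review bot: `mockFleetInstalledIntegrations` has no doc comment, and two things about it are not obvious at the call site: it replaces the real installed-integrations response for every matching GET (the trailing `*` matches any suffix on the URL), and it registers the alias `installedIntegrations`. A one-line TSDoc would cover it, for example `/** Stubs the installed-integrations API so the UI sees exactly the given integrations; aliased as @installedIntegrations for cy.wait. */`. Since specs that call this never reach the real endpoint, the comment should also say that the integration check itself is not exercised. `InstalledIntegration` is used only as a type here and could be brought in with `import type`.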
diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/users/flyout_user_panel.ts b/x-pack/test/security_solution_cypress/cypress/tasks/users/flyout_user_panel.ts
new file mode 100644
index 0000000000000..4d9e4a3897a35
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/tasks/users/flyout_user_panel.ts
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+ ENTRA_MANAGED_DATA_TITLE,
+ OKTA_MANAGED_DATA_TITLE,
+} from '../../screens/users/flyout_user_panel';
+
+export const expandManagedDataEntraPanel = () => {
+ cy.get(ENTRA_MANAGED_DATA_TITLE).click();
+};
+
+export const expandManagedDataOktaPanel = () => {
+ cy.get(OKTA_MANAGED_DATA_TITLE).click();
+};
diff --git a/x-pack/test/security_solution_cypress/es_archives/user_managed_data/data.json b/x-pack/test/security_solution_cypress/es_archives/user_managed_data/data.json
new file mode 100644
index 0000000000000..ef3db8154650d
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/es_archives/user_managed_data/data.json
@@ -0,0 +1,220 @@
+{
+ "type": "doc",
+ "value": {
+ "id": "IYAoRo0BywOJt6WJ-NXN",
+ "data_stream": "logs-entityanalytics_okta.user-default",
+ "index": ".ds-logs-entityanalytics_okta.user-default-000001",
+ "source": {
+ "agent": {
+ "name": "docker-fleet-server",
+ "id": "62489a87-bbb5-44d1-9dd5-63c508de884b",
+ "type": "filebeat",
+ "ephemeral_id": "ea069592-b9bb-4e85-bf22-ec67bdb10394",
+ "version": "8.12.0"
+ },
+ "elastic_agent": {
+ "id": "62489a87-bbb5-44d1-9dd5-63c508de884b",
+ "version": "8.12.0",
+ "snapshot": true
+ },
+ "entityanalytics_okta": {
+ "user": {
+ "_links": {
+ "self": {
+ "href": "https://dev-36006609.okta.com/api/v1/users/00udojsvifqsBhoxR5d7"
+ }
+ },
+ "type": {
+ "id": "otyf1r6hlGf9AXhZ95d6"
+ }
+ }
+ },
+ "labels": {
+ "identity_source": "entity-analytics-entityanalytics_okta.user-73e543b5-2de4-41f8-9e7f-a9d1dbd1857c"
+ },
+ "tags": [
+ "forwarded",
+ "entityanalytics_okta-user"
+ ],
+ "input": {
+ "type": "entity-analytics"
+ },
+ "@timestamp": "2024-01-26T14:24:56.744Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "related": {
+ "user": [
+ "00udojsvifqsBhoxR5d7",
+ "user1@gmail.com",
+ "test",
+ "123"
+ ]
+ },
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "entityanalytics_okta.user"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "ingested": "2024-01-26T14:25:06Z",
+ "kind": "asset",
+ "action": "user-modified",
+ "category": [
+ "iam"
+ ],
+ "type": [
+ "user",
+ "info"
+ ],
+ "dataset": "entityanalytics_okta.user"
+ },
+ "asset": {
+ "last_updated": "2023-12-06T13:45:09.000Z",
+ "last_seen": "2023-12-06T13:45:09.000Z",
+ "last_status_change_date": "2023-12-06T13:45:09.000Z",
+ "id": "00udojsvifqsBhoxR5d7",
+ "category": "entity",
+ "type": "okta_user",
+ "create_date": "2023-12-06T13:44:23.000Z",
+ "status": "ACTIVE"
+ },
+ "user": {
+ "profile": {
+ "last_name": "123",
+ "first_name": "test",
+ "status": "ACTIVE"
+ },
+ "name": "user1",
+ "id": "00udojsvifqsBhoxR5d7",
+ "account": {
+ "change_date": "2023-12-06T13:45:09.000Z",
+ "password_change_date": "2023-12-06T13:45:09.000Z",
+ "activated_date": "2023-12-06T13:44:23.000Z",
+ "create_date": "2023-12-06T13:44:23.000Z",
+ "status": {
+ "password_expired": false,
+ "deprovisioned": false,
+ "locked_out": false,
+ "recovery": false,
+ "suspended": false
+ }
+ },
+ "email": "user1@gmail.com"
+ }
+ }
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "id": "uYSkRo0Bc35HUGZSHMQR",
+ "data_stream": "logs-entityanalytics_entra_id.user-default",
+ "index": ".ds-logs-entityanalytics_entra_id.user-default",
+ "source": {
+ "agent": {
+ "name": "ingest-linux-1",
+ "id": "adb765aa-365b-4f27-8111-bca5bf3d51d3",
+ "type": "filebeat",
+ "ephemeral_id": "3228f5dd-b26b-4eae-b8ff-1d3941688e0a",
+ "version": "8.12.0"
+ },
+ "elastic_agent": {
+ "id": "adb765aa-365b-4f27-8111-bca5bf3d51d3",
+ "version": "8.12.0",
+ "snapshot": true
+ },
+ "labels": {
+ "identity_source": "entity-analytics-entityanalytics_entra_id.entity-297a838e-1c2d-42f1-8c47-c576bc5424d3"
+ },
+ "tags": [
+ "users-entities",
+ "forwarded",
+ "entityanalytics_entra_id-entity"
+ ],
+ "cloud": {
+ "availability_zone": "us-central1-c",
+ "instance": {
+ "name": "ingest-linux-1",
+ "id": "8765304135675025125"
+ },
+ "provider": "gcp",
+ "service": {
+ "name": "GCE"
+ },
+ "machine": {
+ "type": "n1-standard-1"
+ },
+ "project": {
+ "id": "elastic-siem"
+ },
+ "region": "us-central1",
+ "account": {
+ "id": "elastic-siem"
+ }
+ },
+ "input": {
+ "type": "entity-analytics"
+ },
+ "@timestamp": "2024-01-29T08:39:39.340Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "related": {
+ "user": [
+ "user1@elastic.co",
+ "user1_elastic.co#EXT#@azure2elasticsearch.onmicrosoft.com",
+ "user1",
+ "b6bcbd11-7e2b-4d6a-9dbe-f3c487c6cf7a"
+ ]
+ },
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "entityanalytics_entra_id.user"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "ingested": "2024-01-29T08:39:49Z",
+ "kind": "asset",
+ "action": "user-modified",
+ "category": [
+ "iam"
+ ],
+ "type": [
+ "user",
+ "info"
+ ],
+ "dataset": "entityanalytics_entra_id.user"
+ },
+ "asset": {
+ "id": "b6bcbd11-7e2b-4d6a-9dbe-f3c487c6cf7a",
+ "category": "entity",
+ "type": "microsoft_entra_id_user",
+ "group": [
+ {
+ "name": "obs-integrations",
+ "id": "ee4d999c-57f2-4213-adac-6192582b8649"
+ }
+ ]
+ },
+ "user": {
+ "full_name": "user1 Test",
+ "name": "user1",
+ "last_name": "Test",
+ "id": "b6bcbd11-7e2b-4d6a-9dbe-f3c487c6cf7a",
+ "first_name": "user1",
+ "job_title": "user1@elastic.co",
+ "email": "user1@elastic.co",
+ "group": [
+ {
+ "name": "obs-integrations",
+ "id": "ee4d999c-57f2-4213-adac-6192582b8649"
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
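Review bot: This fixture reads like an export from a live environment rather than constructed data. It carries an Okta org URL (`dev-36006609.okta.com`), an Entra tenant domain (`azure2elasticsearch.onmicrosoft.com`), a GCP project id (`elastic-siem`), agent and instance ids, and mailbox addresses on real domains (`user1@gmail.com`, `user1@elastic.co`). Test archives tend to be long-lived and copied around, so these are worth replacing with obviously synthetic values such as `user1@example.com` and an `example.com` host before merge. The Cypress spec in this commit asserts only on `asset.type`, so as far as the visible test goes the other values are free to change, though `user.name` presumably has to keep matching the alert's user. The file also ends without a trailing newline.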
diff --git a/x-pack/test/security_solution_cypress/es_archives/user_managed_data/mappings.json b/x-pack/test/security_solution_cypress/es_archives/user_managed_data/mappings.json
new file mode 100644
index 0000000000000..c8d6c4ad73294
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/es_archives/user_managed_data/mappings.json
@@ -0,0 +1,1277 @@
+{
+ "type": "data_stream",
+ "value": {
+ "data_stream": "logs-entityanalytics_okta.user-default",
+ "template": {
+ "_meta": {
+ "managed": true,
+ "namespace": "default"
+ },
+ "data_stream": {
+ "hidden": false
+ },
+ "index_patterns": [
+ "logs-entityanalytics_okta.user-default"
+ ],
+ "name": "logs-entityanalytics_okta.user-default-index-template",
+ "template": {
+ "mappings": {
+ "dynamic": false,
+ "properties": {
+ "@timestamp": {
+ "type": "date",
+ "ignore_malformed": false
+ },
+ "agent": {
+ "properties": {
+ "ephemeral_id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "version": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "asset": {
+ "properties": {
+ "category": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "costCenter": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "create_date": {
+ "type": "date"
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "last_seen": {
+ "type": "date"
+ },
+ "last_status_change_date": {
+ "type": "date"
+ },
+ "last_updated": {
+ "type": "date"
+ },
+ "name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "status": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "vendor": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "data_stream": {
+ "properties": {
+ "dataset": {
+ "type": "constant_keyword",
+ "value": "entityanalytics_okta.user"
+ },
+ "namespace": {
+ "type": "constant_keyword",
+ "value": "default"
+ },
+ "type": {
+ "type": "constant_keyword",
+ "value": "logs"
+ }
+ }
+ },
+ "ecs": {
+ "properties": {
+ "version": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "elastic_agent": {
+ "properties": {
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "snapshot": {
+ "type": "boolean"
+ },
+ "version": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "entityanalytics_okta": {
+ "properties": {
+ "user": {
+ "properties": {
+ "_embedded": {
+ "type": "flattened"
+ },
+ "_links": {
+ "type": "flattened"
+ },
+ "activated": {
+ "type": "date"
+ },
+ "created": {
+ "type": "date"
+ },
+ "credentials": {
+ "properties": {
+ "provider": {
+ "properties": {
+ "name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ }
+ }
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "last_login": {
+ "type": "date"
+ },
+ "last_updated": {
+ "type": "date"
+ },
+ "password_changed": {
+ "type": "date"
+ },
+ "profile": {
+ "properties": {
+ "city": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "cost_center": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "country_code": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "department": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "display_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "division": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "email": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "employee_number": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "first_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "honorific": {
+ "properties": {
+ "prefix": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "suffix": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "last_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "locale": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "login": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "manager": {
+ "properties": {
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "middle_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mobile_phone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "nick_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "organization": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "postal_address": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "preferred_language": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "primary_phone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "second_email": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "state": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "street_address": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "timezone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "title": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "url": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "user_type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "zip_code": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "status": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "status_changed": {
+ "type": "date"
+ },
+ "transitioning_to_status": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "type": {
+ "type": "flattened"
+ }
+ }
+ }
+ }
+ },
+ "event": {
+ "properties": {
+ "action": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "agent_id_status": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "category": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "dataset": {
+ "type": "constant_keyword",
+ "value": "entityanalytics_okta.user"
+ },
+ "end": {
+ "type": "date"
+ },
+ "ingested": {
+ "type": "date",
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis"
+ },
+ "kind": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "module": {
+ "type": "constant_keyword",
+ "value": "entityanalytics_okta"
+ },
+ "start": {
+ "type": "date"
+ },
+ "type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "input": {
+ "properties": {
+ "type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "labels": {
+ "properties": {
+ "identity_source": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "log": {
+ "properties": {
+ "offset": {
+ "type": "long"
+ }
+ }
+ },
+ "related": {
+ "properties": {
+ "user": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "tags": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "user": {
+ "properties": {
+ "account": {
+ "properties": {
+ "activated_date": {
+ "type": "date"
+ },
+ "change_date": {
+ "type": "date"
+ },
+ "create_date": {
+ "type": "date"
+ },
+ "password_change_date": {
+ "type": "date"
+ },
+ "status": {
+ "properties": {
+ "deprovisioned": {
+ "type": "boolean"
+ },
+ "locked_out": {
+ "type": "boolean"
+ },
+ "password_expired": {
+ "type": "boolean"
+ },
+ "recovery": {
+ "type": "boolean"
+ },
+ "suspended": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+ },
+ "email": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "full_name": {
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
+ },
+ "geo": {
+ "properties": {
+ "city_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "country_iso_code": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "postal_code": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "region_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "timezone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
+ },
+ "organization": {
+ "properties": {
+ "name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "profile": {
+ "properties": {
+ "department": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "first_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "job_title": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "last_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "manager": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mobile_phone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "other_identities": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "primaryPhone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "secondEmail": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "status": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+{
+ "type": "data_stream",
+ "value": {
+ "data_stream": "logs-entityanalytics_entra_id.user-default",
+ "template": {
+ "_meta": {
+ "managed": true,
+ "namespace": "default"
+ },
+ "data_stream": {
+ "hidden": false
+ },
+ "index_patterns": [
+ "logs-entityanalytics_entra_id.user-default"
+ ],
+ "name": "logs-entityanalytics_entra_id.user-default-index-template",
+ "template": {
+ "mappings": {
+ "dynamic": false,
+ "properties": {
+ "@timestamp": {
+ "type": "date",
+ "ignore_malformed": false
+ },
+ "agent": {
+ "properties": {
+ "ephemeral_id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "version": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "asset": {
+ "properties": {
+ "category": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "first_seen": {
+ "type": "date"
+ },
+ "group": {
+ "properties": {
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "is_managed": {
+ "type": "boolean"
+ },
+ "last_seen": {
+ "type": "date"
+ },
+ "last_updated": {
+ "type": "date"
+ },
+ "model": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "status": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "tags": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "vendor": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "version": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "cloud": {
+ "properties": {
+ "account": {
+ "properties": {
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "availability_zone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "instance": {
+ "properties": {
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
+ }
+ }
+ },
+ "machine": {
+ "properties": {
+ "type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "project": {
+ "properties": {
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "provider": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "region": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "service": {
+ "properties": {
+ "name": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "data_stream": {
+ "properties": {
+ "dataset": {
+ "type": "constant_keyword",
+ "value": "entityanalytics_entra_id.entity"
+ },
+ "namespace": {
+ "type": "constant_keyword",
+ "value": "default"
+ },
+ "type": {
+ "type": "constant_keyword",
+ "value": "logs"
+ }
+ }
+ },
+ "device": {
+ "properties": {
+ "group": {
+ "properties": {
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "registered_owners": {
+ "properties": {
+ "business_phones": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "display_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "given_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "job_title": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mail": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mobile_phone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "surname": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "user_principal_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "registered_users": {
+ "properties": {
+ "business_phones": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "display_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "given_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "job_title": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mail": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mobile_phone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "surname": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "user_principal_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ }
+ }
+ },
+ "ecs": {
+ "properties": {
+ "version": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "elastic_agent": {
+ "properties": {
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "snapshot": {
+ "type": "boolean"
+ },
+ "version": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "entityanalytics_entra_id": {
+ "properties": {
+ "device": {
+ "dynamic": "true",
+ "properties": {
+ "account_enabled": {
+ "type": "boolean"
+ },
+ "alternative_security_ids": {
+ "properties": {
+ "identity_provider": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "key": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "type": {
+ "type": "long"
+ }
+ }
+ },
+ "approximate_last_sign_in_date_time": {
+ "type": "date"
+ },
+ "category": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "compliance_expiration_date_time": {
+ "type": "date"
+ },
+ "d_id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "display_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "enrollment_profile_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "extension_attributes": {
+ "type": "object",
+ "dynamic": "true"
+ },
+ "group": {
+ "properties": {
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "is_compliant": {
+ "type": "boolean"
+ },
+ "is_managed": {
+ "type": "boolean"
+ },
+ "manufacturer": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mdm_app_id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "metadata": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "model": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "on_premises_last_sync_date_time": {
+ "type": "date"
+ },
+ "on_premises_sync_enabled": {
+ "type": "boolean"
+ },
+ "operating_system": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "operating_system_version": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "ownership": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "physical_ids": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "profile_type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "registered_owners": {
+ "properties": {
+ "business_phones": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "display_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "given_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "job_title": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mail": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mobile_phone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "surname": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "user_principal_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "registered_users": {
+ "properties": {
+ "business_phones": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "display_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "given_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "job_title": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mail": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mobile_phone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "surname": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "user_principal_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "registration_date_time": {
+ "type": "date"
+ },
+ "system_labels": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "trust_type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "version": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "user": {
+ "properties": {
+ "account_enabled": {
+ "type": "boolean"
+ },
+ "business_phones": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "display_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "given_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "group": {
+ "properties": {
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "job_title": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mail": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "mobile_phone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "office_location": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "preferred_language": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "surname": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "user_principal_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ }
+ }
+ },
+ "event": {
+ "properties": {
+ "action": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "agent_id_status": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "dataset": {
+ "type": "constant_keyword",
+ "value": "entityanalytics_entra_id.entity"
+ },
+ "end": {
+ "type": "date"
+ },
+ "ingested": {
+ "type": "date",
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis"
+ },
+ "kind": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "message": {
+ "type": "text"
+ },
+ "module": {
+ "type": "constant_keyword",
+ "value": "entityanalytics_entra_id"
+ },
+ "provider": {
+ "type": "constant_keyword",
+ "value": "Microsoft Entra ID"
+ },
+ "start": {
+ "type": "date"
+ }
+ }
+ },
+ "input": {
+ "properties": {
+ "type": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "labels": {
+ "properties": {
+ "identity_source": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "log": {
+ "properties": {
+ "file": {
+ "properties": {
+ "path": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "flags": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "offset": {
+ "type": "long"
+ }
+ }
+ },
+ "tags": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "user": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "first_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "group": {
+ "properties": {
+ "id": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ },
+ "job_title": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "last_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "phone": {
+ "type": "keyword",
+ "ignore_above": 1024
+ },
+ "work": {
+ "properties": {
+ "location_name": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file