Mappings API
The following APIs can be used for a number of mapping-related tasks, from creating mappings to getting and updating them.
Get mappings view
This API returns a view of the fields contained in an index that is used as a log source.
Request body fields
The following fields are used to get field mappings.
Field | Type | Description |
---|---|---|
index_name | String | The name of the index used for log ingestion. |
rule_topic | String | The log type of the index. |
Example request
GET /_plugins/_security_analytics/mappings/view
{
"index_name": "windows",
"rule_topic": "windows"
}
Example response
{
"properties": {
"windows-event_data-CommandLine": {
"path": "CommandLine",
"type": "alias"
},
"event_uid": {
"path": "EventID",
"type": "alias"
}
},
"unmapped_index_fields": [
"windows-event_data-CommandLine",
"unmapped_HiveName",
"src_ip",
"sha1",
"processPath",
"CallerProcessName",
"CallTrace",
"AuthenticationPackageName",
"AuditSourceName",
"AuditPolicyChanges",
"AttributeValue",
"AttributeLDAPDisplayName",
"ApplicationPath",
"Application",
"AllowedToDelegateTo",
"Address",
"Action",
"AccountType",
"AccountName",
"Accesses",
"AccessMask",
"AccessList"
]
}
Create mappings
Example request
POST /_plugins/_security_analytics/mappings
{
"index_name": "windows",
"rule_topic": "windows",
"partial": true,
"alias_mappings": {
"properties": {
"event_uid": {
"type": "alias",
"path": "EventID"
}
}
}
}
Example response
{
"acknowledged": true
}
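As an added example that is not part of the original documentation, the Python helper below turns a mappings/view response into the create-mappings request body shown above: it adds aliases only for fields the view reports as unmapped, never overwrites an alias that already exists, and reports which rule fields would still be unmapped after the call. The sample view response and the alias-to-field pairs are constructed assumptions for illustration.

```python
"""Build a Security Analytics create-mappings request from a mappings/view response."""
import json

# Constructed sample: same shape as the GET /_plugins/_security_analytics/mappings/view
# response above (two aliases already present, a handful of unmapped rule fields).
VIEW_RESPONSE = {
    "properties": {
        "windows-event_data-CommandLine": {"path": "CommandLine", "type": "alias"},
        "event_uid": {"path": "EventID", "type": "alias"},
    },
    "unmapped_index_fields": [
        "windows-event_data-CommandLine",
        "src_ip",
        "sha1",
        "processPath",
        "AccountName",
    ],
}

# Constructed assumption: rule field name -> raw field name in our own index.
# These pairs are invented for the example, not a mapping shipped by the plugin.
DESIRED_ALIASES = {
    "src_ip": "SourceAddress",
    "sha1": "Hashes.SHA1",
    "AccountName": "SubjectUserName",
}


def build_create_request(index_name, rule_topic, view, desired, partial=True):
    """Return (body, still_unmapped): the POST /_plugins/_security_analytics/mappings
    body that adds the aliases from `desired` for fields the view lists as unmapped,
    and the sorted list of rule fields that remain unmapped after that request."""
    unmapped = set(view.get("unmapped_index_fields", []))
    existing = view.get("properties", {})
    properties = {}
    for alias, path in desired.items():
        if alias in existing or alias not in unmapped:
            continue  # keep existing aliases; skip fields this log type does not need
        properties[alias] = {"type": "alias", "path": path}
    body = {
        "index_name": index_name,
        "rule_topic": rule_topic,
        "partial": partial,
        "alias_mappings": {"properties": properties},
    }
    still_unmapped = sorted(unmapped - set(existing) - set(properties))
    return body, still_unmapped


if __name__ == "__main__":
    body, left = build_create_request("windows", "windows", VIEW_RESPONSE, DESIRED_ALIASES)
    print(json.dumps(body, indent=2))
    print("still unmapped:", left)
```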
Get mappings
Path parameters
Field | Type | Description |
---|---|---|
index_name | String | The name of the index used for log ingestion. Required. |
Example request
GET /_plugins/_security_analytics/mappings?index_name=windows
Example response
{
"windows": {
"mappings": {
"properties": {
"windows-event_data-CommandLine": {
"type": "alias",
"path": "CommandLine"
},
"event_uid": {
"type": "alias",
"path": "EventID"
}
}
}
}
}
Update mappings
Example request
PUT /_plugins/_security_analytics/mappings
{
"index_name": "windows",
"field": "CommandLine",
"alias": "windows-event_data-CommandLine"
}
Example response
{
"acknowledged": true
}