From de289de6c132f84927aa61ff0e417a0dfe432909 Mon Sep 17 00:00:00 2001
From: Zacqary Adam Xeper <Zacqary@users.noreply.github.com>
Date: Mon, 7 Dec 2020 14:46:26 -0600
Subject: [PATCH 1/6] [Metrics UI] Refactor Process List API to fetch only top
 processes (#84716)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../http_api/host_details/process_list.ts     | 129 +++++++++++++-
 .../node_details/tabs/processes/index.tsx     | 145 +++++++++-------
 .../tabs/processes/parse_process_list.ts      |  55 ------
 .../tabs/processes/parse_search_string.ts     |  37 ++++
 .../tabs/processes/process_row.tsx            | 124 +------------
 .../tabs/processes/process_row_charts.tsx     | 164 ++++++++++++++++++
 .../tabs/processes/processes_table.tsx        | 117 +++++--------
 .../tabs/processes/summary_table.tsx          |  14 +-
 .../inventory_view/hooks/use_process_list.ts  |  54 ++++--
 .../hooks/use_process_list_row_chart.ts       |  54 ++++++
 .../infra/server/lib/host_details/common.ts   |   6 +
 .../server/lib/host_details/process_list.ts   | 157 ++++++++++++-----
 .../lib/host_details/process_list_chart.ts    | 138 +++++++++++++++
 .../infra/server/routes/process_list/index.ts |  37 +++-
 14 files changed, 859 insertions(+), 372 deletions(-)
 delete mode 100644 x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/parse_process_list.ts
 create mode 100644 x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/parse_search_string.ts
 create mode 100644 x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row_charts.tsx
 create mode 100644 x-pack/plugins/infra/public/pages/metrics/inventory_view/hooks/use_process_list_row_chart.ts
 create mode 100644 x-pack/plugins/infra/server/lib/host_details/common.ts
 create mode 100644 x-pack/plugins/infra/server/lib/host_details/process_list_chart.ts

diff --git a/x-pack/plugins/infra/common/http_api/host_details/process_list.ts b/x-pack/plugins/infra/common/http_api/host_details/process_list.ts
index 4b4a0a54b9d13..3141d100307c4 100644
--- a/x-pack/plugins/infra/common/http_api/host_details/process_list.ts
+++ b/x-pack/plugins/infra/common/http_api/host_details/process_list.ts
@@ -5,16 +5,139 @@
  */
 
 import * as rt from 'io-ts';
-import { MetricsAPITimerangeRT, MetricsAPISeriesRT } from '../metrics_api';
+import { MetricsAPISeriesRT, MetricsAPIRow } from '../metrics_api';
+
+const AggValueRT = rt.type({
+  value: rt.number,
+});
 
 export const ProcessListAPIRequestRT = rt.type({
   hostTerm: rt.record(rt.string, rt.string),
-  timerange: MetricsAPITimerangeRT,
+  timefield: rt.string,
   indexPattern: rt.string,
+  to: rt.number,
+  sortBy: rt.type({
+    name: rt.string,
+    isAscending: rt.boolean,
+  }),
+  searchFilter: rt.array(rt.record(rt.string, rt.record(rt.string, rt.unknown))),
 });
 
-export const ProcessListAPIResponseRT = rt.array(MetricsAPISeriesRT);
+export const ProcessListAPIQueryAggregationRT = rt.type({
+  summaryEvent: rt.type({
+    summary: rt.type({
+      hits: rt.type({
+        hits: rt.array(
+          rt.type({
+            _source: rt.type({
+              system: rt.type({
+                process: rt.type({
+                  summary: rt.record(rt.string, rt.number),
+                }),
+              }),
+            }),
+          })
+        ),
+      }),
+    }),
+  }),
+  processes: rt.type({
+    filteredProcs: rt.type({
+      buckets: rt.array(
+        rt.type({
+          key: rt.string,
+          cpu: AggValueRT,
+          memory: AggValueRT,
+          startTime: rt.type({
+            value_as_string: rt.string,
+          }),
+          meta: rt.type({
+            hits: rt.type({
+              hits: rt.array(
+                rt.type({
+                  _source: rt.type({
+                    process: rt.type({
+                      pid: rt.number,
+                    }),
+                    system: rt.type({
+                      process: rt.type({
+                        state: rt.string,
+                      }),
+                    }),
+                    user: rt.type({
+                      name: rt.string,
+                    }),
+                  }),
+                })
+              ),
+            }),
+          }),
+        })
+      ),
+    }),
+  }),
+});
+
+export const ProcessListAPIResponseRT = rt.type({
+  processList: rt.array(
+    rt.type({
+      cpu: rt.number,
+      memory: rt.number,
+      startTime: rt.number,
+      pid: rt.number,
+      state: rt.string,
+      user: rt.string,
+      command: rt.string,
+    })
+  ),
+  summary: rt.record(rt.string, rt.number),
+});
+
+export type ProcessListAPIQueryAggregation = rt.TypeOf<typeof ProcessListAPIQueryAggregationRT>;
 
 export type ProcessListAPIRequest = rt.TypeOf<typeof ProcessListAPIRequestRT>;
 
 export type ProcessListAPIResponse = rt.TypeOf<typeof ProcessListAPIResponseRT>;
+
+export const ProcessListAPIChartRequestRT = rt.type({
+  hostTerm: rt.record(rt.string, rt.string),
+  timefield: rt.string,
+  indexPattern: rt.string,
+  to: rt.number,
+  command: rt.string,
+});
+
+export const ProcessListAPIChartQueryAggregationRT = rt.type({
+  process: rt.type({
+    filteredProc: rt.type({
+      buckets: rt.array(
+        rt.type({
+          timeseries: rt.type({
+            buckets: rt.array(
+              rt.type({
+                key: rt.number,
+                memory: AggValueRT,
+                cpu: AggValueRT,
+              })
+            ),
+          }),
+        })
+      ),
+    }),
+  }),
+});
+
+export const ProcessListAPIChartResponseRT = rt.type({
+  cpu: MetricsAPISeriesRT,
+  memory: MetricsAPISeriesRT,
+});
+
+export type ProcessListAPIChartQueryAggregation = rt.TypeOf<
+  typeof ProcessListAPIChartQueryAggregationRT
+>;
+
+export type ProcessListAPIChartRequest = rt.TypeOf<typeof ProcessListAPIChartRequestRT>;
+
+export type ProcessListAPIChartResponse = rt.TypeOf<typeof ProcessListAPIChartResponseRT>;
+
+export type ProcessListAPIRow = MetricsAPIRow;
diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/index.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/index.tsx
index 836d491e6210e..6ee3c9f1fae80 100644
--- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/index.tsx
+++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/index.tsx
@@ -5,16 +5,28 @@
  */
 
 import React, { useMemo, useState } from 'react';
+import { debounce } from 'lodash';
 import { i18n } from '@kbn/i18n';
-import { EuiSearchBar, EuiSpacer, EuiEmptyPrompt, EuiButton, Query } from '@elastic/eui';
-import { useProcessList } from '../../../../hooks/use_process_list';
+import { EuiSearchBar, EuiSpacer, EuiEmptyPrompt, EuiButton } from '@elastic/eui';
+import {
+  useProcessList,
+  SortBy,
+  ProcessListContextProvider,
+} from '../../../../hooks/use_process_list';
 import { TabContent, TabProps } from '../shared';
 import { STATE_NAMES } from './states';
 import { SummaryTable } from './summary_table';
 import { ProcessesTable } from './processes_table';
+import { parseSearchString } from './parse_search_string';
 
 const TabComponent = ({ currentTime, node, nodeType, options }: TabProps) => {
-  const [searchFilter, setSearchFilter] = useState<Query>(EuiSearchBar.Query.MATCH_ALL);
+  const [searchFilter, setSearchFilter] = useState<string>('');
+  const [sortBy, setSortBy] = useState<SortBy>({
+    name: 'cpu',
+    isAscending: false,
+  });
+
+  const timefield = options.fields!.timestamp;
 
   const hostTerm = useMemo(() => {
     const field =
@@ -26,69 +38,80 @@ const TabComponent = ({ currentTime, node, nodeType, options }: TabProps) => {
 
   const { loading, error, response, makeRequest: reload } = useProcessList(
     hostTerm,
-    'metricbeat-*',
-    options.fields!.timestamp,
-    currentTime
+    timefield,
+    currentTime,
+    sortBy,
+    parseSearchString(searchFilter)
   );
 
-  if (error) {
-    return (
-      <TabContent>
-        <EuiEmptyPrompt
-          iconType="tableDensityNormal"
-          title={
-            <h4>
-              {i18n.translate('xpack.infra.metrics.nodeDetails.processListError', {
-                defaultMessage: 'Unable to show process data',
-              })}
-            </h4>
-          }
-          actions={
-            <EuiButton color="primary" fill onClick={reload}>
-              {i18n.translate('xpack.infra.metrics.nodeDetails.processListRetry', {
-                defaultMessage: 'Try again',
-              })}
-            </EuiButton>
-          }
-        />
-      </TabContent>
-    );
-  }
+  const debouncedSearchOnChange = useMemo(
+    () =>
+      debounce<(props: { queryText: string }) => void>(
+        ({ queryText }) => setSearchFilter(queryText),
+        500
+      ),
+    [setSearchFilter]
+  );
 
   return (
     <TabContent>
-      <SummaryTable isLoading={loading} processList={response ?? []} />
-      <EuiSpacer size="m" />
-      <EuiSearchBar
-        query={searchFilter}
-        onChange={({ query }) => setSearchFilter(query ?? EuiSearchBar.Query.MATCH_ALL)}
-        box={{
-          incremental: true,
-          placeholder: i18n.translate('xpack.infra.metrics.nodeDetails.searchForProcesses', {
-            defaultMessage: 'Search for processes…',
-          }),
-        }}
-        filters={[
-          {
-            type: 'field_value_selection',
-            field: 'state',
-            name: 'State',
-            operator: 'exact',
-            multiSelect: false,
-            options: Object.entries(STATE_NAMES).map(([value, view]: [string, string]) => ({
-              value,
-              view,
-            })),
-          },
-        ]}
-      />
-      <EuiSpacer size="m" />
-      <ProcessesTable
-        currentTime={currentTime}
-        isLoading={loading || !response}
-        processList={response ?? []}
-        searchFilter={searchFilter}
-      />
+      <ProcessListContextProvider hostTerm={hostTerm} to={currentTime} timefield={timefield}>
+        <SummaryTable
+          isLoading={loading}
+          processSummary={(!error ? response?.summary : null) ?? { total: 0 }}
+        />
+        <EuiSpacer size="m" />
+        <EuiSearchBar
+          onChange={debouncedSearchOnChange}
+          box={{
+            incremental: true,
+            placeholder: i18n.translate('xpack.infra.metrics.nodeDetails.searchForProcesses', {
+              defaultMessage: 'Search for processes…',
+            }),
+          }}
+          filters={[
+            {
+              type: 'field_value_selection',
+              field: 'state',
+              name: 'State',
+              operator: 'exact',
+              multiSelect: false,
+              options: Object.entries(STATE_NAMES).map(([value, view]: [string, string]) => ({
+                value,
+                view,
+              })),
+            },
+          ]}
+        />
+        <EuiSpacer size="m" />
+        {!error ? (
+          <ProcessesTable
+            currentTime={currentTime}
+            isLoading={loading || !response}
+            processList={response?.processList ?? []}
+            sortBy={sortBy}
+            setSortBy={setSortBy}
+          />
+        ) : (
+          <EuiEmptyPrompt
+            iconType="tableDensityNormal"
+            title={
+              <h4>
+                {i18n.translate('xpack.infra.metrics.nodeDetails.processListError', {
+                  defaultMessage: 'Unable to show process data',
+                })}
+              </h4>
+            }
+            actions={
+              <EuiButton color="primary" fill onClick={reload}>
+                {i18n.translate('xpack.infra.metrics.nodeDetails.processListRetry', {
+                  defaultMessage: 'Try again',
+                })}
+              </EuiButton>
+            }
+          />
+        )}
+      </ProcessListContextProvider>
     </TabContent>
   );
 };
diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/parse_process_list.ts b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/parse_process_list.ts
deleted file mode 100644
index 88584ef2987e1..0000000000000
--- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/parse_process_list.ts
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { ProcessListAPIResponse } from '../../../../../../../../common/http_api';
-import { Process } from './types';
-
-export const parseProcessList = (processList: ProcessListAPIResponse) =>
-  processList.map((process) => {
-    const command = process.id;
-    let mostRecentPoint;
-    for (let i = process.rows.length - 1; i >= 0; i--) {
-      const point = process.rows[i];
-      if (point && Array.isArray(point.meta) && point.meta?.length) {
-        mostRecentPoint = point;
-        break;
-      }
-    }
-    if (!mostRecentPoint) return { command, cpu: null, memory: null, startTime: null, state: null };
-
-    const { cpu, memory } = mostRecentPoint;
-    const { system, process: processMeta, user } = (mostRecentPoint.meta as any[])[0];
-    const startTime = system.process.cpu.start_time;
-    const state = system.process.state;
-
-    const timeseries = {
-      cpu: pickTimeseries(process.rows, 'cpu'),
-      memory: pickTimeseries(process.rows, 'memory'),
-    };
-
-    return {
-      command,
-      cpu,
-      memory,
-      startTime,
-      state,
-      pid: processMeta.pid,
-      user: user.name,
-      timeseries,
-    } as Process;
-  });
-
-const pickTimeseries = (rows: any[], metricID: string) => ({
-  rows: rows.map((row) => ({
-    timestamp: row.timestamp,
-    metric_0: row[metricID],
-  })),
-  columns: [
-    { name: 'timestamp', type: 'date' },
-    { name: 'metric_0', type: 'number' },
-  ],
-  id: metricID,
-});
diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/parse_search_string.ts b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/parse_search_string.ts
new file mode 100644
index 0000000000000..455656306c8d0
--- /dev/null
+++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/parse_search_string.ts
@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+export const parseSearchString = (query: string) => {
+  if (query.trim() === '') {
+    return [
+      {
+        match_all: {},
+      },
+    ];
+  }
+  const elements = query
+    .split(' ')
+    .map((s) => s.trim())
+    .filter(Boolean);
+  const stateFilter = elements.filter((s) => s.startsWith('state='));
+  const cmdlineFilters = elements.filter((s) => !s.startsWith('state='));
+  return [
+    ...cmdlineFilters.map((clause) => ({
+      query_string: {
+        fields: ['system.process.cmdline'],
+        query: `*${escapeReservedCharacters(clause)}*`,
+        minimum_should_match: 1,
+      },
+    })),
+    ...stateFilter.map((state) => ({
+      match: {
+        'system.process.state': state.replace('state=', ''),
+      },
+    })),
+  ];
+};
+
+const escapeReservedCharacters = (clause: string) =>
+  clause.replace(/([+-=!\(\)\{\}\[\]^"~*?:\\/!]|&&|\|\|)/g, '\\$1');
diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row.tsx
index bbf4a25fc49a7..4718ed09dc9b2 100644
--- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row.tsx
+++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row.tsx
@@ -4,9 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { useState, useMemo } from 'react';
-import moment from 'moment';
-import { first, last } from 'lodash';
+import React, { useState } from 'react';
 import { i18n } from '@kbn/i18n';
 import {
   EuiTableRow,
@@ -22,18 +20,10 @@ import {
   EuiButton,
   EuiSpacer,
 } from '@elastic/eui';
-import { Axis, Chart, Settings, Position, TooltipValue, niceTimeFormatter } from '@elastic/charts';
 import { AutoSizer } from '../../../../../../../components/auto_sizer';
-import { createFormatter } from '../../../../../../../../common/formatters';
-import { useUiSetting } from '../../../../../../../../../../../src/plugins/kibana_react/public';
-import { getChartTheme } from '../../../../../metrics_explorer/components/helpers/get_chart_theme';
-import { calculateDomain } from '../../../../../metrics_explorer/components/helpers/calculate_domain';
-import { MetricsExplorerChartType } from '../../../../../metrics_explorer/hooks/use_metrics_explorer_options';
-import { MetricExplorerSeriesChart } from '../../../../../metrics_explorer/components/series_chart';
-import { MetricsExplorerAggregation } from '../../../../../../../../common/http_api';
-import { Color } from '../../../../../../../../common/color_palette';
 import { euiStyled } from '../../../../../../../../../observability/public';
 import { Process } from './types';
+import { ProcessRowCharts } from './process_row_charts';
 
 interface Props {
   cells: React.ReactNode[];
@@ -118,26 +108,7 @@ export const ProcessRow = ({ cells, item }: Props) => {
                         <CodeLine>{item.user}</CodeLine>
                       </EuiDescriptionListDescription>
                     </EuiFlexItem>
-                    <EuiFlexItem>
-                      <EuiDescriptionListTitle>{cpuMetricLabel}</EuiDescriptionListTitle>
-                      <EuiDescriptionListDescription>
-                        <ProcessChart
-                          timeseries={item.timeseries.cpu}
-                          color={Color.color2}
-                          label={cpuMetricLabel}
-                        />
-                      </EuiDescriptionListDescription>
-                    </EuiFlexItem>
-                    <EuiFlexItem>
-                      <EuiDescriptionListTitle>{memoryMetricLabel}</EuiDescriptionListTitle>
-                      <EuiDescriptionListDescription>
-                        <ProcessChart
-                          timeseries={item.timeseries.memory}
-                          color={Color.color0}
-                          label={memoryMetricLabel}
-                        />
-                      </EuiDescriptionListDescription>
-                    </EuiFlexItem>
+                    <ProcessRowCharts command={item.command} />
                   </EuiFlexGrid>
                 </EuiDescriptionList>
               </ExpandedRowCell>
@@ -149,76 +120,6 @@ export const ProcessRow = ({ cells, item }: Props) => {
   );
 };
 
-interface ProcessChartProps {
-  timeseries: Process['timeseries']['x'];
-  color: Color;
-  label: string;
-}
-const ProcessChart = ({ timeseries, color, label }: ProcessChartProps) => {
-  const chartMetric = {
-    color,
-    aggregation: 'avg' as MetricsExplorerAggregation,
-    label,
-  };
-  const isDarkMode = useUiSetting<boolean>('theme:darkMode');
-
-  const dateFormatter = useMemo(() => {
-    if (!timeseries) return () => '';
-    const firstTimestamp = first(timeseries.rows)?.timestamp;
-    const lastTimestamp = last(timeseries.rows)?.timestamp;
-
-    if (firstTimestamp == null || lastTimestamp == null) {
-      return (value: number) => `${value}`;
-    }
-
-    return niceTimeFormatter([firstTimestamp, lastTimestamp]);
-  }, [timeseries]);
-
-  const yAxisFormatter = createFormatter('percent');
-
-  const tooltipProps = {
-    headerFormatter: (tooltipValue: TooltipValue) =>
-      moment(tooltipValue.value).format('Y-MM-DD HH:mm:ss.SSS'),
-  };
-
-  const dataDomain = calculateDomain(timeseries, [chartMetric], false);
-  const domain = dataDomain
-    ? {
-        max: dataDomain.max * 1.1, // add 10% headroom.
-        min: dataDomain.min,
-      }
-    : { max: 0, min: 0 };
-
-  return (
-    <ChartContainer>
-      <Chart>
-        <MetricExplorerSeriesChart
-          type={MetricsExplorerChartType.area}
-          metric={chartMetric}
-          id="0"
-          series={timeseries}
-          stack={false}
-        />
-        <Axis
-          id={'timestamp'}
-          position={Position.Bottom}
-          showOverlappingTicks={true}
-          tickFormat={dateFormatter}
-        />
-        <Axis
-          id={'values'}
-          position={Position.Left}
-          tickFormat={yAxisFormatter}
-          domain={domain}
-          ticks={6}
-          showGridLines
-        />
-        <Settings tooltip={tooltipProps} theme={getChartTheme(isDarkMode)} />
-      </Chart>
-    </ChartContainer>
-  );
-};
-
 export const CodeLine = euiStyled(EuiCode).attrs({
   transparentBackground: true,
 })`
@@ -246,22 +147,3 @@ const ExpandedRowCell = euiStyled(EuiTableRowCell).attrs({
   padding: 0 ${(props) => props.theme.eui.paddingSizes.m};
   background-color: ${(props) => props.theme.eui.euiColorLightestShade};
 `;
-
-const ChartContainer = euiStyled.div`
-  width: 300px;
-  height: 140px;
-`;
-
-const cpuMetricLabel = i18n.translate(
-  'xpack.infra.metrics.nodeDetails.processes.expandedRowLabelCPU',
-  {
-    defaultMessage: 'CPU',
-  }
-);
-
-const memoryMetricLabel = i18n.translate(
-  'xpack.infra.metrics.nodeDetails.processes.expandedRowLabelMemory',
-  {
-    defaultMessage: 'Memory',
-  }
-);
diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row_charts.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row_charts.tsx
new file mode 100644
index 0000000000000..7b7a285b5d6b8
--- /dev/null
+++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row_charts.tsx
@@ -0,0 +1,164 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { useMemo } from 'react';
+import moment from 'moment';
+import { first, last } from 'lodash';
+import { i18n } from '@kbn/i18n';
+import {
+  EuiDescriptionListTitle,
+  EuiDescriptionListDescription,
+  EuiFlexItem,
+  EuiLoadingChart,
+  EuiEmptyPrompt,
+  EuiText,
+} from '@elastic/eui';
+import { Axis, Chart, Settings, Position, TooltipValue, niceTimeFormatter } from '@elastic/charts';
+import { createFormatter } from '../../../../../../../../common/formatters';
+import { useUiSetting } from '../../../../../../../../../../../src/plugins/kibana_react/public';
+import { getChartTheme } from '../../../../../metrics_explorer/components/helpers/get_chart_theme';
+import { calculateDomain } from '../../../../../metrics_explorer/components/helpers/calculate_domain';
+import { MetricsExplorerChartType } from '../../../../../metrics_explorer/hooks/use_metrics_explorer_options';
+import { MetricExplorerSeriesChart } from '../../../../../metrics_explorer/components/series_chart';
+import { MetricsExplorerAggregation } from '../../../../../../../../common/http_api';
+import { Color } from '../../../../../../../../common/color_palette';
+import { euiStyled } from '../../../../../../../../../observability/public';
+import { useProcessListRowChart } from '../../../../hooks/use_process_list_row_chart';
+import { Process } from './types';
+
+interface Props {
+  command: string;
+}
+
+export const ProcessRowCharts = ({ command }: Props) => {
+  const { loading, error, response } = useProcessListRowChart(command);
+
+  const isLoading = loading || !response;
+
+  const cpuChart = error ? (
+    <EuiEmptyPrompt iconType="alert" title={<EuiText>{failedToLoadChart}</EuiText>} />
+  ) : isLoading ? (
+    <EuiLoadingChart />
+  ) : (
+    <ProcessChart timeseries={response!.cpu} color={Color.color2} label={cpuMetricLabel} />
+  );
+  const memoryChart = error ? (
+    <EuiEmptyPrompt iconType="alert" title={<EuiText>{failedToLoadChart}</EuiText>} />
+  ) : isLoading ? (
+    <EuiLoadingChart />
+  ) : (
+    <ProcessChart timeseries={response!.memory} color={Color.color0} label={memoryMetricLabel} />
+  );
+
+  return (
+    <>
+      <EuiFlexItem>
+        <EuiDescriptionListTitle>{cpuMetricLabel}</EuiDescriptionListTitle>
+        <EuiDescriptionListDescription>{cpuChart}</EuiDescriptionListDescription>
+      </EuiFlexItem>
+      <EuiFlexItem>
+        <EuiDescriptionListTitle>{memoryMetricLabel}</EuiDescriptionListTitle>
+        <EuiDescriptionListDescription>{memoryChart}</EuiDescriptionListDescription>
+      </EuiFlexItem>
+    </>
+  );
+};
+
+interface ProcessChartProps {
+  timeseries: Process['timeseries']['x'];
+  color: Color;
+  label: string;
+}
+const ProcessChart = ({ timeseries, color, label }: ProcessChartProps) => {
+  const chartMetric = {
+    color,
+    aggregation: 'avg' as MetricsExplorerAggregation,
+    label,
+  };
+  const isDarkMode = useUiSetting<boolean>('theme:darkMode');
+
+  const dateFormatter = useMemo(() => {
+    if (!timeseries) return () => '';
+    const firstTimestamp = first(timeseries.rows)?.timestamp;
+    const lastTimestamp = last(timeseries.rows)?.timestamp;
+
+    if (firstTimestamp == null || lastTimestamp == null) {
+      return (value: number) => `${value}`;
+    }
+
+    return niceTimeFormatter([firstTimestamp, lastTimestamp]);
+  }, [timeseries]);
+
+  const yAxisFormatter = createFormatter('percent');
+
+  const tooltipProps = {
+    headerFormatter: (tooltipValue: TooltipValue) =>
+      moment(tooltipValue.value).format('Y-MM-DD HH:mm:ss.SSS'),
+  };
+
+  const dataDomain = calculateDomain(timeseries, [chartMetric], false);
+  const domain = dataDomain
+    ? {
+        max: dataDomain.max * 1.1, // add 10% headroom.
+        min: dataDomain.min,
+      }
+    : { max: 0, min: 0 };
+
+  return (
+    <ChartContainer>
+      <Chart>
+        <MetricExplorerSeriesChart
+          type={MetricsExplorerChartType.area}
+          metric={chartMetric}
+          id="0"
+          series={timeseries}
+          stack={false}
+        />
+        <Axis
+          id={'timestamp'}
+          position={Position.Bottom}
+          showOverlappingTicks={true}
+          tickFormat={dateFormatter}
+        />
+        <Axis
+          id={'values'}
+          position={Position.Left}
+          tickFormat={yAxisFormatter}
+          domain={domain}
+          ticks={6}
+          showGridLines
+        />
+        <Settings tooltip={tooltipProps} theme={getChartTheme(isDarkMode)} />
+      </Chart>
+    </ChartContainer>
+  );
+};
+
+const ChartContainer = euiStyled.div`
+  width: 300px;
+  height: 140px;
+`;
+
+const cpuMetricLabel = i18n.translate(
+  'xpack.infra.metrics.nodeDetails.processes.expandedRowLabelCPU',
+  {
+    defaultMessage: 'CPU',
+  }
+);
+
+const memoryMetricLabel = i18n.translate(
+  'xpack.infra.metrics.nodeDetails.processes.expandedRowLabelMemory',
+  {
+    defaultMessage: 'Memory',
+  }
+);
+
+const failedToLoadChart = i18n.translate(
+  'xpack.infra.metrics.nodeDetails.processes.failedToLoadChart',
+  {
+    defaultMessage: 'Unable to load chart',
+  }
+);
diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/processes_table.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/processes_table.tsx
index 43f3a333fda83..1952ba947761c 100644
--- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/processes_table.tsx
+++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/processes_table.tsx
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { useMemo, useState, useEffect, useCallback } from 'react';
+import React, { useMemo, useState, useCallback } from 'react';
 import { omit } from 'lodash';
 import { i18n } from '@kbn/i18n';
 import {
@@ -13,10 +13,8 @@ import {
   EuiTableBody,
   EuiTableHeaderCell,
   EuiTableRowCell,
-  EuiSpacer,
-  EuiTablePagination,
   EuiLoadingChart,
-  Query,
+  EuiEmptyPrompt,
   SortableProperties,
   LEFT_ALIGNMENT,
   RIGHT_ALIGNMENT,
@@ -24,17 +22,18 @@ import {
 import { ProcessListAPIResponse } from '../../../../../../../../common/http_api';
 import { FORMATTERS } from '../../../../../../../../common/formatters';
 import { euiStyled } from '../../../../../../../../../observability/public';
+import { SortBy } from '../../../../hooks/use_process_list';
 import { Process } from './types';
 import { ProcessRow, CodeLine } from './process_row';
-import { parseProcessList } from './parse_process_list';
 import { StateBadge } from './state_badge';
 import { STATE_ORDER } from './states';
 
 interface TableProps {
-  processList: ProcessListAPIResponse;
+  processList: ProcessListAPIResponse['processList'];
   currentTime: number;
   isLoading: boolean;
-  searchFilter: Query;
+  sortBy: SortBy;
+  setSortBy: (s: SortBy) => void;
 }
 
 function useSortableProperties<T>(
@@ -43,25 +42,21 @@ function useSortableProperties<T>(
     getValue: (obj: T) => any;
     isAscending: boolean;
   }>,
-  defaultSortProperty: string
+  defaultSortProperty: string,
+  callback: (s: SortBy) => void
 ) {
   const [sortableProperties] = useState<SortableProperties<T>>(
     new SortableProperties(sortablePropertyItems, defaultSortProperty)
   );
-  const [sortedColumn, setSortedColumn] = useState(
-    omit(sortableProperties.getSortedProperty(), 'getValue')
-  );
 
   return {
-    setSortedColumn: useCallback(
+    updateSortableProperties: useCallback(
       (property) => {
         sortableProperties.sortOn(property);
-        setSortedColumn(omit(sortableProperties.getSortedProperty(), 'getValue'));
+        callback(omit(sortableProperties.getSortedProperty(), 'getValue'));
       },
-      [sortableProperties]
+      [sortableProperties, callback]
     ),
-    sortedColumn,
-    sortItems: (items: T[]) => sortableProperties.sortItems(items),
   };
 }
 
@@ -69,28 +64,15 @@ export const ProcessesTable = ({
   processList,
   currentTime,
   isLoading,
-  searchFilter,
+  sortBy,
+  setSortBy,
 }: TableProps) => {
-  const [currentPage, setCurrentPage] = useState(0);
-  const [itemsPerPage, setItemsPerPage] = useState(10);
-  useEffect(() => setCurrentPage(0), [processList, searchFilter, itemsPerPage]);
-
-  const { sortedColumn, sortItems, setSortedColumn } = useSortableProperties<Process>(
+  const { updateSortableProperties } = useSortableProperties<Process>(
     [
-      {
-        name: 'state',
-        getValue: (item: any) => STATE_ORDER.indexOf(item.state),
-        isAscending: true,
-      },
-      {
-        name: 'command',
-        getValue: (item: any) => item.command.toLowerCase(),
-        isAscending: true,
-      },
       {
         name: 'startTime',
         getValue: (item: any) => Date.parse(item.startTime),
-        isAscending: false,
+        isAscending: true,
       },
       {
         name: 'cpu',
@@ -103,32 +85,34 @@ export const ProcessesTable = ({
         isAscending: false,
       },
     ],
-    'state'
+    'cpu',
+    setSortBy
   );
 
-  const currentItems = useMemo(() => {
-    const filteredItems = Query.execute(searchFilter, parseProcessList(processList)) as Process[];
-    if (!filteredItems.length) return [];
-    const sortedItems = sortItems(filteredItems);
-    return sortedItems;
-  }, [processList, searchFilter, sortItems]);
-
-  const pageCount = useMemo(() => Math.ceil(currentItems.length / itemsPerPage), [
-    itemsPerPage,
-    currentItems,
-  ]);
-
-  const pageStartIdx = useMemo(() => currentPage * itemsPerPage + (currentPage > 0 ? 1 : 0), [
-    currentPage,
-    itemsPerPage,
-  ]);
-  const currentItemsPage = useMemo(
-    () => currentItems.slice(pageStartIdx, pageStartIdx + itemsPerPage),
-    [pageStartIdx, currentItems, itemsPerPage]
+  const currentItems = useMemo(
+    () =>
+      processList.sort(
+        (a, b) => STATE_ORDER.indexOf(a.state) - STATE_ORDER.indexOf(b.state)
+      ) as Process[],
+    [processList]
   );
 
   if (isLoading) return <LoadingPlaceholder />;
 
+  if (currentItems.length === 0)
+    return (
+      <EuiEmptyPrompt
+        iconType="tableDensityNormal"
+        title={
+          <h4>
+            {i18n.translate('xpack.infra.metrics.nodeDetails.noProcesses', {
+              defaultMessage: 'No processes matched these search terms',
+            })}
+          </h4>
+        }
+      />
+    );
+
   return (
     <>
       <EuiTable>
@@ -139,27 +123,18 @@ export const ProcessesTable = ({
               key={`${String(column.field)}-header`}
               align={column.align ?? LEFT_ALIGNMENT}
               width={column.width}
-              onSort={column.sortable ? () => setSortedColumn(column.field) : undefined}
-              isSorted={sortedColumn.name === column.field}
-              isSortAscending={sortedColumn.name === column.field && sortedColumn.isAscending}
+              onSort={column.sortable ? () => updateSortableProperties(column.field) : undefined}
+              isSorted={sortBy.name === column.field}
+              isSortAscending={sortBy.name === column.field && sortBy.isAscending}
             >
               {column.name}
             </EuiTableHeaderCell>
           ))}
         </EuiTableHeader>
         <StyledTableBody>
-          <ProcessesTableBody items={currentItemsPage} currentTime={currentTime} />
+          <ProcessesTableBody items={currentItems} currentTime={currentTime} />
         </StyledTableBody>
       </EuiTable>
-      <EuiSpacer size="m" />
-      <EuiTablePagination
-        itemsPerPage={itemsPerPage}
-        activePage={currentPage}
-        pageCount={pageCount}
-        itemsPerPageOptions={[10, 20, 50]}
-        onChangePage={setCurrentPage}
-        onChangeItemsPerPage={setItemsPerPage}
-      />
     </>
   );
 };
@@ -213,8 +188,8 @@ const StyledTableBody = euiStyled(EuiTableBody)`
 
 const ONE_MINUTE = 60 * 1000;
 const ONE_HOUR = ONE_MINUTE * 60;
-const RuntimeCell = ({ startTime, currentTime }: { startTime: string; currentTime: number }) => {
-  const runtimeLength = currentTime - Date.parse(startTime);
+const RuntimeCell = ({ startTime, currentTime }: { startTime: number; currentTime: number }) => {
+  const runtimeLength = currentTime - startTime;
   let remainingRuntimeMS = runtimeLength;
   const runtimeHours = Math.floor(remainingRuntimeMS / ONE_HOUR);
   remainingRuntimeMS -= runtimeHours * ONE_HOUR;
@@ -244,7 +219,7 @@ const columns: Array<{
     name: i18n.translate('xpack.infra.metrics.nodeDetails.processes.columnLabelState', {
       defaultMessage: 'State',
     }),
-    sortable: true,
+    sortable: false,
     render: (state: string) => <StateBadge state={state} />,
     width: 84,
     textOnly: false,
@@ -254,7 +229,7 @@ const columns: Array<{
     name: i18n.translate('xpack.infra.metrics.nodeDetails.processes.columnLabelCommand', {
       defaultMessage: 'Command',
     }),
-    sortable: true,
+    sortable: false,
     width: '40%',
     render: (command: string) => <CodeLine>{command}</CodeLine>,
   },
@@ -265,7 +240,7 @@ const columns: Array<{
     }),
     align: RIGHT_ALIGNMENT,
     sortable: true,
-    render: (startTime: string, currentTime: number) => (
+    render: (startTime: number, currentTime: number) => (
       <RuntimeCell startTime={startTime} currentTime={currentTime} />
     ),
   },
diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/summary_table.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/summary_table.tsx
index 59becb0bf534d..6efabf1b8c0ae 100644
--- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/summary_table.tsx
+++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/summary_table.tsx
@@ -5,16 +5,15 @@
  */
 
 import React, { useMemo } from 'react';
-import { mapValues, countBy } from 'lodash';
+import { mapValues } from 'lodash';
 import { i18n } from '@kbn/i18n';
 import { EuiBasicTable, EuiLoadingSpinner, EuiBasicTableColumn } from '@elastic/eui';
 import { euiStyled } from '../../../../../../../../../observability/public';
 import { ProcessListAPIResponse } from '../../../../../../../../common/http_api';
-import { parseProcessList } from './parse_process_list';
 import { STATE_NAMES } from './states';
 
 interface Props {
-  processList: ProcessListAPIResponse;
+  processSummary: ProcessListAPIResponse['summary'];
   isLoading: boolean;
 }
 
@@ -22,18 +21,17 @@ type SummaryColumn = {
   total: number;
 } & Record<keyof typeof STATE_NAMES, number>;
 
-export const SummaryTable = ({ processList, isLoading }: Props) => {
-  const parsedList = parseProcessList(processList);
+export const SummaryTable = ({ processSummary, isLoading }: Props) => {
   const processCount = useMemo(
     () =>
       [
         {
-          total: isLoading ? -1 : parsedList.length,
+          total: isLoading ? -1 : processSummary.total,
           ...mapValues(STATE_NAMES, () => (isLoading ? -1 : 0)),
-          ...(isLoading ? [] : countBy(parsedList, 'state')),
+          ...(isLoading ? {} : processSummary),
         },
       ] as SummaryColumn[],
-    [parsedList, isLoading]
+    [processSummary, isLoading]
   );
   return (
     <StyleWrapper>
diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/hooks/use_process_list.ts b/x-pack/plugins/infra/public/pages/metrics/inventory_view/hooks/use_process_list.ts
index 8e0843fe8b278..888c4321a1905 100644
--- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/hooks/use_process_list.ts
+++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/hooks/use_process_list.ts
@@ -3,20 +3,32 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+import createContainter from 'constate';
 import { fold } from 'fp-ts/lib/Either';
 import { identity } from 'fp-ts/lib/function';
 import { pipe } from 'fp-ts/lib/pipeable';
-import { useEffect } from 'react';
+import { useEffect, useState } from 'react';
 import { ProcessListAPIResponse, ProcessListAPIResponseRT } from '../../../../../common/http_api';
 import { throwErrors, createPlainError } from '../../../../../common/runtime_types';
 import { useHTTPRequest } from '../../../../hooks/use_http_request';
+import { useSourceContext } from '../../../../containers/source';
+
+export interface SortBy {
+  name: string;
+  isAscending: boolean;
+}
 
 export function useProcessList(
   hostTerm: Record<string, string>,
-  indexPattern: string,
   timefield: string,
-  to: number
+  to: number,
+  sortBy: SortBy,
+  searchFilter: object
 ) {
+  const { createDerivedIndexPattern } = useSourceContext();
+  const indexPattern = createDerivedIndexPattern('metrics').title;
+
+  const [inErrorState, setInErrorState] = useState(false);
   const decodeResponse = (response: any) => {
     return pipe(
       ProcessListAPIResponseRT.decode(response),
@@ -24,32 +36,52 @@ export function useProcessList(
     );
   };
 
-  const timerange = {
-    field: timefield,
-    interval: 'modules',
-    to,
-    from: to - 15 * 60 * 1000, // 15 minutes
-  };
+  const parsedSortBy =
+    sortBy.name === 'runtimeLength'
+      ? {
+          ...sortBy,
+          name: 'startTime',
+        }
+      : sortBy;
 
   const { error, loading, response, makeRequest } = useHTTPRequest<ProcessListAPIResponse>(
     '/api/metrics/process_list',
     'POST',
     JSON.stringify({
       hostTerm,
-      timerange,
+      timefield,
       indexPattern,
+      to,
+      sortBy: parsedSortBy,
+      searchFilter,
     }),
     decodeResponse
   );
 
+  useEffect(() => setInErrorState(true), [error]);
+  useEffect(() => setInErrorState(false), [loading]);
+
   useEffect(() => {
     makeRequest();
   }, [makeRequest]);
 
   return {
-    error,
+    error: inErrorState,
     loading,
     response,
     makeRequest,
   };
 }
+
+function useProcessListParams(props: {
+  hostTerm: Record<string, string>;
+  timefield: string;
+  to: number;
+}) {
+  const { hostTerm, timefield, to } = props;
+  const { createDerivedIndexPattern } = useSourceContext();
+  const indexPattern = createDerivedIndexPattern('metrics').title;
+  return { hostTerm, indexPattern, timefield, to };
+}
+const ProcessListContext = createContainter(useProcessListParams);
+export const [ProcessListContextProvider, useProcessListContext] = ProcessListContext;
diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/hooks/use_process_list_row_chart.ts b/x-pack/plugins/infra/public/pages/metrics/inventory_view/hooks/use_process_list_row_chart.ts
new file mode 100644
index 0000000000000..ef638319fd9f4
--- /dev/null
+++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/hooks/use_process_list_row_chart.ts
@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { fold } from 'fp-ts/lib/Either';
+import { identity } from 'fp-ts/lib/function';
+import { pipe } from 'fp-ts/lib/pipeable';
+import { useEffect, useState } from 'react';
+import {
+  ProcessListAPIChartResponse,
+  ProcessListAPIChartResponseRT,
+} from '../../../../../common/http_api';
+import { throwErrors, createPlainError } from '../../../../../common/runtime_types';
+import { useHTTPRequest } from '../../../../hooks/use_http_request';
+import { useProcessListContext } from './use_process_list';
+
+export function useProcessListRowChart(command: string) {
+  const [inErrorState, setInErrorState] = useState(false);
+  const decodeResponse = (response: any) => {
+    return pipe(
+      ProcessListAPIChartResponseRT.decode(response),
+      fold(throwErrors(createPlainError), identity)
+    );
+  };
+  const { hostTerm, timefield, indexPattern, to } = useProcessListContext();
+
+  const { error, loading, response, makeRequest } = useHTTPRequest<ProcessListAPIChartResponse>(
+    '/api/metrics/process_list/chart',
+    'POST',
+    JSON.stringify({
+      hostTerm,
+      timefield,
+      indexPattern,
+      to,
+      command,
+    }),
+    decodeResponse
+  );
+
+  useEffect(() => setInErrorState(true), [error]);
+  useEffect(() => setInErrorState(false), [loading]);
+
+  useEffect(() => {
+    makeRequest();
+  }, [makeRequest]);
+
+  return {
+    error: inErrorState,
+    loading,
+    response,
+    makeRequest,
+  };
+}
diff --git a/x-pack/plugins/infra/server/lib/host_details/common.ts b/x-pack/plugins/infra/server/lib/host_details/common.ts
new file mode 100644
index 0000000000000..ddf606e417126
--- /dev/null
+++ b/x-pack/plugins/infra/server/lib/host_details/common.ts
@@ -0,0 +1,6 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+export const CMDLINE_FIELD = 'system.process.cmdline';
diff --git a/x-pack/plugins/infra/server/lib/host_details/process_list.ts b/x-pack/plugins/infra/server/lib/host_details/process_list.ts
index 99e8b2e8f6ab1..e9d35f3601634 100644
--- a/x-pack/plugins/infra/server/lib/host_details/process_list.ts
+++ b/x-pack/plugins/infra/server/lib/host_details/process_list.ts
@@ -4,61 +4,136 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { ProcessListAPIRequest, MetricsAPIRequest } from '../../../common/http_api';
-import { getAllMetricsData } from '../../utils/get_all_metrics_data';
-import { query } from '../metrics';
+import { ProcessListAPIRequest, ProcessListAPIQueryAggregation } from '../../../common/http_api';
 import { ESSearchClient } from '../metrics/types';
+import { CMDLINE_FIELD } from './common';
+
+const TOP_N = 10;
 
 export const getProcessList = async (
-  client: ESSearchClient,
-  { hostTerm, timerange, indexPattern }: ProcessListAPIRequest
+  search: ESSearchClient,
+  { hostTerm, timefield, indexPattern, to, sortBy, searchFilter }: ProcessListAPIRequest
 ) => {
-  const queryBody = {
-    timerange,
-    modules: ['system.cpu', 'system.memory'],
-    groupBy: ['system.process.cmdline'],
-    filters: [{ term: hostTerm }],
-    indexPattern,
-    limit: 9,
-    metrics: [
-      {
-        id: 'cpu',
-        aggregations: {
-          cpu: {
-            avg: {
-              field: 'system.process.cpu.total.norm.pct',
+  const body = {
+    size: 0,
+    query: {
+      bool: {
+        filter: [
+          {
+            range: {
+              [timefield]: {
+                gte: to - 60 * 1000, // 1 minute
+                lte: to,
+              },
             },
           },
-        },
+          {
+            term: hostTerm,
+          },
+        ],
       },
-      {
-        id: 'memory',
-        aggregations: {
-          memory: {
-            avg: {
-              field: 'system.process.memory.rss.pct',
-            },
+    },
+    aggs: {
+      summaryEvent: {
+        filter: {
+          term: {
+            'event.dataset': 'system.process.summary',
           },
         },
-      },
-      {
-        id: 'meta',
-        aggregations: {
-          meta: {
+        aggs: {
+          summary: {
             top_hits: {
               size: 1,
-              sort: [{ [timerange.field]: { order: 'desc' } }],
-              _source: [
-                'system.process.cpu.start_time',
-                'system.process.state',
-                'process.pid',
-                'user.name',
+              sort: [
+                {
+                  [timefield]: {
+                    order: 'desc',
+                  },
+                },
               ],
+              _source: ['system.process.summary'],
+            },
+          },
+        },
+      },
+      processes: {
+        filter: {
+          bool: {
+            must: searchFilter ?? [{ match_all: {} }],
+          },
+        },
+        aggs: {
+          filteredProcs: {
+            terms: {
+              field: CMDLINE_FIELD,
+              size: TOP_N,
+              order: {
+                [sortBy.name]: sortBy.isAscending ? 'asc' : 'desc',
+              },
+            },
+            aggs: {
+              cpu: {
+                avg: {
+                  field: 'system.process.cpu.total.pct',
+                },
+              },
+              memory: {
+                avg: {
+                  field: 'system.process.memory.rss.pct',
+                },
+              },
+              startTime: {
+                max: {
+                  field: 'system.process.cpu.start_time',
+                },
+              },
+              meta: {
+                top_hits: {
+                  size: 1,
+                  sort: [
+                    {
+                      [timefield]: {
+                        order: 'desc',
+                      },
+                    },
+                  ],
+                  _source: ['system.process.state', 'user.name', 'process.pid'],
+                },
+              },
             },
           },
         },
       },
-    ],
-  } as MetricsAPIRequest;
-  return await getAllMetricsData((body: MetricsAPIRequest) => query(client, body), queryBody);
+    },
+  };
+  try {
+    const result = await search<{}, ProcessListAPIQueryAggregation>({
+      body,
+      index: indexPattern,
+    });
+    const { buckets: processListBuckets } = result.aggregations!.processes.filteredProcs;
+    const processList = processListBuckets.map((bucket) => {
+      const meta = bucket.meta.hits.hits[0]._source;
+
+      return {
+        cpu: bucket.cpu.value,
+        memory: bucket.memory.value,
+        startTime: Date.parse(bucket.startTime.value_as_string),
+        pid: meta.process.pid,
+        state: meta.system.process.state,
+        user: meta.user.name,
+        command: bucket.key,
+      };
+    });
+    const {
+      summary,
+    } = result.aggregations!.summaryEvent.summary.hits.hits[0]._source.system.process;
+
+    return {
+      processList,
+      summary,
+    };
+  } catch (e) {
+    throw e;
+  }
 };
diff --git a/x-pack/plugins/infra/server/lib/host_details/process_list_chart.ts b/x-pack/plugins/infra/server/lib/host_details/process_list_chart.ts
new file mode 100644
index 0000000000000..11df1937764c8
--- /dev/null
+++ b/x-pack/plugins/infra/server/lib/host_details/process_list_chart.ts
@@ -0,0 +1,138 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { first } from 'lodash';
+import {
+  ProcessListAPIChartRequest,
+  ProcessListAPIChartQueryAggregation,
+  ProcessListAPIRow,
+  ProcessListAPIChartResponse,
+} from '../../../common/http_api';
+import { ESSearchClient } from '../metrics/types';
+import { CMDLINE_FIELD } from './common';
+
+export const getProcessListChart = async (
+  search: ESSearchClient,
+  { hostTerm, timefield, indexPattern, to, command }: ProcessListAPIChartRequest
+) => {
+  const body = {
+    size: 0,
+    query: {
+      bool: {
+        filter: [
+          {
+            range: {
+              [timefield]: {
+                gte: to - 60 * 1000, // 1 minute
+                lte: to,
+              },
+            },
+          },
+          {
+            term: hostTerm,
+          },
+        ],
+      },
+    },
+    aggs: {
+      process: {
+        filter: {
+          bool: {
+            must: [
+              {
+                match: {
+                  [CMDLINE_FIELD]: command,
+                },
+              },
+            ],
+          },
+        },
+        aggs: {
+          filteredProc: {
+            terms: {
+              field: CMDLINE_FIELD,
+              size: 1,
+            },
+            aggs: {
+              timeseries: {
+                date_histogram: {
+                  field: timefield,
+                  fixed_interval: '1m',
+                  extended_bounds: {
+                    min: to - 60 * 15 * 1000, // 15 minutes,
+                    max: to,
+                  },
+                },
+                aggs: {
+                  cpu: {
+                    avg: {
+                      field: 'system.process.cpu.total.pct',
+                    },
+                  },
+                  memory: {
+                    avg: {
+                      field: 'system.process.memory.rss.pct',
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  };
+  try {
+    const result = await search<{}, ProcessListAPIChartQueryAggregation>({
+      body,
+      index: indexPattern,
+    });
+    const { buckets } = result.aggregations!.process.filteredProc;
+    const timeseries = first(
+      buckets.map((bucket) =>
+        bucket.timeseries.buckets.reduce(
+          (tsResult, tsBucket) => {
+            tsResult.cpu.rows.push({
+              metric_0: tsBucket.cpu.value,
+              timestamp: tsBucket.key,
+            });
+            tsResult.memory.rows.push({
+              metric_0: tsBucket.memory.value,
+              timestamp: tsBucket.key,
+            });
+            return tsResult;
+          },
+          {
+            cpu: {
+              id: 'cpu',
+              columns: TS_COLUMNS,
+              rows: [] as ProcessListAPIRow[],
+            },
+            memory: {
+              id: 'memory',
+              columns: TS_COLUMNS,
+              rows: [] as ProcessListAPIRow[],
+            },
+          }
+        )
+      )
+    );
+    return timeseries as ProcessListAPIChartResponse;
+  } catch (e) {
+    throw e;
+  }
+};
+
+const TS_COLUMNS = [
+  {
+    name: 'timestamp',
+    type: 'date',
+  },
+  {
+    name: 'metric_0',
+    type: 'number',
+  },
+];
diff --git a/x-pack/plugins/infra/server/routes/process_list/index.ts b/x-pack/plugins/infra/server/routes/process_list/index.ts
index 9851613255d8d..cf7765737e78b 100644
--- a/x-pack/plugins/infra/server/routes/process_list/index.ts
+++ b/x-pack/plugins/infra/server/routes/process_list/index.ts
@@ -13,7 +13,13 @@ import { InfraBackendLibs } from '../../lib/infra_types';
 import { throwErrors } from '../../../common/runtime_types';
 import { createSearchClient } from '../../lib/create_search_client';
 import { getProcessList } from '../../lib/host_details/process_list';
-import { ProcessListAPIRequestRT, ProcessListAPIResponseRT } from '../../../common/http_api';
+import { getProcessListChart } from '../../lib/host_details/process_list_chart';
+import {
+  ProcessListAPIRequestRT,
+  ProcessListAPIResponseRT,
+  ProcessListAPIChartRequestRT,
+  ProcessListAPIChartResponseRT,
+} from '../../../common/http_api';
 
 const escapeHatch = schema.object({}, { unknowns: 'allow' });
 
@@ -47,4 +53,33 @@ export const initProcessListRoute = (libs: InfraBackendLibs) => {
       }
     }
   );
+
+  framework.registerRoute(
+    {
+      method: 'post',
+      path: '/api/metrics/process_list/chart',
+      validate: {
+        body: escapeHatch,
+      },
+    },
+    async (requestContext, request, response) => {
+      try {
+        const options = pipe(
+          ProcessListAPIChartRequestRT.decode(request.body),
+          fold(throwErrors(Boom.badRequest), identity)
+        );
+
+        const client = createSearchClient(requestContext, framework);
+        const processListResponse = await getProcessListChart(client, options);
+
+        return response.ok({
+          body: ProcessListAPIChartResponseRT.encode(processListResponse),
+        });
+      } catch (error) {
+        return response.internalError({
+          body: error.message,
+        });
+      }
+    }
+  );
 };

From 28ea225bef12a9fef72df3626549955683b76737 Mon Sep 17 00:00:00 2001
From: DeDe Morton <dede.morton@elastic.co>
Date: Mon, 7 Dec 2020 12:54:41 -0800
Subject: [PATCH 2/6] Change link text to say Fleet (#85083)

---
 docs/fleet/fleet.asciidoc             | 4 +---
 docs/settings/fleet-settings.asciidoc | 2 +-
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/docs/fleet/fleet.asciidoc b/docs/fleet/fleet.asciidoc
index 06b2b96c0035c..aac733ad8468c 100644
--- a/docs/fleet/fleet.asciidoc
+++ b/docs/fleet/fleet.asciidoc
@@ -17,8 +17,6 @@ Standalone mode requires you to manually configure and manage the agent locally.
 * An overview of the data ingest in your {es} cluster.
 * Multiple integrations to collect and transform data.
 
-//TODO: Redo screen capture.
-
 [role="screenshot"]
 image::fleet/images/fleet-start.png[{fleet} app in {kib}]
 
@@ -26,4 +24,4 @@ image::fleet/images/fleet-start.png[{fleet} app in {kib}]
 == Get started
 
 To get started with {fleet}, refer to the
-{ingest-guide}/index.html[Ingest Management Guide].
+{ingest-guide}/index.html[{fleet}] docs.
diff --git a/docs/settings/fleet-settings.asciidoc b/docs/settings/fleet-settings.asciidoc
index 9c28d28003175..abfd2d3a95bed 100644
--- a/docs/settings/fleet-settings.asciidoc
+++ b/docs/settings/fleet-settings.asciidoc
@@ -10,7 +10,7 @@ experimental[]
 You can configure `xpack.fleet` settings in your `kibana.yml`. 
 By default, {fleet} is enabled. To use {fleet}, you also need to configure {kib} and {es} hosts.
 
-See the {ingest-guide}/index.html[Ingest Management] docs for more information.
+See the {ingest-guide}/index.html[{fleet}] docs for more information.
 
 [[general-fleet-settings-kb]]
 ==== General {fleet} settings

From 1f75d0b79fa5ffda1936c798d3147b27b427f53f Mon Sep 17 00:00:00 2001
From: Dave Snider <dave.snider@gmail.com>
Date: Mon, 7 Dec 2020 12:59:45 -0800
Subject: [PATCH 3/6] Small fixes to Kibana search bar (#85079)

* Small fixes to Kibana search bar

* Animate width

* tweak for ipad breakpoint

Co-authored-by: Ryan Keairns <contactryank@gmail.com>
---
 .../__snapshots__/search_bar.test.tsx.snap    |  2 +-
 .../public/components/search_bar.scss         | 21 +++++++++++
 .../public/components/search_bar.tsx          | 36 ++++++++++---------
 3 files changed, 42 insertions(+), 17 deletions(-)
 create mode 100644 x-pack/plugins/global_search_bar/public/components/search_bar.scss

diff --git a/x-pack/plugins/global_search_bar/public/components/__snapshots__/search_bar.test.tsx.snap b/x-pack/plugins/global_search_bar/public/components/__snapshots__/search_bar.test.tsx.snap
index de45d8ea5dfaf..f5e7a030d59e3 100644
--- a/x-pack/plugins/global_search_bar/public/components/__snapshots__/search_bar.test.tsx.snap
+++ b/x-pack/plugins/global_search_bar/public/components/__snapshots__/search_bar.test.tsx.snap
@@ -35,7 +35,7 @@ exports[`SearchBar supports keyboard shortcuts 1`] = `
   aria-haspopup="listbox"
   aria-label="Filter options"
   autocomplete="off"
-  class="euiFieldSearch euiFieldSearch--fullWidth euiFieldSearch--compressed euiSelectableSearch euiSelectableTemplateSitewide__search"
+  class="euiFieldSearch euiFieldSearch--fullWidth euiFieldSearch--compressed euiSelectableSearch euiSelectableTemplateSitewide__search kbnSearchBar"
   data-test-subj="nav-search-input"
   placeholder="Search Elastic"
   type="search"
diff --git a/x-pack/plugins/global_search_bar/public/components/search_bar.scss b/x-pack/plugins/global_search_bar/public/components/search_bar.scss
new file mode 100644
index 0000000000000..eadac85c8be89
--- /dev/null
+++ b/x-pack/plugins/global_search_bar/public/components/search_bar.scss
@@ -0,0 +1,21 @@
+//TODO add these overrides to EUI so that search behaves the same globally
+.kbnSearchBar {
+  width: 400px;
+  max-width: 100%;
+  will-change: width;
+}
+
+@include euiBreakpoint('l', 'xl') {
+  .kbnSearchBar:focus {
+    animation: kbnAnimateSearchBar $euiAnimSpeedFast forwards;
+  }
+}
+
+@keyframes kbnAnimateSearchBar {
+  from {
+    width: 400px;
+  }
+  to {
+    width: 600px;
+  }
+}
diff --git a/x-pack/plugins/global_search_bar/public/components/search_bar.tsx b/x-pack/plugins/global_search_bar/public/components/search_bar.tsx
index db180d027b228..98dfe937d16cb 100644
--- a/x-pack/plugins/global_search_bar/public/components/search_bar.tsx
+++ b/x-pack/plugins/global_search_bar/public/components/search_bar.tsx
@@ -32,6 +32,7 @@ import {
 } from '../../../global_search/public';
 import { SavedObjectTaggingPluginStart } from '../../../saved_objects_tagging/public';
 import { parseSearchParams } from '../search_syntax';
+import './search_bar.scss';
 
 interface Props {
   globalSearch: GlobalSearchPluginStart['find'];
@@ -273,6 +274,7 @@ export function SearchBar({
         'data-test-subj': 'nav-search-input',
         inputRef: setSearchRef,
         compressed: true,
+        className: 'kbnSearchBar',
         placeholder: i18n.translate('xpack.globalSearchBar.searchBar.placeholder', {
           defaultMessage: 'Search Elastic',
         }),
@@ -289,16 +291,16 @@ export function SearchBar({
       emptyMessage={emptyMessage}
       noMatchesMessage={emptyMessage}
       popoverFooter={
-        <EuiText color="subdued" size="xs">
-          <EuiFlexGroup
-            alignItems="center"
-            justifyContent="spaceBetween"
-            gutterSize="s"
-            responsive={false}
-            wrap
-          >
-            <EuiFlexItem>
-              <p style={{ marginBottom: 0 }}>
+        <EuiFlexGroup
+          alignItems="center"
+          justifyContent="spaceBetween"
+          gutterSize="s"
+          responsive={false}
+          wrap
+        >
+          <EuiFlexItem>
+            <EuiText color="subdued" size="xs">
+              <p>
                 <FormattedMessage
                   id="xpack.globalSearchBar.searchBar.helpText.helpTextPrefix"
                   defaultMessage="Filter by"
@@ -312,9 +314,11 @@ export function SearchBar({
                 &nbsp;
                 <EuiCode>tag:</EuiCode>
               </p>
-            </EuiFlexItem>
-            <EuiFlexItem grow={false}>
-              <p style={{ marginBottom: 0 }}>
+            </EuiText>
+          </EuiFlexItem>
+          <EuiFlexItem grow={false}>
+            <EuiText color="subdued" size="xs">
+              <p>
                 <FormattedMessage
                   id="xpack.globalSearchBar.searchBar.shortcutDescription.shortcutDetail"
                   defaultMessage="{shortcutDescription} {commandDescription}"
@@ -343,9 +347,9 @@ export function SearchBar({
                   }}
                 />
               </p>
-            </EuiFlexItem>
-          </EuiFlexGroup>
-        </EuiText>
+            </EuiText>
+          </EuiFlexItem>
+        </EuiFlexGroup>
       }
     />
   );

From 1bc42b9171387bafafac757b3ee3e012c0b78d22 Mon Sep 17 00:00:00 2001
From: Frank Hassanabad <frank.hassanabad@elastic.co>
Date: Mon, 7 Dec 2020 15:51:12 -0700
Subject: [PATCH 4/6] [Security Solutions][Detection Engine] Fixes cypress
 errors by using latest signals mapping (#84600)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

Fixes issues within Cypress whenever developers would re-run tests they could become blocked as some of the tests cause a migration/roll over of the signals.

To reproduce the error off of master:

Start Cypress
```ts
cd ./kibana/x-pack/plugins/security_solution
yarn cypress:open-as-ci
```

Then run the export test twice. The first time it will run ok. The second time the test will refuse to run.

<img width="585" alt="Screen Shot 2020-11-30 at 1 57 24 PM" src="https://user-images.githubusercontent.com/1151048/100683706-2233c200-3336-11eb-949f-48f86e884d8b.png">

The second time that you run the test you will get these errors from Cypress and will be blocked until you do workarounds such as logging into `https://localhost:5620` and manually changing the indexes manually or restarting Cypress altogether.
<img width="1067" alt="Screen Shot 2020-11-30 at 6 05 07 PM" src="https://user-images.githubusercontent.com/1151048/100683945-9a9a8300-3336-11eb-9d49-187dee4fc1dc.png">

What is going on with the errors is that a migration is occurring since the existing signals mapping for the tests are not the newer migrated version and these are creating a new index named `.siem-signals-default-0000002` like so:
<img width="1242" alt="Screen Shot 2020-11-30 at 1 57 12 PM" src="https://user-images.githubusercontent.com/1151048/100684145-fcf38380-3336-11eb-8fe1-b29d3462a1ae.png">

This index is not being cleaned up and when the next time we do an es_archive load we are marking two indexes as being writable


file: x-pack/test/security_solution_cypress/es_archives/alerts/mappings.json
```ts
".siem-signals-default": {
  "is_write_index": true
  }
},
"index": ".siem-signals-default-000001",
```

which leads to the stack trace and the Cypress errors on the front end:

```ts
MacBook-Pro.local] path: /.siem-signals-default-000001, params: {index=.siem-signals-default-000001}
     │      java.lang.IllegalStateException: alias [.siem-signals-default] has more than one write index [.siem-signals-default-000002,.siem-signals-default-000001]
     │          at org.elasticsearch.cluster.metadata.IndexAbstraction$Alias.computeAndValidateAliasProperties(IndexAbstraction.java:276) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
```

This fixes that by updating the mapping and migration number. Each time we migrate/change the signals mapping we will have to perform a PR like this to update each location.

At the moment this is 5 different locations we have to update with the latest mappings.

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
---
 .../es_archives/alerts/mappings.json          | 2338 ++++++++++-------
 .../es_archives/closed_alerts/mappings.json   | 2335 +++++++++-------
 .../es_archives/custom_rules/mappings.json    | 2325 +++++++++-------
 .../es_archives/export_rule/mappings.json     | 2133 +++++++--------
 .../es_archives/timeline_alerts/mappings.json | 2326 +++++++++-------
 5 files changed, 6791 insertions(+), 4666 deletions(-)

diff --git a/x-pack/test/security_solution_cypress/es_archives/alerts/mappings.json b/x-pack/test/security_solution_cypress/es_archives/alerts/mappings.json
index 114faa0dae336..00a2f6fb8c8df 100644
--- a/x-pack/test/security_solution_cypress/es_archives/alerts/mappings.json
+++ b/x-pack/test/security_solution_cypress/es_archives/alerts/mappings.json
@@ -9,6 +9,9 @@
     "index": ".siem-signals-default-000001",
     "mappings": {
       "dynamic": "false",
+      "_meta": {
+        "version": 3
+      },
       "properties": {
         "@timestamp": {
           "type": "date"
@@ -16,24 +19,24 @@
         "agent": {
           "properties": {
             "ephemeral_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -45,14 +48,14 @@
             "organization": {
               "properties": {
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -61,8 +64,8 @@
         "client": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -72,14 +75,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -89,41 +92,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -131,8 +134,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -151,66 +154,66 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -221,60 +224,81 @@
             "account": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "availability_zone": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "instance": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "machine": {
               "properties": {
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "code_signature": {
+          "properties": {
+            "exists": {
+              "type": "boolean"
+            },
+            "status": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "subject_name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "trusted": {
+              "type": "boolean"
+            },
+            "valid": {
+              "type": "boolean"
             }
           }
         },
         "container": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "image": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "tag": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -282,20 +306,20 @@
               "type": "object"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "runtime": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "destination": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -305,14 +329,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -322,41 +346,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -364,8 +388,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -384,66 +408,143 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "dll": {
+          "properties": {
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha1": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha256": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha512": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "path": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             }
@@ -454,63 +555,63 @@
             "answers": {
               "properties": {
                 "class": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "data": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ttl": {
                   "type": "long"
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "header_flags": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "op_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "question": {
               "properties": {
                 "class": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "registered_domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subdomain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "top_level_domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -518,75 +619,75 @@
               "type": "ip"
             },
             "response_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "ecs": {
           "properties": {
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "error": {
           "properties": {
             "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "message": {
-              "norms": false,
-              "type": "text"
+              "type": "text",
+              "norms": false
             },
             "stack_trace": {
+              "type": "keyword",
+              "index": false,
               "doc_values": false,
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "index": false,
-              "type": "keyword"
+              }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "event": {
           "properties": {
             "action": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "created": {
               "type": "date"
             },
             "dataset": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "duration": {
               "type": "long"
@@ -595,37 +696,41 @@
               "type": "date"
             },
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ingested": {
               "type": "date"
             },
             "kind": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "module": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "original": {
-              "doc_values": false,
-              "ignore_above": 1024,
+              "type": "keyword",
               "index": false,
-              "type": "keyword"
+              "doc_values": false,
+              "ignore_above": 1024
             },
             "outcome": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "reference": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "risk_score": {
               "type": "float"
@@ -643,12 +748,16 @@
               "type": "date"
             },
             "timezone": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "url": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -658,8 +767,29 @@
               "type": "date"
             },
             "attributes": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
             },
             "created": {
               "type": "date"
@@ -668,279 +798,307 @@
               "type": "date"
             },
             "device": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "directory": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "drive_letter": {
-              "ignore_above": 1,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1
             },
             "extension": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "gid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "group": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "hash": {
               "properties": {
                 "md5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha256": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha512": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "inode": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "mime_type": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "mode": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "mtime": {
               "type": "date"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "owner": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             },
             "size": {
               "type": "long"
             },
             "target_path": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "geo": {
           "properties": {
             "city_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "continent_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "country_iso_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "country_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "location": {
               "type": "geo_point"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region_iso_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "group": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "hash": {
           "properties": {
             "md5": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha1": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha256": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha512": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "host": {
           "properties": {
             "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ip": {
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uptime": {
               "type": "long"
@@ -948,56 +1106,56 @@
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -1013,14 +1171,14 @@
                       "type": "long"
                     },
                     "content": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 },
@@ -1028,12 +1186,12 @@
                   "type": "long"
                 },
                 "method": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "referrer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -1045,14 +1203,14 @@
                       "type": "long"
                     },
                     "content": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 },
@@ -1065,8 +1223,24 @@
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "interface": {
+          "properties": {
+            "alias": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "id": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -1076,12 +1250,12 @@
         "log": {
           "properties": {
             "level": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "logger": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "origin": {
               "properties": {
@@ -1091,22 +1265,22 @@
                       "type": "integer"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "function": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "original": {
-              "doc_values": false,
-              "ignore_above": 1024,
+              "type": "keyword",
               "index": false,
-              "type": "keyword"
+              "doc_values": false,
+              "ignore_above": 1024
             },
             "syslog": {
               "properties": {
@@ -1116,8 +1290,8 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
@@ -1130,8 +1304,8 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 }
@@ -1140,308 +1314,457 @@
           }
         },
         "message": {
-          "norms": false,
-          "type": "text"
+          "type": "text",
+          "norms": false
         },
         "network": {
           "properties": {
             "application": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "bytes": {
               "type": "long"
             },
             "community_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "direction": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "forwarded_ip": {
               "type": "ip"
             },
             "iana_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "inner": {
+              "properties": {
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                }
+              }
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "packets": {
               "type": "long"
             },
             "protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "transport": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "vlan": {
+              "properties": {
+                "id": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             }
           }
         },
         "observer": {
           "properties": {
+            "egress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "zone": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
+            },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "ingress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "zone": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             },
             "ip": {
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "product": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "serial_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "vendor": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "organization": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
         "os": {
           "properties": {
             "family": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "kernel": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "platform": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "package": {
           "properties": {
             "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "build_version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "checksum": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "install_scope": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "installed": {
               "type": "date"
             },
             "license": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "size": {
               "type": "long"
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "pe": {
+          "properties": {
+            "company": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "description": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "file_version": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "original_file_name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "product": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "process": {
           "properties": {
             "args": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "args_count": {
               "type": "long"
             },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
             "command_line": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
+            },
+            "entity_id": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "executable": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "exit_code": {
               "type": "long"
@@ -1449,74 +1772,119 @@
             "hash": {
               "properties": {
                 "md5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha256": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha512": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "parent": {
               "properties": {
                 "args": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "args_count": {
                   "type": "long"
                 },
+                "code_signature": {
+                  "properties": {
+                    "exists": {
+                      "type": "boolean"
+                    },
+                    "status": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "subject_name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "trusted": {
+                      "type": "boolean"
+                    },
+                    "valid": {
+                      "type": "boolean"
+                    }
+                  }
+                },
                 "command_line": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                },
+                "entity_id": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "executable": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
+                    }
+                  }
+                },
+                "exit_code": {
+                  "type": "long"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha1": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha256": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha512": {
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "exit_code": {
-                  "type": "long"
+                  }
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "pgid": {
                   "type": "long"
@@ -1536,33 +1904,57 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "title": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "uptime": {
                   "type": "long"
                 },
                 "working_directory": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                }
+              }
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -1584,33 +1976,33 @@
                   "type": "long"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "title": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "uptime": {
               "type": "long"
             },
             "working_directory": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
@@ -1619,93 +2011,101 @@
             "data": {
               "properties": {
                 "bytes": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "strings": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hive": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "key": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "value": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "related": {
           "properties": {
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ip": {
               "type": "ip"
             },
             "user": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "rule": {
           "properties": {
+            "author": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "license": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ruleset": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uuid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "server": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -1715,14 +2115,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -1732,41 +2132,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -1774,8 +2174,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -1794,66 +2194,66 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -1862,36 +2262,36 @@
         "service": {
           "properties": {
             "ephemeral_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "node": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "state": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -1905,6 +2305,9 @@
                 "id": {
                   "type": "keyword"
                 },
+                "index": {
+                  "type": "keyword"
+                },
                 "rule": {
                   "type": "keyword"
                 },
@@ -1913,6 +2316,19 @@
                 }
               }
             },
+            "depth": {
+              "type": "integer"
+            },
+            "group": {
+              "properties": {
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "integer"
+                }
+              }
+            },
             "original_event": {
               "properties": {
                 "action": {
@@ -1949,9 +2365,9 @@
                   "type": "keyword"
                 },
                 "original": {
-                  "doc_values": false,
+                  "type": "keyword",
                   "index": false,
-                  "type": "keyword"
+                  "doc_values": false
                 },
                 "outcome": {
                   "type": "keyword"
@@ -1982,6 +2398,11 @@
                 }
               }
             },
+            "original_signal": {
+              "type": "object",
+              "dynamic": "false",
+              "enabled": false
+            },
             "original_time": {
               "type": "date"
             },
@@ -2004,8 +2425,33 @@
                 }
               }
             },
+            "parents": {
+              "properties": {
+                "depth": {
+                  "type": "long"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "rule": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
             "rule": {
               "properties": {
+                "author": {
+                  "type": "keyword"
+                },
+                "building_block_type": {
+                  "type": "keyword"
+                },
                 "created_at": {
                   "type": "date"
                 },
@@ -2042,12 +2488,18 @@
                 "language": {
                   "type": "keyword"
                 },
+                "license": {
+                  "type": "keyword"
+                },
                 "max_signals": {
                   "type": "keyword"
                 },
                 "name": {
                   "type": "keyword"
                 },
+                "note": {
+                  "type": "text"
+                },
                 "output_index": {
                   "type": "keyword"
                 },
@@ -2058,17 +2510,49 @@
                   "type": "keyword"
                 },
                 "risk_score": {
-                  "type": "keyword"
+                  "type": "float"
+                },
+                "risk_score_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
                 },
                 "rule_id": {
                   "type": "keyword"
                 },
+                "rule_name_override": {
+                  "type": "keyword"
+                },
                 "saved_id": {
                   "type": "keyword"
                 },
                 "severity": {
                   "type": "keyword"
                 },
+                "severity_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "severity": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
+                },
                 "size": {
                   "type": "keyword"
                 },
@@ -2108,12 +2592,25 @@
                     }
                   }
                 },
+                "threshold": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "float"
+                    }
+                  }
+                },
                 "timeline_id": {
                   "type": "keyword"
                 },
                 "timeline_title": {
                   "type": "keyword"
                 },
+                "timestamp_override": {
+                  "type": "keyword"
+                },
                 "to": {
                   "type": "keyword"
                 },
@@ -2133,14 +2630,27 @@
             },
             "status": {
               "type": "keyword"
+            },
+            "threshold_count": {
+              "type": "float"
+            },
+            "threshold_result": {
+              "properties": {
+                "count": {
+                  "type": "long"
+                },
+                "value": {
+                  "type": "keyword"
+                }
+              }
             }
           }
         },
         "source": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -2150,14 +2660,14 @@
                 "organization": {
                   "properties": {
                     "name": {
-                      "fields": {
-                        "text": {
-                          "norms": false,
-                          "type": "text"
-                        }
-                      },
+                      "type": "keyword",
                       "ignore_above": 1024,
-                      "type": "keyword"
+                      "fields": {
+                        "text": {
+                          "type": "text",
+                          "norms": false
+                        }
+                      }
                     }
                   }
                 }
@@ -2167,41 +2677,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -2209,8 +2719,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -2229,116 +2739,116 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
           }
         },
         "tags": {
-          "ignore_above": 1024,
-          "type": "keyword"
+          "type": "keyword",
+          "ignore_above": 1024
         },
         "threat": {
           "properties": {
             "framework": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "tactic": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "reference": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "technique": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "reference": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             }
@@ -2347,42 +2857,42 @@
         "tls": {
           "properties": {
             "cipher": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "client": {
               "properties": {
                 "certificate": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "certificate_chain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "hash": {
                   "properties": {
                     "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ja3": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "not_after": {
                   "type": "date"
@@ -2391,29 +2901,29 @@
                   "type": "date"
                 },
                 "server_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "supported_ciphers": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "curve": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "established": {
               "type": "boolean"
             },
             "next_protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "resumed": {
               "type": "boolean"
@@ -2421,36 +2931,36 @@
             "server": {
               "properties": {
                 "certificate": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "certificate_chain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "hash": {
                   "properties": {
                     "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ja3s": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "not_after": {
                   "type": "date"
@@ -2459,157 +2969,157 @@
                   "type": "date"
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version_protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "trace": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "transaction": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "url": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "extension": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "fragment": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "original": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "password": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "port": {
               "type": "long"
             },
             "query": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "scheme": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "username": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "user": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "email": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full_name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "group": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
@@ -2618,112 +3128,124 @@
             "device": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "original": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "vlan": {
+          "properties": {
+            "id": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "vulnerability": {
           "properties": {
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "classification": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "enumeration": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "report_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "scanner": {
               "properties": {
                 "vendor": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -2739,14 +3261,14 @@
                   "type": "float"
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "severity": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         }
@@ -7599,4 +8121,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/test/security_solution_cypress/es_archives/closed_alerts/mappings.json b/x-pack/test/security_solution_cypress/es_archives/closed_alerts/mappings.json
index 94d89ed55dd8a..00a2f6fb8c8df 100644
--- a/x-pack/test/security_solution_cypress/es_archives/closed_alerts/mappings.json
+++ b/x-pack/test/security_solution_cypress/es_archives/closed_alerts/mappings.json
@@ -9,6 +9,9 @@
     "index": ".siem-signals-default-000001",
     "mappings": {
       "dynamic": "false",
+      "_meta": {
+        "version": 3
+      },
       "properties": {
         "@timestamp": {
           "type": "date"
@@ -16,24 +19,24 @@
         "agent": {
           "properties": {
             "ephemeral_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -45,14 +48,14 @@
             "organization": {
               "properties": {
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -61,8 +64,8 @@
         "client": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -72,14 +75,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -89,41 +92,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -131,8 +134,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -151,66 +154,66 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -221,60 +224,81 @@
             "account": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "availability_zone": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "instance": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "machine": {
               "properties": {
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "code_signature": {
+          "properties": {
+            "exists": {
+              "type": "boolean"
+            },
+            "status": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "subject_name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "trusted": {
+              "type": "boolean"
+            },
+            "valid": {
+              "type": "boolean"
             }
           }
         },
         "container": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "image": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "tag": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -282,20 +306,20 @@
               "type": "object"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "runtime": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "destination": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -305,14 +329,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -322,41 +346,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -364,8 +388,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -384,66 +408,143 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "dll": {
+          "properties": {
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha1": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha256": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha512": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "path": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             }
@@ -454,63 +555,63 @@
             "answers": {
               "properties": {
                 "class": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "data": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ttl": {
                   "type": "long"
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "header_flags": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "op_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "question": {
               "properties": {
                 "class": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "registered_domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subdomain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "top_level_domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -518,75 +619,75 @@
               "type": "ip"
             },
             "response_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "ecs": {
           "properties": {
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "error": {
           "properties": {
             "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "message": {
-              "norms": false,
-              "type": "text"
+              "type": "text",
+              "norms": false
             },
             "stack_trace": {
+              "type": "keyword",
+              "index": false,
               "doc_values": false,
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "index": false,
-              "type": "keyword"
+              }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "event": {
           "properties": {
             "action": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "created": {
               "type": "date"
             },
             "dataset": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "duration": {
               "type": "long"
@@ -595,37 +696,41 @@
               "type": "date"
             },
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ingested": {
               "type": "date"
             },
             "kind": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "module": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "original": {
-              "doc_values": false,
-              "ignore_above": 1024,
+              "type": "keyword",
               "index": false,
-              "type": "keyword"
+              "doc_values": false,
+              "ignore_above": 1024
             },
             "outcome": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "reference": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "risk_score": {
               "type": "float"
@@ -643,12 +748,16 @@
               "type": "date"
             },
             "timezone": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "url": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -658,8 +767,29 @@
               "type": "date"
             },
             "attributes": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
             },
             "created": {
               "type": "date"
@@ -668,279 +798,307 @@
               "type": "date"
             },
             "device": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "directory": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "drive_letter": {
-              "ignore_above": 1,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1
             },
             "extension": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "gid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "group": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "hash": {
               "properties": {
                 "md5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha256": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha512": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "inode": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "mime_type": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "mode": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "mtime": {
               "type": "date"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "owner": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             },
             "size": {
               "type": "long"
             },
             "target_path": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "geo": {
           "properties": {
             "city_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "continent_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "country_iso_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "country_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "location": {
               "type": "geo_point"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region_iso_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "group": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "hash": {
           "properties": {
             "md5": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha1": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha256": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha512": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "host": {
           "properties": {
             "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ip": {
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uptime": {
               "type": "long"
@@ -948,56 +1106,56 @@
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -1013,14 +1171,14 @@
                       "type": "long"
                     },
                     "content": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 },
@@ -1028,12 +1186,12 @@
                   "type": "long"
                 },
                 "method": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "referrer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -1045,14 +1203,14 @@
                       "type": "long"
                     },
                     "content": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 },
@@ -1065,8 +1223,24 @@
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "interface": {
+          "properties": {
+            "alias": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "id": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -1076,12 +1250,12 @@
         "log": {
           "properties": {
             "level": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "logger": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "origin": {
               "properties": {
@@ -1091,22 +1265,22 @@
                       "type": "integer"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "function": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "original": {
-              "doc_values": false,
-              "ignore_above": 1024,
+              "type": "keyword",
               "index": false,
-              "type": "keyword"
+              "doc_values": false,
+              "ignore_above": 1024
             },
             "syslog": {
               "properties": {
@@ -1116,8 +1290,8 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
@@ -1130,8 +1304,8 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 }
@@ -1140,308 +1314,457 @@
           }
         },
         "message": {
-          "norms": false,
-          "type": "text"
+          "type": "text",
+          "norms": false
         },
         "network": {
           "properties": {
             "application": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "bytes": {
               "type": "long"
             },
             "community_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "direction": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "forwarded_ip": {
               "type": "ip"
             },
             "iana_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "inner": {
+              "properties": {
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                }
+              }
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "packets": {
               "type": "long"
             },
             "protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "transport": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "vlan": {
+              "properties": {
+                "id": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             }
           }
         },
         "observer": {
           "properties": {
+            "egress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "zone": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
+            },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "ingress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "zone": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             },
             "ip": {
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "product": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "serial_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "vendor": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "organization": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
         "os": {
           "properties": {
             "family": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "kernel": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "platform": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "package": {
           "properties": {
             "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "build_version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "checksum": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "install_scope": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "installed": {
               "type": "date"
             },
             "license": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "size": {
               "type": "long"
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "pe": {
+          "properties": {
+            "company": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "description": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "file_version": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "original_file_name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "product": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "process": {
           "properties": {
             "args": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "args_count": {
               "type": "long"
             },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
             "command_line": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
+            },
+            "entity_id": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "executable": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "exit_code": {
               "type": "long"
@@ -1449,74 +1772,119 @@
             "hash": {
               "properties": {
                 "md5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha256": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha512": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "parent": {
               "properties": {
                 "args": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "args_count": {
                   "type": "long"
                 },
+                "code_signature": {
+                  "properties": {
+                    "exists": {
+                      "type": "boolean"
+                    },
+                    "status": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "subject_name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "trusted": {
+                      "type": "boolean"
+                    },
+                    "valid": {
+                      "type": "boolean"
+                    }
+                  }
+                },
                 "command_line": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                },
+                "entity_id": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "executable": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
+                    }
+                  }
+                },
+                "exit_code": {
+                  "type": "long"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha1": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha256": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha512": {
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "exit_code": {
-                  "type": "long"
+                  }
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "pgid": {
                   "type": "long"
@@ -1536,33 +1904,57 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "title": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "uptime": {
                   "type": "long"
                 },
                 "working_directory": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                }
+              }
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -1584,33 +1976,33 @@
                   "type": "long"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "title": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "uptime": {
               "type": "long"
             },
             "working_directory": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
@@ -1619,93 +2011,101 @@
             "data": {
               "properties": {
                 "bytes": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "strings": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hive": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "key": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "value": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "related": {
           "properties": {
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ip": {
               "type": "ip"
             },
             "user": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "rule": {
           "properties": {
+            "author": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "license": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ruleset": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uuid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "server": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -1715,14 +2115,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -1732,41 +2132,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -1774,8 +2174,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -1794,66 +2194,66 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -1862,36 +2262,36 @@
         "service": {
           "properties": {
             "ephemeral_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "node": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "state": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -1905,6 +2305,9 @@
                 "id": {
                   "type": "keyword"
                 },
+                "index": {
+                  "type": "keyword"
+                },
                 "rule": {
                   "type": "keyword"
                 },
@@ -1913,6 +2316,19 @@
                 }
               }
             },
+            "depth": {
+              "type": "integer"
+            },
+            "group": {
+              "properties": {
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "integer"
+                }
+              }
+            },
             "original_event": {
               "properties": {
                 "action": {
@@ -1949,9 +2365,9 @@
                   "type": "keyword"
                 },
                 "original": {
-                  "doc_values": false,
+                  "type": "keyword",
                   "index": false,
-                  "type": "keyword"
+                  "doc_values": false
                 },
                 "outcome": {
                   "type": "keyword"
@@ -1982,6 +2398,11 @@
                 }
               }
             },
+            "original_signal": {
+              "type": "object",
+              "dynamic": "false",
+              "enabled": false
+            },
             "original_time": {
               "type": "date"
             },
@@ -2004,8 +2425,33 @@
                 }
               }
             },
+            "parents": {
+              "properties": {
+                "depth": {
+                  "type": "long"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "rule": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
             "rule": {
               "properties": {
+                "author": {
+                  "type": "keyword"
+                },
+                "building_block_type": {
+                  "type": "keyword"
+                },
                 "created_at": {
                   "type": "date"
                 },
@@ -2042,6 +2488,9 @@
                 "language": {
                   "type": "keyword"
                 },
+                "license": {
+                  "type": "keyword"
+                },
                 "max_signals": {
                   "type": "keyword"
                 },
@@ -2061,17 +2510,49 @@
                   "type": "keyword"
                 },
                 "risk_score": {
-                  "type": "keyword"
+                  "type": "float"
+                },
+                "risk_score_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
                 },
                 "rule_id": {
                   "type": "keyword"
                 },
+                "rule_name_override": {
+                  "type": "keyword"
+                },
                 "saved_id": {
                   "type": "keyword"
                 },
                 "severity": {
                   "type": "keyword"
                 },
+                "severity_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "severity": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
+                },
                 "size": {
                   "type": "keyword"
                 },
@@ -2111,12 +2592,25 @@
                     }
                   }
                 },
+                "threshold": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "float"
+                    }
+                  }
+                },
                 "timeline_id": {
                   "type": "keyword"
                 },
                 "timeline_title": {
                   "type": "keyword"
                 },
+                "timestamp_override": {
+                  "type": "keyword"
+                },
                 "to": {
                   "type": "keyword"
                 },
@@ -2136,14 +2630,27 @@
             },
             "status": {
               "type": "keyword"
+            },
+            "threshold_count": {
+              "type": "float"
+            },
+            "threshold_result": {
+              "properties": {
+                "count": {
+                  "type": "long"
+                },
+                "value": {
+                  "type": "keyword"
+                }
+              }
             }
           }
         },
         "source": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -2153,14 +2660,14 @@
                 "organization": {
                   "properties": {
                     "name": {
-                      "fields": {
-                        "text": {
-                          "norms": false,
-                          "type": "text"
-                        }
-                      },
+                      "type": "keyword",
                       "ignore_above": 1024,
-                      "type": "keyword"
+                      "fields": {
+                        "text": {
+                          "type": "text",
+                          "norms": false
+                        }
+                      }
                     }
                   }
                 }
@@ -2170,41 +2677,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -2212,8 +2719,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -2232,116 +2739,116 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
           }
         },
         "tags": {
-          "ignore_above": 1024,
-          "type": "keyword"
+          "type": "keyword",
+          "ignore_above": 1024
         },
         "threat": {
           "properties": {
             "framework": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "tactic": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "reference": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "technique": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "reference": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             }
@@ -2350,42 +2857,42 @@
         "tls": {
           "properties": {
             "cipher": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "client": {
               "properties": {
                 "certificate": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "certificate_chain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "hash": {
                   "properties": {
                     "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ja3": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "not_after": {
                   "type": "date"
@@ -2394,29 +2901,29 @@
                   "type": "date"
                 },
                 "server_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "supported_ciphers": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "curve": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "established": {
               "type": "boolean"
             },
             "next_protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "resumed": {
               "type": "boolean"
@@ -2424,36 +2931,36 @@
             "server": {
               "properties": {
                 "certificate": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "certificate_chain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "hash": {
                   "properties": {
                     "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ja3s": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "not_after": {
                   "type": "date"
@@ -2462,157 +2969,157 @@
                   "type": "date"
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version_protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "trace": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "transaction": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "url": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "extension": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "fragment": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "original": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "password": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "port": {
               "type": "long"
             },
             "query": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "scheme": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "username": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "user": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "email": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full_name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "group": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
@@ -2621,112 +3128,124 @@
             "device": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "original": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "vlan": {
+          "properties": {
+            "id": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "vulnerability": {
           "properties": {
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "classification": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "enumeration": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "report_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "scanner": {
               "properties": {
                 "vendor": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -2742,14 +3261,14 @@
                   "type": "float"
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "severity": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         }
@@ -7602,4 +8121,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/test/security_solution_cypress/es_archives/custom_rules/mappings.json b/x-pack/test/security_solution_cypress/es_archives/custom_rules/mappings.json
index d416926a40fa6..a6b171cdfd7d9 100644
--- a/x-pack/test/security_solution_cypress/es_archives/custom_rules/mappings.json
+++ b/x-pack/test/security_solution_cypress/es_archives/custom_rules/mappings.json
@@ -2964,6 +2964,9 @@
     "index": ".siem-signals-default-000001",
     "mappings": {
       "dynamic": "false",
+      "_meta": {
+        "version": 3
+      },
       "properties": {
         "@timestamp": {
           "type": "date"
@@ -2971,24 +2974,24 @@
         "agent": {
           "properties": {
             "ephemeral_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -3000,14 +3003,14 @@
             "organization": {
               "properties": {
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -3016,8 +3019,8 @@
         "client": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -3027,14 +3030,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -3044,41 +3047,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -3086,8 +3089,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -3106,66 +3109,66 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -3176,60 +3179,81 @@
             "account": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "availability_zone": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "instance": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "machine": {
               "properties": {
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "code_signature": {
+          "properties": {
+            "exists": {
+              "type": "boolean"
+            },
+            "status": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "subject_name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "trusted": {
+              "type": "boolean"
+            },
+            "valid": {
+              "type": "boolean"
             }
           }
         },
         "container": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "image": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "tag": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -3237,20 +3261,20 @@
               "type": "object"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "runtime": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "destination": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -3260,14 +3284,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -3277,41 +3301,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -3319,8 +3343,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -3339,66 +3363,143 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "dll": {
+          "properties": {
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha1": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha256": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha512": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "path": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             }
@@ -3409,63 +3510,63 @@
             "answers": {
               "properties": {
                 "class": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "data": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ttl": {
                   "type": "long"
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "header_flags": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "op_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "question": {
               "properties": {
                 "class": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "registered_domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subdomain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "top_level_domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -3473,75 +3574,75 @@
               "type": "ip"
             },
             "response_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "ecs": {
           "properties": {
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "error": {
           "properties": {
             "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "message": {
-              "norms": false,
-              "type": "text"
+              "type": "text",
+              "norms": false
             },
             "stack_trace": {
+              "type": "keyword",
+              "index": false,
               "doc_values": false,
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "index": false,
-              "type": "keyword"
+              }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "event": {
           "properties": {
             "action": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "created": {
               "type": "date"
             },
             "dataset": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "duration": {
               "type": "long"
@@ -3550,37 +3651,41 @@
               "type": "date"
             },
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ingested": {
               "type": "date"
             },
             "kind": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "module": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "original": {
-              "doc_values": false,
-              "ignore_above": 1024,
+              "type": "keyword",
               "index": false,
-              "type": "keyword"
+              "doc_values": false,
+              "ignore_above": 1024
             },
             "outcome": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "reference": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "risk_score": {
               "type": "float"
@@ -3598,12 +3703,16 @@
               "type": "date"
             },
             "timezone": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "url": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -3613,8 +3722,29 @@
               "type": "date"
             },
             "attributes": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
             },
             "created": {
               "type": "date"
@@ -3623,279 +3753,307 @@
               "type": "date"
             },
             "device": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "directory": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "drive_letter": {
-              "ignore_above": 1,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1
             },
             "extension": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "gid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "group": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "hash": {
               "properties": {
                 "md5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha256": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha512": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "inode": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "mime_type": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "mode": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "mtime": {
               "type": "date"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "owner": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             },
             "size": {
               "type": "long"
             },
             "target_path": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "geo": {
           "properties": {
             "city_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "continent_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "country_iso_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "country_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "location": {
               "type": "geo_point"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region_iso_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "group": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "hash": {
           "properties": {
             "md5": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha1": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha256": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha512": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "host": {
           "properties": {
             "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ip": {
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uptime": {
               "type": "long"
@@ -3903,56 +4061,56 @@
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -3968,14 +4126,14 @@
                       "type": "long"
                     },
                     "content": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 },
@@ -3983,12 +4141,12 @@
                   "type": "long"
                 },
                 "method": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "referrer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -4000,14 +4158,14 @@
                       "type": "long"
                     },
                     "content": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 },
@@ -4020,8 +4178,24 @@
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "interface": {
+          "properties": {
+            "alias": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "id": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -4031,12 +4205,12 @@
         "log": {
           "properties": {
             "level": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "logger": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "origin": {
               "properties": {
@@ -4046,22 +4220,22 @@
                       "type": "integer"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "function": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "original": {
-              "doc_values": false,
-              "ignore_above": 1024,
+              "type": "keyword",
               "index": false,
-              "type": "keyword"
+              "doc_values": false,
+              "ignore_above": 1024
             },
             "syslog": {
               "properties": {
@@ -4071,8 +4245,8 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
@@ -4085,8 +4259,8 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 }
@@ -4095,308 +4269,457 @@
           }
         },
         "message": {
-          "norms": false,
-          "type": "text"
+          "type": "text",
+          "norms": false
         },
         "network": {
           "properties": {
             "application": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "bytes": {
               "type": "long"
             },
             "community_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "direction": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "forwarded_ip": {
               "type": "ip"
             },
             "iana_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "inner": {
+              "properties": {
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                }
+              }
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "packets": {
               "type": "long"
             },
             "protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "transport": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "vlan": {
+              "properties": {
+                "id": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             }
           }
         },
         "observer": {
           "properties": {
+            "egress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "zone": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
+            },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "ingress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "zone": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             },
             "ip": {
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "product": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "serial_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "vendor": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "organization": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
         "os": {
           "properties": {
             "family": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "kernel": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "platform": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "package": {
           "properties": {
             "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "build_version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "checksum": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "install_scope": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "installed": {
               "type": "date"
             },
             "license": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "size": {
               "type": "long"
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "pe": {
+          "properties": {
+            "company": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "description": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "file_version": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "original_file_name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "product": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "process": {
           "properties": {
             "args": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "args_count": {
               "type": "long"
             },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
             "command_line": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
+            },
+            "entity_id": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "executable": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "exit_code": {
               "type": "long"
@@ -4404,74 +4727,119 @@
             "hash": {
               "properties": {
                 "md5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha256": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha512": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "parent": {
               "properties": {
                 "args": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "args_count": {
                   "type": "long"
                 },
+                "code_signature": {
+                  "properties": {
+                    "exists": {
+                      "type": "boolean"
+                    },
+                    "status": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "subject_name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "trusted": {
+                      "type": "boolean"
+                    },
+                    "valid": {
+                      "type": "boolean"
+                    }
+                  }
+                },
                 "command_line": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                },
+                "entity_id": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "executable": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "exit_code": {
                   "type": "long"
                 },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha1": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha256": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha512": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "pgid": {
                   "type": "long"
@@ -4491,33 +4859,57 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "title": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "uptime": {
                   "type": "long"
                 },
                 "working_directory": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                }
+              }
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -4539,33 +4931,33 @@
                   "type": "long"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "title": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "uptime": {
               "type": "long"
             },
             "working_directory": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
@@ -4574,93 +4966,101 @@
             "data": {
               "properties": {
                 "bytes": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "strings": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hive": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "key": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "value": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "related": {
           "properties": {
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ip": {
               "type": "ip"
             },
             "user": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "rule": {
           "properties": {
+            "author": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "license": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ruleset": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uuid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "server": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -4670,14 +5070,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -4687,41 +5087,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -4729,8 +5129,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -4749,66 +5149,66 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -4817,36 +5217,36 @@
         "service": {
           "properties": {
             "ephemeral_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "node": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "state": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -4860,6 +5260,9 @@
                 "id": {
                   "type": "keyword"
                 },
+                "index": {
+                  "type": "keyword"
+                },
                 "rule": {
                   "type": "keyword"
                 },
@@ -4868,6 +5271,19 @@
                 }
               }
             },
+            "depth": {
+              "type": "integer"
+            },
+            "group": {
+              "properties": {
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "integer"
+                }
+              }
+            },
             "original_event": {
               "properties": {
                 "action": {
@@ -4904,9 +5320,9 @@
                   "type": "keyword"
                 },
                 "original": {
-                  "doc_values": false,
+                  "type": "keyword",
                   "index": false,
-                  "type": "keyword"
+                  "doc_values": false
                 },
                 "outcome": {
                   "type": "keyword"
@@ -4937,6 +5353,11 @@
                 }
               }
             },
+            "original_signal": {
+              "type": "object",
+              "dynamic": "false",
+              "enabled": false
+            },
             "original_time": {
               "type": "date"
             },
@@ -4959,8 +5380,33 @@
                 }
               }
             },
+            "parents": {
+              "properties": {
+                "depth": {
+                  "type": "long"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "rule": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
             "rule": {
               "properties": {
+                "author": {
+                  "type": "keyword"
+                },
+                "building_block_type": {
+                  "type": "keyword"
+                },
                 "created_at": {
                   "type": "date"
                 },
@@ -4997,6 +5443,9 @@
                 "language": {
                   "type": "keyword"
                 },
+                "license": {
+                  "type": "keyword"
+                },
                 "max_signals": {
                   "type": "keyword"
                 },
@@ -5016,17 +5465,49 @@
                   "type": "keyword"
                 },
                 "risk_score": {
-                  "type": "keyword"
+                  "type": "float"
+                },
+                "risk_score_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
                 },
                 "rule_id": {
                   "type": "keyword"
                 },
+                "rule_name_override": {
+                  "type": "keyword"
+                },
                 "saved_id": {
                   "type": "keyword"
                 },
                 "severity": {
                   "type": "keyword"
                 },
+                "severity_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "severity": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
+                },
                 "size": {
                   "type": "keyword"
                 },
@@ -5066,12 +5547,25 @@
                     }
                   }
                 },
+                "threshold": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "float"
+                    }
+                  }
+                },
                 "timeline_id": {
                   "type": "keyword"
                 },
                 "timeline_title": {
                   "type": "keyword"
                 },
+                "timestamp_override": {
+                  "type": "keyword"
+                },
                 "to": {
                   "type": "keyword"
                 },
@@ -5091,14 +5585,27 @@
             },
             "status": {
               "type": "keyword"
+            },
+            "threshold_count": {
+              "type": "float"
+            },
+            "threshold_result": {
+              "properties": {
+                "count": {
+                  "type": "long"
+                },
+                "value": {
+                  "type": "keyword"
+                }
+              }
             }
           }
         },
         "source": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -5108,14 +5615,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -5125,41 +5632,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -5167,8 +5674,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -5187,116 +5694,116 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
           }
         },
         "tags": {
-          "ignore_above": 1024,
-          "type": "keyword"
+          "type": "keyword",
+          "ignore_above": 1024
         },
         "threat": {
           "properties": {
             "framework": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "tactic": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "reference": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "technique": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "reference": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             }
@@ -5305,42 +5812,42 @@
         "tls": {
           "properties": {
             "cipher": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "client": {
               "properties": {
                 "certificate": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "certificate_chain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "hash": {
                   "properties": {
                     "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ja3": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "not_after": {
                   "type": "date"
@@ -5349,29 +5856,29 @@
                   "type": "date"
                 },
                 "server_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "supported_ciphers": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "curve": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "established": {
               "type": "boolean"
             },
             "next_protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "resumed": {
               "type": "boolean"
@@ -5379,36 +5886,36 @@
             "server": {
               "properties": {
                 "certificate": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "certificate_chain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "hash": {
                   "properties": {
                     "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ja3s": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "not_after": {
                   "type": "date"
@@ -5417,157 +5924,157 @@
                   "type": "date"
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version_protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "trace": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "transaction": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "url": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "extension": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "fragment": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "original": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "password": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "port": {
               "type": "long"
             },
             "query": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "scheme": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "username": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "user": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "email": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full_name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "group": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
@@ -5576,112 +6083,124 @@
             "device": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "original": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "vlan": {
+          "properties": {
+            "id": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "vulnerability": {
           "properties": {
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "classification": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "enumeration": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "report_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "scanner": {
               "properties": {
                 "vendor": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -5697,14 +6216,14 @@
                   "type": "float"
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "severity": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         }
@@ -5721,4 +6240,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/test/security_solution_cypress/es_archives/export_rule/mappings.json b/x-pack/test/security_solution_cypress/es_archives/export_rule/mappings.json
index f701f811b244b..bbd0326f9e583 100644
--- a/x-pack/test/security_solution_cypress/es_archives/export_rule/mappings.json
+++ b/x-pack/test/security_solution_cypress/es_archives/export_rule/mappings.json
@@ -2550,6 +2550,9 @@
     "index": ".siem-signals-default-000001",
     "mappings": {
       "dynamic": "false",
+      "_meta": {
+        "version": 3
+      },
       "properties": {
         "@timestamp": {
           "type": "date"
@@ -2557,24 +2560,24 @@
         "agent": {
           "properties": {
             "ephemeral_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -2586,14 +2589,14 @@
             "organization": {
               "properties": {
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -2602,8 +2605,8 @@
         "client": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -2613,14 +2616,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -2630,41 +2633,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -2672,8 +2675,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -2692,66 +2695,66 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -2762,42 +2765,42 @@
             "account": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "availability_zone": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "instance": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "machine": {
               "properties": {
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -2807,12 +2810,12 @@
               "type": "boolean"
             },
             "status": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "subject_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "trusted": {
               "type": "boolean"
@@ -2825,18 +2828,18 @@
         "container": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "image": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "tag": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -2844,20 +2847,20 @@
               "type": "object"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "runtime": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "destination": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -2867,14 +2870,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -2884,41 +2887,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -2926,8 +2929,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -2946,66 +2949,66 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -3019,12 +3022,12 @@
                   "type": "boolean"
                 },
                 "status": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subject_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "trusted": {
                   "type": "boolean"
@@ -3037,52 +3040,52 @@
             "hash": {
               "properties": {
                 "md5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha256": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha512": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "pe": {
               "properties": {
                 "company": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "description": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "file_version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "original_file_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "product": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             }
@@ -3093,63 +3096,63 @@
             "answers": {
               "properties": {
                 "class": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "data": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ttl": {
                   "type": "long"
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "header_flags": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "op_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "question": {
               "properties": {
                 "class": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "registered_domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subdomain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "top_level_domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -3157,75 +3160,75 @@
               "type": "ip"
             },
             "response_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "ecs": {
           "properties": {
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "error": {
           "properties": {
             "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "message": {
-              "norms": false,
-              "type": "text"
+              "type": "text",
+              "norms": false
             },
             "stack_trace": {
+              "type": "keyword",
+              "index": false,
               "doc_values": false,
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "index": false,
-              "type": "keyword"
+              }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "event": {
           "properties": {
             "action": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "created": {
               "type": "date"
             },
             "dataset": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "duration": {
               "type": "long"
@@ -3234,41 +3237,41 @@
               "type": "date"
             },
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ingested": {
               "type": "date"
             },
             "kind": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "module": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "original": {
-              "doc_values": false,
-              "ignore_above": 1024,
+              "type": "keyword",
               "index": false,
-              "type": "keyword"
+              "doc_values": false,
+              "ignore_above": 1024
             },
             "outcome": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "risk_score": {
               "type": "float"
@@ -3286,16 +3289,16 @@
               "type": "date"
             },
             "timezone": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "url": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -3305,8 +3308,8 @@
               "type": "date"
             },
             "attributes": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "code_signature": {
               "properties": {
@@ -3314,12 +3317,12 @@
                   "type": "boolean"
                 },
                 "status": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subject_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "trusted": {
                   "type": "boolean"
@@ -3336,103 +3339,103 @@
               "type": "date"
             },
             "device": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "directory": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "drive_letter": {
-              "ignore_above": 1,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1
             },
             "extension": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "gid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "group": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "hash": {
               "properties": {
                 "md5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha256": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha512": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "inode": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "mime_type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "mode": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "mtime": {
               "type": "date"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "owner": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "pe": {
               "properties": {
                 "company": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "description": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "file_version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "original_file_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "product": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -3440,203 +3443,203 @@
               "type": "long"
             },
             "target_path": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "geo": {
           "properties": {
             "city_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "continent_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "country_iso_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "country_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "location": {
               "type": "geo_point"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region_iso_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "group": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "hash": {
           "properties": {
             "md5": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha1": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha256": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha512": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "host": {
           "properties": {
             "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ip": {
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uptime": {
               "type": "long"
@@ -3644,56 +3647,56 @@
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -3709,14 +3712,14 @@
                       "type": "long"
                     },
                     "content": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 },
@@ -3724,12 +3727,12 @@
                   "type": "long"
                 },
                 "method": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "referrer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -3741,14 +3744,14 @@
                       "type": "long"
                     },
                     "content": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 },
@@ -3761,24 +3764,24 @@
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "interface": {
           "properties": {
             "alias": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -3788,12 +3791,12 @@
         "log": {
           "properties": {
             "level": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "logger": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "origin": {
               "properties": {
@@ -3803,22 +3806,22 @@
                       "type": "integer"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "function": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "original": {
-              "doc_values": false,
-              "ignore_above": 1024,
+              "type": "keyword",
               "index": false,
-              "type": "keyword"
+              "doc_values": false,
+              "ignore_above": 1024
             },
             "syslog": {
               "properties": {
@@ -3828,8 +3831,8 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
@@ -3842,8 +3845,8 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 }
@@ -3852,77 +3855,77 @@
           }
         },
         "message": {
-          "norms": false,
-          "type": "text"
+          "type": "text",
+          "norms": false
         },
         "network": {
           "properties": {
             "application": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "bytes": {
               "type": "long"
             },
             "community_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "direction": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "forwarded_ip": {
               "type": "ip"
             },
             "iana_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "inner": {
               "properties": {
                 "vlan": {
                   "properties": {
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 }
               }
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "packets": {
               "type": "long"
             },
             "protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "transport": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "vlan": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             }
@@ -3935,109 +3938,109 @@
                 "interface": {
                   "properties": {
                     "alias": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "vlan": {
                   "properties": {
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "zone": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ingress": {
               "properties": {
                 "interface": {
                   "properties": {
                     "alias": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "vlan": {
                   "properties": {
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "zone": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -4045,216 +4048,216 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "product": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "serial_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "vendor": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "organization": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
         "os": {
           "properties": {
             "family": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "kernel": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "platform": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "package": {
           "properties": {
             "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "build_version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "checksum": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "install_scope": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "installed": {
               "type": "date"
             },
             "license": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "size": {
               "type": "long"
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "pe": {
           "properties": {
             "company": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "file_version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "original_file_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "product": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "process": {
           "properties": {
             "args": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "args_count": {
               "type": "long"
@@ -4265,12 +4268,12 @@
                   "type": "boolean"
                 },
                 "status": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subject_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "trusted": {
                   "type": "boolean"
@@ -4281,28 +4284,28 @@
               }
             },
             "command_line": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "entity_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "executable": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "exit_code": {
               "type": "long"
@@ -4310,38 +4313,38 @@
             "hash": {
               "properties": {
                 "md5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha256": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha512": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "parent": {
               "properties": {
                 "args": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "args_count": {
                   "type": "long"
@@ -4352,12 +4355,12 @@
                       "type": "boolean"
                     },
                     "status": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "subject_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "trusted": {
                       "type": "boolean"
@@ -4368,28 +4371,28 @@
                   }
                 },
                 "command_line": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "entity_id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "executable": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "exit_code": {
                   "type": "long"
@@ -4397,32 +4400,32 @@
                 "hash": {
                   "properties": {
                     "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha512": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "pgid": {
                   "type": "long"
@@ -4442,57 +4445,57 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "title": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "uptime": {
                   "type": "long"
                 },
                 "working_directory": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             },
             "pe": {
               "properties": {
                 "company": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "description": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "file_version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "original_file_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "product": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -4514,33 +4517,33 @@
                   "type": "long"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "title": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "uptime": {
               "type": "long"
             },
             "working_directory": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
@@ -4549,101 +4552,101 @@
             "data": {
               "properties": {
                 "bytes": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "strings": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hive": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "key": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "value": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "related": {
           "properties": {
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ip": {
               "type": "ip"
             },
             "user": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "rule": {
           "properties": {
             "author": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "license": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ruleset": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uuid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "server": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -4653,14 +4656,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -4670,41 +4673,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -4712,8 +4715,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -4732,66 +4735,66 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -4800,36 +4803,36 @@
         "service": {
           "properties": {
             "ephemeral_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "node": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "state": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -4843,6 +4846,9 @@
                 "id": {
                   "type": "keyword"
                 },
+                "index": {
+                  "type": "keyword"
+                },
                 "rule": {
                   "type": "keyword"
                 },
@@ -4851,6 +4857,19 @@
                 }
               }
             },
+            "depth": {
+              "type": "integer"
+            },
+            "group": {
+              "properties": {
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "integer"
+                }
+              }
+            },
             "original_event": {
               "properties": {
                 "action": {
@@ -4887,9 +4906,9 @@
                   "type": "keyword"
                 },
                 "original": {
-                  "doc_values": false,
+                  "type": "keyword",
                   "index": false,
-                  "type": "keyword"
+                  "doc_values": false
                 },
                 "outcome": {
                   "type": "keyword"
@@ -4909,10 +4928,37 @@
                 "severity": {
                   "type": "long"
                 },
-                "start": {
-                  "type": "date"
+                "start": {
+                  "type": "date"
+                },
+                "timezone": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
+            "original_signal": {
+              "type": "object",
+              "dynamic": "false",
+              "enabled": false
+            },
+            "original_time": {
+              "type": "date"
+            },
+            "parent": {
+              "properties": {
+                "depth": {
+                  "type": "long"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
                 },
-                "timezone": {
+                "rule": {
                   "type": "keyword"
                 },
                 "type": {
@@ -4920,10 +4966,7 @@
                 }
               }
             },
-            "original_time": {
-              "type": "date"
-            },
-            "parent": {
+            "parents": {
               "properties": {
                 "depth": {
                   "type": "long"
@@ -5147,8 +5190,8 @@
         "source": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -5158,14 +5201,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -5175,41 +5218,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -5217,8 +5260,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -5237,116 +5280,116 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
           }
         },
         "tags": {
-          "ignore_above": 1024,
-          "type": "keyword"
+          "type": "keyword",
+          "ignore_above": 1024
         },
         "threat": {
           "properties": {
             "framework": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "tactic": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "reference": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "technique": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "reference": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             }
@@ -5355,42 +5398,42 @@
         "tls": {
           "properties": {
             "cipher": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "client": {
               "properties": {
                 "certificate": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "certificate_chain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "hash": {
                   "properties": {
                     "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ja3": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "not_after": {
                   "type": "date"
@@ -5399,29 +5442,29 @@
                   "type": "date"
                 },
                 "server_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "supported_ciphers": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "curve": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "established": {
               "type": "boolean"
             },
             "next_protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "resumed": {
               "type": "boolean"
@@ -5429,36 +5472,36 @@
             "server": {
               "properties": {
                 "certificate": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "certificate_chain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "hash": {
                   "properties": {
                     "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ja3s": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "not_after": {
                   "type": "date"
@@ -5467,157 +5510,157 @@
                   "type": "date"
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version_protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "trace": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "transaction": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "url": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "extension": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "fragment": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "original": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "password": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "port": {
               "type": "long"
             },
             "query": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "scheme": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "username": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "user": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "email": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full_name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "group": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
@@ -5626,124 +5669,124 @@
             "device": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "original": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "vlan": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "vulnerability": {
           "properties": {
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "classification": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "enumeration": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "report_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "scanner": {
               "properties": {
                 "vendor": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -5759,14 +5802,14 @@
                   "type": "float"
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "severity": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         }
@@ -5788,4 +5831,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/test/security_solution_cypress/es_archives/timeline_alerts/mappings.json b/x-pack/test/security_solution_cypress/es_archives/timeline_alerts/mappings.json
index abdec252471b7..4e5683f2f3932 100644
--- a/x-pack/test/security_solution_cypress/es_archives/timeline_alerts/mappings.json
+++ b/x-pack/test/security_solution_cypress/es_archives/timeline_alerts/mappings.json
@@ -1473,6 +1473,9 @@
     "index": ".siem-signals-default-000001",
     "mappings": {
       "dynamic": "false",
+      "_meta": {
+        "version": 3
+      },
       "properties": {
         "@timestamp": {
           "type": "date"
@@ -1480,24 +1483,24 @@
         "agent": {
           "properties": {
             "ephemeral_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -1509,14 +1512,14 @@
             "organization": {
               "properties": {
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -1525,8 +1528,8 @@
         "client": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -1536,14 +1539,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -1553,41 +1556,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -1595,8 +1598,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -1615,66 +1618,66 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -1685,60 +1688,81 @@
             "account": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "availability_zone": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "instance": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "machine": {
               "properties": {
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "code_signature": {
+          "properties": {
+            "exists": {
+              "type": "boolean"
+            },
+            "status": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "subject_name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "trusted": {
+              "type": "boolean"
+            },
+            "valid": {
+              "type": "boolean"
             }
           }
         },
         "container": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "image": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "tag": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -1746,20 +1770,20 @@
               "type": "object"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "runtime": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "destination": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -1769,14 +1793,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -1786,41 +1810,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -1828,8 +1852,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -1848,66 +1872,143 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "dll": {
+          "properties": {
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha1": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha256": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "sha512": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "path": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             }
@@ -1918,63 +2019,63 @@
             "answers": {
               "properties": {
                 "class": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "data": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ttl": {
                   "type": "long"
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "header_flags": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "op_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "question": {
               "properties": {
                 "class": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "registered_domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subdomain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "top_level_domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -1982,75 +2083,75 @@
               "type": "ip"
             },
             "response_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "ecs": {
           "properties": {
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "error": {
           "properties": {
             "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "message": {
-              "norms": false,
-              "type": "text"
+              "type": "text",
+              "norms": false
             },
             "stack_trace": {
+              "type": "keyword",
+              "index": false,
               "doc_values": false,
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "index": false,
-              "type": "keyword"
+              }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "event": {
           "properties": {
             "action": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "created": {
               "type": "date"
             },
             "dataset": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "duration": {
               "type": "long"
@@ -2059,37 +2160,41 @@
               "type": "date"
             },
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ingested": {
               "type": "date"
             },
             "kind": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "module": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "original": {
-              "doc_values": false,
-              "ignore_above": 1024,
+              "type": "keyword",
               "index": false,
-              "type": "keyword"
+              "doc_values": false,
+              "ignore_above": 1024
             },
             "outcome": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "reference": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "risk_score": {
               "type": "float"
@@ -2107,12 +2212,16 @@
               "type": "date"
             },
             "timezone": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "url": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -2122,8 +2231,29 @@
               "type": "date"
             },
             "attributes": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
             },
             "created": {
               "type": "date"
@@ -2132,279 +2262,307 @@
               "type": "date"
             },
             "device": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "directory": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "drive_letter": {
-              "ignore_above": 1,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1
             },
             "extension": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "gid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "group": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "hash": {
               "properties": {
                 "md5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha256": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha512": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "inode": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "mime_type": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "mode": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "mtime": {
               "type": "date"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "owner": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             },
             "size": {
               "type": "long"
             },
             "target_path": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "geo": {
           "properties": {
             "city_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "continent_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "country_iso_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "country_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "location": {
               "type": "geo_point"
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region_iso_code": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "region_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "group": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "hash": {
           "properties": {
             "md5": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha1": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha256": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "sha512": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "host": {
           "properties": {
             "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ip": {
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uptime": {
               "type": "long"
@@ -2412,56 +2570,56 @@
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -2477,14 +2635,14 @@
                       "type": "long"
                     },
                     "content": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 },
@@ -2492,12 +2650,12 @@
                   "type": "long"
                 },
                 "method": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "referrer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -2509,14 +2667,14 @@
                       "type": "long"
                     },
                     "content": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 },
@@ -2529,8 +2687,24 @@
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "interface": {
+          "properties": {
+            "alias": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "id": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -2540,12 +2714,12 @@
         "log": {
           "properties": {
             "level": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "logger": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "origin": {
               "properties": {
@@ -2555,22 +2729,22 @@
                       "type": "integer"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "function": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "original": {
-              "doc_values": false,
-              "ignore_above": 1024,
+              "type": "keyword",
               "index": false,
-              "type": "keyword"
+              "doc_values": false,
+              "ignore_above": 1024
             },
             "syslog": {
               "properties": {
@@ -2580,8 +2754,8 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
@@ -2594,8 +2768,8 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 }
@@ -2604,308 +2778,457 @@
           }
         },
         "message": {
-          "norms": false,
-          "type": "text"
+          "type": "text",
+          "norms": false
         },
         "network": {
           "properties": {
             "application": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "bytes": {
               "type": "long"
             },
             "community_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "direction": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "forwarded_ip": {
               "type": "ip"
             },
             "iana_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "inner": {
+              "properties": {
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                }
+              }
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "packets": {
               "type": "long"
             },
             "protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "transport": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "vlan": {
+              "properties": {
+                "id": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             }
           }
         },
         "observer": {
           "properties": {
+            "egress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "zone": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
+            },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "ingress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
+                "zone": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                }
+              }
             },
             "ip": {
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "product": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "serial_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "vendor": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "organization": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
         "os": {
           "properties": {
             "family": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "kernel": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "platform": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "package": {
           "properties": {
             "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "build_version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "checksum": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "install_scope": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "installed": {
               "type": "date"
             },
             "license": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "size": {
               "type": "long"
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "pe": {
+          "properties": {
+            "company": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "description": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "file_version": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "original_file_name": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "product": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "process": {
           "properties": {
             "args": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "args_count": {
               "type": "long"
             },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "subject_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
             "command_line": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
+            },
+            "entity_id": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "executable": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "exit_code": {
               "type": "long"
@@ -2913,74 +3236,119 @@
             "hash": {
               "properties": {
                 "md5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha256": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "sha512": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "parent": {
               "properties": {
                 "args": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "args_count": {
                   "type": "long"
                 },
+                "code_signature": {
+                  "properties": {
+                    "exists": {
+                      "type": "boolean"
+                    },
+                    "status": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "subject_name": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "trusted": {
+                      "type": "boolean"
+                    },
+                    "valid": {
+                      "type": "boolean"
+                    }
+                  }
+                },
                 "command_line": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                },
+                "entity_id": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "executable": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "exit_code": {
                   "type": "long"
                 },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha1": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha256": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    },
+                    "sha512": {
+                      "type": "keyword",
+                      "ignore_above": 1024
+                    }
+                  }
+                },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "pgid": {
                   "type": "long"
@@ -3000,33 +3368,57 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "title": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "uptime": {
                   "type": "long"
                 },
                 "working_directory": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
+                }
+              }
+            },
+            "pe": {
+              "properties": {
+                "company": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "description": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "file_version": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "original_file_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024
+                },
+                "product": {
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -3048,33 +3440,33 @@
                   "type": "long"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "title": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "uptime": {
               "type": "long"
             },
             "working_directory": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
@@ -3083,93 +3475,101 @@
             "data": {
               "properties": {
                 "bytes": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "strings": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hive": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "key": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "value": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "related": {
           "properties": {
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ip": {
               "type": "ip"
             },
             "user": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "rule": {
           "properties": {
+            "author": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "license": {
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "ruleset": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "uuid": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "server": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -3179,14 +3579,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -3196,41 +3596,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -3238,8 +3638,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -3258,66 +3658,66 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
@@ -3326,36 +3726,36 @@
         "service": {
           "properties": {
             "ephemeral_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "node": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "state": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
@@ -3369,6 +3769,9 @@
                 "id": {
                   "type": "keyword"
                 },
+                "index": {
+                  "type": "keyword"
+                },
                 "rule": {
                   "type": "keyword"
                 },
@@ -3377,6 +3780,19 @@
                 }
               }
             },
+            "depth": {
+              "type": "integer"
+            },
+            "group": {
+              "properties": {
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "integer"
+                }
+              }
+            },
             "original_event": {
               "properties": {
                 "action": {
@@ -3413,9 +3829,9 @@
                   "type": "keyword"
                 },
                 "original": {
-                  "doc_values": false,
+                  "type": "keyword",
                   "index": false,
-                  "type": "keyword"
+                  "doc_values": false
                 },
                 "outcome": {
                   "type": "keyword"
@@ -3446,6 +3862,11 @@
                 }
               }
             },
+            "original_signal": {
+              "type": "object",
+              "dynamic": "false",
+              "enabled": false
+            },
             "original_time": {
               "type": "date"
             },
@@ -3468,8 +3889,33 @@
                 }
               }
             },
+            "parents": {
+              "properties": {
+                "depth": {
+                  "type": "long"
+                },
+                "id": {
+                  "type": "keyword"
+                },
+                "index": {
+                  "type": "keyword"
+                },
+                "rule": {
+                  "type": "keyword"
+                },
+                "type": {
+                  "type": "keyword"
+                }
+              }
+            },
             "rule": {
               "properties": {
+                "author": {
+                  "type": "keyword"
+                },
+                "building_block_type": {
+                  "type": "keyword"
+                },
                 "created_at": {
                   "type": "date"
                 },
@@ -3506,12 +3952,18 @@
                 "language": {
                   "type": "keyword"
                 },
+                "license": {
+                  "type": "keyword"
+                },
                 "max_signals": {
                   "type": "keyword"
                 },
                 "name": {
                   "type": "keyword"
                 },
+                "note": {
+                  "type": "text"
+                },
                 "output_index": {
                   "type": "keyword"
                 },
@@ -3522,17 +3974,49 @@
                   "type": "keyword"
                 },
                 "risk_score": {
-                  "type": "keyword"
+                  "type": "float"
+                },
+                "risk_score_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
                 },
                 "rule_id": {
                   "type": "keyword"
                 },
+                "rule_name_override": {
+                  "type": "keyword"
+                },
                 "saved_id": {
                   "type": "keyword"
                 },
                 "severity": {
                   "type": "keyword"
                 },
+                "severity_mapping": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "operator": {
+                      "type": "keyword"
+                    },
+                    "severity": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "keyword"
+                    }
+                  }
+                },
                 "size": {
                   "type": "keyword"
                 },
@@ -3572,12 +4056,25 @@
                     }
                   }
                 },
+                "threshold": {
+                  "properties": {
+                    "field": {
+                      "type": "keyword"
+                    },
+                    "value": {
+                      "type": "float"
+                    }
+                  }
+                },
                 "timeline_id": {
                   "type": "keyword"
                 },
                 "timeline_title": {
                   "type": "keyword"
                 },
+                "timestamp_override": {
+                  "type": "keyword"
+                },
                 "to": {
                   "type": "keyword"
                 },
@@ -3597,14 +4094,27 @@
             },
             "status": {
               "type": "keyword"
+            },
+            "threshold_count": {
+              "type": "float"
+            },
+            "threshold_result": {
+              "properties": {
+                "count": {
+                  "type": "long"
+                },
+                "value": {
+                  "type": "keyword"
+                }
+              }
             }
           }
         },
         "source": {
           "properties": {
             "address": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "as": {
               "properties": {
@@ -3614,14 +4124,14 @@
                 "organization": {
                   "properties": {
                     "name": {
+                      "type": "keyword",
+                      "ignore_above": 1024,
                       "fields": {
                         "text": {
-                          "norms": false,
-                          "type": "text"
+                          "type": "text",
+                          "norms": false
                         }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      }
                     }
                   }
                 }
@@ -3631,41 +4141,41 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "geo": {
               "properties": {
                 "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -3673,8 +4183,8 @@
               "type": "ip"
             },
             "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "nat": {
               "properties": {
@@ -3693,116 +4203,116 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "user": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full_name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "group": {
                   "properties": {
                     "domain": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "hash": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 }
               }
             }
           }
         },
         "tags": {
-          "ignore_above": 1024,
-          "type": "keyword"
+          "type": "keyword",
+          "ignore_above": 1024
         },
         "threat": {
           "properties": {
             "framework": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "tactic": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "reference": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "technique": {
               "properties": {
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "reference": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             }
@@ -3811,42 +4321,42 @@
         "tls": {
           "properties": {
             "cipher": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "client": {
               "properties": {
                 "certificate": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "certificate_chain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "hash": {
                   "properties": {
                     "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ja3": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "not_after": {
                   "type": "date"
@@ -3855,29 +4365,29 @@
                   "type": "date"
                 },
                 "server_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "supported_ciphers": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "curve": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "established": {
               "type": "boolean"
             },
             "next_protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "resumed": {
               "type": "boolean"
@@ -3885,36 +4395,36 @@
             "server": {
               "properties": {
                 "certificate": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "certificate_chain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "hash": {
                   "properties": {
                     "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     },
                     "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "keyword",
+                      "ignore_above": 1024
                     }
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "ja3s": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "not_after": {
                   "type": "date"
@@ -3923,157 +4433,157 @@
                   "type": "date"
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "version_protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "trace": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "transaction": {
           "properties": {
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "url": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "extension": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "fragment": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "original": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "password": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "port": {
               "type": "long"
             },
             "query": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "scheme": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "top_level_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "username": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "user": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "email": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "full_name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "group": {
               "properties": {
                 "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "hash": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "name": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             }
           }
         },
@@ -4082,112 +4592,124 @@
             "device": {
               "properties": {
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "original": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "os": {
               "properties": {
                 "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "full": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "name": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
                   "fields": {
                     "text": {
-                      "norms": false,
-                      "type": "text"
+                      "type": "text",
+                      "norms": false
                     }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  }
                 },
                 "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
+            }
+          }
+        },
+        "vlan": {
+          "properties": {
+            "id": {
+              "type": "keyword",
+              "ignore_above": 1024
+            },
+            "name": {
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         },
         "vulnerability": {
           "properties": {
             "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "classification": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "description": {
+              "type": "keyword",
+              "ignore_above": 1024,
               "fields": {
                 "text": {
-                  "norms": false,
-                  "type": "text"
+                  "type": "text",
+                  "norms": false
                 }
-              },
-              "ignore_above": 1024,
-              "type": "keyword"
+              }
             },
             "enumeration": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "reference": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "report_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             },
             "scanner": {
               "properties": {
                 "vendor": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
@@ -4203,14 +4725,14 @@
                   "type": "float"
                 },
                 "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "keyword",
+                  "ignore_above": 1024
                 }
               }
             },
             "severity": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "keyword",
+              "ignore_above": 1024
             }
           }
         }

From a6a8cc2175994e6aa9417dedb2458220a123b605 Mon Sep 17 00:00:00 2001
From: Tiago Costa <tiagoffcc@hotmail.com>
Date: Mon, 7 Dec 2020 23:42:11 +0000
Subject: [PATCH 5/6] skip flaky suite (#85208)

---
 x-pack/test/functional/apps/uptime/locations.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/x-pack/test/functional/apps/uptime/locations.ts b/x-pack/test/functional/apps/uptime/locations.ts
index 6bfa19c6ef578..eb5a642c8d69d 100644
--- a/x-pack/test/functional/apps/uptime/locations.ts
+++ b/x-pack/test/functional/apps/uptime/locations.ts
@@ -38,7 +38,8 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
     await makeChecksWithStatus(es, LessAvailMonitor, 5, 2, 10000, {}, 'down');
   };
 
-  describe('Observer location', () => {
+  // FLAKY: https://github.com/elastic/kibana/issues/85208
+  describe.skip('Observer location', () => {
     const start = '~ 15 minutes ago';
     const end = 'now';
 

From 6757b95b1e00827e587ff94dcbce9d178bdddcb4 Mon Sep 17 00:00:00 2001
From: Yuliia Naumenko <jo.naumenko@gmail.com>
Date: Mon, 7 Dec 2020 16:44:40 -0800
Subject: [PATCH 6/6] [Alerting UI] Replaced AlertsContextProvider with
 KibanaContextProvider and exposed components in API (#84604)

* [Alerting UI] Replaced AlertsContextProvider with KibanaContextProvider and exposed components in API

* removed AlertContextProvider

* exposed AlertAdd and EditAlert flyouts with triggers_actions_ui plugin start

* fixed type check

* fixed tests

* fixed typechecks

* fixed wrong consumer

* fixed monitoring flyout flickering

* fixed due to comments

* fixed typechecks

* fixed typechecks

* fixed typechecks

* fixed typechecks

* fixed due to comments
---
 .../public/alert_types/always_firing.tsx      |   3 +-
 .../public/components/create_alert.tsx        |  47 ++----
 .../public/application/application.test.tsx   |  20 ++-
 .../plugins/apm/public/application/index.tsx  |  48 +++---
 .../alerting/AlertingFlyout/index.tsx         |  40 +++--
 x-pack/plugins/apm/public/plugin.ts           |  10 +-
 .../common/components/alert_preview.tsx       |  10 +-
 .../inventory/components/alert_flyout.tsx     |  62 +++-----
 .../inventory/components/expression.test.tsx  |  43 ++----
 .../inventory/components/expression.tsx       |  36 ++---
 .../log_threshold/components/alert_flyout.tsx |  56 +++----
 .../components/expression_editor/criteria.tsx |   8 +-
 .../criterion_preview_chart.tsx               |  11 +-
 .../components/expression_editor/editor.tsx   |  17 +--
 .../hooks/use_chart_preview_data.tsx          |  14 +-
 .../components/alert_flyout.tsx               |  59 +++-----
 .../components/expression.test.tsx            |  45 ++----
 .../components/expression.tsx                 |  45 +++---
 .../components/expression_chart.test.tsx      |  74 ++++------
 .../components/expression_chart.tsx           |  12 +-
 .../hooks/use_metrics_explorer_chart_data.ts  |   8 +-
 .../hooks/use_metric_explorer_state.ts        |   1 -
 .../hooks/use_metrics_explorer_data.ts        |   4 +-
 x-pack/plugins/monitoring/kibana.json         |   2 +-
 .../public/alerts/alert_form.test.tsx         |  33 ++---
 .../monitoring/public/alerts/panel.tsx        |  41 ++----
 .../plugins/monitoring/public/legacy_shims.ts |   4 +-
 x-pack/plugins/monitoring/public/plugin.ts    |   2 +-
 x-pack/plugins/monitoring/public/types.ts     |   4 +-
 .../alert_types/geo_containment/index.ts      |   4 +-
 ...inment_alert_type_expression.test.tsx.snap |  42 +++++-
 .../expressions/boundary_index_expression.tsx |  19 ++-
 .../expressions/entity_index_expression.tsx   |  18 ++-
 ...containment_alert_type_expression.test.tsx |  23 +--
 .../geo_containment/query_builder/index.tsx   |  19 +--
 .../public/alert_types/geo_threshold/index.ts |   4 +-
 ...eshold_alert_type_expression.test.tsx.snap |  42 +++++-
 .../expressions/boundary_index_expression.tsx |  19 ++-
 .../expressions/entity_index_expression.tsx   |  15 +-
 ...o_threshold_alert_type_expression.test.tsx |  25 +---
 .../geo_threshold/query_builder/index.tsx     |  15 +-
 .../alert_types/threshold/expression.tsx      |  20 ++-
 .../public/alert_types/threshold/index.ts     |   4 +-
 .../alert_types/threshold/visualization.tsx   |  24 +--
 x-pack/plugins/triggers_actions_ui/README.md  | 125 +++-------------
 .../components/health_check.test.tsx          |  47 +++---
 .../application/components/health_check.tsx   |  14 +-
 .../application/context/alerts_context.tsx    |  59 --------
 .../public/application/home.tsx               |   5 +-
 .../components/alert_details.tsx              |  39 ++---
 .../sections/alert_form/alert_add.test.tsx    |  75 ++++------
 .../sections/alert_form/alert_add.tsx         |  41 ++++--
 .../sections/alert_form/alert_edit.test.tsx   |  61 ++++----
 .../sections/alert_form/alert_edit.tsx        |  42 ++++--
 .../sections/alert_form/alert_form.test.tsx   | 137 ++++++------------
 .../sections/alert_form/alert_form.tsx        |  31 ++--
 .../alerts_list/components/alerts_list.tsx    |  38 ++---
 .../with_actions_api_operations.tsx           |   3 -
 .../with_bulk_alert_api_operations.tsx        |   3 -
 .../public/common/get_add_alert_flyout.tsx    |  16 ++
 .../public/common/get_edit_alert_flyout.tsx   |  16 ++
 .../common/lib/kibana/kibana_react.mock.ts    |   1 -
 .../triggers_actions_ui/public/index.ts       |   1 -
 .../triggers_actions_ui/public/plugin.ts      |  32 +++-
 .../triggers_actions_ui/public/types.ts       |  14 +-
 .../plugins/uptime/public/apps/uptime_app.tsx |  23 ++-
 .../alerts/uptime_edit_alert_flyout.tsx       |  25 +++-
 .../ml/__tests__/ml_integerations.test.tsx    |  11 +-
 .../monitor/ml/__tests__/ml_job_link.test.tsx |   9 +-
 .../ml/__tests__/ml_manage_job.test.tsx       |   9 +-
 .../components/overview/alerts/index.ts       |   1 -
 .../alerts/uptime_alerts_context_provider.tsx |  66 ---------
 .../alerts/uptime_alerts_flyout_wrapper.tsx   |  38 +++--
 73 files changed, 862 insertions(+), 1172 deletions(-)
 delete mode 100644 x-pack/plugins/triggers_actions_ui/public/application/context/alerts_context.tsx
 create mode 100644 x-pack/plugins/triggers_actions_ui/public/common/get_add_alert_flyout.tsx
 create mode 100644 x-pack/plugins/triggers_actions_ui/public/common/get_edit_alert_flyout.tsx
 delete mode 100644 x-pack/plugins/uptime/public/components/overview/alerts/uptime_alerts_context_provider.tsx

diff --git a/x-pack/examples/alerting_example/public/alert_types/always_firing.tsx b/x-pack/examples/alerting_example/public/alert_types/always_firing.tsx
index 6e44479d058d8..134cda6f54188 100644
--- a/x-pack/examples/alerting_example/public/alert_types/always_firing.tsx
+++ b/x-pack/examples/alerting_example/public/alert_types/always_firing.tsx
@@ -22,7 +22,6 @@ import {
   AlertConditionsGroup,
   AlertTypeModel,
   AlertTypeParamsExpressionProps,
-  AlertsContextValue,
 } from '../../../../plugins/triggers_actions_ui/public';
 import {
   AlwaysFiringParams,
@@ -65,7 +64,7 @@ const DEFAULT_THRESHOLDS: AlwaysFiringParams['thresholds'] = {
 };
 
 export const AlwaysFiringExpression: React.FunctionComponent<
-  AlertTypeParamsExpressionProps<AlwaysFiringParams, AlertsContextValue>
+  AlertTypeParamsExpressionProps<AlwaysFiringParams>
 > = ({ alertParams, setAlertParams, actionGroups, defaultActionGroupId }) => {
   const {
     instances = DEFAULT_INSTANCES_TO_GENERATE,
diff --git a/x-pack/examples/alerting_example/public/components/create_alert.tsx b/x-pack/examples/alerting_example/public/components/create_alert.tsx
index 6a85e21df450f..8b62dfbb0997b 100644
--- a/x-pack/examples/alerting_example/public/components/create_alert.tsx
+++ b/x-pack/examples/alerting_example/public/components/create_alert.tsx
@@ -4,26 +4,27 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { useState } from 'react';
+import React, { useMemo, useState } from 'react';
 
 import { EuiIcon, EuiFlexItem, EuiCard, EuiFlexGroup } from '@elastic/eui';
 
-import { AlertsContextProvider, AlertAdd } from '../../../../plugins/triggers_actions_ui/public';
 import { AlertingExampleComponentParams } from '../application';
 import { ALERTING_EXAMPLE_APP_ID } from '../../common/constants';
 
-export const CreateAlert = ({
-  http,
-  triggersActionsUi,
-  charts,
-  uiSettings,
-  docLinks,
-  data,
-  toastNotifications,
-  capabilities,
-}: AlertingExampleComponentParams) => {
+export const CreateAlert = ({ triggersActionsUi }: AlertingExampleComponentParams) => {
   const [alertFlyoutVisible, setAlertFlyoutVisibility] = useState<boolean>(false);
 
+  const AddAlertFlyout = useMemo(
+    () =>
+      triggersActionsUi.getAddAlertFlyout({
+        consumer: ALERTING_EXAMPLE_APP_ID,
+        addFlyoutVisible: alertFlyoutVisible,
+        setAddFlyoutVisibility: setAlertFlyoutVisibility,
+      }),
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [alertFlyoutVisible]
+  );
+
   return (
     <EuiFlexGroup>
       <EuiFlexItem grow={false}>
@@ -34,27 +35,7 @@ export const CreateAlert = ({
           onClick={() => setAlertFlyoutVisibility(true)}
         />
       </EuiFlexItem>
-      <EuiFlexItem>
-        <AlertsContextProvider
-          value={{
-            http,
-            actionTypeRegistry: triggersActionsUi.actionTypeRegistry,
-            alertTypeRegistry: triggersActionsUi.alertTypeRegistry,
-            toastNotifications,
-            uiSettings,
-            docLinks,
-            charts,
-            dataFieldsFormats: data.fieldFormats,
-            capabilities,
-          }}
-        >
-          <AlertAdd
-            consumer={ALERTING_EXAMPLE_APP_ID}
-            addFlyoutVisible={alertFlyoutVisible}
-            setAddFlyoutVisibility={setAlertFlyoutVisibility}
-          />
-        </AlertsContextProvider>
-      </EuiFlexItem>
+      <EuiFlexItem>{AddAlertFlyout}</EuiFlexItem>
     </EuiFlexGroup>
   );
 };
diff --git a/x-pack/plugins/apm/public/application/application.test.tsx b/x-pack/plugins/apm/public/application/application.test.tsx
index 2ad5a85be7d71..57e5e4b49bd40 100644
--- a/x-pack/plugins/apm/public/application/application.test.tsx
+++ b/x-pack/plugins/apm/public/application/application.test.tsx
@@ -9,10 +9,12 @@ import { createMemoryHistory } from 'history';
 import { Observable } from 'rxjs';
 import { AppMountParameters, CoreStart, HttpSetup } from 'src/core/public';
 import { mockApmPluginContextValue } from '../context/apm_plugin/mock_apm_plugin_context';
-import { ApmPluginSetupDeps } from '../plugin';
+import { ApmPluginSetupDeps, ApmPluginStartDeps } from '../plugin';
 import { createCallApmApi } from '../services/rest/createCallApmApi';
 import { renderApp } from './';
 import { disableConsoleWarning } from '../utils/testHelpers';
+import { dataPluginMock } from 'src/plugins/data/public/mocks';
+import { embeddablePluginMock } from 'src/plugins/embeddable/public/mocks';
 
 jest.mock('../services/rest/index_pattern', () => ({
   createStaticIndexPattern: () => Promise.resolve(undefined),
@@ -55,6 +57,19 @@ describe('renderApp', () => {
       history: createMemoryHistory(),
       setHeaderActionMenu: () => {},
     };
+
+    const data = dataPluginMock.createStartContract();
+    const embeddable = embeddablePluginMock.createStartContract();
+    const startDeps = {
+      triggersActionsUi: {
+        actionTypeRegistry: {},
+        alertTypeRegistry: {},
+        getAddAlertFlyout: jest.fn(),
+        getEditAlertFlyout: jest.fn(),
+      },
+      data,
+      embeddable,
+    };
     jest.spyOn(window, 'scrollTo').mockReturnValueOnce(undefined);
     createCallApmApi((core.http as unknown) as HttpSetup);
 
@@ -75,7 +90,8 @@ describe('renderApp', () => {
         (core as unknown) as CoreStart,
         (plugins as unknown) as ApmPluginSetupDeps,
         (params as unknown) as AppMountParameters,
-        config
+        config,
+        (startDeps as unknown) as ApmPluginStartDeps
       );
     });
 
diff --git a/x-pack/plugins/apm/public/application/index.tsx b/x-pack/plugins/apm/public/application/index.tsx
index 9c4413765a500..16b3aaf9a6cd8 100644
--- a/x-pack/plugins/apm/public/application/index.tsx
+++ b/x-pack/plugins/apm/public/application/index.tsx
@@ -19,7 +19,6 @@ import {
   RedirectAppLinks,
   useUiSetting$,
 } from '../../../../../src/plugins/kibana_react/public';
-import { AlertsContextProvider } from '../../../triggers_actions_ui/public';
 import { routes } from '../components/app/Main/route_config';
 import { ScrollToTopOnPathChange } from '../components/app/Main/ScrollToTopOnPathChange';
 import {
@@ -29,7 +28,7 @@ import {
 import { LicenseProvider } from '../context/license/license_context';
 import { UrlParamsProvider } from '../context/url_params_context/url_params_context';
 import { useBreadcrumbs } from '../hooks/use_breadcrumbs';
-import { ApmPluginSetupDeps } from '../plugin';
+import { ApmPluginSetupDeps, ApmPluginStartDeps } from '../plugin';
 import { createCallApmApi } from '../services/rest/createCallApmApi';
 import { createStaticIndexPattern } from '../services/rest/index_pattern';
 import { setHelpExtension } from '../setHelpExtension';
@@ -66,38 +65,29 @@ function App() {
 
 export function ApmAppRoot({
   apmPluginContextValue,
+  startDeps,
 }: {
   apmPluginContextValue: ApmPluginContextValue;
+  startDeps: ApmPluginStartDeps;
 }) {
-  const { appMountParameters, core, plugins } = apmPluginContextValue;
+  const { appMountParameters, core } = apmPluginContextValue;
   const { history } = appMountParameters;
   const i18nCore = core.i18n;
 
   return (
     <RedirectAppLinks application={core.application}>
       <ApmPluginContext.Provider value={apmPluginContextValue}>
-        <AlertsContextProvider
-          value={{
-            http: core.http,
-            docLinks: core.docLinks,
-            capabilities: core.application.capabilities,
-            toastNotifications: core.notifications.toasts,
-            actionTypeRegistry: plugins.triggersActionsUi.actionTypeRegistry,
-            alertTypeRegistry: plugins.triggersActionsUi.alertTypeRegistry,
-          }}
-        >
-          <KibanaContextProvider services={{ ...core, ...plugins }}>
-            <i18nCore.Context>
-              <Router history={history}>
-                <UrlParamsProvider>
-                  <LicenseProvider>
-                    <App />
-                  </LicenseProvider>
-                </UrlParamsProvider>
-              </Router>
-            </i18nCore.Context>
-          </KibanaContextProvider>
-        </AlertsContextProvider>
+        <KibanaContextProvider services={{ ...core, ...startDeps }}>
+          <i18nCore.Context>
+            <Router history={history}>
+              <UrlParamsProvider>
+                <LicenseProvider>
+                  <App />
+                </LicenseProvider>
+              </UrlParamsProvider>
+            </Router>
+          </i18nCore.Context>
+        </KibanaContextProvider>
       </ApmPluginContext.Provider>
     </RedirectAppLinks>
   );
@@ -111,7 +101,8 @@ export const renderApp = (
   core: CoreStart,
   setupDeps: ApmPluginSetupDeps,
   appMountParameters: AppMountParameters,
-  config: ConfigSchema
+  config: ConfigSchema,
+  startDeps: ApmPluginStartDeps
 ) => {
   const { element } = appMountParameters;
   const apmPluginContextValue = {
@@ -133,7 +124,10 @@ export const renderApp = (
   });
 
   ReactDOM.render(
-    <ApmAppRoot apmPluginContextValue={apmPluginContextValue} />,
+    <ApmAppRoot
+      apmPluginContextValue={apmPluginContextValue}
+      startDeps={startDeps}
+    />,
     element
   );
   return () => {
diff --git a/x-pack/plugins/apm/public/components/alerting/AlertingFlyout/index.tsx b/x-pack/plugins/apm/public/components/alerting/AlertingFlyout/index.tsx
index 3bee6b2388264..aa1d21dd1d580 100644
--- a/x-pack/plugins/apm/public/components/alerting/AlertingFlyout/index.tsx
+++ b/x-pack/plugins/apm/public/components/alerting/AlertingFlyout/index.tsx
@@ -3,29 +3,37 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import React from 'react';
+import React, { useMemo } from 'react';
+import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
 import { AlertType } from '../../../../common/alert_types';
-import { AlertAdd } from '../../../../../triggers_actions_ui/public';
-
-type AlertAddProps = React.ComponentProps<typeof AlertAdd>;
+import { TriggersAndActionsUIPublicPluginStart } from '../../../../../triggers_actions_ui/public';
 
 interface Props {
-  addFlyoutVisible: AlertAddProps['addFlyoutVisible'];
-  setAddFlyoutVisibility: AlertAddProps['setAddFlyoutVisibility'];
+  addFlyoutVisible: boolean;
+  setAddFlyoutVisibility: React.Dispatch<React.SetStateAction<boolean>>;
   alertType: AlertType | null;
 }
 
+interface KibanaDeps {
+  triggersActionsUi: TriggersAndActionsUIPublicPluginStart;
+}
+
 export function AlertingFlyout(props: Props) {
   const { addFlyoutVisible, setAddFlyoutVisibility, alertType } = props;
-  return (
-    alertType && (
-      <AlertAdd
-        addFlyoutVisible={addFlyoutVisible}
-        setAddFlyoutVisibility={setAddFlyoutVisibility}
-        consumer="apm"
-        alertTypeId={alertType}
-        canChangeTrigger={false}
-      />
-    )
+  const {
+    services: { triggersActionsUi },
+  } = useKibana<KibanaDeps>();
+  const addAlertFlyout = useMemo(
+    () =>
+      alertType &&
+      triggersActionsUi.getAddAlertFlyout({
+        consumer: 'apm',
+        addFlyoutVisible,
+        setAddFlyoutVisibility,
+        alertTypeId: alertType,
+        canChangeTrigger: false,
+      }),
+    [addFlyoutVisible, alertType, setAddFlyoutVisibility, triggersActionsUi]
   );
+  return <>{addAlertFlyout}</>;
 }
diff --git a/x-pack/plugins/apm/public/plugin.ts b/x-pack/plugins/apm/public/plugin.ts
index cc0151afba63c..89401d9192b0b 100644
--- a/x-pack/plugins/apm/public/plugin.ts
+++ b/x-pack/plugins/apm/public/plugin.ts
@@ -138,12 +138,18 @@ export class ApmPlugin implements Plugin<ApmPluginSetup, ApmPluginStart> {
 
       async mount(params: AppMountParameters<unknown>) {
         // Load application bundle and Get start services
-        const [{ renderApp }, [coreStart]] = await Promise.all([
+        const [{ renderApp }, [coreStart, corePlugins]] = await Promise.all([
           import('./application'),
           core.getStartServices(),
         ]);
 
-        return renderApp(coreStart, pluginSetupDeps, params, config);
+        return renderApp(
+          coreStart,
+          pluginSetupDeps,
+          params,
+          config,
+          corePlugins as ApmPluginStartDeps
+        );
       },
     });
 
diff --git a/x-pack/plugins/infra/public/alerting/common/components/alert_preview.tsx b/x-pack/plugins/infra/public/alerting/common/components/alert_preview.tsx
index 7b15acfb6c4e2..4bf61a5a269f0 100644
--- a/x-pack/plugins/infra/public/alerting/common/components/alert_preview.tsx
+++ b/x-pack/plugins/infra/public/alerting/common/components/alert_preview.tsx
@@ -3,7 +3,6 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import { HttpSetup } from 'kibana/public';
 import { omit } from 'lodash';
 import React, { useCallback, useMemo, useState } from 'react';
 import {
@@ -20,6 +19,7 @@ import {
 } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n/react';
 import { i18n } from '@kbn/i18n';
+import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
 import { FORMATTERS } from '../../../../common/formatters';
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
 import { ValidationResult } from '../../../../../triggers_actions_ui/public/types';
@@ -35,7 +35,6 @@ interface Props {
   alertInterval: string;
   alertThrottle: string;
   alertType: PreviewableAlertTypes;
-  fetch: HttpSetup['fetch'];
   alertParams: { criteria: any[]; sourceId: string } & Record<string, any>;
   validate: (params: any) => ValidationResult;
   showNoDataResults?: boolean;
@@ -47,12 +46,13 @@ export const AlertPreview: React.FC<Props> = (props) => {
     alertParams,
     alertInterval,
     alertThrottle,
-    fetch,
     alertType,
     validate,
     showNoDataResults,
     groupByDisplayName,
   } = props;
+  const { http } = useKibana().services;
+
   const [previewLookbackInterval, setPreviewLookbackInterval] = useState<string>('h');
   const [isPreviewLoading, setIsPreviewLoading] = useState<boolean>(false);
   const [previewError, setPreviewError] = useState<any | false>(false);
@@ -70,7 +70,7 @@ export const AlertPreview: React.FC<Props> = (props) => {
     setPreviewError(false);
     try {
       const result = await getAlertPreview({
-        fetch,
+        fetch: http!.fetch,
         params: {
           ...alertParams,
           lookback: previewLookbackInterval as 'h' | 'd' | 'w' | 'M',
@@ -89,12 +89,12 @@ export const AlertPreview: React.FC<Props> = (props) => {
   }, [
     alertParams,
     alertInterval,
-    fetch,
     alertType,
     groupByDisplayName,
     previewLookbackInterval,
     alertThrottle,
     showNoDataResults,
+    http,
   ]);
 
   const previewIntervalError = useMemo(() => {
diff --git a/x-pack/plugins/infra/public/alerting/inventory/components/alert_flyout.tsx b/x-pack/plugins/infra/public/alerting/inventory/components/alert_flyout.tsx
index f7f7048aedf48..432d2073d93b6 100644
--- a/x-pack/plugins/infra/public/alerting/inventory/components/alert_flyout.tsx
+++ b/x-pack/plugins/infra/public/alerting/inventory/components/alert_flyout.tsx
@@ -4,12 +4,9 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { useContext } from 'react';
-import { ApplicationStart, DocLinksStart, HttpStart, NotificationsStart } from 'src/core/public';
+import React, { useContext, useMemo } from 'react';
 
-import { AlertsContextProvider, AlertAdd } from '../../../../../triggers_actions_ui/public';
 import { TriggerActionsContext } from '../../../utils/triggers_actions_context';
-import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
 import { METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID } from '../../../../server/lib/alerting/inventory_metric_threshold/types';
 import { InfraWaffleMapOptions } from '../../../lib/lib';
@@ -24,48 +21,31 @@ interface Props {
   setVisible: React.Dispatch<React.SetStateAction<boolean>>;
 }
 
-interface KibanaDeps {
-  notifications: NotificationsStart;
-  http: HttpStart;
-  docLinks: DocLinksStart;
-  application: ApplicationStart;
-}
-
 export const AlertFlyout = ({ options, nodeType, filter, visible, setVisible }: Props) => {
   const { triggersActionsUI } = useContext(TriggerActionsContext);
-  const { services } = useKibana<KibanaDeps>();
 
   const { inventoryPrefill } = useAlertPrefillContext();
   const { customMetrics } = inventoryPrefill;
 
-  return (
-    <>
-      {triggersActionsUI && (
-        <AlertsContextProvider
-          value={{
-            metadata: {
-              options,
-              nodeType,
-              filter,
-              customMetrics,
-            },
-            toastNotifications: services.notifications?.toasts,
-            http: services.http,
-            docLinks: services.docLinks,
-            capabilities: services.application.capabilities,
-            actionTypeRegistry: triggersActionsUI.actionTypeRegistry,
-            alertTypeRegistry: triggersActionsUI.alertTypeRegistry,
-          }}
-        >
-          <AlertAdd
-            addFlyoutVisible={visible!}
-            setAddFlyoutVisibility={setVisible}
-            alertTypeId={METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID}
-            canChangeTrigger={false}
-            consumer={'infrastructure'}
-          />
-        </AlertsContextProvider>
-      )}
-    </>
+  const AddAlertFlyout = useMemo(
+    () =>
+      triggersActionsUI &&
+      triggersActionsUI.getAddAlertFlyout({
+        consumer: 'infrastructure',
+        addFlyoutVisible: visible!,
+        setAddFlyoutVisibility: setVisible,
+        canChangeTrigger: false,
+        alertTypeId: METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID,
+        metadata: {
+          options,
+          nodeType,
+          filter,
+          customMetrics,
+        },
+      }),
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [triggersActionsUI, visible]
   );
+
+  return <>{AddAlertFlyout}</>;
 };
diff --git a/x-pack/plugins/infra/public/alerting/inventory/components/expression.test.tsx b/x-pack/plugins/infra/public/alerting/inventory/components/expression.test.tsx
index 6f830598ac46d..43764c518ef93 100644
--- a/x-pack/plugins/infra/public/alerting/inventory/components/expression.test.tsx
+++ b/x-pack/plugins/infra/public/alerting/inventory/components/expression.test.tsx
@@ -5,10 +5,8 @@
  */
 
 import { mountWithIntl, nextTick } from '@kbn/test/jest';
-import { actionTypeRegistryMock } from '../../../../../triggers_actions_ui/public/application/action_type_registry.mock';
-import { alertTypeRegistryMock } from '../../../../../triggers_actions_ui/public/application/alert_type_registry.mock';
-import { coreMock } from '../../../../../../../src/core/public/mocks';
-import { AlertsContextValue } from '../../../../../triggers_actions_ui/public/application/context/alerts_context';
+// We are using this inside a `jest.mock` call. Jest requires dynamic dependencies to be prefixed with `mock`
+import { coreMock as mockCoreMock } from 'src/core/public/mocks';
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
 import { InventoryMetricConditions } from '../../../../server/lib/alerting/inventory_metric_threshold/types';
 import React from 'react';
@@ -25,6 +23,12 @@ jest.mock('../../../containers/source/use_source_via_http', () => ({
   }),
 }));
 
+jest.mock('../../../hooks/use_kibana', () => ({
+  useKibanaContextForPlugin: () => ({
+    services: mockCoreMock.createStart(),
+  }),
+}));
+
 const exampleCustomMetric = {
   id: 'this-is-an-id',
   field: 'some.system.field',
@@ -39,41 +43,15 @@ describe('Expression', () => {
       nodeType: undefined,
       filterQueryText: '',
     };
-
-    const mocks = coreMock.createSetup();
-    const startMocks = coreMock.createStart();
-    const [
-      {
-        application: { capabilities },
-      },
-    ] = await mocks.getStartServices();
-
-    const context: AlertsContextValue<AlertContextMeta> = {
-      http: mocks.http,
-      toastNotifications: mocks.notifications.toasts,
-      actionTypeRegistry: actionTypeRegistryMock.create() as any,
-      alertTypeRegistry: alertTypeRegistryMock.create() as any,
-      docLinks: startMocks.docLinks,
-      capabilities: {
-        ...capabilities,
-        actions: {
-          delete: true,
-          save: true,
-          show: true,
-        },
-      },
-      metadata: currentOptions,
-    };
-
     const wrapper = mountWithIntl(
       <Expressions
-        alertsContext={context}
         alertInterval="1m"
         alertThrottle="1m"
         alertParams={alertParams as any}
         errors={[]}
         setAlertParams={(key, value) => Reflect.set(alertParams, key, value)}
         setAlertProperty={() => {}}
+        metadata={currentOptions}
       />
     );
 
@@ -153,9 +131,6 @@ describe('ExpressionRow', () => {
           metric: [],
         }}
         expression={expression}
-        alertsContextMetadata={{
-          customMetrics: [],
-        }}
         fields={[{ name: 'some.system.field', type: 'bzzz' }]}
       />
     );
diff --git a/x-pack/plugins/infra/public/alerting/inventory/components/expression.tsx b/x-pack/plugins/infra/public/alerting/inventory/components/expression.tsx
index e16b2aeaacac4..3dc754822879d 100644
--- a/x-pack/plugins/infra/public/alerting/inventory/components/expression.tsx
+++ b/x-pack/plugins/infra/public/alerting/inventory/components/expression.tsx
@@ -38,8 +38,6 @@ import {
 } from '../../../../../triggers_actions_ui/public/common';
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
 import { IErrorObject } from '../../../../../triggers_actions_ui/public/types';
-// eslint-disable-next-line @kbn/eslint/no-restricted-paths
-import { AlertsContextValue } from '../../../../../triggers_actions_ui/public/application/context/alerts_context';
 import { MetricsExplorerKueryBar } from '../../../pages/metrics/metrics_explorer/components/kuery_bar';
 import { useSourceViaHttp } from '../../../containers/source/use_source_via_http';
 import { sqsMetricTypes } from '../../../../common/inventory_models/aws_sqs/toolbar_items';
@@ -67,6 +65,7 @@ import {
 } from '../../../../common/http_api/snapshot_api';
 
 import { validateMetricThreshold } from './validation';
+import { useKibanaContextForPlugin } from '../../../hooks/use_kibana';
 
 const FILTER_TYPING_DEBOUNCE_MS = 500;
 
@@ -89,9 +88,9 @@ interface Props {
   };
   alertInterval: string;
   alertThrottle: string;
-  alertsContext: AlertsContextValue<AlertContextMeta>;
   setAlertParams(key: string, value: any): void;
   setAlertProperty(key: string, value: any): void;
+  metadata: AlertContextMeta;
 }
 
 export const defaultExpression = {
@@ -109,19 +108,13 @@ export const defaultExpression = {
 } as InventoryMetricConditions;
 
 export const Expressions: React.FC<Props> = (props) => {
-  const {
-    setAlertParams,
-    alertParams,
-    errors,
-    alertsContext,
-    alertInterval,
-    alertThrottle,
-  } = props;
+  const { http, notifications } = useKibanaContextForPlugin().services;
+  const { setAlertParams, alertParams, errors, alertInterval, alertThrottle, metadata } = props;
   const { source, createDerivedIndexPattern } = useSourceViaHttp({
     sourceId: 'default',
     type: 'metrics',
-    fetch: alertsContext.http.fetch,
-    toastWarning: alertsContext.toastNotifications.addWarning,
+    fetch: http.fetch,
+    toastWarning: notifications.toasts.addWarning,
   });
   const [timeSize, setTimeSize] = useState<number | undefined>(1);
   const [timeUnit, setTimeUnit] = useState<Unit>('m');
@@ -221,7 +214,7 @@ export const Expressions: React.FC<Props> = (props) => {
   );
 
   const preFillAlertCriteria = useCallback(() => {
-    const md = alertsContext.metadata;
+    const md = metadata;
     if (md && md.options) {
       setAlertParams('criteria', [
         {
@@ -235,10 +228,10 @@ export const Expressions: React.FC<Props> = (props) => {
     } else {
       setAlertParams('criteria', [defaultExpression]);
     }
-  }, [alertsContext.metadata, setAlertParams]);
+  }, [metadata, setAlertParams]);
 
   const preFillAlertFilter = useCallback(() => {
-    const md = alertsContext.metadata;
+    const md = metadata;
     if (md && md.filter) {
       setAlertParams('filterQueryText', md.filter);
       setAlertParams(
@@ -246,10 +239,10 @@ export const Expressions: React.FC<Props> = (props) => {
         convertKueryToElasticSearchQuery(md.filter, derivedIndexPattern) || ''
       );
     }
-  }, [alertsContext.metadata, derivedIndexPattern, setAlertParams]);
+  }, [metadata, derivedIndexPattern, setAlertParams]);
 
   useEffect(() => {
-    const md = alertsContext.metadata;
+    const md = metadata;
     if (!alertParams.nodeType) {
       if (md && md.nodeType) {
         setAlertParams('nodeType', md.nodeType);
@@ -272,7 +265,7 @@ export const Expressions: React.FC<Props> = (props) => {
     if (!alertParams.sourceId) {
       setAlertParams('sourceId', source?.id || 'default');
     }
-  }, [alertsContext.metadata, derivedIndexPattern, defaultExpression, source]); // eslint-disable-line react-hooks/exhaustive-deps
+  }, [metadata, derivedIndexPattern, defaultExpression, source]); // eslint-disable-line react-hooks/exhaustive-deps
 
   return (
     <>
@@ -308,7 +301,6 @@ export const Expressions: React.FC<Props> = (props) => {
               setAlertParams={updateParams}
               errors={errors[idx] || emptyError}
               expression={e || {}}
-              alertsContextMetadata={alertsContext.metadata}
               fields={derivedIndexPattern.fields}
             />
           );
@@ -371,7 +363,7 @@ export const Expressions: React.FC<Props> = (props) => {
         fullWidth
         display="rowCompressed"
       >
-        {(alertsContext.metadata && (
+        {(metadata && (
           <MetricsExplorerKueryBar
             derivedIndexPattern={derivedIndexPattern}
             onSubmit={onFilterChange}
@@ -394,7 +386,6 @@ export const Expressions: React.FC<Props> = (props) => {
         alertType={METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID}
         alertParams={pick(alertParams, 'criteria', 'nodeType', 'sourceId', 'filterQuery')}
         validate={validateMetricThreshold}
-        fetch={alertsContext.http.fetch}
         groupByDisplayName={alertParams.nodeType}
         showNoDataResults={alertParams.alertOnNoData}
       />
@@ -418,7 +409,6 @@ interface ExpressionRowProps {
   addExpression(): void;
   remove(id: number): void;
   setAlertParams(id: number, params: Partial<InventoryMetricConditions>): void;
-  alertsContextMetadata: AlertsContextValue<AlertContextMeta>['metadata'];
   fields: IFieldType[];
 }
 
diff --git a/x-pack/plugins/infra/public/alerting/log_threshold/components/alert_flyout.tsx b/x-pack/plugins/infra/public/alerting/log_threshold/components/alert_flyout.tsx
index cd69fe02c5846..206621c4d4dc8 100644
--- a/x-pack/plugins/infra/public/alerting/log_threshold/components/alert_flyout.tsx
+++ b/x-pack/plugins/infra/public/alerting/log_threshold/components/alert_flyout.tsx
@@ -4,11 +4,8 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { useContext } from 'react';
-import { ApplicationStart, DocLinksStart, HttpStart, NotificationsStart } from 'src/core/public';
-import { AlertsContextProvider, AlertAdd } from '../../../../../triggers_actions_ui/public';
+import React, { useContext, useMemo } from 'react';
 import { TriggerActionsContext } from '../../../utils/triggers_actions_context';
-import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
 import { LOG_DOCUMENT_COUNT_ALERT_TYPE_ID } from '../../../../common/alerting/logs/log_threshold/types';
 
 interface Props {
@@ -16,42 +13,25 @@ interface Props {
   setVisible: React.Dispatch<React.SetStateAction<boolean>>;
 }
 
-interface KibanaDeps {
-  notifications: NotificationsStart;
-  http: HttpStart;
-  docLinks: DocLinksStart;
-  application: ApplicationStart;
-}
-
 export const AlertFlyout = (props: Props) => {
   const { triggersActionsUI } = useContext(TriggerActionsContext);
-  const { services } = useKibana<KibanaDeps>();
 
-  return (
-    <>
-      {triggersActionsUI && (
-        <AlertsContextProvider
-          value={{
-            metadata: {
-              isInternal: true,
-            },
-            toastNotifications: services.notifications.toasts,
-            http: services.http,
-            docLinks: services.docLinks,
-            capabilities: services.application.capabilities,
-            actionTypeRegistry: triggersActionsUI.actionTypeRegistry,
-            alertTypeRegistry: triggersActionsUI.alertTypeRegistry,
-          }}
-        >
-          <AlertAdd
-            addFlyoutVisible={props.visible!}
-            setAddFlyoutVisibility={props.setVisible}
-            alertTypeId={LOG_DOCUMENT_COUNT_ALERT_TYPE_ID}
-            canChangeTrigger={false}
-            consumer={'logs'}
-          />
-        </AlertsContextProvider>
-      )}
-    </>
+  const AddAlertFlyout = useMemo(
+    () =>
+      triggersActionsUI &&
+      triggersActionsUI.getAddAlertFlyout({
+        consumer: 'logs',
+        addFlyoutVisible: props.visible!,
+        setAddFlyoutVisibility: props.setVisible,
+        canChangeTrigger: false,
+        alertTypeId: LOG_DOCUMENT_COUNT_ALERT_TYPE_ID,
+        metadata: {
+          isInternal: true,
+        },
+      }),
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [triggersActionsUI, props.visible]
   );
+
+  return <>{AddAlertFlyout}</>;
 };
diff --git a/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/criteria.tsx b/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/criteria.tsx
index c35e7141efc9d..3c474ee1d0ec6 100644
--- a/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/criteria.tsx
+++ b/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/criteria.tsx
@@ -22,7 +22,7 @@ import {
   getDenominator,
 } from '../../../../../common/alerting/logs/log_threshold/types';
 import { Errors, CriterionErrors } from '../../validation';
-import { AlertsContext, ExpressionLike } from './editor';
+import { ExpressionLike } from './editor';
 import { CriterionPreview } from './criterion_preview_chart';
 
 const DEFAULT_CRITERIA = { field: 'log.level', comparator: Comparator.EQ, value: 'error' };
@@ -40,7 +40,6 @@ interface SharedProps {
   criteria?: AlertParams['criteria'];
   errors: Errors['criteria'];
   alertParams: Partial<AlertParams>;
-  context: AlertsContext;
   sourceId: string;
   updateCriteria: (criteria: AlertParams['criteria']) => void;
 }
@@ -66,7 +65,6 @@ interface CriteriaWrapperProps {
   addCriterion: () => void;
   criteria: CriteriaType;
   errors: CriterionErrors;
-  context: SharedProps['context'];
   sourceId: SharedProps['sourceId'];
   isRatio?: boolean;
 }
@@ -80,7 +78,6 @@ const CriteriaWrapper: React.FC<CriteriaWrapperProps> = (props) => {
     fields,
     errors,
     alertParams,
-    context,
     sourceId,
     isRatio = false,
   } = props;
@@ -108,7 +105,6 @@ const CriteriaWrapper: React.FC<CriteriaWrapperProps> = (props) => {
             >
               <CriterionPreview
                 alertParams={alertParams}
-                context={context}
                 chartCriterion={criterion}
                 sourceId={sourceId}
                 showThreshold={!isRatio}
@@ -127,7 +123,6 @@ interface RatioCriteriaProps {
   fields: SharedProps['fields'];
   criteria: RatioCriteriaType;
   errors: Errors['criteria'];
-  context: SharedProps['context'];
   sourceId: SharedProps['sourceId'];
   updateCriteria: (criteria: AlertParams['criteria']) => void;
 }
@@ -201,7 +196,6 @@ interface CountCriteriaProps {
   fields: SharedProps['fields'];
   criteria: CountCriteriaType;
   errors: Errors['criteria'];
-  context: SharedProps['context'];
   sourceId: SharedProps['sourceId'];
   updateCriteria: (criteria: AlertParams['criteria']) => void;
 }
diff --git a/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/criterion_preview_chart.tsx b/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/criterion_preview_chart.tsx
index 1d23b4d4778ca..47dc419022880 100644
--- a/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/criterion_preview_chart.tsx
+++ b/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/criterion_preview_chart.tsx
@@ -19,6 +19,7 @@ import {
 } from '@elastic/charts';
 import { EuiText } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n/react';
+import { useKibana } from '../../../../../../../../src/plugins/kibana_react/public';
 import {
   ChartContainer,
   LoadingState,
@@ -43,7 +44,6 @@ import {
   GetLogAlertsChartPreviewDataAlertParamsSubset,
   getLogAlertsChartPreviewDataAlertParamsSubsetRT,
 } from '../../../../../common/http_api/log_alerts/';
-import { AlertsContext } from './editor';
 import { useChartPreviewData } from './hooks/use_chart_preview_data';
 import { decodeOrThrow } from '../../../../../common/runtime_types';
 
@@ -51,7 +51,6 @@ const GROUP_LIMIT = 5;
 
 interface Props {
   alertParams: Partial<AlertParams>;
-  context: AlertsContext;
   chartCriterion: Partial<Criterion>;
   sourceId: string;
   showThreshold: boolean;
@@ -59,7 +58,6 @@ interface Props {
 
 export const CriterionPreview: React.FC<Props> = ({
   alertParams,
-  context,
   chartCriterion,
   sourceId,
   showThreshold,
@@ -91,7 +89,6 @@ export const CriterionPreview: React.FC<Props> = ({
           ? NUM_BUCKETS
           : NUM_BUCKETS / 4
       } // Display less data for groups due to space limitations
-      context={context}
       sourceId={sourceId}
       threshold={alertParams.count}
       chartAlertParams={chartAlertParams}
@@ -102,7 +99,6 @@ export const CriterionPreview: React.FC<Props> = ({
 
 interface ChartProps {
   buckets: number;
-  context: AlertsContext;
   sourceId: string;
   threshold?: Threshold;
   chartAlertParams: GetLogAlertsChartPreviewDataAlertParamsSubset;
@@ -111,13 +107,13 @@ interface ChartProps {
 
 const CriterionPreviewChart: React.FC<ChartProps> = ({
   buckets,
-  context,
   sourceId,
   threshold,
   chartAlertParams,
   showThreshold,
 }) => {
-  const isDarkMode = context.uiSettings?.get('theme:darkMode') || false;
+  const { uiSettings } = useKibana().services;
+  const isDarkMode = uiSettings?.get('theme:darkMode') || false;
 
   const {
     getChartPreviewData,
@@ -125,7 +121,6 @@ const CriterionPreviewChart: React.FC<ChartProps> = ({
     hasError,
     chartPreviewData: series,
   } = useChartPreviewData({
-    context,
     sourceId,
     alertParams: chartAlertParams,
     buckets,
diff --git a/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/editor.tsx b/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/editor.tsx
index 662b7f68f8fec..854363aacca5c 100644
--- a/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/editor.tsx
+++ b/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/editor.tsx
@@ -8,11 +8,9 @@ import React, { useCallback, useMemo, useState } from 'react';
 import { i18n } from '@kbn/i18n';
 import { EuiLoadingSpinner, EuiSpacer, EuiButton, EuiCallOut } from '@elastic/eui';
 import useMount from 'react-use/lib/useMount';
+import { useKibana } from '../../../../../../../../src/plugins/kibana_react/public';
 import { GroupByExpression } from '../../../common/group_by_expression/group_by_expression';
-import {
-  ForLastExpression,
-  AlertsContextValue,
-} from '../../../../../../triggers_actions_ui/public';
+import { ForLastExpression } from '../../../../../../triggers_actions_ui/public';
 import {
   AlertParams,
   Comparator,
@@ -36,14 +34,13 @@ interface LogsContextMeta {
   isInternal?: boolean;
 }
 
-export type AlertsContext = AlertsContextValue<LogsContextMeta>;
 interface Props {
   errors: Errors;
   alertParams: Partial<AlertParams>;
   setAlertParams(key: string, value: any): void;
   setAlertProperty(key: string, value: any): void;
-  alertsContext: AlertsContext;
   sourceId: string;
+  metadata: LogsContextMeta;
 }
 
 const DEFAULT_CRITERIA = { field: 'log.level', comparator: Comparator.EQ, value: 'error' };
@@ -75,8 +72,9 @@ const DEFAULT_RATIO_EXPRESSION = {
 };
 
 export const ExpressionEditor: React.FC<Props> = (props) => {
-  const isInternal = props.alertsContext.metadata?.isInternal;
+  const isInternal = props.metadata?.isInternal;
   const [sourceId] = useSourceId();
+  const { http } = useKibana().services;
 
   return (
     <>
@@ -85,7 +83,7 @@ export const ExpressionEditor: React.FC<Props> = (props) => {
           <Editor {...props} sourceId={sourceId} />
         </SourceStatusWrapper>
       ) : (
-        <LogSourceProvider sourceId={sourceId} fetch={props.alertsContext.http.fetch}>
+        <LogSourceProvider sourceId={sourceId} fetch={http!.fetch}>
           <SourceStatusWrapper {...props}>
             <Editor {...props} sourceId={sourceId} />
           </SourceStatusWrapper>
@@ -139,7 +137,7 @@ export const SourceStatusWrapper: React.FC<Props> = (props) => {
 };
 
 export const Editor: React.FC<Props> = (props) => {
-  const { setAlertParams, alertParams, errors, alertsContext, sourceId } = props;
+  const { setAlertParams, alertParams, errors, sourceId } = props;
   const [hasSetDefaults, setHasSetDefaults] = useState<boolean>(false);
   const { sourceStatus } = useLogSourceContext();
   useMount(() => {
@@ -228,7 +226,6 @@ export const Editor: React.FC<Props> = (props) => {
       criteria={alertParams.criteria}
       errors={errors.criteria}
       alertParams={alertParams}
-      context={alertsContext}
       sourceId={sourceId}
       updateCriteria={updateCriteria}
     />
diff --git a/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/hooks/use_chart_preview_data.tsx b/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/hooks/use_chart_preview_data.tsx
index d5ba730026b12..5ca8927dcd4ab 100644
--- a/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/hooks/use_chart_preview_data.tsx
+++ b/x-pack/plugins/infra/public/alerting/log_threshold/components/expression_editor/hooks/use_chart_preview_data.tsx
@@ -4,7 +4,8 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 import { useState, useMemo } from 'react';
-import { AlertsContext } from '../editor';
+import { HttpHandler } from 'kibana/public';
+import { useKibana } from '../../../../../../../../../src/plugins/kibana_react/public';
 import { useTrackedPromise } from '../../../../../utils/use_tracked_promise';
 import {
   GetLogAlertsChartPreviewDataSuccessResponsePayload,
@@ -17,12 +18,13 @@ import { GetLogAlertsChartPreviewDataAlertParamsSubset } from '../../../../../..
 
 interface Options {
   sourceId: string;
-  context: AlertsContext;
   alertParams: GetLogAlertsChartPreviewDataAlertParamsSubset;
   buckets: number;
 }
 
-export const useChartPreviewData = ({ context, sourceId, alertParams, buckets }: Options) => {
+export const useChartPreviewData = ({ sourceId, alertParams, buckets }: Options) => {
+  const { http } = useKibana().services;
+
   const [chartPreviewData, setChartPreviewData] = useState<
     GetLogAlertsChartPreviewDataSuccessResponsePayload['data']['series']
   >([]);
@@ -32,7 +34,7 @@ export const useChartPreviewData = ({ context, sourceId, alertParams, buckets }:
       cancelPreviousOn: 'creation',
       createPromise: async () => {
         setHasError(false);
-        return await callGetChartPreviewDataAPI(sourceId, context.http.fetch, alertParams, buckets);
+        return await callGetChartPreviewDataAPI(sourceId, http!.fetch, alertParams, buckets);
       },
       onResolve: ({ data: { series } }) => {
         setHasError(false);
@@ -42,7 +44,7 @@ export const useChartPreviewData = ({ context, sourceId, alertParams, buckets }:
         setHasError(true);
       },
     },
-    [sourceId, context.http.fetch, alertParams, buckets]
+    [sourceId, http, alertParams, buckets]
   );
 
   const isLoading = useMemo(() => getChartPreviewDataRequest.state === 'pending', [
@@ -59,7 +61,7 @@ export const useChartPreviewData = ({ context, sourceId, alertParams, buckets }:
 
 export const callGetChartPreviewDataAPI = async (
   sourceId: string,
-  fetch: AlertsContext['http']['fetch'],
+  fetch: HttpHandler,
   alertParams: GetLogAlertsChartPreviewDataAlertParamsSubset,
   buckets: number
 ) => {
diff --git a/x-pack/plugins/infra/public/alerting/metric_threshold/components/alert_flyout.tsx b/x-pack/plugins/infra/public/alerting/metric_threshold/components/alert_flyout.tsx
index 1f1af38809a3e..779478a313b71 100644
--- a/x-pack/plugins/infra/public/alerting/metric_threshold/components/alert_flyout.tsx
+++ b/x-pack/plugins/infra/public/alerting/metric_threshold/components/alert_flyout.tsx
@@ -4,12 +4,8 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { useContext } from 'react';
-import { ApplicationStart, DocLinksStart, HttpStart, NotificationsStart } from 'src/core/public';
-
-import { AlertsContextProvider, AlertAdd } from '../../../../../triggers_actions_ui/public';
+import React, { useContext, useMemo } from 'react';
 import { TriggerActionsContext } from '../../../utils/triggers_actions_context';
-import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
 import { METRIC_THRESHOLD_ALERT_TYPE_ID } from '../../../../server/lib/alerting/metric_threshold/types';
 import { MetricsExplorerSeries } from '../../../../common/http_api/metrics_explorer';
@@ -22,43 +18,26 @@ interface Props {
   setVisible: React.Dispatch<React.SetStateAction<boolean>>;
 }
 
-interface KibanaDeps {
-  notifications: NotificationsStart;
-  http: HttpStart;
-  docLinks: DocLinksStart;
-  application: ApplicationStart;
-}
-
 export const AlertFlyout = (props: Props) => {
   const { triggersActionsUI } = useContext(TriggerActionsContext);
-  const { services } = useKibana<KibanaDeps>();
 
-  return (
-    <>
-      {triggersActionsUI && (
-        <AlertsContextProvider
-          value={{
-            metadata: {
-              currentOptions: props.options,
-              series: props.series,
-            },
-            toastNotifications: services.notifications.toasts,
-            http: services.http,
-            docLinks: services.docLinks,
-            capabilities: services.application.capabilities,
-            actionTypeRegistry: triggersActionsUI.actionTypeRegistry,
-            alertTypeRegistry: triggersActionsUI.alertTypeRegistry,
-          }}
-        >
-          <AlertAdd
-            addFlyoutVisible={props.visible!}
-            setAddFlyoutVisibility={props.setVisible}
-            alertTypeId={METRIC_THRESHOLD_ALERT_TYPE_ID}
-            canChangeTrigger={false}
-            consumer={'infrastructure'}
-          />
-        </AlertsContextProvider>
-      )}
-    </>
+  const AddAlertFlyout = useMemo(
+    () =>
+      triggersActionsUI &&
+      triggersActionsUI.getAddAlertFlyout({
+        consumer: 'infrastructure',
+        addFlyoutVisible: props.visible!,
+        setAddFlyoutVisibility: props.setVisible,
+        canChangeTrigger: false,
+        alertTypeId: METRIC_THRESHOLD_ALERT_TYPE_ID,
+        metadata: {
+          currentOptions: props.options,
+          series: props.series,
+        },
+      }),
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [triggersActionsUI, props.visible]
   );
+
+  return <>{AddAlertFlyout}</>;
 };
diff --git a/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression.test.tsx b/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression.test.tsx
index c83f9ff33bac5..9358204aba289 100644
--- a/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression.test.tsx
+++ b/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression.test.tsx
@@ -5,11 +5,8 @@
  */
 
 import { mountWithIntl, nextTick } from '@kbn/test/jest';
-import { actionTypeRegistryMock } from '../../../../../triggers_actions_ui/public/application/action_type_registry.mock';
-import { alertTypeRegistryMock } from '../../../../../triggers_actions_ui/public/application/alert_type_registry.mock';
-import { coreMock } from '../../../../../../../src/core/public/mocks';
-import { AlertsContextValue } from '../../../../../triggers_actions_ui/public/application/context/alerts_context';
-import { AlertContextMeta } from '../types';
+// We are using this inside a `jest.mock` call. Jest requires dynamic dependencies to be prefixed with `mock`
+import { coreMock as mockCoreMock } from 'src/core/public/mocks';
 import { MetricsExplorerMetric } from '../../../../common/http_api/metrics_explorer';
 import React from 'react';
 import { Expressions } from './expression';
@@ -24,6 +21,12 @@ jest.mock('../../../containers/source/use_source_via_http', () => ({
   }),
 }));
 
+jest.mock('../../../hooks/use_kibana', () => ({
+  useKibanaContextForPlugin: () => ({
+    services: mockCoreMock.createStart(),
+  }),
+}));
+
 describe('Expression', () => {
   async function setup(currentOptions: {
     metrics?: MetricsExplorerMetric[];
@@ -36,43 +39,17 @@ describe('Expression', () => {
       filterQueryText: '',
       sourceId: 'default',
     };
-
-    const mocks = coreMock.createSetup();
-    const startMocks = coreMock.createStart();
-    const [
-      {
-        application: { capabilities },
-      },
-    ] = await mocks.getStartServices();
-
-    const context: AlertsContextValue<AlertContextMeta> = {
-      http: mocks.http,
-      toastNotifications: mocks.notifications.toasts,
-      actionTypeRegistry: actionTypeRegistryMock.create() as any,
-      alertTypeRegistry: alertTypeRegistryMock.create() as any,
-      docLinks: startMocks.docLinks,
-      capabilities: {
-        ...capabilities,
-        actions: {
-          delete: true,
-          save: true,
-          show: true,
-        },
-      },
-      metadata: {
-        currentOptions,
-      },
-    };
-
     const wrapper = mountWithIntl(
       <Expressions
-        alertsContext={context}
         alertInterval="1m"
         alertThrottle="1m"
         alertParams={alertParams}
         errors={[]}
         setAlertParams={(key, value) => Reflect.set(alertParams, key, value)}
         setAlertProperty={() => {}}
+        metadata={{
+          currentOptions,
+        }}
       />
     );
 
diff --git a/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression.tsx b/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression.tsx
index 48e15e0026ff6..a24a4601ba68d 100644
--- a/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression.tsx
+++ b/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression.tsx
@@ -31,8 +31,6 @@ import {
 } from '../../../../../triggers_actions_ui/public/common';
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
 import { IErrorObject } from '../../../../../triggers_actions_ui/public/types';
-// eslint-disable-next-line @kbn/eslint/no-restricted-paths
-import { AlertsContextValue } from '../../../../../triggers_actions_ui/public/application/context/alerts_context';
 import { MetricsExplorerKueryBar } from '../../../pages/metrics/metrics_explorer/components/kuery_bar';
 import { MetricsExplorerOptions } from '../../../pages/metrics/metrics_explorer/hooks/use_metrics_explorer_options';
 import { MetricsExplorerGroupBy } from '../../../pages/metrics/metrics_explorer/components/group_by';
@@ -40,20 +38,21 @@ import { useSourceViaHttp } from '../../../containers/source/use_source_via_http
 import { convertKueryToElasticSearchQuery } from '../../../utils/kuery';
 
 import { ExpressionRow } from './expression_row';
-import { AlertContextMeta, MetricExpression, AlertParams } from '../types';
+import { MetricExpression, AlertParams, AlertContextMeta } from '../types';
 import { ExpressionChart } from './expression_chart';
 import { validateMetricThreshold } from './validation';
+import { useKibanaContextForPlugin } from '../../../hooks/use_kibana';
 
 const FILTER_TYPING_DEBOUNCE_MS = 500;
 
 interface Props {
   errors: IErrorObject[];
   alertParams: AlertParams;
-  alertsContext: AlertsContextValue<AlertContextMeta>;
   alertInterval: string;
   alertThrottle: string;
   setAlertParams(key: string, value: any): void;
   setAlertProperty(key: string, value: any): void;
+  metadata: AlertContextMeta;
 }
 
 const defaultExpression = {
@@ -66,19 +65,13 @@ const defaultExpression = {
 export { defaultExpression };
 
 export const Expressions: React.FC<Props> = (props) => {
-  const {
-    setAlertParams,
-    alertParams,
-    errors,
-    alertsContext,
-    alertInterval,
-    alertThrottle,
-  } = props;
+  const { setAlertParams, alertParams, errors, alertInterval, alertThrottle, metadata } = props;
+  const { http, notifications } = useKibanaContextForPlugin().services;
   const { source, createDerivedIndexPattern } = useSourceViaHttp({
     sourceId: 'default',
     type: 'metrics',
-    fetch: alertsContext.http.fetch,
-    toastWarning: alertsContext.toastNotifications.addWarning,
+    fetch: http.fetch,
+    toastWarning: notifications.toasts.addWarning,
   });
 
   const [timeSize, setTimeSize] = useState<number | undefined>(1);
@@ -88,15 +81,15 @@ export const Expressions: React.FC<Props> = (props) => {
   ]);
 
   const options = useMemo<MetricsExplorerOptions>(() => {
-    if (alertsContext.metadata?.currentOptions?.metrics) {
-      return alertsContext.metadata.currentOptions as MetricsExplorerOptions;
+    if (metadata?.currentOptions?.metrics) {
+      return metadata.currentOptions as MetricsExplorerOptions;
     } else {
       return {
         metrics: [],
         aggregation: 'avg',
       };
     }
-  }, [alertsContext.metadata]);
+  }, [metadata]);
 
   const updateParams = useCallback(
     (id, e: MetricExpression) => {
@@ -186,7 +179,7 @@ export const Expressions: React.FC<Props> = (props) => {
   );
 
   const preFillAlertCriteria = useCallback(() => {
-    const md = alertsContext.metadata;
+    const md = metadata;
     if (md?.currentOptions?.metrics?.length) {
       setAlertParams(
         'criteria',
@@ -202,10 +195,10 @@ export const Expressions: React.FC<Props> = (props) => {
     } else {
       setAlertParams('criteria', [defaultExpression]);
     }
-  }, [alertsContext.metadata, setAlertParams, timeSize, timeUnit]);
+  }, [metadata, setAlertParams, timeSize, timeUnit]);
 
   const preFillAlertFilter = useCallback(() => {
-    const md = alertsContext.metadata;
+    const md = metadata;
     if (md && md.currentOptions?.filterQuery) {
       setAlertParams('filterQueryText', md.currentOptions.filterQuery);
       setAlertParams(
@@ -223,14 +216,14 @@ export const Expressions: React.FC<Props> = (props) => {
         convertKueryToElasticSearchQuery(filter, derivedIndexPattern) || ''
       );
     }
-  }, [alertsContext.metadata, derivedIndexPattern, setAlertParams]);
+  }, [metadata, derivedIndexPattern, setAlertParams]);
 
   const preFillAlertGroupBy = useCallback(() => {
-    const md = alertsContext.metadata;
+    const md = metadata;
     if (md && md.currentOptions?.groupBy && !md.series) {
       setAlertParams('groupBy', md.currentOptions.groupBy);
     }
-  }, [alertsContext.metadata, setAlertParams]);
+  }, [metadata, setAlertParams]);
 
   useEffect(() => {
     if (alertParams.criteria && alertParams.criteria.length) {
@@ -251,7 +244,7 @@ export const Expressions: React.FC<Props> = (props) => {
     if (!alertParams.sourceId) {
       setAlertParams('sourceId', source?.id || 'default');
     }
-  }, [alertsContext.metadata, source]); // eslint-disable-line react-hooks/exhaustive-deps
+  }, [metadata, source]); // eslint-disable-line react-hooks/exhaustive-deps
 
   const handleFieldSearchChange = useCallback(
     (e: ChangeEvent<HTMLInputElement>) => onFilterChange(e.target.value),
@@ -291,7 +284,6 @@ export const Expressions: React.FC<Props> = (props) => {
             >
               <ExpressionChart
                 expression={e}
-                context={alertsContext}
                 derivedIndexPattern={derivedIndexPattern}
                 source={source}
                 filterQuery={alertParams.filterQueryText}
@@ -361,7 +353,7 @@ export const Expressions: React.FC<Props> = (props) => {
         fullWidth
         display="rowCompressed"
       >
-        {(alertsContext.metadata && (
+        {(metadata && (
           <MetricsExplorerKueryBar
             derivedIndexPattern={derivedIndexPattern}
             onChange={debouncedOnFilterChange}
@@ -407,7 +399,6 @@ export const Expressions: React.FC<Props> = (props) => {
         alertParams={pick(alertParams, 'criteria', 'groupBy', 'filterQuery', 'sourceId')}
         showNoDataResults={alertParams.alertOnNoData}
         validate={validateMetricThreshold}
-        fetch={alertsContext.http.fetch}
         groupByDisplayName={groupByPreviewDisplayName}
       />
       <EuiSpacer size={'m'} />
diff --git a/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression_chart.test.tsx b/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression_chart.test.tsx
index 5f3f0ea7f3490..a75a692e6e575 100644
--- a/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression_chart.test.tsx
+++ b/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression_chart.test.tsx
@@ -5,11 +5,9 @@
  */
 
 import { mountWithIntl, nextTick } from '@kbn/test/jest';
-import { actionTypeRegistryMock } from '../../../../../triggers_actions_ui/public/application/action_type_registry.mock';
-import { alertTypeRegistryMock } from '../../../../../triggers_actions_ui/public/application/alert_type_registry.mock';
-import { coreMock } from '../../../../../../../src/core/public/mocks';
-import { AlertsContextValue } from '../../../../../triggers_actions_ui/public/application/context/alerts_context';
-import { AlertContextMeta, MetricExpression } from '../types';
+// We are using this inside a `jest.mock` call. Jest requires dynamic dependencies to be prefixed with `mock`
+import { coreMock as mockCoreMock } from 'src/core/public/mocks';
+import { MetricExpression } from '../types';
 import { IIndexPattern } from 'src/plugins/data/public';
 import { InfraSource } from '../../../../common/http_api/source_api';
 import React from 'react';
@@ -17,38 +15,30 @@ import { ExpressionChart } from './expression_chart';
 import { act } from 'react-dom/test-utils';
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
 import { Aggregators, Comparator } from '../../../../server/lib/alerting/metric_threshold/types';
-import { MetricsExplorerResponse } from '../../../../common/http_api';
 
-describe('ExpressionChart', () => {
-  async function setup(
-    expression: MetricExpression,
-    response: MetricsExplorerResponse | null,
-    filterQuery?: string,
-    groupBy?: string
-  ) {
-    const mocks = coreMock.createSetup();
-    const startMocks = coreMock.createStart();
-    const [
-      {
-        application: { capabilities },
-      },
-    ] = await mocks.getStartServices();
+const mockStartServices = mockCoreMock.createStart();
+jest.mock('../../../hooks/use_kibana', () => ({
+  useKibanaContextForPlugin: () => ({
+    services: {
+      ...mockStartServices,
+    },
+  }),
+}));
 
-    const context: AlertsContextValue<AlertContextMeta> = {
-      http: mocks.http,
-      toastNotifications: mocks.notifications.toasts,
-      actionTypeRegistry: actionTypeRegistryMock.create() as any,
-      alertTypeRegistry: alertTypeRegistryMock.create() as any,
-      docLinks: startMocks.docLinks,
-      capabilities: {
-        ...capabilities,
-        actions: {
-          delete: true,
-          save: true,
-          show: true,
-        },
-      },
-    };
+const mockResponse = {
+  pageInfo: {
+    afterKey: null,
+    total: 0,
+  },
+  series: [{ id: 'Everything', rows: [], columns: [] }],
+};
+
+jest.mock('../hooks/use_metrics_explorer_chart_data', () => ({
+  useMetricsExplorerChartData: () => ({ loading: false, data: mockResponse }),
+}));
+
+describe('ExpressionChart', () => {
+  async function setup(expression: MetricExpression, filterQuery?: string, groupBy?: string) {
     const derivedIndexPattern: IIndexPattern = {
       title: 'metricbeat-*',
       fields: [],
@@ -76,11 +66,8 @@ describe('ExpressionChart', () => {
       },
     };
 
-    mocks.http.fetch.mockImplementation(() => Promise.resolve(response));
-
     const wrapper = mountWithIntl(
       <ExpressionChart
-        context={context}
         expression={expression}
         derivedIndexPattern={derivedIndexPattern}
         source={source}
@@ -97,7 +84,7 @@ describe('ExpressionChart', () => {
 
     await update();
 
-    return { wrapper, update, fetchMock: mocks.http.fetch };
+    return { wrapper, update };
   }
 
   it('should display no data message', async () => {
@@ -109,14 +96,7 @@ describe('ExpressionChart', () => {
       threshold: [1],
       comparator: Comparator.GT_OR_EQ,
     };
-    const response = {
-      pageInfo: {
-        afterKey: null,
-        total: 0,
-      },
-      series: [{ id: 'Everything', rows: [], columns: [] }],
-    };
-    const { wrapper } = await setup(expression, response);
+    const { wrapper } = await setup(expression);
     expect(wrapper.find('[data-test-subj~="noChartData"]').exists()).toBeTruthy();
   });
 });
diff --git a/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression_chart.tsx b/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression_chart.tsx
index 065314d31b008..ae53cd8c2081e 100644
--- a/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression_chart.tsx
+++ b/x-pack/plugins/infra/public/alerting/metric_threshold/components/expression_chart.tsx
@@ -21,8 +21,6 @@ import { i18n } from '@kbn/i18n';
 import { EuiText } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n/react';
 import { IIndexPattern } from 'src/plugins/data/public';
-// eslint-disable-next-line @kbn/eslint/no-restricted-paths
-import { AlertsContextValue } from '../../../../../triggers_actions_ui/public/application/context/alerts_context';
 import { InfraSource } from '../../../../common/http_api/source_api';
 import {
   Comparator,
@@ -31,16 +29,16 @@ import {
 import { Color, colorTransformer } from '../../../../common/color_palette';
 import { MetricsExplorerRow, MetricsExplorerAggregation } from '../../../../common/http_api';
 import { MetricExplorerSeriesChart } from '../../../pages/metrics/metrics_explorer/components/series_chart';
-import { MetricExpression, AlertContextMeta } from '../types';
+import { MetricExpression } from '../types';
 import { MetricsExplorerChartType } from '../../../pages/metrics/metrics_explorer/hooks/use_metrics_explorer_options';
 import { getChartTheme } from '../../../pages/metrics/metrics_explorer/components/helpers/get_chart_theme';
 import { createFormatterForMetric } from '../../../pages/metrics/metrics_explorer/components/helpers/create_formatter_for_metric';
 import { calculateDomain } from '../../../pages/metrics/metrics_explorer/components/helpers/calculate_domain';
 import { useMetricsExplorerChartData } from '../hooks/use_metrics_explorer_chart_data';
 import { getMetricId } from '../../../pages/metrics/metrics_explorer/components/helpers/get_metric_id';
+import { useKibanaContextForPlugin } from '../../../hooks/use_kibana';
 
 interface Props {
-  context: AlertsContextValue<AlertContextMeta>;
   expression: MetricExpression;
   derivedIndexPattern: IIndexPattern;
   source: InfraSource | null;
@@ -62,7 +60,6 @@ const TIME_LABELS = {
 
 export const ExpressionChart: React.FC<Props> = ({
   expression,
-  context,
   derivedIndexPattern,
   source,
   filterQuery,
@@ -70,19 +67,20 @@ export const ExpressionChart: React.FC<Props> = ({
 }) => {
   const { loading, data } = useMetricsExplorerChartData(
     expression,
-    context,
     derivedIndexPattern,
     source,
     filterQuery,
     groupBy
   );
 
+  const { uiSettings } = useKibanaContextForPlugin().services;
+
   const metric = {
     field: expression.metric,
     aggregation: expression.aggType as MetricsExplorerAggregation,
     color: Color.color0,
   };
-  const isDarkMode = context.uiSettings?.get('theme:darkMode') || false;
+  const isDarkMode = uiSettings?.get('theme:darkMode') || false;
   const dateFormatter = useMemo(() => {
     const firstSeries = first(data?.series);
     const firstTimestamp = first(firstSeries?.rows)?.timestamp;
diff --git a/x-pack/plugins/infra/public/alerting/metric_threshold/hooks/use_metrics_explorer_chart_data.ts b/x-pack/plugins/infra/public/alerting/metric_threshold/hooks/use_metrics_explorer_chart_data.ts
index a3d09742e9a57..a1ebc37b8e970 100644
--- a/x-pack/plugins/infra/public/alerting/metric_threshold/hooks/use_metrics_explorer_chart_data.ts
+++ b/x-pack/plugins/infra/public/alerting/metric_threshold/hooks/use_metrics_explorer_chart_data.ts
@@ -7,15 +7,12 @@
 import { IIndexPattern } from 'src/plugins/data/public';
 import { useMemo } from 'react';
 import { InfraSource } from '../../../../common/http_api/source_api';
-import { AlertContextMeta, MetricExpression } from '../types';
-// eslint-disable-next-line @kbn/eslint/no-restricted-paths
-import { AlertsContextValue } from '../../../../../triggers_actions_ui/public/application/context/alerts_context';
+import { MetricExpression } from '../types';
 import { MetricsExplorerOptions } from '../../../pages/metrics/metrics_explorer/hooks/use_metrics_explorer_options';
 import { useMetricsExplorerData } from '../../../pages/metrics/metrics_explorer/hooks/use_metrics_explorer_data';
 
 export const useMetricsExplorerChartData = (
   expression: MetricExpression,
-  context: AlertsContextValue<AlertContextMeta>,
   derivedIndexPattern: IIndexPattern,
   source: InfraSource | null,
   filterQuery?: string,
@@ -54,7 +51,6 @@ export const useMetricsExplorerChartData = (
     derivedIndexPattern,
     timerange,
     null,
-    null,
-    context.http.fetch
+    null
   );
 };
diff --git a/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/hooks/use_metric_explorer_state.ts b/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/hooks/use_metric_explorer_state.ts
index 4b46ed2efafc0..169bc9bcbcdb2 100644
--- a/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/hooks/use_metric_explorer_state.ts
+++ b/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/hooks/use_metric_explorer_state.ts
@@ -48,7 +48,6 @@ export const useMetricsExplorerState = (
     currentTimerange,
     afterKey,
     refreshSignal,
-    undefined,
     shouldLoadImmediately
   );
 
diff --git a/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/hooks/use_metrics_explorer_data.ts b/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/hooks/use_metrics_explorer_data.ts
index db1e4ec8e4db8..924f59eb0d1da 100644
--- a/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/hooks/use_metrics_explorer_data.ts
+++ b/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/hooks/use_metrics_explorer_data.ts
@@ -7,7 +7,6 @@
 import DateMath from '@elastic/datemath';
 import { isEqual } from 'lodash';
 import { useEffect, useState, useCallback } from 'react';
-import { HttpHandler } from 'src/core/public';
 import { IIndexPattern } from 'src/plugins/data/public';
 import { SourceQuery } from '../../../../../common/graphql/types';
 import {
@@ -30,11 +29,10 @@ export function useMetricsExplorerData(
   timerange: MetricsExplorerTimeOptions,
   afterKey: string | null | Record<string, string | null>,
   signal: any,
-  fetch?: HttpHandler,
   shouldLoadImmediately = true
 ) {
   const kibana = useKibana();
-  const fetchFn = fetch ? fetch : kibana.services.http?.fetch;
+  const fetchFn = kibana.services.http?.fetch;
   const [error, setError] = useState<Error | null>(null);
   const [loading, setLoading] = useState<boolean>(true);
   const [data, setData] = useState<MetricsExplorerResponse | null>(null);
diff --git a/x-pack/plugins/monitoring/kibana.json b/x-pack/plugins/monitoring/kibana.json
index a3d886b14cdfe..501b84dd8825d 100644
--- a/x-pack/plugins/monitoring/kibana.json
+++ b/x-pack/plugins/monitoring/kibana.json
@@ -24,5 +24,5 @@
   ],
   "server": true,
   "ui": true,
-  "requiredBundles": ["kibanaUtils", "home", "alerts", "kibanaReact", "licenseManagement", "triggersActionsUi"]
+  "requiredBundles": ["kibanaUtils", "home", "alerts", "kibanaReact", "licenseManagement"]
 }
diff --git a/x-pack/plugins/monitoring/public/alerts/alert_form.test.tsx b/x-pack/plugins/monitoring/public/alerts/alert_form.test.tsx
index c62f548dd6781..e4ee805c4b48f 100644
--- a/x-pack/plugins/monitoring/public/alerts/alert_form.test.tsx
+++ b/x-pack/plugins/monitoring/public/alerts/alert_form.test.tsx
@@ -18,7 +18,6 @@ import { alertTypeRegistryMock } from '../../../triggers_actions_ui/public/appli
 import { ValidationResult, Alert } from '../../../triggers_actions_ui/public/types';
 import { AlertForm } from '../../../triggers_actions_ui/public/application/sections/alert_form/alert_form';
 import ActionForm from '../../../triggers_actions_ui/public/application/sections/action_connector_form/action_form';
-import { AlertsContextProvider } from '../../../triggers_actions_ui/public/application/context/alerts_context';
 import { Legacy } from '../legacy_shims';
 import { I18nProvider } from '@kbn/i18n/react';
 import { createKibanaReactContext } from '../../../../../src/plugins/kibana_react/public';
@@ -100,7 +99,6 @@ describe('alert_form', () => {
     let wrapper: ReactWrapper<any>;
 
     beforeEach(async () => {
-      const coreStart = coreMock.createStart();
       alertTypeRegistry.list.mockReturnValue([alertType]);
       alertTypeRegistry.get.mockReturnValue(alertType);
       alertTypeRegistry.has.mockReturnValue(true);
@@ -108,12 +106,7 @@ describe('alert_form', () => {
       actionTypeRegistry.has.mockReturnValue(true);
       actionTypeRegistry.get.mockReturnValue(actionType);
 
-      const monitoringDependencies = {
-        toastNotifications: coreStart.notifications.toasts,
-        ...Legacy.shims.kibanaServices,
-        actionTypeRegistry,
-        alertTypeRegistry,
-      } as any;
+      const KibanaReactContext = createKibanaReactContext(Legacy.shims.kibanaServices);
 
       const initialAlert = ({
         name: 'test',
@@ -131,18 +124,18 @@ describe('alert_form', () => {
       } as unknown) as Alert;
 
       wrapper = mountWithIntl(
-        <AlertsContextProvider
-          value={{
-            ...monitoringDependencies,
-          }}
-        >
-          <AlertForm
-            alert={initialAlert}
-            dispatch={() => {}}
-            errors={{ name: [], interval: [] }}
-            operation="create"
-          />
-        </AlertsContextProvider>
+        <I18nProvider>
+          <KibanaReactContext.Provider>
+            <AlertForm
+              alert={initialAlert}
+              dispatch={() => {}}
+              errors={{ name: [], interval: [] }}
+              operation="create"
+              actionTypeRegistry={actionTypeRegistry}
+              alertTypeRegistry={alertTypeRegistry}
+            />
+          </KibanaReactContext.Provider>
+        </I18nProvider>
       );
 
       await act(async () => {
diff --git a/x-pack/plugins/monitoring/public/alerts/panel.tsx b/x-pack/plugins/monitoring/public/alerts/panel.tsx
index 99db6c8b3c945..fd09a3f9a6275 100644
--- a/x-pack/plugins/monitoring/public/alerts/panel.tsx
+++ b/x-pack/plugins/monitoring/public/alerts/panel.tsx
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import React, { Fragment } from 'react';
+import React, { Fragment, useMemo } from 'react';
 import { i18n } from '@kbn/i18n';
 import { FormattedMessage } from '@kbn/i18n/react';
 import {
@@ -21,8 +21,6 @@ import {
 import { CommonAlertStatus, CommonAlertState, AlertMessage } from '../../common/types/alerts';
 import { Legacy } from '../legacy_shims';
 import { replaceTokens } from './lib/replace_tokens';
-import { AlertsContextProvider } from '../../../triggers_actions_ui/public';
-import { AlertEdit } from '../../../triggers_actions_ui/public';
 import { isInSetupMode, hideBottomBar, showBottomBar } from '../lib/setup_mode';
 import { BASE_ALERT_API_PATH } from '../../../alerts/common';
 import { SetupModeContext } from '../components/setup_mode/setup_mode_context';
@@ -44,6 +42,20 @@ export const AlertPanel: React.FC<Props> = (props: Props) => {
   const [isSaving, setIsSaving] = React.useState(false);
   const inSetupMode = isInSetupMode(React.useContext(SetupModeContext));
 
+  const flyoutUi = useMemo(
+    () =>
+      showFlyout &&
+      Legacy.shims.triggersActionsUi.getEditAlertFlyout({
+        initialAlert: alert.rawAlert,
+        onClose: () => {
+          setShowFlyout(false);
+          showBottomBar();
+        },
+      }),
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [showFlyout]
+  );
+
   if (!alert.rawAlert) {
     return null;
   }
@@ -105,29 +117,6 @@ export const AlertPanel: React.FC<Props> = (props: Props) => {
     setIsSaving(false);
   }
 
-  const flyoutUi = showFlyout ? (
-    <AlertsContextProvider
-      value={{
-        http: Legacy.shims.http,
-        actionTypeRegistry: Legacy.shims.actionTypeRegistry,
-        alertTypeRegistry: Legacy.shims.alertTypeRegistry,
-        toastNotifications: Legacy.shims.toastNotifications,
-        uiSettings: Legacy.shims.uiSettings,
-        docLinks: Legacy.shims.docLinks,
-        reloadAlerts: async () => {},
-        capabilities: Legacy.shims.capabilities,
-      }}
-    >
-      <AlertEdit
-        initialAlert={alert.rawAlert}
-        onClose={() => {
-          setShowFlyout(false);
-          showBottomBar();
-        }}
-      />
-    </AlertsContextProvider>
-  ) : null;
-
   const configurationUi = (
     <Fragment>
       <EuiFlexGroup justifyContent="spaceBetween" alignItems="center" gutterSize="m">
diff --git a/x-pack/plugins/monitoring/public/legacy_shims.ts b/x-pack/plugins/monitoring/public/legacy_shims.ts
index f2af4bd0b19a4..12a971391f62b 100644
--- a/x-pack/plugins/monitoring/public/legacy_shims.ts
+++ b/x-pack/plugins/monitoring/public/legacy_shims.ts
@@ -8,7 +8,7 @@ import { CoreStart, HttpSetup, IUiSettingsClient } from 'kibana/public';
 import { Observable } from 'rxjs';
 import { HttpRequestInit } from '../../../../src/core/public';
 import { MonitoringStartPluginDependencies } from './types';
-import { TriggersAndActionsUIPublicPluginSetup } from '../../triggers_actions_ui/public';
+import { TriggersAndActionsUIPublicPluginStart } from '../../triggers_actions_ui/public';
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
 import { TypeRegistry } from '../../triggers_actions_ui/public/application/type_registry';
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
@@ -59,7 +59,7 @@ export interface IShims {
     kfetchOptions?: KFetchKibanaOptions | undefined
   ) => Promise<any>;
   isCloud: boolean;
-  triggersActionsUi: TriggersAndActionsUIPublicPluginSetup;
+  triggersActionsUi: TriggersAndActionsUIPublicPluginStart;
   usageCollection: UsageCollectionSetup;
   kibanaServices: CoreStart & { usageCollection: UsageCollectionSetup };
 }
diff --git a/x-pack/plugins/monitoring/public/plugin.ts b/x-pack/plugins/monitoring/public/plugin.ts
index a228c540761b8..0439b47569e72 100644
--- a/x-pack/plugins/monitoring/public/plugin.ts
+++ b/x-pack/plugins/monitoring/public/plugin.ts
@@ -93,7 +93,7 @@ export class MonitoringPlugin
           isCloud: Boolean(plugins.cloud?.isCloudEnabled),
           pluginInitializerContext: this.initializerContext,
           externalConfig: this.getExternalConfig(),
-          triggersActionsUi: plugins.triggersActionsUi,
+          triggersActionsUi: pluginsStart.triggersActionsUi,
           usageCollection: plugins.usageCollection,
         };
 
diff --git a/x-pack/plugins/monitoring/public/types.ts b/x-pack/plugins/monitoring/public/types.ts
index 238af7276d586..db872691a5e7e 100644
--- a/x-pack/plugins/monitoring/public/types.ts
+++ b/x-pack/plugins/monitoring/public/types.ts
@@ -7,7 +7,7 @@
 import { PluginInitializerContext, CoreStart } from 'kibana/public';
 import { NavigationPublicPluginStart as NavigationStart } from '../../../../src/plugins/navigation/public';
 import { DataPublicPluginStart } from '../../../../src/plugins/data/public';
-import { TriggersAndActionsUIPublicPluginSetup } from '../../triggers_actions_ui/public';
+import { TriggersAndActionsUIPublicPluginStart } from '../../triggers_actions_ui/public';
 import { KibanaLegacyStart } from '../../../../src/plugins/kibana_legacy/public';
 import { UsageCollectionSetup } from '../../../../src/plugins/usage_collection/public';
 
@@ -23,6 +23,6 @@ export interface MonitoringStartPluginDependencies {
   isCloud: boolean;
   pluginInitializerContext: PluginInitializerContext;
   externalConfig: Array<Array<string | number> | Array<string | boolean>>;
-  triggersActionsUi: TriggersAndActionsUIPublicPluginSetup;
+  triggersActionsUi: TriggersAndActionsUIPublicPluginStart;
   usageCollection: UsageCollectionSetup;
 }
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/index.ts b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/index.ts
index d3b5f14dcc9e7..59effdbf8f512 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/index.ts
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/index.ts
@@ -7,9 +7,9 @@ import { lazy } from 'react';
 import { i18n } from '@kbn/i18n';
 import { validateExpression } from './validation';
 import { GeoContainmentAlertParams } from './types';
-import { AlertTypeModel, AlertsContextValue } from '../../../../triggers_actions_ui/public';
+import { AlertTypeModel } from '../../../../triggers_actions_ui/public';
 
-export function getAlertType(): AlertTypeModel<GeoContainmentAlertParams, AlertsContextValue> {
+export function getAlertType(): AlertTypeModel<GeoContainmentAlertParams> {
   return {
     id: '.geo-containment',
     name: i18n.translate('xpack.stackAlerts.geoContainment.name.trackingContainment', {
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/__snapshots__/geo_containment_alert_type_expression.test.tsx.snap b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/__snapshots__/geo_containment_alert_type_expression.test.tsx.snap
index cc8395455d89d..535c883aed536 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/__snapshots__/geo_containment_alert_type_expression.test.tsx.snap
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/__snapshots__/geo_containment_alert_type_expression.test.tsx.snap
@@ -16,13 +16,23 @@ exports[`should render BoundaryIndexExpression 1`] = `
         labelType="label"
       >
         <GeoIndexPatternSelect
-          IndexPatternSelectComponent={null}
-          http={null}
+          IndexPatternSelectComponent={[MockFunction]}
           includedGeoTypes={
             Array [
               "geo_shape",
             ]
           }
+          indexPatternService={
+            Object {
+              "clearCache": [MockFunction],
+              "createField": [MockFunction],
+              "createFieldList": [MockFunction],
+              "ensureDefaultIndexPattern": [MockFunction],
+              "find": [MockFunction],
+              "get": [MockFunction],
+              "make": [Function],
+            }
+          }
           onChange={[Function]}
         />
       </EuiFormRow>
@@ -82,13 +92,23 @@ exports[`should render EntityIndexExpression 1`] = `
         labelType="label"
       >
         <GeoIndexPatternSelect
-          IndexPatternSelectComponent={null}
-          http={null}
+          IndexPatternSelectComponent={[MockFunction]}
           includedGeoTypes={
             Array [
               "geo_point",
             ]
           }
+          indexPatternService={
+            Object {
+              "clearCache": [MockFunction],
+              "createField": [MockFunction],
+              "createFieldList": [MockFunction],
+              "ensureDefaultIndexPattern": [MockFunction],
+              "find": [MockFunction],
+              "get": [MockFunction],
+              "make": [Function],
+            }
+          }
           onChange={[Function]}
         />
       </EuiFormRow>
@@ -154,13 +174,23 @@ exports[`should render EntityIndexExpression w/ invalid flag if invalid 1`] = `
         labelType="label"
       >
         <GeoIndexPatternSelect
-          IndexPatternSelectComponent={null}
-          http={null}
+          IndexPatternSelectComponent={[MockFunction]}
           includedGeoTypes={
             Array [
               "geo_point",
             ]
           }
+          indexPatternService={
+            Object {
+              "clearCache": [MockFunction],
+              "createField": [MockFunction],
+              "createFieldList": [MockFunction],
+              "ensureDefaultIndexPattern": [MockFunction],
+              "find": [MockFunction],
+              "get": [MockFunction],
+              "make": [Function],
+            }
+          }
           onChange={[Function]}
         />
       </EuiFormRow>
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/expressions/boundary_index_expression.tsx b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/expressions/boundary_index_expression.tsx
index a6a5aeb366cc5..f875e6179d82e 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/expressions/boundary_index_expression.tsx
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/expressions/boundary_index_expression.tsx
@@ -7,7 +7,10 @@
 import React, { Fragment, FunctionComponent, useEffect, useRef } from 'react';
 import { EuiFormRow } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
-import { IErrorObject, AlertsContextValue } from '../../../../../../triggers_actions_ui/public';
+import { DataPublicPluginStart } from 'src/plugins/data/public';
+import { HttpSetup } from 'kibana/public';
+import { useKibana } from '../../../../../../../../src/plugins/kibana_react/public';
+import { IErrorObject } from '../../../../../../triggers_actions_ui/public';
 import { ES_GEO_SHAPE_TYPES, GeoContainmentAlertParams } from '../../types';
 import { GeoIndexPatternSelect } from '../util_components/geo_index_pattern_select';
 import { SingleFieldSelect } from '../util_components/single_field_select';
@@ -17,29 +20,33 @@ import { IIndexPattern } from '../../../../../../../../src/plugins/data/common/i
 
 interface Props {
   alertParams: GeoContainmentAlertParams;
-  alertsContext: AlertsContextValue;
   errors: IErrorObject;
   boundaryIndexPattern: IIndexPattern;
   boundaryNameField?: string;
   setBoundaryIndexPattern: (boundaryIndexPattern?: IIndexPattern) => void;
   setBoundaryGeoField: (boundaryGeoField?: string) => void;
   setBoundaryNameField: (boundaryNameField?: string) => void;
+  data: DataPublicPluginStart;
+}
+
+interface KibanaDeps {
+  http: HttpSetup;
 }
 
 export const BoundaryIndexExpression: FunctionComponent<Props> = ({
   alertParams,
-  alertsContext,
   errors,
   boundaryIndexPattern,
   boundaryNameField,
   setBoundaryIndexPattern,
   setBoundaryGeoField,
   setBoundaryNameField,
+  data,
 }) => {
   // eslint-disable-next-line react-hooks/exhaustive-deps
   const BOUNDARY_NAME_ENTITY_TYPES = ['string', 'number', 'ip'];
-  const { dataUi, dataIndexPatterns, http } = alertsContext;
-  const IndexPatternSelect = (dataUi && dataUi.IndexPatternSelect) || null;
+  const { http } = useKibana<KibanaDeps>().services;
+  const IndexPatternSelect = (data.ui && data.ui.IndexPatternSelect) || null;
   const { boundaryGeoField } = alertParams;
   // eslint-disable-next-line react-hooks/exhaustive-deps
   const nothingSelected: IFieldType = {
@@ -110,7 +117,7 @@ export const BoundaryIndexExpression: FunctionComponent<Props> = ({
           }}
           value={boundaryIndexPattern.id}
           IndexPatternSelectComponent={IndexPatternSelect}
-          indexPatternService={dataIndexPatterns}
+          indexPatternService={data.indexPatterns}
           http={http}
           includedGeoTypes={ES_GEO_SHAPE_TYPES}
         />
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/expressions/entity_index_expression.tsx b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/expressions/entity_index_expression.tsx
index 76edeac06ac9c..26b8a1a5165fb 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/expressions/entity_index_expression.tsx
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/expressions/entity_index_expression.tsx
@@ -8,9 +8,11 @@ import React, { Fragment, FunctionComponent, useEffect, useRef } from 'react';
 import { EuiFormRow } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n/react';
 import { i18n } from '@kbn/i18n';
+import { DataPublicPluginStart } from 'src/plugins/data/public';
+import { HttpSetup } from 'kibana/public';
+import { useKibana } from '../../../../../../../../src/plugins/kibana_react/public';
 import {
   IErrorObject,
-  AlertsContextValue,
   AlertTypeParamsExpressionProps,
 } from '../../../../../../triggers_actions_ui/public';
 import { ES_GEO_FIELD_TYPES } from '../../types';
@@ -23,7 +25,6 @@ import { IIndexPattern } from '../../../../../../../../src/plugins/data/common/i
 interface Props {
   dateField: string;
   geoField: string;
-  alertsContext: AlertsContextValue;
   errors: IErrorObject;
   setAlertParamsDate: (date: string) => void;
   setAlertParamsGeoField: (geoField: string) => void;
@@ -31,21 +32,26 @@ interface Props {
   setIndexPattern: (indexPattern: IIndexPattern) => void;
   indexPattern: IIndexPattern;
   isInvalid: boolean;
+  data: DataPublicPluginStart;
+}
+
+interface KibanaDeps {
+  http: HttpSetup;
 }
 
 export const EntityIndexExpression: FunctionComponent<Props> = ({
   setAlertParamsDate,
   setAlertParamsGeoField,
   errors,
-  alertsContext,
   setIndexPattern,
   indexPattern,
   isInvalid,
   dateField: timeField,
   geoField,
+  data,
 }) => {
-  const { dataUi, dataIndexPatterns, http } = alertsContext;
-  const IndexPatternSelect = (dataUi && dataUi.IndexPatternSelect) || null;
+  const { http } = useKibana<KibanaDeps>().services;
+  const IndexPatternSelect = (data.ui && data.ui.IndexPatternSelect) || null;
 
   const usePrevious = <T extends unknown>(value: T): T | undefined => {
     const ref = useRef<T>();
@@ -98,7 +104,7 @@ export const EntityIndexExpression: FunctionComponent<Props> = ({
           }}
           value={indexPattern.id}
           IndexPatternSelectComponent={IndexPatternSelect}
-          indexPatternService={dataIndexPatterns}
+          indexPatternService={data.indexPatterns}
           http={http}
           includedGeoTypes={ES_GEO_FIELD_TYPES}
         />
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/geo_containment_alert_type_expression.test.tsx b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/geo_containment_alert_type_expression.test.tsx
index c35427bc6bc05..0c5f121943e02 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/geo_containment_alert_type_expression.test.tsx
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/geo_containment_alert_type_expression.test.tsx
@@ -8,22 +8,11 @@ import React from 'react';
 import { shallow } from 'enzyme';
 import { EntityIndexExpression } from './expressions/entity_index_expression';
 import { BoundaryIndexExpression } from './expressions/boundary_index_expression';
-import { ApplicationStart, DocLinksStart, HttpSetup, ToastsStart } from 'kibana/public';
-import {
-  ActionTypeRegistryContract,
-  AlertTypeRegistryContract,
-  IErrorObject,
-} from '../../../../../triggers_actions_ui/public';
+import { IErrorObject } from '../../../../../triggers_actions_ui/public';
 import { IIndexPattern } from '../../../../../../../src/plugins/data/common';
+import { dataPluginMock } from 'src/plugins/data/public/mocks';
 
-const alertsContext = {
-  http: (null as unknown) as HttpSetup,
-  alertTypeRegistry: (null as unknown) as AlertTypeRegistryContract,
-  actionTypeRegistry: (null as unknown) as ActionTypeRegistryContract,
-  toastNotifications: (null as unknown) as ToastsStart,
-  docLinks: (null as unknown) as DocLinksStart,
-  capabilities: (null as unknown) as ApplicationStart['capabilities'],
-};
+const dataStartMock = dataPluginMock.createStartContract();
 
 const alertParams = {
   index: '',
@@ -42,7 +31,6 @@ test('should render EntityIndexExpression', async () => {
     <EntityIndexExpression
       dateField={'testDateField'}
       geoField={'testGeoField'}
-      alertsContext={alertsContext}
       errors={{} as IErrorObject}
       setAlertParamsDate={() => {}}
       setAlertParamsGeoField={() => {}}
@@ -50,6 +38,7 @@ test('should render EntityIndexExpression', async () => {
       setIndexPattern={() => {}}
       indexPattern={('' as unknown) as IIndexPattern}
       isInvalid={false}
+      data={dataStartMock}
     />
   );
 
@@ -61,7 +50,6 @@ test('should render EntityIndexExpression w/ invalid flag if invalid', async ()
     <EntityIndexExpression
       dateField={'testDateField'}
       geoField={'testGeoField'}
-      alertsContext={alertsContext}
       errors={{} as IErrorObject}
       setAlertParamsDate={() => {}}
       setAlertParamsGeoField={() => {}}
@@ -69,6 +57,7 @@ test('should render EntityIndexExpression w/ invalid flag if invalid', async ()
       setIndexPattern={() => {}}
       indexPattern={('' as unknown) as IIndexPattern}
       isInvalid={true}
+      data={dataStartMock}
     />
   );
 
@@ -79,13 +68,13 @@ test('should render BoundaryIndexExpression', async () => {
   const component = shallow(
     <BoundaryIndexExpression
       alertParams={alertParams}
-      alertsContext={alertsContext}
       errors={{} as IErrorObject}
       boundaryIndexPattern={('' as unknown) as IIndexPattern}
       setBoundaryIndexPattern={() => {}}
       setBoundaryGeoField={() => {}}
       setBoundaryNameField={() => {}}
       boundaryNameField={'testNameField'}
+      data={dataStartMock}
     />
   );
 
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/index.tsx b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/index.tsx
index 1c0b712566d59..cb8fd9a95e7ce 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/index.tsx
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_containment/query_builder/index.tsx
@@ -8,10 +8,7 @@ import React, { Fragment, useEffect, useState } from 'react';
 import { EuiCallOut, EuiFlexItem, EuiSpacer, EuiTitle } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n/react';
 import { i18n } from '@kbn/i18n';
-import {
-  AlertTypeParamsExpressionProps,
-  AlertsContextValue,
-} from '../../../../../triggers_actions_ui/public';
+import { AlertTypeParamsExpressionProps } from '../../../../../triggers_actions_ui/public';
 import { GeoContainmentAlertParams } from '../types';
 import { EntityIndexExpression } from './expressions/entity_index_expression';
 import { EntityByExpression } from './expressions/entity_by_expression';
@@ -52,8 +49,8 @@ function validateQuery(query: Query) {
 }
 
 export const GeoContainmentAlertTypeExpression: React.FunctionComponent<
-  AlertTypeParamsExpressionProps<GeoContainmentAlertParams, AlertsContextValue>
-> = ({ alertParams, alertInterval, setAlertParams, setAlertProperty, errors, alertsContext }) => {
+  AlertTypeParamsExpressionProps<GeoContainmentAlertParams>
+> = ({ alertParams, alertInterval, setAlertParams, setAlertProperty, errors, data }) => {
   const {
     index,
     indexId,
@@ -137,15 +134,15 @@ export const GeoContainmentAlertTypeExpression: React.FunctionComponent<
         boundaryGeoField: boundaryGeoField ?? DEFAULT_VALUES.BOUNDARY_GEO_FIELD,
         boundaryNameField: boundaryNameField ?? DEFAULT_VALUES.BOUNDARY_NAME_FIELD,
       });
-      if (!alertsContext.dataIndexPatterns) {
+      if (!data.indexPatterns) {
         return;
       }
       if (indexId) {
-        const _indexPattern = await alertsContext.dataIndexPatterns.get(indexId);
+        const _indexPattern = await data.indexPatterns.get(indexId);
         setIndexPattern(_indexPattern);
       }
       if (boundaryIndexId) {
-        const _boundaryIndexPattern = await alertsContext.dataIndexPatterns.get(boundaryIndexId);
+        const _boundaryIndexPattern = await data.indexPatterns.get(boundaryIndexId);
         setBoundaryIndexPattern(_boundaryIndexPattern);
       }
     };
@@ -175,7 +172,6 @@ export const GeoContainmentAlertTypeExpression: React.FunctionComponent<
       <EntityIndexExpression
         dateField={dateField}
         geoField={geoField}
-        alertsContext={alertsContext}
         errors={errors}
         setAlertParamsDate={(_date) => setAlertParams('dateField', _date)}
         setAlertParamsGeoField={(_geoField) => setAlertParams('geoField', _geoField)}
@@ -183,6 +179,7 @@ export const GeoContainmentAlertTypeExpression: React.FunctionComponent<
         setIndexPattern={setIndexPattern}
         indexPattern={indexPattern}
         isInvalid={!indexId || !dateField || !geoField}
+        data={data}
       />
       <EntityByExpression
         errors={errors}
@@ -220,7 +217,6 @@ export const GeoContainmentAlertTypeExpression: React.FunctionComponent<
       <EuiSpacer size="s" />
       <BoundaryIndexExpression
         alertParams={alertParams}
-        alertsContext={alertsContext}
         errors={errors}
         boundaryIndexPattern={boundaryIndexPattern}
         setBoundaryIndexPattern={setBoundaryIndexPattern}
@@ -233,6 +229,7 @@ export const GeoContainmentAlertTypeExpression: React.FunctionComponent<
             : setAlertParams('boundaryNameField', '')
         }
         boundaryNameField={boundaryNameField}
+        data={data}
       />
       <EuiSpacer size="s" />
       <EuiFlexItem>
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/index.ts b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/index.ts
index 35f5648de40f3..cc8d78b53137e 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/index.ts
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/index.ts
@@ -7,9 +7,9 @@ import { lazy } from 'react';
 import { i18n } from '@kbn/i18n';
 import { validateExpression } from './validation';
 import { GeoThresholdAlertParams } from './types';
-import { AlertTypeModel, AlertsContextValue } from '../../../../triggers_actions_ui/public';
+import { AlertTypeModel } from '../../../../triggers_actions_ui/public';
 
-export function getAlertType(): AlertTypeModel<GeoThresholdAlertParams, AlertsContextValue> {
+export function getAlertType(): AlertTypeModel<GeoThresholdAlertParams> {
   return {
     id: '.geo-threshold',
     name: i18n.translate('xpack.stackAlerts.geoThreshold.name.trackingThreshold', {
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/__snapshots__/geo_threshold_alert_type_expression.test.tsx.snap b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/__snapshots__/geo_threshold_alert_type_expression.test.tsx.snap
index dae168417b0bc..127dd2f3b8474 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/__snapshots__/geo_threshold_alert_type_expression.test.tsx.snap
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/__snapshots__/geo_threshold_alert_type_expression.test.tsx.snap
@@ -16,13 +16,23 @@ exports[`should render BoundaryIndexExpression 1`] = `
         labelType="label"
       >
         <GeoIndexPatternSelect
-          IndexPatternSelectComponent={null}
-          http={null}
+          IndexPatternSelectComponent={[MockFunction]}
           includedGeoTypes={
             Array [
               "geo_shape",
             ]
           }
+          indexPatternService={
+            Object {
+              "clearCache": [MockFunction],
+              "createField": [MockFunction],
+              "createFieldList": [MockFunction],
+              "ensureDefaultIndexPattern": [MockFunction],
+              "find": [MockFunction],
+              "get": [MockFunction],
+              "make": [Function],
+            }
+          }
           onChange={[Function]}
         />
       </EuiFormRow>
@@ -82,13 +92,23 @@ exports[`should render EntityIndexExpression 1`] = `
         labelType="label"
       >
         <GeoIndexPatternSelect
-          IndexPatternSelectComponent={null}
-          http={null}
+          IndexPatternSelectComponent={[MockFunction]}
           includedGeoTypes={
             Array [
               "geo_point",
             ]
           }
+          indexPatternService={
+            Object {
+              "clearCache": [MockFunction],
+              "createField": [MockFunction],
+              "createFieldList": [MockFunction],
+              "ensureDefaultIndexPattern": [MockFunction],
+              "find": [MockFunction],
+              "get": [MockFunction],
+              "make": [Function],
+            }
+          }
           onChange={[Function]}
         />
       </EuiFormRow>
@@ -154,13 +174,23 @@ exports[`should render EntityIndexExpression w/ invalid flag if invalid 1`] = `
         labelType="label"
       >
         <GeoIndexPatternSelect
-          IndexPatternSelectComponent={null}
-          http={null}
+          IndexPatternSelectComponent={[MockFunction]}
           includedGeoTypes={
             Array [
               "geo_point",
             ]
           }
+          indexPatternService={
+            Object {
+              "clearCache": [MockFunction],
+              "createField": [MockFunction],
+              "createFieldList": [MockFunction],
+              "ensureDefaultIndexPattern": [MockFunction],
+              "find": [MockFunction],
+              "get": [MockFunction],
+              "make": [Function],
+            }
+          }
           onChange={[Function]}
         />
       </EuiFormRow>
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/expressions/boundary_index_expression.tsx b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/expressions/boundary_index_expression.tsx
index 6433845370ff7..93918c82d664c 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/expressions/boundary_index_expression.tsx
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/expressions/boundary_index_expression.tsx
@@ -7,7 +7,10 @@
 import React, { Fragment, FunctionComponent, useEffect, useRef } from 'react';
 import { EuiFormRow } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
-import { IErrorObject, AlertsContextValue } from '../../../../../../triggers_actions_ui/public';
+import { DataPublicPluginStart } from 'src/plugins/data/public';
+import { HttpSetup } from 'kibana/public';
+import { useKibana } from '../../../../../../../../src/plugins/kibana_react/public';
+import { IErrorObject } from '../../../../../../triggers_actions_ui/public';
 import { ES_GEO_SHAPE_TYPES, GeoThresholdAlertParams } from '../../types';
 import { GeoIndexPatternSelect } from '../util_components/geo_index_pattern_select';
 import { SingleFieldSelect } from '../util_components/single_field_select';
@@ -17,29 +20,33 @@ import { IIndexPattern } from '../../../../../../../../src/plugins/data/common/i
 
 interface Props {
   alertParams: GeoThresholdAlertParams;
-  alertsContext: AlertsContextValue;
   errors: IErrorObject;
   boundaryIndexPattern: IIndexPattern;
   boundaryNameField?: string;
   setBoundaryIndexPattern: (boundaryIndexPattern?: IIndexPattern) => void;
   setBoundaryGeoField: (boundaryGeoField?: string) => void;
   setBoundaryNameField: (boundaryNameField?: string) => void;
+  data: DataPublicPluginStart;
+}
+
+interface KibanaDeps {
+  http: HttpSetup;
 }
 
 export const BoundaryIndexExpression: FunctionComponent<Props> = ({
   alertParams,
-  alertsContext,
   errors,
   boundaryIndexPattern,
   boundaryNameField,
   setBoundaryIndexPattern,
   setBoundaryGeoField,
   setBoundaryNameField,
+  data,
 }) => {
   // eslint-disable-next-line react-hooks/exhaustive-deps
   const BOUNDARY_NAME_ENTITY_TYPES = ['string', 'number', 'ip'];
-  const { dataUi, dataIndexPatterns, http } = alertsContext;
-  const IndexPatternSelect = (dataUi && dataUi.IndexPatternSelect) || null;
+  const { http } = useKibana<KibanaDeps>().services;
+  const IndexPatternSelect = (data.ui && data.ui.IndexPatternSelect) || null;
   const { boundaryGeoField } = alertParams;
   // eslint-disable-next-line react-hooks/exhaustive-deps
   const nothingSelected: IFieldType = {
@@ -110,7 +117,7 @@ export const BoundaryIndexExpression: FunctionComponent<Props> = ({
           }}
           value={boundaryIndexPattern.id}
           IndexPatternSelectComponent={IndexPatternSelect}
-          indexPatternService={dataIndexPatterns}
+          indexPatternService={data.indexPatterns}
           http={http}
           includedGeoTypes={ES_GEO_SHAPE_TYPES}
         />
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/expressions/entity_index_expression.tsx b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/expressions/entity_index_expression.tsx
index 0a722734ffc5a..aea1f2bbf56a4 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/expressions/entity_index_expression.tsx
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/expressions/entity_index_expression.tsx
@@ -8,9 +8,10 @@ import React, { Fragment, FunctionComponent, useEffect, useRef } from 'react';
 import { EuiFormRow } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n/react';
 import { i18n } from '@kbn/i18n';
+import { DataPublicPluginStart } from 'src/plugins/data/public';
+import { useKibana } from '../../../../../../../../src/plugins/kibana_react/public';
 import {
   IErrorObject,
-  AlertsContextValue,
   AlertTypeParamsExpressionProps,
 } from '../../../../../../triggers_actions_ui/public';
 import { ES_GEO_FIELD_TYPES } from '../../types';
@@ -23,7 +24,6 @@ import { IIndexPattern } from '../../../../../../../../src/plugins/data/common/i
 interface Props {
   dateField: string;
   geoField: string;
-  alertsContext: AlertsContextValue;
   errors: IErrorObject;
   setAlertParamsDate: (date: string) => void;
   setAlertParamsGeoField: (geoField: string) => void;
@@ -31,21 +31,22 @@ interface Props {
   setIndexPattern: (indexPattern: IIndexPattern) => void;
   indexPattern: IIndexPattern;
   isInvalid: boolean;
+  data: DataPublicPluginStart;
 }
 
 export const EntityIndexExpression: FunctionComponent<Props> = ({
   setAlertParamsDate,
   setAlertParamsGeoField,
   errors,
-  alertsContext,
   setIndexPattern,
   indexPattern,
   isInvalid,
   dateField: timeField,
   geoField,
+  data,
 }) => {
-  const { dataUi, dataIndexPatterns, http } = alertsContext;
-  const IndexPatternSelect = (dataUi && dataUi.IndexPatternSelect) || null;
+  const { http } = useKibana().services;
+  const IndexPatternSelect = (data.ui && data.ui.IndexPatternSelect) || null;
 
   const usePrevious = <T extends unknown>(value: T): T | undefined => {
     const ref = useRef<T>();
@@ -98,8 +99,8 @@ export const EntityIndexExpression: FunctionComponent<Props> = ({
           }}
           value={indexPattern.id}
           IndexPatternSelectComponent={IndexPatternSelect}
-          indexPatternService={dataIndexPatterns}
-          http={http}
+          indexPatternService={data.indexPatterns}
+          http={http!}
           includedGeoTypes={ES_GEO_FIELD_TYPES}
         />
       </EuiFormRow>
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/geo_threshold_alert_type_expression.test.tsx b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/geo_threshold_alert_type_expression.test.tsx
index d115dbeb76e37..c8158b0a6feaa 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/geo_threshold_alert_type_expression.test.tsx
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/geo_threshold_alert_type_expression.test.tsx
@@ -8,22 +8,9 @@ import React from 'react';
 import { shallow } from 'enzyme';
 import { EntityIndexExpression } from './expressions/entity_index_expression';
 import { BoundaryIndexExpression } from './expressions/boundary_index_expression';
-import { ApplicationStart, DocLinksStart, HttpSetup, ToastsStart } from 'kibana/public';
-import {
-  ActionTypeRegistryContract,
-  AlertTypeRegistryContract,
-  IErrorObject,
-} from '../../../../../triggers_actions_ui/public';
+import { IErrorObject } from '../../../../../triggers_actions_ui/public';
 import { IIndexPattern } from '../../../../../../../src/plugins/data/common';
-
-const alertsContext = {
-  http: (null as unknown) as HttpSetup,
-  alertTypeRegistry: (null as unknown) as AlertTypeRegistryContract,
-  actionTypeRegistry: (null as unknown) as ActionTypeRegistryContract,
-  toastNotifications: (null as unknown) as ToastsStart,
-  docLinks: (null as unknown) as DocLinksStart,
-  capabilities: (null as unknown) as ApplicationStart['capabilities'],
-};
+import { dataPluginMock } from 'src/plugins/data/public/mocks';
 
 const alertParams = {
   index: '',
@@ -38,12 +25,13 @@ const alertParams = {
   boundaryGeoField: '',
 };
 
+const dataStartMock = dataPluginMock.createStartContract();
+
 test('should render EntityIndexExpression', async () => {
   const component = shallow(
     <EntityIndexExpression
       dateField={'testDateField'}
       geoField={'testGeoField'}
-      alertsContext={alertsContext}
       errors={{} as IErrorObject}
       setAlertParamsDate={() => {}}
       setAlertParamsGeoField={() => {}}
@@ -51,6 +39,7 @@ test('should render EntityIndexExpression', async () => {
       setIndexPattern={() => {}}
       indexPattern={('' as unknown) as IIndexPattern}
       isInvalid={false}
+      data={dataStartMock}
     />
   );
 
@@ -62,7 +51,6 @@ test('should render EntityIndexExpression w/ invalid flag if invalid', async ()
     <EntityIndexExpression
       dateField={'testDateField'}
       geoField={'testGeoField'}
-      alertsContext={alertsContext}
       errors={{} as IErrorObject}
       setAlertParamsDate={() => {}}
       setAlertParamsGeoField={() => {}}
@@ -70,6 +58,7 @@ test('should render EntityIndexExpression w/ invalid flag if invalid', async ()
       setIndexPattern={() => {}}
       indexPattern={('' as unknown) as IIndexPattern}
       isInvalid={true}
+      data={dataStartMock}
     />
   );
 
@@ -80,13 +69,13 @@ test('should render BoundaryIndexExpression', async () => {
   const component = shallow(
     <BoundaryIndexExpression
       alertParams={alertParams}
-      alertsContext={alertsContext}
       errors={{} as IErrorObject}
       boundaryIndexPattern={('' as unknown) as IIndexPattern}
       setBoundaryIndexPattern={() => {}}
       setBoundaryGeoField={() => {}}
       setBoundaryNameField={() => {}}
       boundaryNameField={'testNameField'}
+      data={dataStartMock}
     />
   );
 
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/index.tsx b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/index.tsx
index a34b367668ec7..2a08a4b32f076 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/index.tsx
+++ b/x-pack/plugins/stack_alerts/public/alert_types/geo_threshold/query_builder/index.tsx
@@ -22,7 +22,6 @@ import { i18n } from '@kbn/i18n';
 import {
   AlertTypeParamsExpressionProps,
   getTimeOptions,
-  AlertsContextValue,
 } from '../../../../../triggers_actions_ui/public';
 import { GeoThresholdAlertParams, TrackingEvent } from '../types';
 import { ExpressionWithPopover } from './util_components/expression_with_popover';
@@ -86,8 +85,8 @@ function validateQuery(query: Query) {
 }
 
 export const GeoThresholdAlertTypeExpression: React.FunctionComponent<
-  AlertTypeParamsExpressionProps<GeoThresholdAlertParams, AlertsContextValue>
-> = ({ alertParams, alertInterval, setAlertParams, setAlertProperty, errors, alertsContext }) => {
+  AlertTypeParamsExpressionProps<GeoThresholdAlertParams>
+> = ({ alertParams, alertInterval, setAlertParams, setAlertProperty, errors, data }) => {
   const {
     index,
     indexId,
@@ -181,15 +180,15 @@ export const GeoThresholdAlertTypeExpression: React.FunctionComponent<
         boundaryNameField: boundaryNameField ?? DEFAULT_VALUES.BOUNDARY_NAME_FIELD,
         delayOffsetWithUnits: delayOffsetWithUnits ?? DEFAULT_VALUES.DELAY_OFFSET_WITH_UNITS,
       });
-      if (!alertsContext.dataIndexPatterns) {
+      if (!data?.indexPatterns) {
         return;
       }
       if (indexId) {
-        const _indexPattern = await alertsContext.dataIndexPatterns.get(indexId);
+        const _indexPattern = await data?.indexPatterns.get(indexId);
         setIndexPattern(_indexPattern);
       }
       if (boundaryIndexId) {
-        const _boundaryIndexPattern = await alertsContext.dataIndexPatterns.get(boundaryIndexId);
+        const _boundaryIndexPattern = await data?.indexPatterns.get(boundaryIndexId);
         setBoundaryIndexPattern(_boundaryIndexPattern);
       }
       if (delayOffsetWithUnits) {
@@ -263,7 +262,6 @@ export const GeoThresholdAlertTypeExpression: React.FunctionComponent<
       <EntityIndexExpression
         dateField={dateField}
         geoField={geoField}
-        alertsContext={alertsContext}
         errors={errors}
         setAlertParamsDate={(_date) => setAlertParams('dateField', _date)}
         setAlertParamsGeoField={(_geoField) => setAlertParams('geoField', _geoField)}
@@ -271,6 +269,7 @@ export const GeoThresholdAlertTypeExpression: React.FunctionComponent<
         setIndexPattern={setIndexPattern}
         indexPattern={indexPattern}
         isInvalid={!indexId || !dateField || !geoField}
+        data={data}
       />
       <EntityByExpression
         errors={errors}
@@ -347,7 +346,6 @@ export const GeoThresholdAlertTypeExpression: React.FunctionComponent<
       <EuiSpacer size="s" />
       <BoundaryIndexExpression
         alertParams={alertParams}
-        alertsContext={alertsContext}
         errors={errors}
         boundaryIndexPattern={boundaryIndexPattern}
         setBoundaryIndexPattern={setBoundaryIndexPattern}
@@ -360,6 +358,7 @@ export const GeoThresholdAlertTypeExpression: React.FunctionComponent<
             : setAlertParams('boundaryNameField', '')
         }
         boundaryNameField={boundaryNameField}
+        data={data}
       />
       <EuiSpacer size="s" />
       <EuiFlexItem>
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/threshold/expression.tsx b/x-pack/plugins/stack_alerts/public/alert_types/threshold/expression.tsx
index 274cd5a9d20dc..3c84f2a5d4f9c 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/threshold/expression.tsx
+++ b/x-pack/plugins/stack_alerts/public/alert_types/threshold/expression.tsx
@@ -24,6 +24,8 @@ import {
   EuiTitle,
 } from '@elastic/eui';
 import { EuiButtonIcon } from '@elastic/eui';
+import { HttpSetup } from 'kibana/public';
+import { useKibana } from '../../../../../../src/plugins/kibana_react/public';
 import {
   firstFieldOption,
   getIndexPatterns,
@@ -39,7 +41,6 @@ import {
   WhenExpression,
   builtInAggregationTypes,
   AlertTypeParamsExpressionProps,
-  AlertsContextValue,
 } from '../../../../triggers_actions_ui/public';
 import { ThresholdVisualization } from './visualization';
 import { IndexThresholdAlertParams } from './types';
@@ -66,9 +67,13 @@ const expressionFieldsWithValidation = [
   'timeWindowSize',
 ];
 
+interface KibanaDeps {
+  http: HttpSetup;
+}
+
 export const IndexThresholdAlertTypeExpression: React.FunctionComponent<
-  AlertTypeParamsExpressionProps<IndexThresholdAlertParams, AlertsContextValue>
-> = ({ alertParams, alertInterval, setAlertParams, setAlertProperty, errors, alertsContext }) => {
+  AlertTypeParamsExpressionProps<IndexThresholdAlertParams>
+> = ({ alertParams, alertInterval, setAlertParams, setAlertProperty, errors, charts, data }) => {
   const {
     index,
     timeField,
@@ -83,7 +88,7 @@ export const IndexThresholdAlertTypeExpression: React.FunctionComponent<
     timeWindowUnit,
   } = alertParams;
 
-  const { http } = alertsContext;
+  const { http } = useKibana<KibanaDeps>().services;
 
   const [indexPopoverOpen, setIndexPopoverOpen] = useState(false);
   const [indexPatterns, setIndexPatterns] = useState([]);
@@ -208,7 +213,7 @@ export const IndexThresholdAlertTypeExpression: React.FunctionComponent<
               });
               return;
             }
-            const currentEsFields = await getFields(http, indices);
+            const currentEsFields = await getFields(http!, indices);
             const timeFields = getTimeFieldOptions(currentEsFields);
 
             setEsFields(currentEsFields);
@@ -216,7 +221,7 @@ export const IndexThresholdAlertTypeExpression: React.FunctionComponent<
           }}
           onSearchChange={async (search) => {
             setIsIndiciesLoading(true);
-            setIndexOptions(await getIndexOptions(http, search, indexPatterns));
+            setIndexOptions(await getIndexOptions(http!, search, indexPatterns));
             setIsIndiciesLoading(false);
           }}
           onBlur={() => {
@@ -433,7 +438,8 @@ export const IndexThresholdAlertTypeExpression: React.FunctionComponent<
               alertInterval={alertInterval}
               aggregationTypes={builtInAggregationTypes}
               comparators={builtInComparators}
-              alertsContext={alertsContext}
+              charts={charts}
+              dataFieldsFormats={data!.fieldFormats}
             />
           </Fragment>
         )}
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/threshold/index.ts b/x-pack/plugins/stack_alerts/public/alert_types/threshold/index.ts
index 93a8011de7e0e..f09d1630cd675 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/threshold/index.ts
+++ b/x-pack/plugins/stack_alerts/public/alert_types/threshold/index.ts
@@ -7,9 +7,9 @@ import { lazy } from 'react';
 import { i18n } from '@kbn/i18n';
 import { validateExpression } from './validation';
 import { IndexThresholdAlertParams } from './types';
-import { AlertTypeModel, AlertsContextValue } from '../../../../triggers_actions_ui/public';
+import { AlertTypeModel } from '../../../../triggers_actions_ui/public';
 
-export function getAlertType(): AlertTypeModel<IndexThresholdAlertParams, AlertsContextValue> {
+export function getAlertType(): AlertTypeModel<IndexThresholdAlertParams> {
   return {
     id: '.index-threshold',
     name: i18n.translate('xpack.stackAlerts.threshold.ui.alertType.nameText', {
diff --git a/x-pack/plugins/stack_alerts/public/alert_types/threshold/visualization.tsx b/x-pack/plugins/stack_alerts/public/alert_types/threshold/visualization.tsx
index 6145aa3671a7f..a3f27d7efb71f 100644
--- a/x-pack/plugins/stack_alerts/public/alert_types/threshold/visualization.tsx
+++ b/x-pack/plugins/stack_alerts/public/alert_types/threshold/visualization.tsx
@@ -29,15 +29,14 @@ import {
   EuiLoadingSpinner,
 } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n/react';
+import { ChartsPluginSetup } from 'src/plugins/charts/public';
+import { FieldFormatsStart } from 'src/plugins/data/public';
+import { useKibana } from '../../../../../../src/plugins/kibana_react/public';
 import {
   getThresholdAlertVisualizationData,
   GetThresholdAlertVisualizationDataParams,
 } from './index_threshold_api';
-import {
-  AlertsContextValue,
-  AggregationType,
-  Comparator,
-} from '../../../../triggers_actions_ui/public';
+import { AggregationType, Comparator } from '../../../../triggers_actions_ui/public';
 import { IndexThresholdAlertParams } from './types';
 import { parseDuration } from '../../../../alerts/common/parse_duration';
 
@@ -94,8 +93,9 @@ interface Props {
   comparators: {
     [key: string]: Comparator;
   };
-  alertsContext: AlertsContextValue;
   refreshRateInMilliseconds?: number;
+  charts: ChartsPluginSetup;
+  dataFieldsFormats: FieldFormatsStart;
 }
 
 const DEFAULT_REFRESH_RATE = 5000;
@@ -112,8 +112,9 @@ export const ThresholdVisualization: React.FunctionComponent<Props> = ({
   alertInterval,
   aggregationTypes,
   comparators,
-  alertsContext,
   refreshRateInMilliseconds = DEFAULT_REFRESH_RATE,
+  charts,
+  dataFieldsFormats,
 }) => {
   const {
     index,
@@ -128,8 +129,7 @@ export const ThresholdVisualization: React.FunctionComponent<Props> = ({
     groupBy,
     threshold,
   } = alertParams;
-  const { http, toastNotifications, charts, uiSettings, dataFieldsFormats } = alertsContext;
-
+  const { http, notifications, uiSettings } = useKibana().services;
   const [loadingState, setLoadingState] = useState<LoadingStateType | null>(null);
   const [error, setError] = useState<undefined | Error>(undefined);
   const [visualizationData, setVisualizationData] = useState<Record<string, MetricResult[]>>();
@@ -150,11 +150,11 @@ export const ThresholdVisualization: React.FunctionComponent<Props> = ({
       try {
         setLoadingState(loadingState ? LoadingStateType.Refresh : LoadingStateType.FirstLoad);
         setVisualizationData(
-          await getVisualizationData(alertWithoutActions, visualizeOptions, http)
+          await getVisualizationData(alertWithoutActions, visualizeOptions, http!)
         );
       } catch (e) {
-        if (toastNotifications) {
-          toastNotifications.addDanger({
+        if (notifications) {
+          notifications.toasts.addDanger({
             title: i18n.translate(
               'xpack.stackAlerts.threshold.ui.visualization.unableToLoadVisualizationMessage',
               { defaultMessage: 'Unable to load visualization' }
diff --git a/x-pack/plugins/triggers_actions_ui/README.md b/x-pack/plugins/triggers_actions_ui/README.md
index 28667741801f8..2d80dda964a0b 100644
--- a/x-pack/plugins/triggers_actions_ui/README.md
+++ b/x-pack/plugins/triggers_actions_ui/README.md
@@ -86,7 +86,6 @@ interface IndexThresholdProps {
   setAlertParams: (property: string, value: any) => void;
   setAlertProperty: (key: string, value: any) => void;
   errors: { [key: string]: string[] };
-  alertsContext: AlertsContextValue;
 }
 ```
 
@@ -96,7 +95,6 @@ interface IndexThresholdProps {
 |setAlertParams|Alert reducer method, which is used to create a new copy of alert object with the changed params property any subproperty value.|
 |setAlertProperty|Alert reducer method, which is used to create a new copy of alert object with the changed any direct alert property value.|
 |errors|Alert level errors tracking object.|
-|alertsContext|Alert context, which is used to pass down common objects like http client.|
 
 
 Alert reducer is defined on the AlertAdd functional component level and passed down to the subcomponents to provide a new state of Alert object:
@@ -181,7 +179,6 @@ export const IndexThresholdAlertTypeExpression: React.FunctionComponent<IndexThr
   setAlertParams,
   setAlertProperty,
   errors,
-  alertsContext,
 }) => {
 
   ....
@@ -244,7 +241,7 @@ Each alert type should be defined as `AlertTypeModel` object with the these prop
   iconClass: string;
   validate: (alertParams: any) => ValidationResult;
   alertParamsExpression: React.LazyExoticComponent<
-        ComponentType<AlertTypeParamsExpressionProps<AlertParamsType, AlertsContextValue>>
+        ComponentType<AlertTypeParamsExpressionProps<AlertParamsType>>
       >;
   defaultActionMessage?: string;
 ```
@@ -787,18 +784,15 @@ This component renders a standard EuiTitle foe each action group, wrapping the A
 ## Embed the Create Alert flyout within any Kibana plugin
 
 Follow the instructions bellow to embed the Create Alert flyout within any Kibana plugin:
-1. Add TriggersAndActionsUIPublicPluginSetup to Kibana plugin setup dependencies:
+1. Add TriggersAndActionsUIPublicPluginStart to Kibana plugin setup dependencies:
 
 ```
-triggersActionsUi: TriggersAndActionsUIPublicPluginSetup;
+triggersActionsUi: TriggersAndActionsUIPublicPluginStart;
 ```
-Then this dependency will be used to embed Create Alert flyout or register new alert/action type.
+Then this dependency will be used to embed Create Alert flyout.
 
-2. Add Create Alert flyout to React component:
+2. Add Create Alert flyout to React component using triggersActionsUi start contract:
 ```
-// import section
-import { AlertsContextProvider, AlertAdd } from '../../../../../../../triggers_actions_ui/public';
-
 // in the component state definition section
 const [alertFlyoutVisible, setAlertFlyoutVisibility] = useState<boolean>(false);
 
@@ -815,26 +809,22 @@ const [alertFlyoutVisible, setAlertFlyoutVisibility] = useState<boolean>(false);
   />
 </EuiButton>
 
+const AddAlertFlyout = useMemo(
+    () =>
+      triggersActionsUi.getAddAlertFlyout({
+        consumer: ALERTING_EXAMPLE_APP_ID,
+        addFlyoutVisible: alertFlyoutVisible,
+        setAddFlyoutVisibility: setAlertFlyoutVisibility,
+      }),
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [alertFlyoutVisible]
+);
+
 // in render section of component
-<AlertsContextProvider
-  value={{
-    http,
-    actionTypeRegistry: triggersActionsUi.actionTypeRegistry,
-    alertTypeRegistry: triggersActionsUi.alertTypeRegistry,
-    toastNotifications: toasts,
-    uiSettings,
-    docLinks,
-    charts,
-    dataFieldsFormats,
-    metadata: { test: 'some value', fields: ['test'] },
-  }}
->
-  <AlertAdd consumer={'watcher'} addFlyoutVisible={alertFlyoutVisible}
-    setAddFlyoutVisibility={setAlertFlyoutVisibility} />
-</AlertsContextProvider>
+  return <>{AddAlertFlyout}</>;
 ```
 
-AlertAdd Props definition:
+getAddAlertFlyout variables definition:
 ```
 interface AlertAddProps {
   consumer: string;
@@ -842,6 +832,9 @@ interface AlertAddProps {
   setAddFlyoutVisibility: React.Dispatch<React.SetStateAction<boolean>>;
   alertTypeId?: string;
   canChangeTrigger?: boolean;
+  initialValues?: Partial<Alert>;
+  reloadAlerts?: () => Promise<void>;
+  metadata?: MetaData;
 }
 ```
 
@@ -852,37 +845,8 @@ interface AlertAddProps {
 |setAddFlyoutVisibility|Function for changing visibility state of the Create Alert flyout.|
 |alertTypeId|Optional property to preselect alert type.|
 |canChangeTrigger|Optional property, that hides change alert type possibility.|
-
-AlertsContextProvider value options:
-```
-export interface AlertsContextValue<MetaData = Record<string, any>> {
-  reloadAlerts?: () => Promise<void>;
-  http: HttpSetup;
-  alertTypeRegistry: TypeRegistry<AlertTypeModel>;
-  actionTypeRegistry: TypeRegistry<ActionTypeModel>;
-  uiSettings?: IUiSettingsClient;
-  docLinks: DocLinksStart;
-  toastNotifications: Pick<
-    ToastsApi,
-    'get$' | 'add' | 'remove' | 'addSuccess' | 'addWarning' | 'addDanger' | 'addError'
-  >;
-  charts?: ChartsPluginSetup;
-  dataFieldsFormats?: Pick<FieldFormatsRegistry, 'register'>;
-  metadata?: MetaData;
-}
-```
-
-|Property|Description|
-|---|---|
 |reloadAlerts|Optional function, which will be executed if alert was saved sucsessfuly.|
-|http|HttpSetup needed for executing API calls.|
-|alertTypeRegistry|Registry for alert types.|
-|actionTypeRegistry|Registry for action types.|
-|uiSettings|Optional property, which is needed to display visualization of alert type expression. Will be changed after visualization refactoring.|
-|docLinks|Documentation Links, needed to link to the documentation from informational callouts.|
-|toastNotifications|Toast messages.|
-|charts|Optional property, which is needed to display visualization of alert type expression. Will be changed after visualization refactoring.|
-|dataFieldsFormats|Optional property, which is needed to display visualization of alert type expression. Will be changed after visualization refactoring.|
+|initialValues|Default values for Alert properties.|
 |metadata|Optional generic property, which allows to define component specific metadata. This metadata can be used for passing down preloaded data for Alert type expression component.|
 
 ## Build and register Action Types
@@ -1504,25 +1468,6 @@ interface ActionAccordionFormProps {
 |defaultActionMessage|Optional property, which allowes to define a message value for action with 'message' property.|
 |capabilities|Kibana core's Capabilities ApplicationStart['capabilities'].|
 
-
-AlertsContextProvider value options:
-```
-export interface AlertsContextValue {
-  reloadAlerts?: () => Promise<void>;
-  http: HttpSetup;
-  alertTypeRegistry: TypeRegistry<AlertTypeModel>;
-  actionTypeRegistry: TypeRegistry<ActionTypeModel>;
-  uiSettings?: IUiSettingsClient;
-  docLinks: DocLinksStart;
-  toastNotifications: Pick<
-    ToastsApi,
-    'get$' | 'add' | 'remove' | 'addSuccess' | 'addWarning' | 'addDanger' | 'addError'
-  >;
-  charts?: ChartsPluginSetup;
-  dataFieldsFormats?: Pick<FieldFormatsRegistry, 'register'>;
-}
-```
-
 |Property|Description|
 |---|---|
 |reloadAlerts|Optional function, which will be executed if alert was saved sucsessfuly.|
@@ -1618,32 +1563,6 @@ export interface ConnectorAddFlyoutProps {
 |setAddFlyoutVisibility|Function for changing visibility state of the Create Connector flyout.|
 |actionTypes|Optional property, that allows to define only specific action types list which is available for a current plugin.|
 
-ActionsConnectorsContextValue options:
-```
-export interface ActionsConnectorsContextValue {
-  http: HttpSetup;
-  actionTypeRegistry: TypeRegistry<ActionTypeModel>;
-  toastNotifications: Pick<
-    ToastsApi,
-    'get$' | 'add' | 'remove' | 'addSuccess' | 'addWarning' | 'addDanger' | 'addError'
-  >;
-  capabilities: ApplicationStart['capabilities'];
-  docLinks: DocLinksStart;
-  reloadConnectors?: () => Promise<void>;
-  consumer: string;
-}
-```
-
-|Property|Description|
-|---|---|
-|http|HttpSetup needed for executing API calls.|
-|actionTypeRegistry|Registry for action types.|
-|capabilities|Property, which is defining action current user usage capabilities like canSave or canDelete.|
-|toastNotifications|Toast messages.|
-|reloadConnectors|Optional function, which will be executed if connector was saved sucsessfuly, like reload list of connecotrs.|
-|consumer|Optional name of the plugin that creates an action.|
-
-
 ## Embed the Edit Connector flyout within any Kibana plugin
 
 Follow the instructions bellow to embed the Edit Connector flyout within any Kibana plugin:
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/components/health_check.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/components/health_check.test.tsx
index a51765fc3a720..be6c72eef6f9a 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/components/health_check.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/components/health_check.test.tsx
@@ -9,20 +9,20 @@ import { render } from '@testing-library/react';
 import { HealthCheck } from './health_check';
 
 import { act } from 'react-dom/test-utils';
-import { httpServiceMock } from '../../../../../../src/core/public/mocks';
 import { HealthContextProvider } from '../context/health_context';
+import { useKibana } from '../../common/lib/kibana';
+jest.mock('../../common/lib/kibana');
 
-const docLinks = { ELASTIC_WEBSITE_URL: 'elastic.co/', DOC_LINK_VERSION: 'current' };
-
-const http = httpServiceMock.createStartContract();
+const useKibanaMock = useKibana as jest.Mocked<typeof useKibana>;
 
 describe('health check', () => {
   test('renders spinner while health is loading', async () => {
-    http.get.mockImplementationOnce(() => new Promise(() => {}));
-
+    useKibanaMock().services.http.get = jest
+      .fn()
+      .mockImplementationOnce(() => new Promise(() => {}));
     const { queryByText, container } = render(
       <HealthContextProvider>
-        <HealthCheck http={http} docLinks={docLinks} waitForCheck={true}>
+        <HealthCheck waitForCheck={true}>
           <p>{'shouldnt render'}</p>
         </HealthCheck>
       </HealthContextProvider>
@@ -36,11 +36,13 @@ describe('health check', () => {
   });
 
   it('renders children immediately if waitForCheck is false', async () => {
-    http.get.mockImplementationOnce(() => new Promise(() => {}));
+    useKibanaMock().services.http.get = jest
+      .fn()
+      .mockImplementationOnce(() => new Promise(() => {}));
 
     const { queryByText, container } = render(
       <HealthContextProvider>
-        <HealthCheck http={http} docLinks={docLinks} waitForCheck={false}>
+        <HealthCheck waitForCheck={false}>
           <p>{'should render'}</p>
         </HealthCheck>
       </HealthContextProvider>
@@ -54,11 +56,12 @@ describe('health check', () => {
   });
 
   it('renders children if keys are enabled', async () => {
-    http.get.mockResolvedValue({ isSufficientlySecure: true, hasPermanentEncryptionKey: true });
-
+    useKibanaMock().services.http.get = jest
+      .fn()
+      .mockResolvedValue({ isSufficientlySecure: true, hasPermanentEncryptionKey: true });
     const { queryByText } = render(
       <HealthContextProvider>
-        <HealthCheck http={http} docLinks={docLinks} waitForCheck={true}>
+        <HealthCheck waitForCheck={true}>
           <p>{'should render'}</p>
         </HealthCheck>
       </HealthContextProvider>
@@ -70,14 +73,13 @@ describe('health check', () => {
   });
 
   test('renders warning if keys are disabled', async () => {
-    http.get.mockImplementationOnce(async () => ({
+    useKibanaMock().services.http.get = jest.fn().mockImplementationOnce(async () => ({
       isSufficientlySecure: false,
       hasPermanentEncryptionKey: true,
     }));
-
     const { queryAllByText } = render(
       <HealthContextProvider>
-        <HealthCheck http={http} docLinks={docLinks} waitForCheck={true}>
+        <HealthCheck waitForCheck={true}>
           <p>{'should render'}</p>
         </HealthCheck>
       </HealthContextProvider>
@@ -97,19 +99,18 @@ describe('health check', () => {
     );
 
     expect(action.getAttribute('href')).toMatchInlineSnapshot(
-      `"elastic.co/guide/en/kibana/current/configuring-tls.html"`
+      `"https://www.elastic.co/guide/en/kibana/mocked-test-branch/configuring-tls.html"`
     );
   });
 
   test('renders warning if encryption key is ephemeral', async () => {
-    http.get.mockImplementationOnce(async () => ({
+    useKibanaMock().services.http.get = jest.fn().mockImplementationOnce(async () => ({
       isSufficientlySecure: true,
       hasPermanentEncryptionKey: false,
     }));
-
     const { queryByText, queryByRole } = render(
       <HealthContextProvider>
-        <HealthCheck http={http} docLinks={docLinks} waitForCheck={true}>
+        <HealthCheck waitForCheck={true}>
           <p>{'should render'}</p>
         </HealthCheck>
       </HealthContextProvider>
@@ -126,19 +127,19 @@ describe('health check', () => {
     const action = queryByText(/Learn/i);
     expect(action!.textContent).toMatchInlineSnapshot(`"Learn how.(opens in a new tab or window)"`);
     expect(action!.getAttribute('href')).toMatchInlineSnapshot(
-      `"elastic.co/guide/en/kibana/current/alert-action-settings-kb.html#general-alert-action-settings"`
+      `"https://www.elastic.co/guide/en/kibana/mocked-test-branch/alert-action-settings-kb.html#general-alert-action-settings"`
     );
   });
 
   test('renders warning if encryption key is ephemeral and keys are disabled', async () => {
-    http.get.mockImplementationOnce(async () => ({
+    useKibanaMock().services.http.get = jest.fn().mockImplementationOnce(async () => ({
       isSufficientlySecure: false,
       hasPermanentEncryptionKey: false,
     }));
 
     const { queryByText } = render(
       <HealthContextProvider>
-        <HealthCheck http={http} docLinks={docLinks} waitForCheck={true}>
+        <HealthCheck waitForCheck={true}>
           <p>{'should render'}</p>
         </HealthCheck>
       </HealthContextProvider>
@@ -156,7 +157,7 @@ describe('health check', () => {
     const action = queryByText(/Learn/i);
     expect(action!.textContent).toMatchInlineSnapshot(`"Learn how(opens in a new tab or window)"`);
     expect(action!.getAttribute('href')).toMatchInlineSnapshot(
-      `"elastic.co/guide/en/kibana/current/alerting-getting-started.html#alerting-setup-prerequisites"`
+      `"https://www.elastic.co/guide/en/kibana/mocked-test-branch/alerting-getting-started.html#alerting-setup-prerequisites"`
     );
   });
 });
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/components/health_check.tsx b/x-pack/plugins/triggers_actions_ui/public/application/components/health_check.tsx
index c4d0b4976266e..0f20ade8187fd 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/components/health_check.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/components/health_check.tsx
@@ -12,28 +12,25 @@ import { FormattedMessage } from '@kbn/i18n/react';
 import { EuiLink, EuiLoadingSpinner } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
 
-import { DocLinksStart, HttpSetup } from 'kibana/public';
-
 import { EuiEmptyPrompt, EuiCode } from '@elastic/eui';
+import { DocLinksStart } from 'kibana/public';
 import { AlertingFrameworkHealth } from '../../types';
 import { health } from '../lib/alert_api';
 import './health_check.scss';
 import { useHealthContext } from '../context/health_context';
+import { useKibana } from '../../common/lib/kibana';
 
 interface Props {
-  docLinks: Pick<DocLinksStart, 'ELASTIC_WEBSITE_URL' | 'DOC_LINK_VERSION'>;
-  http: HttpSetup;
   inFlyout?: boolean;
   waitForCheck: boolean;
 }
 
 export const HealthCheck: React.FunctionComponent<Props> = ({
-  docLinks,
-  http,
   children,
   waitForCheck,
   inFlyout = false,
 }) => {
+  const { http, docLinks } = useKibana().services;
   const { setLoadingHealthCheck } = useHealthContext();
   const [alertingHealth, setAlertingHealth] = React.useState<Option<AlertingFrameworkHealth>>(none);
 
@@ -66,9 +63,10 @@ export const HealthCheck: React.FunctionComponent<Props> = ({
   );
 };
 
-type PromptErrorProps = Pick<Props, 'docLinks'> & {
+interface PromptErrorProps {
+  docLinks: Pick<DocLinksStart, 'ELASTIC_WEBSITE_URL' | 'DOC_LINK_VERSION'>;
   className?: string;
-};
+}
 
 const TlsAndEncryptionError = ({
   // eslint-disable-next-line @typescript-eslint/naming-convention
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/context/alerts_context.tsx b/x-pack/plugins/triggers_actions_ui/public/application/context/alerts_context.tsx
deleted file mode 100644
index 0b2f777d13f25..0000000000000
--- a/x-pack/plugins/triggers_actions_ui/public/application/context/alerts_context.tsx
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React, { useContext, createContext } from 'react';
-import {
-  HttpSetup,
-  IUiSettingsClient,
-  ToastsStart,
-  DocLinksStart,
-  ApplicationStart,
-} from 'kibana/public';
-import { ChartsPluginSetup } from 'src/plugins/charts/public';
-import {
-  DataPublicPluginSetup,
-  DataPublicPluginStartUi,
-  IndexPatternsContract,
-} from 'src/plugins/data/public';
-import { KibanaFeature } from '../../../../features/common';
-import { AlertTypeRegistryContract, ActionTypeRegistryContract } from '../../types';
-
-export interface AlertsContextValue<MetaData = Record<string, any>> {
-  reloadAlerts?: () => Promise<void>;
-  http: HttpSetup;
-  alertTypeRegistry: AlertTypeRegistryContract;
-  actionTypeRegistry: ActionTypeRegistryContract;
-  toastNotifications: ToastsStart;
-  uiSettings?: IUiSettingsClient;
-  charts?: ChartsPluginSetup;
-  docLinks: DocLinksStart;
-  capabilities: ApplicationStart['capabilities'];
-  dataFieldsFormats?: DataPublicPluginSetup['fieldFormats'];
-  metadata?: MetaData;
-  dataUi?: DataPublicPluginStartUi;
-  dataIndexPatterns?: IndexPatternsContract;
-  kibanaFeatures?: KibanaFeature[];
-}
-
-const AlertsContext = createContext<AlertsContextValue>(null as any);
-
-export const AlertsContextProvider = ({
-  children,
-  value,
-}: {
-  value: AlertsContextValue;
-  children: React.ReactNode;
-}) => {
-  return <AlertsContext.Provider value={value}>{children}</AlertsContext.Provider>;
-};
-
-export const useAlertsContext = () => {
-  const ctx = useContext(AlertsContext);
-  if (!ctx) {
-    throw new Error('AlertsContext has not been set.');
-  }
-  return ctx;
-};
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/home.tsx b/x-pack/plugins/triggers_actions_ui/public/application/home.tsx
index 97faef6d49963..8f9e9c0a080c7 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/home.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/home.tsx
@@ -46,7 +46,6 @@ export const TriggersActionsUIHome: React.FunctionComponent<RouteComponentProps<
     application: { capabilities },
     setBreadcrumbs,
     docLinks,
-    http,
   } = useKibana().services;
 
   const canShowActions = hasShowActionsCapability(capabilities);
@@ -144,7 +143,7 @@ export const TriggersActionsUIHome: React.FunctionComponent<RouteComponentProps<
               path={routeToConnectors}
               component={() => (
                 <HealthContextProvider>
-                  <HealthCheck docLinks={docLinks} http={http} waitForCheck={true}>
+                  <HealthCheck waitForCheck={true}>
                     <ActionsConnectorsList />
                   </HealthCheck>
                 </HealthContextProvider>
@@ -156,7 +155,7 @@ export const TriggersActionsUIHome: React.FunctionComponent<RouteComponentProps<
             path={routeToAlerts}
             component={() => (
               <HealthContextProvider>
-                <HealthCheck docLinks={docLinks} http={http} inFlyout={true} waitForCheck={true}>
+                <HealthCheck inFlyout={true} waitForCheck={true}>
                   <AlertsList />
                 </HealthCheck>
               </HealthContextProvider>
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_details/components/alert_details.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_details/components/alert_details.tsx
index 03734779886b3..0c1b00d78d198 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_details/components/alert_details.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_details/components/alert_details.tsx
@@ -37,7 +37,6 @@ import {
 import { AlertInstancesRouteWithApi } from './alert_instances_route';
 import { ViewInApp } from './view_in_app';
 import { AlertEdit } from '../../alert_form';
-import { AlertsContextProvider } from '../../../context/alerts_context';
 import { routeToAlertDetails } from '../../../constants';
 import { alertsErrorReasonTranslationsMapping } from '../../alerts_list/translations';
 import { useKibana } from '../../../../common/lib/kibana';
@@ -62,15 +61,9 @@ export const AlertDetails: React.FunctionComponent<AlertDetailsProps> = ({
 }) => {
   const history = useHistory();
   const {
-    http,
-    notifications: { toasts },
     application: { capabilities },
     alertTypeRegistry,
     actionTypeRegistry,
-    uiSettings,
-    docLinks,
-    charts,
-    data,
     setBreadcrumbs,
     chrome,
   } = useKibana().services;
@@ -153,30 +146,16 @@ export const AlertDetails: React.FunctionComponent<AlertDetailsProps> = ({
                         />
                       </EuiButtonEmpty>
                       {editFlyoutVisible && (
-                        <AlertsContextProvider
-                          value={{
-                            http,
-                            actionTypeRegistry,
-                            alertTypeRegistry,
-                            toastNotifications: toasts,
-                            uiSettings,
-                            docLinks,
-                            charts,
-                            dataFieldsFormats: data.fieldFormats,
-                            reloadAlerts: setAlert,
-                            capabilities,
-                            dataUi: data.ui,
-                            dataIndexPatterns: data.indexPatterns,
+                        <AlertEdit
+                          initialAlert={alert}
+                          onClose={() => {
+                            setInitialAlert(alert);
+                            setEditFlyoutVisibility(false);
                           }}
-                        >
-                          <AlertEdit
-                            initialAlert={alert}
-                            onClose={() => {
-                              setInitialAlert(alert);
-                              setEditFlyoutVisibility(false);
-                            }}
-                          />
-                        </AlertsContextProvider>
+                          actionTypeRegistry={actionTypeRegistry}
+                          alertTypeRegistry={alertTypeRegistry}
+                          reloadAlerts={setAlert}
+                        />
                       )}
                     </Fragment>
                   </EuiFlexItem>
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_add.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_add.test.tsx
index 608a4482543e2..117abddb4d9d7 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_add.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_add.test.tsx
@@ -12,39 +12,34 @@ import { coreMock } from '../../../../../../../src/core/public/mocks';
 import AlertAdd from './alert_add';
 import { actionTypeRegistryMock } from '../../action_type_registry.mock';
 import { Alert, ValidationResult } from '../../../types';
-import { AlertsContextProvider, useAlertsContext } from '../../context/alerts_context';
 import { alertTypeRegistryMock } from '../../alert_type_registry.mock';
-import { chartPluginMock } from '../../../../../../../src/plugins/charts/public/mocks';
-import { dataPluginMock } from '../../../../../../../src/plugins/data/public/mocks';
 import { ReactWrapper } from 'enzyme';
 import { ALERTS_FEATURE_ID } from '../../../../../alerts/common';
-import { KibanaContextProvider } from '../../../../../../../src/plugins/kibana_react/public';
+import { useKibana } from '../../../common/lib/kibana';
+jest.mock('../../../common/lib/kibana');
 
 jest.mock('../../lib/alert_api', () => ({
   loadAlertTypes: jest.fn(),
-  health: jest.fn((async) => ({ isSufficientlySecure: true, hasPermanentEncryptionKey: true })),
+  health: jest.fn(() => ({ isSufficientlySecure: true, hasPermanentEncryptionKey: true })),
 }));
 
 const actionTypeRegistry = actionTypeRegistryMock.create();
 const alertTypeRegistry = alertTypeRegistryMock.create();
+const useKibanaMock = useKibana as jest.Mocked<typeof useKibana>;
 
 export const TestExpression: React.FunctionComponent<any> = () => {
-  const alertsContext = useAlertsContext();
-  const { metadata } = alertsContext;
-
   return (
     <EuiFormLabel>
       <FormattedMessage
         defaultMessage="Metadata: {val}. Fields: {fields}."
         id="xpack.triggersActionsUI.sections.alertAdd.metadataTest"
-        values={{ val: metadata!.test, fields: metadata!.fields.join(' ') }}
+        values={{ val: 'test', fields: '' }}
       />
     </EuiFormLabel>
   );
 };
 
 describe('alert_add', () => {
-  let deps: any;
   let wrapper: ReactWrapper<any>;
 
   async function setup(initialValues?: Partial<Alert>) {
@@ -80,15 +75,14 @@ describe('alert_add', () => {
         application: { capabilities },
       },
     ] = await mocks.getStartServices();
-    deps = {
-      toastNotifications: mocks.notifications.toasts,
-      http: mocks.http,
-      uiSettings: mocks.uiSettings,
-      data: dataPluginMock.createStartContract(),
-      charts: chartPluginMock.createStartContract(),
-      actionTypeRegistry,
-      alertTypeRegistry,
-      docLinks: { ELASTIC_WEBSITE_URL: '', DOC_LINK_VERSION: '' },
+    // eslint-disable-next-line react-hooks/rules-of-hooks
+    useKibanaMock().services.application.capabilities = {
+      ...capabilities,
+      alerts: {
+        show: true,
+        save: true,
+        delete: true,
+      },
     };
 
     mocks.http.get.mockResolvedValue({
@@ -132,37 +126,18 @@ describe('alert_add', () => {
     actionTypeRegistry.has.mockReturnValue(true);
 
     wrapper = mountWithIntl(
-      <KibanaContextProvider services={{ ...deps }}>
-        <AlertsContextProvider
-          value={{
-            reloadAlerts: () => {
-              return new Promise<void>(() => {});
-            },
-            http: deps.http,
-            actionTypeRegistry: deps.actionTypeRegistry,
-            alertTypeRegistry: deps.alertTypeRegistry,
-            toastNotifications: deps.toastNotifications,
-            uiSettings: deps.uiSettings,
-            docLinks: deps.docLinks,
-            metadata: { test: 'some value', fields: ['test'] },
-            capabilities: {
-              ...capabilities,
-              actions: {
-                delete: true,
-                save: true,
-                show: true,
-              },
-            },
-          }}
-        >
-          <AlertAdd
-            consumer={ALERTS_FEATURE_ID}
-            addFlyoutVisible={true}
-            setAddFlyoutVisibility={() => {}}
-            initialValues={initialValues}
-          />
-        </AlertsContextProvider>
-      </KibanaContextProvider>
+      <AlertAdd
+        consumer={ALERTS_FEATURE_ID}
+        addFlyoutVisible={true}
+        setAddFlyoutVisibility={() => {}}
+        initialValues={initialValues}
+        reloadAlerts={() => {
+          return new Promise<void>(() => {});
+        }}
+        actionTypeRegistry={actionTypeRegistry}
+        alertTypeRegistry={alertTypeRegistry}
+        metadata={{ test: 'some value', fields: ['test'] }}
+      />
     );
 
     // Wait for active space to resolve before requesting the component to update
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_add.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_add.tsx
index 34a4c909c65a9..03c8b539227a2 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_add.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_add.tsx
@@ -7,8 +7,13 @@ import React, { useCallback, useReducer, useMemo, useState, useEffect } from 're
 import { FormattedMessage } from '@kbn/i18n/react';
 import { EuiTitle, EuiFlyoutHeader, EuiFlyout, EuiFlyoutBody, EuiPortal } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
-import { useAlertsContext } from '../../context/alerts_context';
-import { Alert, AlertAction, IErrorObject } from '../../../types';
+import {
+  ActionTypeRegistryContract,
+  Alert,
+  AlertAction,
+  AlertTypeRegistryContract,
+  IErrorObject,
+} from '../../../types';
 import { AlertForm, isValidAlert, validateBaseProperties } from './alert_form';
 import { alertReducer, InitialAlert, InitialAlertReducer } from './alert_reducer';
 import { createAlert } from '../../lib/alert_api';
@@ -17,23 +22,32 @@ import { ConfirmAlertSave } from './confirm_alert_save';
 import { hasShowActionsCapability } from '../../lib/capabilities';
 import AlertAddFooter from './alert_add_footer';
 import { HealthContextProvider } from '../../context/health_context';
+import { useKibana } from '../../../common/lib/kibana';
 
-interface AlertAddProps {
+export interface AlertAddProps<MetaData = Record<string, any>> {
   consumer: string;
   addFlyoutVisible: boolean;
+  alertTypeRegistry: AlertTypeRegistryContract;
+  actionTypeRegistry: ActionTypeRegistryContract;
   setAddFlyoutVisibility: React.Dispatch<React.SetStateAction<boolean>>;
   alertTypeId?: string;
   canChangeTrigger?: boolean;
   initialValues?: Partial<Alert>;
+  reloadAlerts?: () => Promise<void>;
+  metadata?: MetaData;
 }
 
-export const AlertAdd = ({
+const AlertAdd = ({
   consumer,
   addFlyoutVisible,
+  alertTypeRegistry,
+  actionTypeRegistry,
   setAddFlyoutVisibility,
   canChangeTrigger,
   alertTypeId,
   initialValues,
+  reloadAlerts,
+  metadata,
 }: AlertAddProps) => {
   const initialAlert: InitialAlert = useMemo(
     () => ({
@@ -65,14 +79,10 @@ export const AlertAdd = ({
   };
 
   const {
-    reloadAlerts,
     http,
-    toastNotifications,
-    alertTypeRegistry,
-    actionTypeRegistry,
-    docLinks,
-    capabilities,
-  } = useAlertsContext();
+    notifications: { toasts },
+    application: { capabilities },
+  } = useKibana().services;
 
   const canShowActions = hasShowActionsCapability(capabilities);
 
@@ -127,7 +137,7 @@ export const AlertAdd = ({
     try {
       if (isValidAlert(alert, errors)) {
         const newAlert = await createAlert({ http, alert });
-        toastNotifications.addSuccess(
+        toasts.addSuccess(
           i18n.translate('xpack.triggersActionsUI.sections.alertAdd.saveSuccessNotificationText', {
             defaultMessage: 'Created alert "{alertName}"',
             values: {
@@ -138,7 +148,7 @@ export const AlertAdd = ({
         return newAlert;
       }
     } catch (errorRes) {
-      toastNotifications.addDanger(
+      toasts.addDanger(
         errorRes.body?.message ??
           i18n.translate('xpack.triggersActionsUI.sections.alertAdd.saveErrorNotificationText', {
             defaultMessage: 'Cannot create alert.',
@@ -166,7 +176,7 @@ export const AlertAdd = ({
           </EuiTitle>
         </EuiFlyoutHeader>
         <HealthContextProvider>
-          <HealthCheck docLinks={docLinks} http={http} inFlyout={true} waitForCheck={false}>
+          <HealthCheck inFlyout={true} waitForCheck={false}>
             <EuiFlyoutBody>
               <AlertForm
                 alert={alert}
@@ -179,6 +189,9 @@ export const AlertAdd = ({
                     defaultMessage: 'create',
                   }
                 )}
+                actionTypeRegistry={actionTypeRegistry}
+                alertTypeRegistry={alertTypeRegistry}
+                metadata={metadata}
               />
             </EuiFlyoutBody>
             <AlertAddFooter
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_edit.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_edit.test.tsx
index 11a35b313ef19..4af54bbb80e9f 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_edit.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_edit.test.tsx
@@ -9,16 +9,16 @@ import { act } from 'react-dom/test-utils';
 import { coreMock } from '../../../../../../../src/core/public/mocks';
 import { actionTypeRegistryMock } from '../../action_type_registry.mock';
 import { ValidationResult, Alert } from '../../../types';
-import { AlertsContextProvider } from '../../context/alerts_context';
 import { alertTypeRegistryMock } from '../../alert_type_registry.mock';
 import { ReactWrapper } from 'enzyme';
 import AlertEdit from './alert_edit';
-import { KibanaContextProvider } from '../../../../../../../src/plugins/kibana_react/public';
+import { useKibana } from '../../../common/lib/kibana';
+jest.mock('../../../common/lib/kibana');
 const actionTypeRegistry = actionTypeRegistryMock.create();
 const alertTypeRegistry = alertTypeRegistryMock.create();
+const useKibanaMock = useKibana as jest.Mocked<typeof useKibana>;
 
 describe('alert_edit', () => {
-  let deps: any;
   let wrapper: ReactWrapper<any>;
   let mockedCoreSetup: ReturnType<typeof coreMock.createSetup>;
 
@@ -32,17 +32,19 @@ describe('alert_edit', () => {
         application: { capabilities },
       },
     ] = await mockedCoreSetup.getStartServices();
-    deps = {
-      toastNotifications: mockedCoreSetup.notifications.toasts,
-      http: mockedCoreSetup.http,
-      uiSettings: mockedCoreSetup.uiSettings,
-      actionTypeRegistry,
-      alertTypeRegistry,
-      docLinks: { ELASTIC_WEBSITE_URL: '', DOC_LINK_VERSION: '' },
-      capabilities,
+    // eslint-disable-next-line react-hooks/rules-of-hooks
+    useKibanaMock().services.application.capabilities = {
+      ...capabilities,
+      alerts: {
+        show: true,
+        save: true,
+        delete: true,
+        execute: true,
+      },
     };
 
-    mockedCoreSetup.http.get.mockResolvedValue({
+    // eslint-disable-next-line react-hooks/rules-of-hooks
+    useKibanaMock().services.http.get = jest.fn().mockResolvedValue({
       isSufficientlySecure: true,
       hasPermanentEncryptionKey: true,
     });
@@ -122,24 +124,15 @@ describe('alert_edit', () => {
     actionTypeRegistry.has.mockReturnValue(true);
 
     wrapper = mountWithIntl(
-      <KibanaContextProvider services={deps}>
-        <AlertsContextProvider
-          value={{
-            reloadAlerts: () => {
-              return new Promise<void>(() => {});
-            },
-            http: deps!.http,
-            actionTypeRegistry: deps!.actionTypeRegistry,
-            alertTypeRegistry: deps!.alertTypeRegistry,
-            toastNotifications: deps!.toastNotifications,
-            uiSettings: deps!.uiSettings,
-            docLinks: deps.docLinks,
-            capabilities: deps!.capabilities,
-          }}
-        >
-          <AlertEdit onClose={() => {}} initialAlert={alert} />
-        </AlertsContextProvider>
-      </KibanaContextProvider>
+      <AlertEdit
+        onClose={() => {}}
+        initialAlert={alert}
+        reloadAlerts={() => {
+          return new Promise<void>(() => {});
+        }}
+        actionTypeRegistry={actionTypeRegistry}
+        alertTypeRegistry={alertTypeRegistry}
+      />
     );
     // Wait for active space to resolve before requesting the component to update
     await act(async () => {
@@ -155,15 +148,17 @@ describe('alert_edit', () => {
   });
 
   it('displays a toast message on save for server errors', async () => {
-    mockedCoreSetup.http.get.mockResolvedValue([]);
+    useKibanaMock().services.http.get = jest.fn().mockResolvedValue([]);
     await setup();
     const err = new Error() as any;
     err.body = {};
     err.body.message = 'Fail message';
-    mockedCoreSetup.http.put.mockRejectedValue(err);
+    useKibanaMock().services.http.put = jest.fn().mockRejectedValue(err);
     await act(async () => {
       wrapper.find('[data-test-subj="saveEditedAlertButton"]').first().simulate('click');
     });
-    expect(mockedCoreSetup.notifications.toasts.addDanger).toHaveBeenCalledWith('Fail message');
+    expect(useKibanaMock().services.notifications.toasts.addDanger).toHaveBeenCalledWith(
+      'Fail message'
+    );
   });
 });
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_edit.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_edit.tsx
index 2e2a77fa6afc3..dbf460d1778c6 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_edit.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_edit.tsx
@@ -20,20 +20,37 @@ import {
   EuiSpacer,
 } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
-import { useAlertsContext } from '../../context/alerts_context';
-import { Alert, AlertAction, IErrorObject } from '../../../types';
+import {
+  ActionTypeRegistryContract,
+  Alert,
+  AlertAction,
+  AlertTypeRegistryContract,
+  IErrorObject,
+} from '../../../types';
 import { AlertForm, validateBaseProperties } from './alert_form';
 import { alertReducer, ConcreteAlertReducer } from './alert_reducer';
 import { updateAlert } from '../../lib/alert_api';
 import { HealthCheck } from '../../components/health_check';
 import { HealthContextProvider } from '../../context/health_context';
+import { useKibana } from '../../../common/lib/kibana';
 
-interface AlertEditProps {
+export interface AlertEditProps<MetaData = Record<string, any>> {
   initialAlert: Alert;
+  alertTypeRegistry: AlertTypeRegistryContract;
+  actionTypeRegistry: ActionTypeRegistryContract;
   onClose(): void;
+  reloadAlerts?: () => Promise<void>;
+  metadata?: MetaData;
 }
 
-export const AlertEdit = ({ initialAlert, onClose }: AlertEditProps) => {
+export const AlertEdit = ({
+  initialAlert,
+  onClose,
+  reloadAlerts,
+  alertTypeRegistry,
+  actionTypeRegistry,
+  metadata,
+}: AlertEditProps) => {
   const [{ alert }, dispatch] = useReducer(alertReducer as ConcreteAlertReducer, {
     alert: initialAlert,
   });
@@ -44,13 +61,9 @@ export const AlertEdit = ({ initialAlert, onClose }: AlertEditProps) => {
   );
 
   const {
-    reloadAlerts,
     http,
-    toastNotifications,
-    alertTypeRegistry,
-    actionTypeRegistry,
-    docLinks,
-  } = useAlertsContext();
+    notifications: { toasts },
+  } = useKibana().services;
 
   const alertType = alertTypeRegistry.get(alert.alertTypeId);
 
@@ -76,7 +89,7 @@ export const AlertEdit = ({ initialAlert, onClose }: AlertEditProps) => {
   async function onSaveAlert(): Promise<Alert | undefined> {
     try {
       const newAlert = await updateAlert({ http, alert, id: alert.id });
-      toastNotifications.addSuccess(
+      toasts.addSuccess(
         i18n.translate('xpack.triggersActionsUI.sections.alertEdit.saveSuccessNotificationText', {
           defaultMessage: "Updated '{alertName}'",
           values: {
@@ -86,7 +99,7 @@ export const AlertEdit = ({ initialAlert, onClose }: AlertEditProps) => {
       );
       return newAlert;
     } catch (errorRes) {
-      toastNotifications.addDanger(
+      toasts.addDanger(
         errorRes.body?.message ??
           i18n.translate('xpack.triggersActionsUI.sections.alertEdit.saveErrorNotificationText', {
             defaultMessage: 'Cannot update alert.',
@@ -114,7 +127,7 @@ export const AlertEdit = ({ initialAlert, onClose }: AlertEditProps) => {
           </EuiTitle>
         </EuiFlyoutHeader>
         <HealthContextProvider>
-          <HealthCheck docLinks={docLinks} http={http} inFlyout={true} waitForCheck={true}>
+          <HealthCheck inFlyout={true} waitForCheck={true}>
             <EuiFlyoutBody>
               {hasActionsDisabled && (
                 <Fragment>
@@ -135,12 +148,15 @@ export const AlertEdit = ({ initialAlert, onClose }: AlertEditProps) => {
                 alert={alert}
                 dispatch={dispatch}
                 errors={errors}
+                actionTypeRegistry={actionTypeRegistry}
+                alertTypeRegistry={alertTypeRegistry}
                 canChangeTrigger={false}
                 setHasActionsDisabled={setHasActionsDisabled}
                 setHasActionsWithBrokenConnector={setHasActionsWithBrokenConnector}
                 operation="i18n.translate('xpack.triggersActionsUI.sections.alertEdit.operationName', {
                   defaultMessage: 'edit',
                 })"
+                metadata={metadata}
               />
             </EuiFlyoutBody>
             <EuiFlyoutFooter>
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_form.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_form.test.tsx
index 0d5972d075f42..785eaeb9059d7 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_form.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_form.test.tsx
@@ -11,22 +11,18 @@ import { actionTypeRegistryMock } from '../../action_type_registry.mock';
 import { alertTypeRegistryMock } from '../../alert_type_registry.mock';
 import { ValidationResult, Alert } from '../../../types';
 import { AlertForm } from './alert_form';
-import { AlertsContextProvider } from '../../context/alerts_context';
 import { coreMock } from 'src/core/public/mocks';
 import { ALERTS_FEATURE_ID, RecoveredActionGroup } from '../../../../../alerts/common';
+import { useKibana } from '../../../common/lib/kibana';
 
 const actionTypeRegistry = actionTypeRegistryMock.create();
 const alertTypeRegistry = alertTypeRegistryMock.create();
 jest.mock('../../lib/alert_api', () => ({
   loadAlertTypes: jest.fn(),
 }));
+jest.mock('../../../common/lib/kibana');
 
 describe('alert_form', () => {
-  beforeEach(() => {
-    jest.resetAllMocks();
-  });
-
-  let deps: any;
   const alertType = {
     id: 'my-alert-type',
     iconClass: 'test',
@@ -67,6 +63,7 @@ describe('alert_form', () => {
     alertParamsExpression: () => <Fragment />,
     requiresAppContext: true,
   };
+  const useKibanaMock = useKibana as jest.Mocked<typeof useKibana>;
 
   describe('alert_form create alert', () => {
     let wrapper: ReactWrapper<any>;
@@ -99,14 +96,14 @@ describe('alert_form', () => {
           application: { capabilities },
         },
       ] = await mocks.getStartServices();
-      deps = {
-        toastNotifications: mocks.notifications.toasts,
-        http: mocks.http,
-        uiSettings: mocks.uiSettings,
-        actionTypeRegistry,
-        alertTypeRegistry,
-        docLinks: { ELASTIC_WEBSITE_URL: '', DOC_LINK_VERSION: '' },
-        capabilities,
+      // eslint-disable-next-line react-hooks/rules-of-hooks
+      useKibanaMock().services.application.capabilities = {
+        ...capabilities,
+        alerts: {
+          show: true,
+          save: true,
+          delete: true,
+        },
       };
       alertTypeRegistry.list.mockReturnValue([alertType, alertTypeNonEditable]);
       alertTypeRegistry.has.mockReturnValue(true);
@@ -128,27 +125,14 @@ describe('alert_form', () => {
       } as unknown) as Alert;
 
       wrapper = mountWithIntl(
-        <AlertsContextProvider
-          value={{
-            reloadAlerts: () => {
-              return new Promise<void>(() => {});
-            },
-            http: deps!.http,
-            docLinks: deps.docLinks,
-            actionTypeRegistry: deps!.actionTypeRegistry,
-            alertTypeRegistry: deps!.alertTypeRegistry,
-            toastNotifications: deps!.toastNotifications,
-            uiSettings: deps!.uiSettings,
-            capabilities: deps!.capabilities,
-          }}
-        >
-          <AlertForm
-            alert={initialAlert}
-            dispatch={() => {}}
-            errors={{ name: [], interval: [] }}
-            operation="create"
-          />
-        </AlertsContextProvider>
+        <AlertForm
+          alert={initialAlert}
+          dispatch={() => {}}
+          errors={{ name: [], interval: [] }}
+          operation="create"
+          actionTypeRegistry={actionTypeRegistry}
+          alertTypeRegistry={alertTypeRegistry}
+        />
       );
 
       await act(async () => {
@@ -208,6 +192,7 @@ describe('alert_form', () => {
 
     async function setup() {
       const { loadAlertTypes } = jest.requireMock('../../lib/alert_api');
+
       loadAlertTypes.mockResolvedValue([
         {
           id: 'other-consumer-producer-alert-type',
@@ -250,14 +235,14 @@ describe('alert_form', () => {
           application: { capabilities },
         },
       ] = await mocks.getStartServices();
-      deps = {
-        toastNotifications: mocks.notifications.toasts,
-        http: mocks.http,
-        uiSettings: mocks.uiSettings,
-        actionTypeRegistry,
-        alertTypeRegistry,
-        docLinks: { ELASTIC_WEBSITE_URL: '', DOC_LINK_VERSION: '' },
-        capabilities,
+      // eslint-disable-next-line react-hooks/rules-of-hooks
+      useKibanaMock().services.application.capabilities = {
+        ...capabilities,
+        alerts: {
+          show: true,
+          save: true,
+          delete: true,
+        },
       };
       alertTypeRegistry.list.mockReturnValue([
         {
@@ -302,27 +287,14 @@ describe('alert_form', () => {
       } as unknown) as Alert;
 
       wrapper = mountWithIntl(
-        <AlertsContextProvider
-          value={{
-            reloadAlerts: () => {
-              return new Promise<void>(() => {});
-            },
-            http: deps!.http,
-            docLinks: deps.docLinks,
-            actionTypeRegistry: deps!.actionTypeRegistry,
-            alertTypeRegistry: deps!.alertTypeRegistry,
-            toastNotifications: deps!.toastNotifications,
-            uiSettings: deps!.uiSettings,
-            capabilities: deps!.capabilities,
-          }}
-        >
-          <AlertForm
-            alert={initialAlert}
-            dispatch={() => {}}
-            errors={{ name: [], interval: [] }}
-            operation="create"
-          />
-        </AlertsContextProvider>
+        <AlertForm
+          alert={initialAlert}
+          dispatch={() => {}}
+          errors={{ name: [], interval: [] }}
+          operation="create"
+          actionTypeRegistry={actionTypeRegistry}
+          alertTypeRegistry={alertTypeRegistry}
+        />
       );
 
       await act(async () => {
@@ -354,14 +326,6 @@ describe('alert_form', () => {
     let wrapper: ReactWrapper<any>;
 
     async function setup() {
-      const mockes = coreMock.createSetup();
-      deps = {
-        toastNotifications: mockes.notifications.toasts,
-        http: mockes.http,
-        uiSettings: mockes.uiSettings,
-        actionTypeRegistry,
-        alertTypeRegistry,
-      };
       alertTypeRegistry.list.mockReturnValue([alertType]);
       alertTypeRegistry.get.mockReturnValue(alertType);
       alertTypeRegistry.has.mockReturnValue(true);
@@ -385,27 +349,14 @@ describe('alert_form', () => {
       } as unknown) as Alert;
 
       wrapper = mountWithIntl(
-        <AlertsContextProvider
-          value={{
-            reloadAlerts: () => {
-              return new Promise<void>(() => {});
-            },
-            http: deps!.http,
-            docLinks: deps.docLinks,
-            actionTypeRegistry: deps!.actionTypeRegistry,
-            alertTypeRegistry: deps!.alertTypeRegistry,
-            toastNotifications: deps!.toastNotifications,
-            uiSettings: deps!.uiSettings,
-            capabilities: deps!.capabilities,
-          }}
-        >
-          <AlertForm
-            alert={initialAlert}
-            dispatch={() => {}}
-            errors={{ name: [], interval: [] }}
-            operation="create"
-          />
-        </AlertsContextProvider>
+        <AlertForm
+          alert={initialAlert}
+          dispatch={() => {}}
+          errors={{ name: [], interval: [] }}
+          operation="create"
+          actionTypeRegistry={actionTypeRegistry}
+          alertTypeRegistry={alertTypeRegistry}
+        />
       );
 
       await act(async () => {
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_form.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_form.tsx
index 5b0585e2cc798..c94086a6adab9 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_form.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_form/alert_form.tsx
@@ -50,14 +50,16 @@ import {
   AlertTypeIndex,
   AlertType,
   ValidationResult,
+  AlertTypeRegistryContract,
+  ActionTypeRegistryContract,
 } from '../../../types';
 import { getTimeOptions } from '../../../common/lib/get_time_options';
-import { useAlertsContext } from '../../context/alerts_context';
 import { ActionForm } from '../action_connector_form';
 import { AlertActionParam, ALERTS_FEATURE_ID } from '../../../../../alerts/common';
 import { hasAllPrivilege, hasShowActionsCapability } from '../../lib/capabilities';
 import { SolutionFilter } from './solution_filter';
 import './alert_form.scss';
+import { useKibana } from '../../../common/lib/kibana';
 import { recoveredActionGroupMessage } from '../../constants';
 import { getDefaultsForActionParams } from '../../lib/get_defaults_for_action_params';
 
@@ -113,14 +115,17 @@ function getProducerFeatureName(producer: string, kibanaFeatures: KibanaFeature[
   return kibanaFeatures.find((featureItem) => featureItem.id === producer)?.name;
 }
 
-interface AlertFormProps {
+interface AlertFormProps<MetaData = Record<string, any>> {
   alert: InitialAlert;
   dispatch: React.Dispatch<AlertReducerAction>;
   errors: IErrorObject;
+  alertTypeRegistry: AlertTypeRegistryContract;
+  actionTypeRegistry: ActionTypeRegistryContract;
+  operation: string;
   canChangeTrigger?: boolean; // to hide Change trigger button
   setHasActionsDisabled?: (value: boolean) => void;
   setHasActionsWithBrokenConnector?: (value: boolean) => void;
-  operation: string;
+  metadata?: MetaData;
 }
 
 export const AlertForm = ({
@@ -131,17 +136,19 @@ export const AlertForm = ({
   setHasActionsDisabled,
   setHasActionsWithBrokenConnector,
   operation,
+  alertTypeRegistry,
+  actionTypeRegistry,
+  metadata,
 }: AlertFormProps) => {
-  const alertsContext = useAlertsContext();
   const {
     http,
-    toastNotifications,
-    alertTypeRegistry,
-    actionTypeRegistry,
+    notifications: { toasts },
     docLinks,
-    capabilities,
+    application: { capabilities },
     kibanaFeatures,
-  } = alertsContext;
+    charts,
+    data,
+  } = useKibana().services;
   const canShowActions = hasShowActionsCapability(capabilities);
 
   const [alertTypeModel, setAlertTypeModel] = useState<AlertTypeModel | null>(null);
@@ -207,7 +214,7 @@ export const AlertForm = ({
           new Map([...solutionsResult.entries()].sort(([, a], [, b]) => a.localeCompare(b)))
         );
       } catch (e) {
-        toastNotifications.addDanger({
+        toasts.addDanger({
           title: i18n.translate(
             'xpack.triggersActionsUI.sections.alertForm.unableToLoadAlertTypesMessage',
             { defaultMessage: 'Unable to load alert types' }
@@ -486,9 +493,11 @@ export const AlertForm = ({
               errors={errors}
               setAlertParams={setAlertParams}
               setAlertProperty={setAlertProperty}
-              alertsContext={alertsContext}
               defaultActionGroupId={defaultActionGroupId}
               actionGroups={selectedAlertType.actionGroups}
+              metadata={metadata}
+              charts={charts}
+              data={data}
             />
           </Suspense>
         </EuiErrorBoundary>
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_list/components/alerts_list.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_list/components/alerts_list.tsx
index 0a674b4d5486d..aaaf843d43eab 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_list/components/alerts_list.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_list/components/alerts_list.tsx
@@ -30,7 +30,6 @@ import {
 import { useHistory } from 'react-router-dom';
 
 import { isEmpty } from 'lodash';
-import { AlertsContextProvider } from '../../../context/alerts_context';
 import { ActionType, Alert, AlertTableItem, AlertTypeIndex, Pagination } from '../../../../types';
 import { AlertAdd } from '../../alert_form';
 import { BulkOperationPopover } from '../../common/components/bulk_operation_popover';
@@ -80,10 +79,6 @@ export const AlertsList: React.FunctionComponent = () => {
     application: { capabilities },
     alertTypeRegistry,
     actionTypeRegistry,
-    uiSettings,
-    docLinks,
-    charts,
-    data,
     kibanaFeatures,
   } = useKibana().services;
   const canExecuteActions = hasExecuteActionsCapability(capabilities);
@@ -619,7 +614,7 @@ export const AlertsList: React.FunctionComponent = () => {
   return (
     <section data-test-subj="alertsList">
       <DeleteModalConfirmation
-        onDeleted={async (deleted: string[]) => {
+        onDeleted={async () => {
           setAlertsToDelete([]);
           setSelectedIds([]);
           await loadAlertsData();
@@ -658,29 +653,14 @@ export const AlertsList: React.FunctionComponent = () => {
       ) : (
         noPermissionPrompt
       )}
-      <AlertsContextProvider
-        value={{
-          reloadAlerts: loadAlertsData,
-          http,
-          actionTypeRegistry,
-          alertTypeRegistry,
-          toastNotifications: toasts,
-          uiSettings,
-          docLinks,
-          charts,
-          dataFieldsFormats: data.fieldFormats,
-          capabilities,
-          dataUi: data.ui,
-          dataIndexPatterns: data.indexPatterns,
-          kibanaFeatures,
-        }}
-      >
-        <AlertAdd
-          consumer={ALERTS_FEATURE_ID}
-          addFlyoutVisible={alertFlyoutVisible}
-          setAddFlyoutVisibility={setAlertFlyoutVisibility}
-        />
-      </AlertsContextProvider>
+      <AlertAdd
+        consumer={ALERTS_FEATURE_ID}
+        addFlyoutVisible={alertFlyoutVisible}
+        setAddFlyoutVisibility={setAlertFlyoutVisibility}
+        actionTypeRegistry={actionTypeRegistry}
+        alertTypeRegistry={alertTypeRegistry}
+        reloadAlerts={loadAlertsData}
+      />
     </section>
   );
 };
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/common/components/with_actions_api_operations.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/common/components/with_actions_api_operations.tsx
index ff66d31044b08..79636056267fc 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/common/components/with_actions_api_operations.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/common/components/with_actions_api_operations.tsx
@@ -21,9 +21,6 @@ export function withActionOperations<T>(
 ): React.FunctionComponent<PropsWithOptionalApiHandlers<T>> {
   return (props: PropsWithOptionalApiHandlers<T>) => {
     const { http } = useKibana().services;
-    if (!http) {
-      throw new Error('KibanaContext has not been initalized correctly.');
-    }
     return (
       <WrappedComponent {...(props as T)} loadActionTypes={async () => loadActionTypes({ http })} />
     );
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/common/components/with_bulk_alert_api_operations.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/common/components/with_bulk_alert_api_operations.tsx
index 77f7631b6d63f..5656aa9de7795 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/common/components/with_bulk_alert_api_operations.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/common/components/with_bulk_alert_api_operations.tsx
@@ -70,9 +70,6 @@ export function withBulkAlertOperations<T>(
 ): React.FunctionComponent<PropsWithOptionalApiHandlers<T>> {
   return (props: PropsWithOptionalApiHandlers<T>) => {
     const { http } = useKibana().services;
-    if (!http) {
-      throw new Error('KibanaContext has not been initalized correctly.');
-    }
     return (
       <WrappedComponent
         {...(props as T)}
diff --git a/x-pack/plugins/triggers_actions_ui/public/common/get_add_alert_flyout.tsx b/x-pack/plugins/triggers_actions_ui/public/common/get_add_alert_flyout.tsx
new file mode 100644
index 0000000000000..2d36d85c0743c
--- /dev/null
+++ b/x-pack/plugins/triggers_actions_ui/public/common/get_add_alert_flyout.tsx
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import React, { lazy, Suspense } from 'react';
+import type { AlertAddProps } from '../application/sections/alert_form/alert_add';
+
+export const getAddAlertFlyoutLazy = (props: AlertAddProps) => {
+  const AlertAddFlyoutLazy = lazy(() => import('../application/sections/alert_form/alert_add'));
+  return (
+    <Suspense fallback={null}>
+      <AlertAddFlyoutLazy {...props} />
+    </Suspense>
+  );
+};
diff --git a/x-pack/plugins/triggers_actions_ui/public/common/get_edit_alert_flyout.tsx b/x-pack/plugins/triggers_actions_ui/public/common/get_edit_alert_flyout.tsx
new file mode 100644
index 0000000000000..7966ffc798bc3
--- /dev/null
+++ b/x-pack/plugins/triggers_actions_ui/public/common/get_edit_alert_flyout.tsx
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import React, { lazy, Suspense } from 'react';
+import type { AlertEditProps } from '../application/sections/alert_form/alert_edit';
+
+export const getEditAlertFlyoutLazy = (props: AlertEditProps) => {
+  const AlertEditFlyoutLazy = lazy(() => import('../application/sections/alert_form/alert_edit'));
+  return (
+    <Suspense fallback={null}>
+      <AlertEditFlyoutLazy {...props} />
+    </Suspense>
+  );
+};
diff --git a/x-pack/plugins/triggers_actions_ui/public/common/lib/kibana/kibana_react.mock.ts b/x-pack/plugins/triggers_actions_ui/public/common/lib/kibana/kibana_react.mock.ts
index ce1d9887bbb26..1e68ebcb930b5 100644
--- a/x-pack/plugins/triggers_actions_ui/public/common/lib/kibana/kibana_react.mock.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/common/lib/kibana/kibana_react.mock.ts
@@ -23,7 +23,6 @@ export const createStartServicesMock = (): TriggersAndActionsUiServices => {
       get: jest.fn(),
       list: jest.fn(),
     } as AlertTypeRegistryContract,
-    notifications: core.notifications,
     dataPlugin: jest.fn(),
     navigateToApp: jest.fn(),
     alerts: {
diff --git a/x-pack/plugins/triggers_actions_ui/public/index.ts b/x-pack/plugins/triggers_actions_ui/public/index.ts
index 6955a94326145..e6680e9d44731 100644
--- a/x-pack/plugins/triggers_actions_ui/public/index.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/index.ts
@@ -6,7 +6,6 @@
 
 import { Plugin } from './plugin';
 
-export { AlertsContextProvider, AlertsContextValue } from './application/context/alerts_context';
 export { AlertAdd } from './application/sections/alert_form';
 export {
   AlertEdit,
diff --git a/x-pack/plugins/triggers_actions_ui/public/plugin.ts b/x-pack/plugins/triggers_actions_ui/public/plugin.ts
index 365eac9c031b4..f2c8957400fa5 100644
--- a/x-pack/plugins/triggers_actions_ui/public/plugin.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/plugin.ts
@@ -28,6 +28,10 @@ import type { ConnectorAddFlyoutProps } from './application/sections/action_conn
 import type { ConnectorEditFlyoutProps } from './application/sections/action_connector_form/connector_edit_flyout';
 import { getAddConnectorFlyoutLazy } from './common/get_add_connector_flyout';
 import { getEditConnectorFlyoutLazy } from './common/get_edit_connector_flyout';
+import { getAddAlertFlyoutLazy } from './common/get_add_alert_flyout';
+import { getEditAlertFlyoutLazy } from './common/get_edit_alert_flyout';
+import { AlertAddProps } from './application/sections/alert_form/alert_add';
+import { AlertEditProps } from './application/sections/alert_form/alert_edit';
 
 export interface TriggersAndActionsUIPublicPluginSetup {
   actionTypeRegistry: TypeRegistry<ActionTypeModel>;
@@ -39,10 +43,16 @@ export interface TriggersAndActionsUIPublicPluginStart {
   alertTypeRegistry: TypeRegistry<AlertTypeModel>;
   getAddConnectorFlyout: (
     props: Omit<ConnectorAddFlyoutProps, 'actionTypeRegistry'>
-  ) => ReactElement<ConnectorAddFlyoutProps> | null;
+  ) => ReactElement<ConnectorAddFlyoutProps>;
   getEditConnectorFlyout: (
     props: Omit<ConnectorEditFlyoutProps, 'actionTypeRegistry'>
-  ) => ReactElement<ConnectorEditFlyoutProps> | null;
+  ) => ReactElement<ConnectorEditFlyoutProps>;
+  getAddAlertFlyout: (
+    props: Omit<AlertAddProps, 'actionTypeRegistry' | 'alertTypeRegistry'>
+  ) => ReactElement<AlertAddProps>;
+  getEditAlertFlyout: (
+    props: Omit<AlertEditProps, 'actionTypeRegistry' | 'alertTypeRegistry'>
+  ) => ReactElement<AlertEditProps>;
 }
 
 interface PluginsSetup {
@@ -152,6 +162,24 @@ export class Plugin
           actionTypeRegistry: this.actionTypeRegistry,
         });
       },
+      getAddAlertFlyout: (
+        props: Omit<AlertAddProps, 'actionTypeRegistry' | 'alertTypeRegistry'>
+      ) => {
+        return getAddAlertFlyoutLazy({
+          ...props,
+          actionTypeRegistry: this.actionTypeRegistry,
+          alertTypeRegistry: this.alertTypeRegistry,
+        });
+      },
+      getEditAlertFlyout: (
+        props: Omit<AlertEditProps, 'actionTypeRegistry' | 'alertTypeRegistry'>
+      ) => {
+        return getEditAlertFlyoutLazy({
+          ...props,
+          actionTypeRegistry: this.actionTypeRegistry,
+          alertTypeRegistry: this.alertTypeRegistry,
+        });
+      },
     };
   }
 
diff --git a/x-pack/plugins/triggers_actions_ui/public/types.ts b/x-pack/plugins/triggers_actions_ui/public/types.ts
index 8c69643f19b8d..1e11102516fc1 100644
--- a/x-pack/plugins/triggers_actions_ui/public/types.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/types.ts
@@ -6,6 +6,8 @@
 import type { PublicMethodsOf } from '@kbn/utility-types';
 import type { DocLinksStart } from 'kibana/public';
 import { ComponentType } from 'react';
+import { ChartsPluginSetup } from 'src/plugins/charts/public';
+import { DataPublicPluginStart } from 'src/plugins/data/public';
 import { ActionGroup, AlertActionParam } from '../../alerts/common';
 import { ActionType } from '../../actions/common';
 import { TypeRegistry } from './application/type_registry';
@@ -158,7 +160,7 @@ export interface AlertTableItem extends Alert {
 
 export interface AlertTypeParamsExpressionProps<
   AlertParamsType = unknown,
-  AlertsContextValue = unknown
+  MetaData = Record<string, any>
 > {
   alertParams: AlertParamsType;
   alertInterval: string;
@@ -166,12 +168,14 @@ export interface AlertTypeParamsExpressionProps<
   setAlertParams: (property: string, value: any) => void;
   setAlertProperty: <Key extends keyof Alert>(key: Key, value: Alert[Key] | null) => void;
   errors: IErrorObject;
-  alertsContext: AlertsContextValue;
   defaultActionGroupId: string;
   actionGroups: ActionGroup[];
+  metadata?: MetaData;
+  charts: ChartsPluginSetup;
+  data: DataPublicPluginStart;
 }
 
-export interface AlertTypeModel<AlertParamsType = any, AlertsContextValue = any> {
+export interface AlertTypeModel<AlertParamsType = any> {
   id: string;
   name: string | JSX.Element;
   description: string;
@@ -180,9 +184,7 @@ export interface AlertTypeModel<AlertParamsType = any, AlertsContextValue = any>
   validate: (alertParams: AlertParamsType) => ValidationResult;
   alertParamsExpression:
     | React.FunctionComponent<any>
-    | React.LazyExoticComponent<
-        ComponentType<AlertTypeParamsExpressionProps<AlertParamsType, AlertsContextValue>>
-      >;
+    | React.LazyExoticComponent<ComponentType<AlertTypeParamsExpressionProps<AlertParamsType>>>;
   requiresAppContext: boolean;
   defaultActionMessage?: string;
 }
diff --git a/x-pack/plugins/uptime/public/apps/uptime_app.tsx b/x-pack/plugins/uptime/public/apps/uptime_app.tsx
index 9535cfdb8c8b0..9bbcde041a794 100644
--- a/x-pack/plugins/uptime/public/apps/uptime_app.tsx
+++ b/x-pack/plugins/uptime/public/apps/uptime_app.tsx
@@ -25,10 +25,7 @@ import {
 import { CommonlyUsedRange } from '../components/common/uptime_date_picker';
 import { setBasePath } from '../state/actions';
 import { PageRouter } from '../routes';
-import {
-  UptimeAlertsContextProvider,
-  UptimeAlertsFlyoutWrapper,
-} from '../components/overview/alerts';
+import { UptimeAlertsFlyoutWrapper } from '../components/overview/alerts';
 import { store } from '../state';
 import { kibanaService } from '../state/kibana_service';
 import { ScopedHistory } from '../../../../../src/core/public';
@@ -110,16 +107,14 @@ const Application = (props: UptimeAppProps) => {
                   <UptimeSettingsContextProvider {...props}>
                     <UptimeThemeContextProvider darkMode={darkMode}>
                       <UptimeStartupPluginsContextProvider {...startPlugins}>
-                        <UptimeAlertsContextProvider>
-                          <EuiPage className="app-wrapper-panel " data-test-subj="uptimeApp">
-                            <RedirectAppLinks application={core.application}>
-                              <main>
-                                <UptimeAlertsFlyoutWrapper />
-                                <PageRouter />
-                              </main>
-                            </RedirectAppLinks>
-                          </EuiPage>
-                        </UptimeAlertsContextProvider>
+                        <EuiPage className="app-wrapper-panel " data-test-subj="uptimeApp">
+                          <RedirectAppLinks application={core.application}>
+                            <main>
+                              <UptimeAlertsFlyoutWrapper />
+                              <PageRouter />
+                            </main>
+                          </RedirectAppLinks>
+                        </EuiPage>
                       </UptimeStartupPluginsContextProvider>
                     </UptimeThemeContextProvider>
                   </UptimeSettingsContextProvider>
diff --git a/x-pack/plugins/uptime/public/components/common/alerts/uptime_edit_alert_flyout.tsx b/x-pack/plugins/uptime/public/components/common/alerts/uptime_edit_alert_flyout.tsx
index cdc3632545c5c..4dec97f6558df 100644
--- a/x-pack/plugins/uptime/public/components/common/alerts/uptime_edit_alert_flyout.tsx
+++ b/x-pack/plugins/uptime/public/components/common/alerts/uptime_edit_alert_flyout.tsx
@@ -4,8 +4,12 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React from 'react';
-import { Alert, AlertEdit } from '../../../../../../plugins/triggers_actions_ui/public';
+import React, { useMemo } from 'react';
+import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
+import {
+  Alert,
+  TriggersAndActionsUIPublicPluginStart,
+} from '../../../../../../plugins/triggers_actions_ui/public';
 
 interface Props {
   alertFlyoutVisible: boolean;
@@ -13,6 +17,10 @@ interface Props {
   setAlertFlyoutVisibility: React.Dispatch<React.SetStateAction<boolean>>;
 }
 
+interface KibanaDeps {
+  triggersActionsUi: TriggersAndActionsUIPublicPluginStart;
+}
+
 export const UptimeEditAlertFlyoutComponent = ({
   alertFlyoutVisible,
   initialAlert,
@@ -21,5 +29,16 @@ export const UptimeEditAlertFlyoutComponent = ({
   const onClose = () => {
     setAlertFlyoutVisibility(false);
   };
-  return alertFlyoutVisible ? <AlertEdit initialAlert={initialAlert} onClose={onClose} /> : null;
+  const { triggersActionsUi } = useKibana<KibanaDeps>().services;
+
+  const EditAlertFlyout = useMemo(
+    () =>
+      triggersActionsUi.getEditAlertFlyout({
+        initialAlert,
+        onClose,
+      }),
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    []
+  );
+  return <>{alertFlyoutVisible && EditAlertFlyout}</>;
 };
diff --git a/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_integerations.test.tsx b/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_integerations.test.tsx
index 10b3a90414eb5..95774e3208168 100644
--- a/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_integerations.test.tsx
+++ b/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_integerations.test.tsx
@@ -8,7 +8,10 @@ import React from 'react';
 import { MLIntegrationComponent } from '../ml_integeration';
 import { renderWithRouter, shallowWithRouter } from '../../../../lib';
 import * as redux from 'react-redux';
+import { KibanaContextProvider } from '../../../../../../../../src/plugins/kibana_react/public';
+import { coreMock } from 'src/core/public/mocks';
 
+const core = coreMock.createStart();
 describe('ML Integrations', () => {
   beforeEach(() => {
     const spy = jest.spyOn(redux, 'useDispatch');
@@ -24,7 +27,13 @@ describe('ML Integrations', () => {
   });
 
   it('renders without errors', () => {
-    const wrapper = renderWithRouter(<MLIntegrationComponent />);
+    const wrapper = renderWithRouter(
+      <KibanaContextProvider
+        services={{ ...core, triggersActionsUi: { getEditAlertFlyout: jest.fn() } }}
+      >
+        <MLIntegrationComponent />
+      </KibanaContextProvider>
+    );
     expect(wrapper).toMatchSnapshot();
   });
 });
diff --git a/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_job_link.test.tsx b/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_job_link.test.tsx
index fbd66e7077a77..581fe1cbf9b10 100644
--- a/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_job_link.test.tsx
+++ b/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_job_link.test.tsx
@@ -5,9 +5,12 @@
  */
 
 import React from 'react';
+import { coreMock } from 'src/core/public/mocks';
 import { renderWithRouter, shallowWithRouter } from '../../../../lib';
 import { MLJobLink } from '../ml_job_link';
+import { KibanaContextProvider } from '../../../../../../../../src/plugins/kibana_react/public';
 
+const core = coreMock.createStart();
 describe('ML JobLink', () => {
   it('shallow renders without errors', () => {
     const wrapper = shallowWithRouter(
@@ -18,7 +21,11 @@ describe('ML JobLink', () => {
 
   it('renders without errors', () => {
     const wrapper = renderWithRouter(
-      <MLJobLink dateRange={{ to: '', from: '' }} basePath="" monitorId="testMonitor" />
+      <KibanaContextProvider
+        services={{ ...core, triggersActionsUi: { getEditAlertFlyout: jest.fn() } }}
+      >
+        <MLJobLink dateRange={{ to: '', from: '' }} basePath="" monitorId="testMonitor" />
+      </KibanaContextProvider>
     );
     expect(wrapper).toMatchSnapshot();
   });
diff --git a/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_manage_job.test.tsx b/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_manage_job.test.tsx
index 841c577a4014b..0db6841c32aaf 100644
--- a/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_manage_job.test.tsx
+++ b/x-pack/plugins/uptime/public/components/monitor/ml/__tests__/ml_manage_job.test.tsx
@@ -5,10 +5,13 @@
  */
 
 import React from 'react';
+import { coreMock } from 'src/core/public/mocks';
 import { ManageMLJobComponent } from '../manage_ml_job';
 import * as redux from 'react-redux';
 import { renderWithRouter, shallowWithRouter } from '../../../../lib';
+import { KibanaContextProvider } from '../../../../../../../../src/plugins/kibana_react/public';
 
+const core = coreMock.createStart();
 describe('Manage ML Job', () => {
   it('shallow renders without errors', () => {
     jest.spyOn(redux, 'useSelector').mockReturnValue(true);
@@ -25,7 +28,11 @@ describe('Manage ML Job', () => {
     jest.spyOn(redux, 'useSelector').mockReturnValue(true);
 
     const wrapper = renderWithRouter(
-      <ManageMLJobComponent hasMLJob={true} onEnableJob={jest.fn()} onJobDelete={jest.fn()} />
+      <KibanaContextProvider
+        services={{ ...core, triggersActionsUi: { getEditAlertFlyout: jest.fn() } }}
+      >
+        <ManageMLJobComponent hasMLJob={true} onEnableJob={jest.fn()} onJobDelete={jest.fn()} />
+      </KibanaContextProvider>
     );
     expect(wrapper).toMatchSnapshot();
   });
diff --git a/x-pack/plugins/uptime/public/components/overview/alerts/index.ts b/x-pack/plugins/uptime/public/components/overview/alerts/index.ts
index 5ca0f4c3fe8a7..cb13c76122c9e 100644
--- a/x-pack/plugins/uptime/public/components/overview/alerts/index.ts
+++ b/x-pack/plugins/uptime/public/components/overview/alerts/index.ts
@@ -6,6 +6,5 @@
 
 export { AlertMonitorStatusComponent } from './alert_monitor_status';
 export { ToggleAlertFlyoutButtonComponent } from './toggle_alert_flyout_button';
-export { UptimeAlertsContextProvider } from './uptime_alerts_context_provider';
 export { UptimeAlertsFlyoutWrapperComponent } from './uptime_alerts_flyout_wrapper';
 export * from './alerts_containers';
diff --git a/x-pack/plugins/uptime/public/components/overview/alerts/uptime_alerts_context_provider.tsx b/x-pack/plugins/uptime/public/components/overview/alerts/uptime_alerts_context_provider.tsx
deleted file mode 100644
index 6b919eb8a0852..0000000000000
--- a/x-pack/plugins/uptime/public/components/overview/alerts/uptime_alerts_context_provider.tsx
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React from 'react';
-import {
-  HttpStart,
-  NotificationsStart,
-  IUiSettingsClient,
-  DocLinksStart,
-  ApplicationStart,
-} from 'src/core/public';
-import { DataPublicPluginStart } from '../../../../../../../src/plugins/data/public';
-import { ChartsPluginStart } from '../../../../../../../src/plugins/charts/public';
-import {
-  AlertsContextProvider,
-  TriggersAndActionsUIPublicPluginStart,
-} from '../../../../../../plugins/triggers_actions_ui/public';
-import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
-
-interface KibanaDeps {
-  http: HttpStart;
-  notifications: NotificationsStart;
-  uiSettings: IUiSettingsClient;
-  docLinks: DocLinksStart;
-  application: ApplicationStart;
-
-  data: DataPublicPluginStart;
-  charts: ChartsPluginStart;
-  triggersActionsUi: TriggersAndActionsUIPublicPluginStart;
-}
-
-export const UptimeAlertsContextProvider: React.FC = ({ children }) => {
-  const {
-    services: {
-      data: { fieldFormats },
-      http,
-      charts,
-      notifications,
-      triggersActionsUi: { actionTypeRegistry, alertTypeRegistry },
-      uiSettings,
-      docLinks,
-      application: { capabilities },
-    },
-  } = useKibana<KibanaDeps>();
-
-  return (
-    <AlertsContextProvider
-      value={{
-        actionTypeRegistry,
-        alertTypeRegistry,
-        charts,
-        docLinks,
-        dataFieldsFormats: fieldFormats,
-        http,
-        toastNotifications: notifications?.toasts,
-        uiSettings,
-        capabilities,
-      }}
-    >
-      {children}
-    </AlertsContextProvider>
-  );
-};
diff --git a/x-pack/plugins/uptime/public/components/overview/alerts/uptime_alerts_flyout_wrapper.tsx b/x-pack/plugins/uptime/public/components/overview/alerts/uptime_alerts_flyout_wrapper.tsx
index de4e67cfe8edc..7995cf88df9ba 100644
--- a/x-pack/plugins/uptime/public/components/overview/alerts/uptime_alerts_flyout_wrapper.tsx
+++ b/x-pack/plugins/uptime/public/components/overview/alerts/uptime_alerts_flyout_wrapper.tsx
@@ -4,8 +4,9 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React from 'react';
-import { AlertAdd } from '../../../../../../plugins/triggers_actions_ui/public';
+import React, { useMemo } from 'react';
+import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
+import { TriggersAndActionsUIPublicPluginStart } from '../../../../../../plugins/triggers_actions_ui/public';
 
 interface Props {
   alertFlyoutVisible: boolean;
@@ -13,18 +14,29 @@ interface Props {
   setAlertFlyoutVisibility: React.Dispatch<React.SetStateAction<boolean>>;
 }
 
+interface KibanaDeps {
+  triggersActionsUi: TriggersAndActionsUIPublicPluginStart;
+}
+
 export const UptimeAlertsFlyoutWrapperComponent = ({
   alertFlyoutVisible,
   alertTypeId,
   setAlertFlyoutVisibility,
-}: Props) => (
-  <AlertAdd
-    addFlyoutVisible={alertFlyoutVisible}
-    consumer="uptime"
-    setAddFlyoutVisibility={setAlertFlyoutVisibility}
-    alertTypeId={alertTypeId}
-    // if we don't have an alert type pre-specified, we need to
-    // let the user choose
-    canChangeTrigger={!alertTypeId}
-  />
-);
+}: Props) => {
+  const { triggersActionsUi } = useKibana<KibanaDeps>().services;
+
+  const AddAlertFlyout = useMemo(
+    () =>
+      triggersActionsUi.getAddAlertFlyout({
+        consumer: 'uptime',
+        addFlyoutVisible: alertFlyoutVisible,
+        setAddFlyoutVisibility: setAlertFlyoutVisibility,
+        alertTypeId,
+        canChangeTrigger: !alertTypeId,
+      }),
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [alertFlyoutVisible, alertTypeId]
+  );
+
+  return <>{AddAlertFlyout}</>;
+};