{ "track_total_hits": true, "size": 500, "sort": [ { "_score": { "order": "desc" } } ], "version": true, "fields": [ { "field": "*", "include_unmapped": "true" }, { "field": "@timestamp", "format": "strict_date_optional_time" }, { "field": "analytics_log_disabled_at", "format": "strict_date_optional_time" }, { "field": "api_log_disabled_at", "format": "strict_date_optional_time" }, { "field": "aws.cloudtrail.digest.end_time", "format": "strict_date_optional_time" }, { "field": "aws.cloudtrail.digest.newest_event_time", "format": "strict_date_optional_time" }, { "field": "aws.cloudtrail.digest.oldest_event_time", "format": "strict_date_optional_time" }, { "field": "aws.cloudtrail.digest.start_time", "format": "strict_date_optional_time" }, { "field": "aws.cloudtrail.user_identity.session_context.creation_date", "format": "strict_date_optional_time" }, { "field": "azure.app_insights.end_date", "format": "strict_date_optional_time" }, { "field": "azure.app_insights.start_date", "format": "strict_date_optional_time" }, { "field": "azure.app_state.end_date", "format": "strict_date_optional_time" }, { "field": "azure.app_state.start_date", "format": "strict_date_optional_time" }, { "field": "azure.auditlogs.properties.activity_datetime", "format": "strict_date_optional_time" }, { "field": "azure.billing.usage_date", "format": "strict_date_optional_time" }, { "field": "azure.billing.usage_end", "format": "strict_date_optional_time" }, { "field": "azure.billing.usage_start", "format": "strict_date_optional_time" }, { "field": "azure.enqueued_time", "format": "strict_date_optional_time" }, { "field": "azure.signinlogs.properties.created_at", "format": "strict_date_optional_time" }, { "field": "beat.last_checkin", "format": "strict_date_optional_time" }, { "field": "beat.status.timestamp", "format": "strict_date_optional_time" }, { "field": "beat.verified_on", "format": "strict_date_optional_time" }, { "field": "beats_state.timestamp", "format": "strict_date_optional_time" }, { "field": "beats_stats.timestamp", "format": "strict_date_optional_time" }, { "field": "begun_at", "format": "strict_date_optional_time" }, { "field": "bucket_influencers.timestamp", "format": "strict_date_optional_time" }, { "field": "cef.extensions.agentReceiptTime", "format": "strict_date_optional_time" }, { "field": "cef.extensions.deviceCustomDate1", "format": "strict_date_optional_time" }, { "field": "cef.extensions.deviceCustomDate2", "format": "strict_date_optional_time" }, { "field": "cef.extensions.deviceReceiptTime", "format": "strict_date_optional_time" }, { "field": "cef.extensions.endTime", "format": "strict_date_optional_time" }, { "field": "cef.extensions.fileCreateTime", "format": "strict_date_optional_time" }, { "field": "cef.extensions.fileModificationTime", "format": "strict_date_optional_time" }, { "field": "cef.extensions.flexDate1", "format": "strict_date_optional_time" }, { "field": "cef.extensions.managerReceiptTime", "format": "strict_date_optional_time" }, { "field": "cef.extensions.oldFileCreateTime", "format": "strict_date_optional_time" }, { "field": "cef.extensions.oldFileModificationTime", "format": "strict_date_optional_time" }, { "field": "cef.extensions.startTime", "format": "strict_date_optional_time" }, { "field": "ceph.monitor_health.last_updated", "format": "strict_date_optional_time" }, { "field": "checkpoint.subs_exp", "format": "strict_date_optional_time" }, { "field": "cisco.amp.threat_hunting.incident_end_time", "format": "strict_date_optional_time" }, { "field": "cisco.amp.threat_hunting.incident_start_time", "format": "strict_date_optional_time" }, { "field": "cisco.amp.timestamp_nanoseconds", "format": "strict_date_optional_time" }, { "field": "completed_at", "format": "strict_date_optional_time" }, { "field": "configuration_block.last_updated", "format": "strict_date_optional_time" }, { "field": "confirmation_auto_sign_in_token_created_at", "format": "strict_date_optional_time" }, { "field": "confirmation_sent_at", "format": "strict_date_optional_time" }, { "field": "confirmed_at", "format": "strict_date_optional_time" }, { "field": "crawl_rules.created_at", "format": "strict_date_optional_time" }, { "field": "crawler_log_disabled_at", "format": "strict_date_optional_time" }, { "field": "create_time", "format": "strict_date_optional_time" }, { "field": "created_at", "format": "strict_date_optional_time" }, { "field": "crowdstrike.event.EndTimestamp", "format": "strict_date_optional_time" }, { "field": "crowdstrike.event.IncidentEndTime", "format": "strict_date_optional_time" }, { "field": "crowdstrike.event.IncidentStartTime", "format": "strict_date_optional_time" }, { "field": "crowdstrike.event.ProcessEndTime", "format": "strict_date_optional_time" }, { "field": "crowdstrike.event.ProcessStartTime", "format": "strict_date_optional_time" }, { "field": "crowdstrike.event.StartTimestamp", "format": "strict_date_optional_time" }, { "field": "crowdstrike.event.Timestamp", "format": "strict_date_optional_time" }, { "field": "crowdstrike.event.UTCTimestamp", "format": "strict_date_optional_time" }, { "field": "crowdstrike.metadata.eventCreationTime", "format": "strict_date_optional_time" }, { "field": "current_sign_in_at", "format": "strict_date_optional_time" }, { "field": "cyberarkpas.audit.iso_timestamp", "format": "strict_date_optional_time" }, { "field": "date", "format": "strict_date_optional_time" }, { "field": "date_nanos", "format": "strict_date_optional_time_nanos" }, { "field": "docker.container.created", "format": "strict_date_optional_time" }, { "field": "docker.healthcheck.event.end_date", "format": "strict_date_optional_time" }, { "field": "docker.healthcheck.event.start_date", "format": "strict_date_optional_time" }, { "field": "docker.image.created", "format": "strict_date_optional_time" }, { "field": "earliest_record_timestamp", "format": "strict_date_optional_time" }, { "field": "end_timestamp", "format": "strict_date_optional_time" }, { "field": "enrich_executing_policy_stats.task.start_time_in_millis", "format": "strict_date_optional_time" }, { "field": "enrolled_at", "format": "strict_date_optional_time" }, { "field": "enrollment_token.expires_on", "format": "strict_date_optional_time" }, { "field": "event.created", "format": "strict_date_optional_time" }, { "field": "event.end", "format": "strict_date_optional_time" }, { "field": "event.ingested", "format": "strict_date_optional_time" }, { "field": "event.start", "format": "strict_date_optional_time" }, { "field": "expire_at", "format": "strict_date_optional_time" }, { "field": "expires_at", "format": "strict_date_optional_time" }, { "field": "exponential_average_calculation_context.latest_timestamp", "format": "strict_date_optional_time" }, { "field": "failed_at", "format": "strict_date_optional_time" }, { "field": "file.accessed", "format": "strict_date_optional_time" }, { "field": "file.created", "format": "strict_date_optional_time" }, { "field": "file.ctime", "format": "strict_date_optional_time" }, { "field": "file.mtime", "format": "strict_date_optional_time" }, { "field": "file.x509.not_after", "format": "strict_date_optional_time" }, { "field": "file.x509.not_before", "format": "strict_date_optional_time" }, { "field": "finished_time", "format": "strict_date_optional_time" }, { "field": "forecast_create_timestamp", "format": "strict_date_optional_time" }, { "field": "forecast_end_timestamp", "format": "strict_date_optional_time" }, { "field": "forecast_expiry_timestamp", "format": "strict_date_optional_time" }, { "field": "forecast_start_timestamp", "format": "strict_date_optional_time" }, { "field": "free_trial_expires_at", "format": "strict_date_optional_time" }, { "field": "google_workspace.admin.email.log_search_filter.end_date", "format": "strict_date_optional_time" }, { "field": "google_workspace.admin.email.log_search_filter.start_date", "format": "strict_date_optional_time" }, { "field": "google_workspace.admin.user.birthdate", "format": "strict_date_optional_time" }, { "field": "gsuite.admin.email.log_search_filter.end_date", "format": "strict_date_optional_time" }, { "field": "gsuite.admin.email.log_search_filter.start_date", "format": "strict_date_optional_time" }, { "field": "gsuite.admin.user.birthdate", "format": "strict_date_optional_time" }, { "field": "home_telemetry_last_sent_at", "format": "strict_date_optional_time" }, { "field": "job_stats.data_counts.earliest_record_timestamp", "format": "strict_date_optional_time" }, { "field": "job_stats.data_counts.latest_record_timestamp", "format": "strict_date_optional_time" }, { "field": "juniper.srx.elapsed_time", "format": "strict_date_optional_time" }, { "field": "juniper.srx.epoch_time", "format": "strict_date_optional_time" }, { "field": "juniper.srx.timestamp", "format": "strict_date_optional_time" }, { "field": "kafka.block_timestamp", "format": "strict_date_optional_time" }, { "field": "kibana.task.scheduled", "format": "strict_date_optional_time" }, { "field": "kibana_stats.timestamp", "format": "strict_date_optional_time" }, { "field": "kubernetes.container.start_time", "format": "strict_date_optional_time" }, { "field": "kubernetes.event.metadata.timestamp.created", "format": "strict_date_optional_time" }, { "field": "kubernetes.event.timestamp.first_occurrence", "format": "strict_date_optional_time" }, { "field": "kubernetes.event.timestamp.last_occurrence", "format": "strict_date_optional_time" }, { "field": "kubernetes.node.start_time", "format": "strict_date_optional_time" }, { "field": "kubernetes.pod.start_time", "format": "strict_date_optional_time" }, { "field": "kubernetes.service.created", "format": "strict_date_optional_time" }, { "field": "kubernetes.storageclass.created", "format": "strict_date_optional_time" }, { "field": "kubernetes.system.start_time", "format": "strict_date_optional_time" }, { "field": "last_checkin", "format": "strict_date_optional_time" }, { "field": "last_created_at", "format": "strict_date_optional_time" }, { "field": "last_created_at_override", "format": "strict_date_optional_time" }, { "field": "last_data_time", "format": "strict_date_optional_time" }, { "field": "last_heartbeat_at", "format": "strict_date_optional_time" }, { "field": "last_indexed_at", "format": "strict_date_optional_time" }, { "field": "last_queried_at", "format": "strict_date_optional_time" }, { "field": "last_sign_in_at", "format": "strict_date_optional_time" }, { "field": "last_successful_crawl", "format": "strict_date_optional_time" }, { "field": "last_touched_at", "format": "strict_date_optional_time" }, { "field": "last_updated", "format": "strict_date_optional_time" }, { "field": "latest_empty_bucket_timestamp", "format": "strict_date_optional_time" }, { "field": "latest_record_time_stamp", "format": "strict_date_optional_time" }, { "field": "latest_record_timestamp", "format": "strict_date_optional_time" }, { "field": "latest_result_time_stamp", "format": "strict_date_optional_time" }, { "field": "latest_sparse_bucket_timestamp", "format": "strict_date_optional_time" }, { "field": "locked_at", "format": "strict_date_optional_time" }, { "field": "log_time", "format": "strict_date_optional_time" }, { "field": "logo_updated_at", "format": "strict_date_optional_time" }, { "field": "microsoft.defender_atp.lastUpdateTime", "format": "strict_date_optional_time" }, { "field": "microsoft.defender_atp.resolvedTime", "format": "strict_date_optional_time" }, { "field": "microsoft.m365_defender.alerts.creationTime", "format": "strict_date_optional_time" }, { "field": "microsoft.m365_defender.alerts.lastUpdatedTime", "format": "strict_date_optional_time" }, { "field": "microsoft.m365_defender.alerts.resolvedTime", "format": "strict_date_optional_time" }, { "field": "misp.campaign.first_seen", "format": "strict_date_optional_time" }, { "field": "misp.campaign.last_seen", "format": "strict_date_optional_time" }, { "field": "misp.intrusion_set.first_seen", "format": "strict_date_optional_time" }, { "field": "misp.intrusion_set.last_seen", "format": "strict_date_optional_time" }, { "field": "misp.observed_data.first_observed", "format": "strict_date_optional_time" }, { "field": "misp.observed_data.last_observed", "format": "strict_date_optional_time" }, { "field": "misp.report.published", "format": "strict_date_optional_time" }, { "field": "misp.threat_indicator.valid_from", "format": "strict_date_optional_time" }, { "field": "misp.threat_indicator.valid_until", "format": "strict_date_optional_time" }, { "field": "model_size_stats.log_time", "format": "strict_date_optional_time" }, { "field": "model_size_stats.timestamp", "format": "strict_date_optional_time" }, { "field": "modified_time", "format": "strict_date_optional_time" }, { "field": "mongodb.replstatus.server_date", "format": "strict_date_optional_time" }, { "field": "mongodb.status.background_flushing.last_finished", "format": "strict_date_optional_time" }, { "field": "mongodb.status.local_time", "format": "strict_date_optional_time" }, { "field": "mssql.transaction_log.stats.backup_time", "format": "strict_date_optional_time" }, { "field": "mysql.performance.events_statements.last.seen", "format": "strict_date_optional_time" }, { "field": "nats.server.time", "format": "strict_date_optional_time" }, { "field": "netflow.collection_time_milliseconds", "format": "strict_date_optional_time" }, { "field": "netflow.exporter.timestamp", "format": "strict_date_optional_time" }, { "field": "netflow.flow_end_microseconds", "format": "strict_date_optional_time" }, { "field": "netflow.flow_end_milliseconds", "format": "strict_date_optional_time" }, { "field": "netflow.flow_end_nanoseconds", "format": "strict_date_optional_time" }, { "field": "netflow.flow_end_seconds", "format": "strict_date_optional_time" }, { "field": "netflow.flow_start_microseconds", "format": "strict_date_optional_time" }, { "field": "netflow.flow_start_milliseconds", "format": "strict_date_optional_time" }, { "field": "netflow.flow_start_nanoseconds", "format": "strict_date_optional_time" }, { "field": "netflow.flow_start_seconds", "format": "strict_date_optional_time" }, { "field": "netflow.max_export_seconds", "format": "strict_date_optional_time" }, { "field": "netflow.max_flow_end_microseconds", "format": "strict_date_optional_time" }, { "field": "netflow.max_flow_end_milliseconds", "format": "strict_date_optional_time" }, { "field": "netflow.max_flow_end_nanoseconds", "format": "strict_date_optional_time" }, { "field": "netflow.max_flow_end_seconds", "format": "strict_date_optional_time" }, { "field": "netflow.min_export_seconds", "format": "strict_date_optional_time" }, { "field": "netflow.min_flow_start_microseconds", "format": "strict_date_optional_time" }, { "field": "netflow.min_flow_start_milliseconds", "format": "strict_date_optional_time" }, { "field": "netflow.min_flow_start_nanoseconds", "format": "strict_date_optional_time" }, { "field": "netflow.min_flow_start_seconds", "format": "strict_date_optional_time" }, { "field": "netflow.monitoring_interval_end_milli_seconds", "format": "strict_date_optional_time" }, { "field": "netflow.monitoring_interval_start_milli_seconds", "format": "strict_date_optional_time" }, { "field": "netflow.observation_time_microseconds", "format": "strict_date_optional_time" }, { "field": "netflow.observation_time_milliseconds", "format": "strict_date_optional_time" }, { "field": "netflow.observation_time_nanoseconds", "format": "strict_date_optional_time" }, { "field": "netflow.observation_time_seconds", "format": "strict_date_optional_time" }, { "field": "netflow.system_init_time_milliseconds", "format": "strict_date_optional_time" }, { "field": "okta.debug_context.debug_data.suspicious_activity.timestamp", "format": "strict_date_optional_time" }, { "field": "package.installed", "format": "strict_date_optional_time" }, { "field": "panw.panos.factorcompletiontime", "format": "strict_date_optional_time" }, { "field": "pensando.dfw.timestamp", "format": "strict_date_optional_time" }, { "field": "perform_at", "format": "strict_date_optional_time" }, { "field": "php_fpm.pool.start_time", "format": "strict_date_optional_time" }, { "field": "php_fpm.process.start_time", "format": "strict_date_optional_time" }, { "field": "postgresql.activity.backend_start", "format": "strict_date_optional_time" }, { "field": "postgresql.activity.query_start", "format": "strict_date_optional_time" }, { "field": "postgresql.activity.state_change", "format": "strict_date_optional_time" }, { "field": "postgresql.activity.transaction_start", "format": "strict_date_optional_time" }, { "field": "postgresql.bgwriter.stats_reset", "format": "strict_date_optional_time" }, { "field": "postgresql.database.stats_reset", "format": "strict_date_optional_time" }, { "field": "postgresql.log.session_start_time", "format": "strict_date_optional_time" }, { "field": "process.cpu.start_time", "format": "strict_date_optional_time" }, { "field": "process.parent.start", "format": "strict_date_optional_time" }, { "field": "process.start", "format": "strict_date_optional_time" }, { "field": "process_expiration", "format": "strict_date_optional_time" }, { "field": "processing_started_at", "format": "strict_date_optional_time" }, { "field": "remember_created_at", "format": "strict_date_optional_time" }, { "field": "reset_password_sent_at", "format": "strict_date_optional_time" }, { "field": "resolved_timestamp", "format": "strict_date_optional_time" }, { "field": "resume_at", "format": "strict_date_optional_time" }, { "field": "revoked_at", "format": "strict_date_optional_time" }, { "field": "rsa.internal.lc_ctime", "format": "strict_date_optional_time" }, { "field": "rsa.internal.time", "format": "strict_date_optional_time" }, { "field": "rsa.time.effective_time", "format": "strict_date_optional_time" }, { "field": "rsa.time.endtime", "format": "strict_date_optional_time" }, { "field": "rsa.time.event_queue_time", "format": "strict_date_optional_time" }, { "field": "rsa.time.event_time", "format": "strict_date_optional_time" }, { "field": "rsa.time.expire_time", "format": "strict_date_optional_time" }, { "field": "rsa.time.recorded_time", "format": "strict_date_optional_time" }, { "field": "rsa.time.stamp", "format": "strict_date_optional_time" }, { "field": "rsa.time.starttime", "format": "strict_date_optional_time" }, { "field": "seed_urls.created_at", "format": "strict_date_optional_time" }, { "field": "signal.original_event.created", "format": "strict_date_optional_time" }, { "field": "signal.original_event.end", "format": "strict_date_optional_time" }, { "field": "signal.original_event.ingested", "format": "strict_date_optional_time" }, { "field": "signal.original_event.start", "format": "strict_date_optional_time" }, { "field": "signal.original_time", "format": "strict_date_optional_time" }, { "field": "signal.rule.created_at", "format": "strict_date_optional_time" }, { "field": "signal.rule.updated_at", "format": "strict_date_optional_time" }, { "field": "signal.threshold_result.from", "format": "strict_date_optional_time" }, { "field": "snyk.vulnerabilities.disclosure_time", "format": "strict_date_optional_time" }, { "field": "snyk.vulnerabilities.introduced_date", "format": "strict_date_optional_time" }, { "field": "snyk.vulnerabilities.publication_time", "format": "strict_date_optional_time" }, { "field": "sophos.xg.date", "format": "strict_date_optional_time" }, { "field": "sophos.xg.eventtime", "format": "strict_date_optional_time" }, { "field": "sophos.xg.start_time", "format": "strict_date_optional_time" }, { "field": "sophos.xg.starttime", "format": "strict_date_optional_time" }, { "field": "sophos.xg.timestamp", "format": "strict_date_optional_time" }, { "field": "source_node.timestamp", "format": "strict_date_optional_time" }, { "field": "started_at", "format": "strict_date_optional_time" }, { "field": "status_update_at", "format": "strict_date_optional_time" }, { "field": "suricata.eve.alert.created_at", "format": "strict_date_optional_time" }, { "field": "suricata.eve.alert.updated_at", "format": "strict_date_optional_time" }, { "field": "suricata.eve.flow.end", "format": "strict_date_optional_time" }, { "field": "suricata.eve.flow.start", "format": "strict_date_optional_time" }, { "field": "suricata.eve.timestamp", "format": "strict_date_optional_time" }, { "field": "suricata.eve.tls.notafter", "format": "strict_date_optional_time" }, { "field": "suricata.eve.tls.notbefore", "format": "strict_date_optional_time" }, { "field": "system.audit.host.boottime", "format": "strict_date_optional_time" }, { "field": "system.audit.package.installtime", "format": "strict_date_optional_time" }, { "field": "system.audit.user.password.last_changed", "format": "strict_date_optional_time" }, { "field": "system.process.cpu.start_time", "format": "strict_date_optional_time" }, { "field": "system.service.state_since", "format": "strict_date_optional_time" }, { "field": "telemetry_last_sent_at", "format": "strict_date_optional_time" }, { "field": "threat.indicator.event.created", "format": "strict_date_optional_time" }, { "field": "threat.indicator.event.end", "format": "strict_date_optional_time" }, { "field": "threat.indicator.event.ingested", "format": "strict_date_optional_time" }, { "field": "threat.indicator.event.start", "format": "strict_date_optional_time" }, { "field": "threat.indicator.first_seen", "format": "strict_date_optional_time" }, { "field": "threat.indicator.last_seen", "format": "strict_date_optional_time" }, { "field": "threatintel.anomali.modified", "format": "strict_date_optional_time" }, { "field": "threatintel.anomali.valid_from", "format": "strict_date_optional_time" }, { "field": "threatintel.indicator.last_seen", "format": "strict_date_optional_time" }, { "field": "threatintel.misp.attribute.timestamp", "format": "strict_date_optional_time" }, { "field": "threatintel.misp.date", "format": "strict_date_optional_time" }, { "field": "threatintel.misp.publish_timestamp", "format": "strict_date_optional_time" }, { "field": "threatintel.misp.timestamp", "format": "strict_date_optional_time" }, { "field": "time_upper_bound_millis", "format": "strict_date_optional_time" }, { "field": "timestamp_millis", "format": "strict_date_optional_time" }, { "field": "tls.client.not_after", "format": "strict_date_optional_time" }, { "field": "tls.client.not_before", "format": "strict_date_optional_time" }, { "field": "tls.client.x509.not_after", "format": "strict_date_optional_time" }, { "field": "tls.client.x509.not_before", "format": "strict_date_optional_time" }, { "field": "tls.client_certificate.not_after", "format": "strict_date_optional_time" }, { "field": "tls.client_certificate.not_before", "format": "strict_date_optional_time" }, { "field": "tls.detailed.client_certificate.not_after", "format": "strict_date_optional_time" }, { "field": "tls.detailed.client_certificate.not_before", "format": "strict_date_optional_time" }, { "field": "tls.detailed.server_certificate.not_after", "format": "strict_date_optional_time" }, { "field": "tls.detailed.server_certificate.not_before", "format": "strict_date_optional_time" }, { "field": "tls.server.not_after", "format": "strict_date_optional_time" }, { "field": "tls.server.not_before", "format": "strict_date_optional_time" }, { "field": "tls.server.x509.not_after", "format": "strict_date_optional_time" }, { "field": "tls.server.x509.not_before", "format": "strict_date_optional_time" }, { "field": "tls.server_certificate.not_after", "format": "strict_date_optional_time" }, { "field": "tls.server_certificate.not_before", "format": "strict_date_optional_time" }, { "field": "unenrolled_at", "format": "strict_date_optional_time" }, { "field": "unenrollment_started_at", "format": "strict_date_optional_time" }, { "field": "update_timestamp", "format": "strict_date_optional_time" }, { "field": "updated_at", "format": "strict_date_optional_time" }, { "field": "upgrade_started_at", "format": "strict_date_optional_time" }, { "field": "upgraded_at", "format": "strict_date_optional_time" }, { "field": "winlog.time_created", "format": "strict_date_optional_time" }, { "field": "x509.not_after", "format": "strict_date_optional_time" }, { "field": "x509.not_before", "format": "strict_date_optional_time" }, { "field": "zeek.kerberos.valid.from", "format": "strict_date_optional_time" }, { "field": "zeek.kerberos.valid.until", "format": "strict_date_optional_time" }, { "field": "zeek.ntp.org_time", "format": "strict_date_optional_time" }, { "field": "zeek.ntp.rec_time", "format": "strict_date_optional_time" }, { "field": "zeek.ntp.ref_time", "format": "strict_date_optional_time" }, { "field": "zeek.ntp.xmt_time", "format": "strict_date_optional_time" }, { "field": "zeek.ocsp.revoke.time", "format": "strict_date_optional_time" }, { "field": "zeek.ocsp.update.next", "format": "strict_date_optional_time" }, { "field": "zeek.ocsp.update.this", "format": "strict_date_optional_time" }, { "field": "zeek.pe.compile_time", "format": "strict_date_optional_time" }, { "field": "zeek.smb_files.times.accessed", "format": "strict_date_optional_time" }, { "field": "zeek.smb_files.times.changed", "format": "strict_date_optional_time" }, { "field": "zeek.smb_files.times.created", "format": "strict_date_optional_time" }, { "field": "zeek.smb_files.times.modified", "format": "strict_date_optional_time" }, { "field": "zeek.smtp.date", "format": "strict_date_optional_time" }, { "field": "zeek.snmp.up_since", "format": "strict_date_optional_time" }, { "field": "zeek.x509.certificate.valid.from", "format": "strict_date_optional_time" }, { "field": "zeek.x509.certificate.valid.until", "format": "strict_date_optional_time" }, { "field": "zookeeper.server.version_date", "format": "strict_date_optional_time" }, { "field": "zoom.meeting.start_time", "format": "strict_date_optional_time" }, { "field": "zoom.participant.join_time", "format": "strict_date_optional_time" }, { "field": "zoom.participant.leave_time", "format": "strict_date_optional_time" }, { "field": "zoom.phone.answer_start_time", "format": "strict_date_optional_time" }, { "field": "zoom.phone.call_end_time", "format": "strict_date_optional_time" }, { "field": "zoom.phone.connected_start_time", "format": "strict_date_optional_time" }, { "field": "zoom.phone.date_time", "format": "strict_date_optional_time" }, { "field": "zoom.phone.ringing_start_time", "format": "strict_date_optional_time" }, { "field": "zoom.recording.recording_file.recording_end", "format": "strict_date_optional_time" }, { "field": "zoom.recording.recording_file.recording_start", "format": "strict_date_optional_time" }, { "field": "zoom.recording.start_time", "format": "strict_date_optional_time" }, { "field": "zoom.timestamp", "format": "strict_date_optional_time" }, { "field": "zoom.webinar.start_time", "format": "strict_date_optional_time" } ], "script_fields": {}, "stored_fields": [ "*" ], "runtime_mappings": {}, "_source": false, "query": { "bool": { "must": [], "filter": [ { "bool": { "should": [ { "match_phrase": { "event.action": "New-InboxRule" } } ], "minimum_should_match": 1 } } ], "should": [], "must_not": [] } }, "highlight": { "pre_tags": [ "@kibana-highlighted-field@" ], "post_tags": [ "@/kibana-highlighted-field@" ], "fields": { "*": {} }, "fragment_size": 2147483647 } }