This version of the OpenSearch documentation is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.

Mappings APIs

Use the following APIs to work with mappings: viewing, creating, getting, and updating them.


Get Mappings View

This API returns a view of the fields contained in an index used as a log source.

Request fields

The following fields are used to get field mappings.

| Field | Type | Description |
| index_name | String | The name of the index used for log ingestion. |
| rule_topic | String | The log type of the index. |

Example request

  GET /_plugins/_security_analytics/mappings/view
  {
    "index_name": "windows",
    "rule_topic": "windows"
  }

Example response

  {
    "properties": {
      "windows-event_data-CommandLine": {
        "path": "CommandLine",
        "type": "alias"
      },
      "event_uid": {
        "path": "EventID",
        "type": "alias"
      }
    },
    "unmapped_index_fields": [
      "windows-event_data-CommandLine",
      "unmapped_HiveName",
      "src_ip",
      "sha1",
      "processPath",
      "CallerProcessName",
      "CallTrace",
      "AuthenticationPackageName",
      "AuditSourceName",
      "AuditPolicyChanges",
      "AttributeValue",
      "AttributeLDAPDisplayName",
      "ApplicationPath",
      "Application",
      "AllowedToDelegateTo",
      "Address",
      "Action",
      "AccountType",
      "AccountName",
      "Accesses",
      "AccessMask",
      "AccessList"
    ]
  }

Create Mappings

Example request

  POST /_plugins/_security_analytics/mappings
  {
    "index_name": "windows",
    "rule_topic": "windows",
    "partial": true,
    "alias_mappings": {
      "properties": {
        "event_uid": {
          "type": "alias",
          "path": "EventID"
        }
      }
    }
  }

Example response

  {
    "acknowledged": true
  }
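
The following is an added example, not part of the OpenSearch documentation or plugin code. It builds a Create Mappings request body from a Get Mappings View response, keeping only the aliases an analyst has approved and listing the ones left out. It assumes that entries under "properties" in the view can be submitted unchanged under "alias_mappings"; the names build_create_request, unaliased_paths, and approved are hypothetical, and the sample response is constructed from the shapes shown above.

```python
import json

# Constructed sample: the Get Mappings View response shape shown above, shortened.
VIEW_RESPONSE = json.loads("""
{
  "properties": {
    "windows-event_data-CommandLine": {"path": "CommandLine", "type": "alias"},
    "event_uid": {"path": "EventID", "type": "alias"}
  },
  "unmapped_index_fields": ["src_ip", "sha1", "processPath"]
}
""")


def build_create_request(index_name, rule_topic, view, approved):
    """Build a Create Mappings body from the view entries an analyst approved.

    `approved` is the set of alias names to keep (hypothetical review step).
    Raises ValueError on an unknown alias or a malformed view entry.
    """
    props = view.get("properties", {})
    selected = {}
    for alias in sorted(approved):
        entry = props.get(alias)
        if entry is None:
            raise ValueError(f"alias not offered by the view: {alias}")
        if entry.get("type") != "alias" or not entry.get("path"):
            raise ValueError(f"malformed view entry for: {alias}")
        selected[alias] = {"type": "alias", "path": entry["path"]}
    return {
        "index_name": index_name,
        "rule_topic": rule_topic,
        "partial": True,  # value copied from the example request on this page
        "alias_mappings": {"properties": selected},
    }


def unaliased_paths(view, approved):
    """Index fields the view offered an alias for that the analyst left out."""
    props = view.get("properties", {})
    return sorted(e["path"] for a, e in props.items() if a not in approved)


if __name__ == "__main__":
    body = build_create_request("windows", "windows", VIEW_RESPONSE, {"event_uid"})
    print("POST /_plugins/_security_analytics/mappings")
    print(json.dumps(body, indent=2))
    print("left unaliased:", unaliased_paths(VIEW_RESPONSE, {"event_uid"}))
```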

Get Mappings

Example request

  GET /_plugins/_security_analytics/mappings

Example response

  {
    "windows": {
      "mappings": {
        "properties": {
          "windows-event_data-CommandLine": {
            "type": "alias",
            "path": "CommandLine"
          },
          "event_uid": {
            "type": "alias",
            "path": "EventID"
          }
        }
      }
    }
  }

Update Mappings

Example request

  PUT /_plugins/_security_analytics/mappings
  {
    "index_name": "windows",
    "field": "CommandLine",
    "alias": "windows-event_data-CommandLine"
  }

Example response

  {
    "acknowledged": true
  }