From e8581cf16f4f93f2bbde7532c3a52427a48576ba Mon Sep 17 00:00:00 2001 
From: Ying Mao
Date: Wed, 16 Nov 2022 16:09:34 -0500
Subject: [PATCH 01/42] wip

---
 .../ecs_component_template.ts | 25 +
 .../technical_component_template.ts | 19 +
 .../assets/field_maps/alert_field_map.ts | 210 +
 .../assets/field_maps/ecs_field_map.ts | 7288 +++++++++++++++++
 .../experimental_rule_field_map.test.ts | 25 +
 .../field_maps/experimental_rule_field_map.ts | 15 +
 .../technical_rule_field_map.test.ts | 269 +
 .../field_maps/technical_rule_field_map.ts | 219 +
 .../assets/ecs_legacy_template.json | 7182 ++++++++++++++++
 .../common/alert_schema/field_map/index.ts | 10 +
 .../field_map/merge_field_maps.ts | 49 +
 .../runtime_type_from_fieldmap.test.ts | 95 +
 .../field_map/runtime_type_from_fieldmap.ts | 139 +
 .../common/alert_schema/field_map/types.ts | 16 +
 .../alert_schema/parse_technical_fields.ts | 37 +
 .../scripts/create_schema_from_mapping.js | 55 +
 .../alert_schema/scripts/generate_schemas.sh | 22 +
 .../alert_schema/scripts/lib/line_writer.js | 40 +
 .../server/alerts_service/alerts_service.ts | 147 +
 .../default_lifecycle_policy.ts | 32 +
 .../alerting/server/alerts_service/types.ts | 6 +
 x-pack/plugins/alerting/server/plugin.ts | 10 +
 22 files changed, 15910 insertions(+)
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/component_templates/ecs_component_template.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/component_templates/technical_component_template.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/field_maps/alert_field_map.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/field_maps/ecs_field_map.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.test.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.test.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/component_templates/assets/ecs_legacy_template.json
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_map/index.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_map/merge_field_maps.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.test.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_map/types.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js
 create mode 100755 x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh
 create mode 100644 x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.js
 create mode 100644 x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
 create mode 100644 x-pack/plugins/alerting/server/alerts_service/default_lifecycle_policy.ts
 create mode 100644 x-pack/plugins/alerting/server/alerts_service/types.ts
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/ecs_component_template.ts b/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/ecs_component_template.ts
new file mode 100644
index 00000000000000..8e956ba0004a24
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/ecs_component_template.ts
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { merge } from 'lodash';
+import { mappingFromFieldMap } from '../../mapping_from_field_map';
+import { ClusterPutComponentTemplateBody } from '../../types';
+import { ecsFieldMap } from '../field_maps/ecs_field_map';
+import { technicalRuleFieldMap } from '../field_maps/technical_rule_field_map';
+
+export const ecsComponentTemplate: ClusterPutComponentTemplateBody = {
+ template: {
+ settings: {
+ number_of_shards: 1,
+ 'index.mapping.total_fields.limit': 1700,
+ },
+ mappings: merge(
+ {},
+ mappingFromFieldMap(ecsFieldMap, 'strict'),
+ mappingFromFieldMap(technicalRuleFieldMap, 'strict')
+ ),
+ },
+};
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/technical_component_template.ts b/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/technical_component_template.ts
new file mode 100644
index 00000000000000..e110be339d0a0f
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/technical_component_template.ts
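Review bot: `merge({}, mappingFromFieldMap(ecsFieldMap, 'strict'), mappingFromFieldMap(technicalRuleFieldMap, 'strict'))` resolves any path defined in both field maps silently in favour of technicalRuleFieldMap, and because lodash merge is deep it can also fuse two different definitions of one field (say `type` from one side and `properties` from the other) into a mapping Elasticsearch would reject when the template is installed. Whether the two maps actually overlap cannot be seen here (technicalRuleFieldMap lives in another file), so the precedence should at least be stated beside the call, e.g. `// lodash merge is deep and last-wins: technicalRuleFieldMap overrides ecsFieldMap on any shared path`, and a test asserting the two key sets are disjoint would turn the silent override into a visible failure. The `'index.mapping.total_fields.limit': 1700` also deserves a comment saying what it is sized against (the generated ECS field map plus the technical fields) so whoever adds fields knows when to raise it. Note that the file is named ecs_component_template yet also folds in the technical rule fields that technicalComponentTemplate ships on its own; if an index template composes both, the same fields are declared twice.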
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { mappingFromFieldMap } from '../../mapping_from_field_map';
+import { ClusterPutComponentTemplateBody } from '../../types';
+import { technicalRuleFieldMap } from '../field_maps/technical_rule_field_map';
+
+export const technicalComponentTemplate: ClusterPutComponentTemplateBody = {
+ template: {
+ settings: {
+ number_of_shards: 1,
+ },
+ mappings: mappingFromFieldMap(technicalRuleFieldMap, 'strict'),
+ },
+};
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/alert_field_map.ts
new file mode 100644
index 00000000000000..b8bb4605edd318
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/alert_field_map.ts
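Review bot: The exported `technicalComponentTemplate` carries no documentation, and its relationship to `ecsComponentTemplate` in the sibling file — which also maps technicalRuleFieldMap, with `dynamic: 'strict'` in both — is left for the reader to reconstruct. A TSDoc header such as `/** Component template holding only the technical rule fields, mapped strictly. ecsComponentTemplate already includes these fields, so an index template should compose one of the two, not both. */` would settle it; the "already includes" part is visible in the sibling hunk, while what technicalRuleFieldMap contains is not in this patch. It would also be worth stating why `number_of_shards: 1` is the right default for alert indices, since a template setting is easy to cargo-cult later.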
@@ -0,0 +1,210 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as Fields from '@kbn/rule-data-utils';
+
+export const alertFieldMap = {
+ [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096 },
+ [Fields.ALERT_RULE_TYPE_ID]: { type: 'keyword', required: true },
+ [Fields.ALERT_RULE_CONSUMER]: { type: 'keyword', required: true },
+ [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword', required: true },
+ [Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true },
+ [Fields.ALERT_UUID]: { type: 'keyword', required: true },
+ [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true },
+ [Fields.ALERT_START]: { type: 'date' },
+ [Fields.ALERT_TIME_RANGE]: {
+ type: 'date_range',
+ format: 'epoch_millis||strict_date_optional_time',
+ },
+ [Fields.ALERT_END]: { type: 'date' },
+ [Fields.ALERT_DURATION]: { type: 'long' },
+ [Fields.ALERT_SEVERITY]: { type: 'keyword' },
+ [Fields.ALERT_STATUS]: { type: 'keyword', required: true },
+ [Fields.ALERT_FLAPPING]: { type: 'boolean' },
+ [Fields.VERSION]: {
+ type: 'version',
+ array: false,
+ required: false,
+ },
+ [Fields.ECS_VERSION]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RISK_SCORE]: {
+ type: 'float',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_WORKFLOW_STATUS]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_WORKFLOW_USER]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_WORKFLOW_REASON]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SYSTEM_STATUS]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_ACTION_GROUP]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_REASON]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_AUTHOR]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_CATEGORY]: {
+ type: 'keyword',
+ array: false,
+ required: true,
+ },
+ [Fields.ALERT_RULE_UUID]: {
+ type: 'keyword',
+ array: false,
+ required: true,
+ },
+ [Fields.ALERT_RULE_CREATED_AT]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_CREATED_BY]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_DESCRIPTION]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_ENABLED]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_EXECUTION_UUID]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_FROM]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_INTERVAL]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_LICENSE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_NAME]: {
+ type: 'keyword',
+ array: false,
+ required: true,
+ },
+ [Fields.ALERT_RULE_NOTE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_REFERENCES]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_RULE_RULE_ID]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_RULE_NAME_OVERRIDE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_TAGS]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_RULE_TO]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_TYPE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_UPDATED_AT]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_UPDATED_BY]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_VERSION]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_FIELD]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_VALUE]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_START]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_END]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_DOCS_COUNT]: {
+ type: 'long',
+ array: false,
+ required: false,
+ },
+} as const;
+
+export type TechnicalRuleFieldMap = typeof technicalRuleFieldMap;
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/ecs_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/ecs_field_map.ts
new file mode 100644
index 00000000000000..e4cf087d86df34
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/ecs_field_map.ts
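Review bot: The closing line `export type TechnicalRuleFieldMap = typeof technicalRuleFieldMap;` refers to a `technicalRuleFieldMap` that this file neither defines nor imports, so the module does not type-check (TS2304) and the alias is misnamed for what the file actually exports; it should read `export type AlertFieldMap = typeof alertFieldMap;`. Separately, `ALERT_RULE_CONSUMER`, `ALERT_RULE_PRODUCER` and `SPACE_IDS` are marked `required: true` — presumably because alert read access is filtered on consumer and space, though that is not visible in this hunk — and the reason belongs in a comment above those entries so nobody relaxes them later. `ALERT_RULE_PARAMETERS` is mapped as `flattened`, which stores rule parameters verbatim and makes them searchable; whether any rule type's params can carry sensitive values is worth confirming before this mapping ships, since nothing here shows that they are screened.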
@@ -0,0 +1,7288 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* This file is generated by x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js, +do not manually edit +*/ + +export const ecsFieldMap = { + '@timestamp': { + type: 'date', + array: false, + required: true, + }, + 'agent.build.original': { + type: 'keyword', + array: false, + required: false, + }, + 'agent.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'agent.id': { + type: 'keyword', + array: false, + required: false, + }, + 'agent.name': { + type: 'keyword', + array: false, + required: false, + }, + 'agent.type': { + type: 'keyword', + array: false, + required: false, + }, + 'agent.version': { + type: 'keyword', + array: false, + required: false, + }, + 'client.address': { + type: 'keyword', + array: false, + required: false, + }, + 'client.as.number': { + type: 'long', + array: false, + required: false, + }, + 'client.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.bytes': { + type: 'long', + array: false, + required: false, + }, + 'client.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'client.geo.name': { + type: 'keyword', + 
array: false, + required: false, + }, + 'client.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'client.ip': { + type: 'ip', + array: false, + required: false, + }, + 'client.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'client.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'client.nat.port': { + type: 'long', + array: false, + required: false, + }, + 'client.packets': { + type: 'long', + array: false, + required: false, + }, + 'client.port': { + type: 'long', + array: false, + required: false, + }, + 'client.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'client.user.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'cloud.account.id': { + type: 
'keyword', + array: false, + required: false, + }, + 'cloud.account.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.availability_zone': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.instance.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.instance.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.machine.type': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.account.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.account.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.availability_zone': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.instance.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.instance.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.machine.type': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.project.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.project.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.region': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.origin.service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.project.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.project.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.region': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.account.id': { + type: 'keyword', + array: false, + required: false, + }, + 
'cloud.target.account.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.availability_zone': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.instance.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.instance.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.machine.type': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.project.id': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.project.name': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.region': { + type: 'keyword', + array: false, + required: false, + }, + 'cloud.target.service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'container.cpu.usage': { + type: 'scaled_float', + array: false, + required: false, + scaling_factor: 1000, + }, + 'container.disk.read.bytes': { + type: 'long', + array: false, + required: false, + }, + 'container.disk.write.bytes': { + type: 'long', + array: false, + required: false, + }, + 'container.id': { + type: 'keyword', + array: false, + required: false, + }, + 'container.image.hash.all': { + type: 'keyword', + array: true, + required: false, + }, + 'container.image.name': { + type: 'keyword', + array: false, + required: false, + }, + 'container.image.tag': { + type: 'keyword', + array: true, + required: false, + }, + 'container.labels': { + type: 'object', + array: false, + required: false, + }, + 'container.memory.usage': { + type: 'scaled_float', + array: false, + required: false, + scaling_factor: 1000, + }, + 'container.name': { + type: 'keyword', + array: false, + required: false, + }, + 'container.network.egress.bytes': { + type: 'long', + array: false, + required: false, + }, + 'container.network.ingress.bytes': { + type: 'long', + array: false, + 
required: false, + }, + 'container.runtime': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.address': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.as.number': { + type: 'long', + array: false, + required: false, + }, + 'destination.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.bytes': { + type: 'long', + array: false, + required: false, + }, + 'destination.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'destination.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.ip': { + type: 'ip', + array: false, + required: false, + }, + 'destination.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'destination.nat.port': { + type: 'long', + array: false, + required: false, + }, + 'destination.packets': { + type: 'long', + array: false, + required: false, + }, + 
'destination.port': { + type: 'long', + array: false, + required: false, + }, + 'destination.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'destination.user.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'device.id': { + type: 'keyword', + array: false, + required: false, + }, + 'device.manufacturer': { + type: 'keyword', + array: false, + required: false, + }, + 'device.model.identifier': { + type: 'keyword', + array: false, + required: false, + }, + 'device.model.name': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'dll.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 
'dll.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'dll.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'dll.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'dll.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.hash.sha384': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.hash.tlsh': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.name': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.path': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.pehash': { + type: 'keyword', + array: false, + required: false, + }, + 'dll.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.answers': { + type: 'object', + array: true, + required: false, + }, + 'dns.answers.class': { + type: 'keyword', + array: false, + 
required: false, + }, + 'dns.answers.data': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.answers.name': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.answers.ttl': { + type: 'long', + array: false, + required: false, + }, + 'dns.answers.type': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.header_flags': { + type: 'keyword', + array: true, + required: false, + }, + 'dns.id': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.op_code': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.class': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.name': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.question.type': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.resolved_ip': { + type: 'ip', + array: true, + required: false, + }, + 'dns.response_code': { + type: 'keyword', + array: false, + required: false, + }, + 'dns.type': { + type: 'keyword', + array: false, + required: false, + }, + 'ecs.version': { + type: 'keyword', + array: false, + required: true, + }, + 'email.attachments': { + type: 'nested', + array: true, + required: false, + }, + 'email.attachments.file.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'email.attachments.file.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'email.attachments.file.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'email.attachments.file.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'email.attachments.file.hash.sha384': { + type: 'keyword', + array: false, + required: 
false, + }, + 'email.attachments.file.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'email.attachments.file.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'email.attachments.file.hash.tlsh': { + type: 'keyword', + array: false, + required: false, + }, + 'email.attachments.file.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'email.attachments.file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'email.attachments.file.size': { + type: 'long', + array: false, + required: false, + }, + 'email.bcc.address': { + type: 'keyword', + array: true, + required: false, + }, + 'email.cc.address': { + type: 'keyword', + array: true, + required: false, + }, + 'email.content_type': { + type: 'keyword', + array: false, + required: false, + }, + 'email.delivery_timestamp': { + type: 'date', + array: false, + required: false, + }, + 'email.direction': { + type: 'keyword', + array: false, + required: false, + }, + 'email.from.address': { + type: 'keyword', + array: true, + required: false, + }, + 'email.local_id': { + type: 'keyword', + array: false, + required: false, + }, + 'email.message_id': { + type: 'wildcard', + array: false, + required: false, + }, + 'email.origination_timestamp': { + type: 'date', + array: false, + required: false, + }, + 'email.reply_to.address': { + type: 'keyword', + array: true, + required: false, + }, + 'email.sender.address': { + type: 'keyword', + array: false, + required: false, + }, + 'email.subject': { + type: 'keyword', + array: false, + required: false, + }, + 'email.to.address': { + type: 'keyword', + array: true, + required: false, + }, + 'email.x_mailer': { + type: 'keyword', + array: false, + required: false, + }, + 'error.code': { + type: 'keyword', + array: false, + required: false, + }, + 'error.id': { + type: 'keyword', + array: false, + required: false, + }, + 'error.message': { + type: 'match_only_text', + array: false, + 
required: false, + }, + 'error.stack_trace': { + type: 'wildcard', + array: false, + required: false, + }, + 'error.type': { + type: 'keyword', + array: false, + required: false, + }, + 'event.action': { + type: 'keyword', + array: false, + required: false, + }, + 'event.agent_id_status': { + type: 'keyword', + array: false, + required: false, + }, + 'event.category': { + type: 'keyword', + array: true, + required: false, + }, + 'event.code': { + type: 'keyword', + array: false, + required: false, + }, + 'event.created': { + type: 'date', + array: false, + required: false, + }, + 'event.dataset': { + type: 'keyword', + array: false, + required: false, + }, + 'event.duration': { + type: 'long', + array: false, + required: false, + }, + 'event.end': { + type: 'date', + array: false, + required: false, + }, + 'event.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'event.id': { + type: 'keyword', + array: false, + required: false, + }, + 'event.ingested': { + type: 'date', + array: false, + required: false, + }, + 'event.kind': { + type: 'keyword', + array: false, + required: false, + }, + 'event.module': { + type: 'keyword', + array: false, + required: false, + }, + 'event.original': { + type: 'keyword', + array: false, + required: false, + }, + 'event.outcome': { + type: 'keyword', + array: false, + required: false, + }, + 'event.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'event.reason': { + type: 'keyword', + array: false, + required: false, + }, + 'event.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'event.risk_score': { + type: 'float', + array: false, + required: false, + }, + 'event.risk_score_norm': { + type: 'float', + array: false, + required: false, + }, + 'event.sequence': { + type: 'long', + array: false, + required: false, + }, + 'event.severity': { + type: 'long', + array: false, + required: false, + }, + 'event.start': { + type: 'date', + array: false, + required: false, + 
}, + 'event.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'event.type': { + type: 'keyword', + array: true, + required: false, + }, + 'event.url': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.coldstart': { + type: 'boolean', + array: false, + required: false, + }, + 'faas.execution': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.id': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.name': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.trigger': { + type: 'nested', + array: false, + required: false, + }, + 'faas.trigger.request_id': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.trigger.type': { + type: 'keyword', + array: false, + required: false, + }, + 'faas.version': { + type: 'keyword', + array: false, + required: false, + }, + 'file.accessed': { + type: 'date', + array: false, + required: false, + }, + 'file.attributes': { + type: 'keyword', + array: true, + required: false, + }, + 'file.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'file.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'file.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'file.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'file.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'file.created': { + type: 'date', + array: false, + required: false, + }, + 'file.ctime': { + type: 
'date', + array: false, + required: false, + }, + 'file.device': { + type: 'keyword', + array: false, + required: false, + }, + 'file.directory': { + type: 'keyword', + array: false, + required: false, + }, + 'file.drive_letter': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'file.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'file.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'file.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.sections.physical_offset': 
{ + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'file.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'file.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'file.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'file.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'file.fork_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.gid': { + type: 'keyword', + array: false, + required: false, + }, + 'file.group': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha384': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'file.hash.tlsh': { + type: 'keyword', + array: false, + required: false, + }, + 'file.inode': { + type: 'keyword', + array: false, + required: false, + }, + 'file.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.mode': { + type: 'keyword', + array: false, + required: false, + }, + 
'file.mtime': { + type: 'date', + array: false, + required: false, + }, + 'file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.owner': { + type: 'keyword', + array: false, + required: false, + }, + 'file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.pehash': { + type: 'keyword', + array: false, + required: false, + }, + 'file.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'file.size': { + type: 'long', + array: false, + required: false, + }, + 'file.target_path': { + type: 'keyword', + array: false, + required: false, + }, + 'file.type': { + type: 'keyword', + array: false, + required: false, + }, + 'file.uid': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.issuer.state_or_province': { + 
type: 'keyword', + array: true, + required: false, + }, + 'file.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'file.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'file.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'file.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'file.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'file.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'file.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'host.boot.id': { + type: 'keyword', + array: false, + required: false, + }, + 'host.cpu.usage': { + type: 'scaled_float', + 
array: false, + required: false, + scaling_factor: 1000, + }, + 'host.disk.read.bytes': { + type: 'long', + array: false, + required: false, + }, + 'host.disk.write.bytes': { + type: 'long', + array: false, + required: false, + }, + 'host.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'host.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'host.hostname': { + type: 'keyword', + array: false, + required: false, + }, + 'host.id': { + type: 'keyword', + array: false, + required: false, + }, + 'host.ip': { + type: 'ip', + array: true, + required: false, + }, + 'host.mac': { + type: 'keyword', + array: true, + required: false, + }, + 'host.name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.network.egress.bytes': { + type: 'long', + array: false, + required: false, + }, + 'host.network.egress.packets': { + type: 'long', + array: false, + required: false, + }, + 'host.network.ingress.bytes': { + type: 'long', + array: false, + required: false, + }, + 'host.network.ingress.packets': { + type: 'long', + array: false, + required: false, + 
}, + 'host.os.family': { + type: 'keyword', + array: false, + required: false, + }, + 'host.os.full': { + type: 'keyword', + array: false, + required: false, + }, + 'host.os.kernel': { + type: 'keyword', + array: false, + required: false, + }, + 'host.os.name': { + type: 'keyword', + array: false, + required: false, + }, + 'host.os.platform': { + type: 'keyword', + array: false, + required: false, + }, + 'host.os.type': { + type: 'keyword', + array: false, + required: false, + }, + 'host.os.version': { + type: 'keyword', + array: false, + required: false, + }, + 'host.pid_ns_ino': { + type: 'keyword', + array: false, + required: false, + }, + 'host.risk.calculated_level': { + type: 'keyword', + array: false, + required: false, + }, + 'host.risk.calculated_score': { + type: 'float', + array: false, + required: false, + }, + 'host.risk.calculated_score_norm': { + type: 'float', + array: false, + required: false, + }, + 'host.risk.static_level': { + type: 'keyword', + array: false, + required: false, + }, + 'host.risk.static_score': { + type: 'float', + array: false, + required: false, + }, + 'host.risk.static_score_norm': { + type: 'float', + array: false, + required: false, + }, + 'host.type': { + type: 'keyword', + array: false, + required: false, + }, + 'host.uptime': { + type: 'long', + array: false, + required: false, + }, + 'http.request.body.bytes': { + type: 'long', + array: false, + required: false, + }, + 'http.request.body.content': { + type: 'wildcard', + array: false, + required: false, + }, + 'http.request.bytes': { + type: 'long', + array: false, + required: false, + }, + 'http.request.id': { + type: 'keyword', + array: false, + required: false, + }, + 'http.request.method': { + type: 'keyword', + array: false, + required: false, + }, + 'http.request.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'http.request.referrer': { + type: 'keyword', + array: false, + required: false, + }, + 'http.response.body.bytes': { + type: 
'long', + array: false, + required: false, + }, + 'http.response.body.content': { + type: 'wildcard', + array: false, + required: false, + }, + 'http.response.bytes': { + type: 'long', + array: false, + required: false, + }, + 'http.response.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'http.response.status_code': { + type: 'long', + array: false, + required: false, + }, + 'http.version': { + type: 'keyword', + array: false, + required: false, + }, + labels: { + type: 'object', + array: false, + required: false, + }, + 'log.file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'log.level': { + type: 'keyword', + array: false, + required: false, + }, + 'log.logger': { + type: 'keyword', + array: false, + required: false, + }, + 'log.origin.file.line': { + type: 'long', + array: false, + required: false, + }, + 'log.origin.file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'log.origin.function': { + type: 'keyword', + array: false, + required: false, + }, + 'log.syslog': { + type: 'object', + array: false, + required: false, + }, + 'log.syslog.appname': { + type: 'keyword', + array: false, + required: false, + }, + 'log.syslog.facility.code': { + type: 'long', + array: false, + required: false, + }, + 'log.syslog.facility.name': { + type: 'keyword', + array: false, + required: false, + }, + 'log.syslog.hostname': { + type: 'keyword', + array: false, + required: false, + }, + 'log.syslog.msgid': { + type: 'keyword', + array: false, + required: false, + }, + 'log.syslog.priority': { + type: 'long', + array: false, + required: false, + }, + 'log.syslog.procid': { + type: 'keyword', + array: false, + required: false, + }, + 'log.syslog.severity.code': { + type: 'long', + array: false, + required: false, + }, + 'log.syslog.severity.name': { + type: 'keyword', + array: false, + required: false, + }, + 'log.syslog.structured_data': { + type: 'flattened', + array: false, + required: false, + }, + 
'log.syslog.version': { + type: 'keyword', + array: false, + required: false, + }, + message: { + type: 'match_only_text', + array: false, + required: false, + }, + 'network.application': { + type: 'keyword', + array: false, + required: false, + }, + 'network.bytes': { + type: 'long', + array: false, + required: false, + }, + 'network.community_id': { + type: 'keyword', + array: false, + required: false, + }, + 'network.direction': { + type: 'keyword', + array: false, + required: false, + }, + 'network.forwarded_ip': { + type: 'ip', + array: false, + required: false, + }, + 'network.iana_number': { + type: 'keyword', + array: false, + required: false, + }, + 'network.inner': { + type: 'object', + array: false, + required: false, + }, + 'network.inner.vlan.id': { + type: 'keyword', + array: false, + required: false, + }, + 'network.inner.vlan.name': { + type: 'keyword', + array: false, + required: false, + }, + 'network.name': { + type: 'keyword', + array: false, + required: false, + }, + 'network.packets': { + type: 'long', + array: false, + required: false, + }, + 'network.protocol': { + type: 'keyword', + array: false, + required: false, + }, + 'network.transport': { + type: 'keyword', + array: false, + required: false, + }, + 'network.type': { + type: 'keyword', + array: false, + required: false, + }, + 'network.vlan.id': { + type: 'keyword', + array: false, + required: false, + }, + 'network.vlan.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.egress': { + type: 'object', + array: false, + required: false, + }, + 'observer.egress.interface.alias': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.egress.interface.id': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.egress.interface.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.egress.vlan.id': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.egress.vlan.name': { + type: 
'keyword', + array: false, + required: false, + }, + 'observer.egress.zone': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'observer.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.hostname': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress': { + type: 'object', + array: false, + required: false, + }, + 'observer.ingress.interface.alias': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress.interface.id': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress.interface.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress.vlan.id': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress.vlan.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ingress.zone': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.ip': { + type: 'ip', + array: true, + required: false, + }, + 'observer.mac': { + type: 'keyword', + array: true, 
+ required: false, + }, + 'observer.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.family': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.full': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.kernel': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.name': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.platform': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.type': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.os.version': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.product': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.type': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.vendor': { + type: 'keyword', + array: false, + required: false, + }, + 'observer.version': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.api_version': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.cluster.id': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.cluster.name': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.cluster.url': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.cluster.version': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.namespace': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.organization': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.resource.id': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.resource.ip': { + type: 'ip', + array: true, + required: false, + }, + 'orchestrator.resource.name': { + type: 'keyword', + array: false, + 
required: false, + }, + 'orchestrator.resource.parent.type': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.resource.type': { + type: 'keyword', + array: false, + required: false, + }, + 'orchestrator.type': { + type: 'keyword', + array: false, + required: false, + }, + 'organization.id': { + type: 'keyword', + array: false, + required: false, + }, + 'organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'package.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'package.build_version': { + type: 'keyword', + array: false, + required: false, + }, + 'package.checksum': { + type: 'keyword', + array: false, + required: false, + }, + 'package.description': { + type: 'keyword', + array: false, + required: false, + }, + 'package.install_scope': { + type: 'keyword', + array: false, + required: false, + }, + 'package.installed': { + type: 'date', + array: false, + required: false, + }, + 'package.license': { + type: 'keyword', + array: false, + required: false, + }, + 'package.name': { + type: 'keyword', + array: false, + required: false, + }, + 'package.path': { + type: 'keyword', + array: false, + required: false, + }, + 'package.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'package.size': { + type: 'long', + array: false, + required: false, + }, + 'package.type': { + type: 'keyword', + array: false, + required: false, + }, + 'package.version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.args': { + type: 'keyword', + array: true, + required: false, + }, + 'process.args_count': { + type: 'long', + array: false, + required: false, + }, + 'process.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'process.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'process.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + 
}, + 'process.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'process.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'process.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'process.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'process.command_line': { + type: 'wildcard', + array: false, + required: false, + }, + 'process.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'process.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.elf.sections': { + type: 'nested', + 
array: true, + required: false, + }, + 'process.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'process.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'process.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'process.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.end': { + type: 'date', + array: false, + required: false, + }, + 'process.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.args': { + type: 'keyword', + array: true, + required: false, + }, + 'process.entry_leader.args_count': { + type: 'long', + array: false, + required: false, + }, + 'process.entry_leader.attested_groups.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.attested_user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.attested_user.name': { + type: 'keyword', + array: false, + required: 
false, + }, + 'process.entry_leader.command_line': { + type: 'wildcard', + array: false, + required: false, + }, + 'process.entry_leader.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.entry_meta.source.ip': { + type: 'ip', + array: false, + required: false, + }, + 'process.entry_leader.entry_meta.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.executable': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.interactive': { + type: 'boolean', + array: false, + required: false, + }, + 'process.entry_leader.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.parent.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.parent.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.entry_leader.parent.session_leader.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.parent.session_leader.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.entry_leader.parent.session_leader.start': { + type: 'date', + array: false, + required: false, + }, + 'process.entry_leader.parent.start': { + type: 'date', + array: false, + required: false, + }, + 'process.entry_leader.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.entry_leader.real_group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.real_group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.real_user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.real_user.name': { + type: 'keyword', + array: 
false, + required: false, + }, + 'process.entry_leader.same_as_process': { + type: 'boolean', + array: false, + required: false, + }, + 'process.entry_leader.saved_group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.saved_group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.saved_user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.saved_user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.start': { + type: 'date', + array: false, + required: false, + }, + 'process.entry_leader.supplemental_groups.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.supplemental_groups.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.tty': { + type: 'object', + array: false, + required: false, + }, + 'process.entry_leader.tty.char_device.major': { + type: 'long', + array: false, + required: false, + }, + 'process.entry_leader.tty.char_device.minor': { + type: 'long', + array: false, + required: false, + }, + 'process.entry_leader.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.entry_leader.working_directory': { + type: 'keyword', + array: false, + required: false, + }, + 'process.env_vars': { + type: 'keyword', + array: true, + required: false, + }, + 'process.executable': { + type: 'keyword', + array: false, + required: false, + }, + 'process.exit_code': { + type: 'long', + array: false, + required: false, + }, + 'process.group_leader.args': { + type: 'keyword', + array: true, + required: false, + }, + 'process.group_leader.args_count': { + type: 'long', + array: false, + required: false, + }, + 'process.group_leader.command_line': { + type: 'wildcard', + array: false, + required: false, + }, + 
'process.group_leader.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.executable': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.interactive': { + type: 'boolean', + array: false, + required: false, + }, + 'process.group_leader.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.group_leader.real_group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.real_group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.real_user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.real_user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.same_as_process': { + type: 'boolean', + array: false, + required: false, + }, + 'process.group_leader.saved_group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.saved_group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.saved_user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.saved_user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.start': { + type: 'date', + array: false, + required: false, + }, + 'process.group_leader.supplemental_groups.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.supplemental_groups.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.tty': { + type: 'object', + array: false, + required: false, + }, + 
'process.group_leader.tty.char_device.major': { + type: 'long', + array: false, + required: false, + }, + 'process.group_leader.tty.char_device.minor': { + type: 'long', + array: false, + required: false, + }, + 'process.group_leader.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.group_leader.working_directory': { + type: 'keyword', + array: false, + required: false, + }, + 'process.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'process.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'process.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'process.hash.sha384': { + type: 'keyword', + array: false, + required: false, + }, + 'process.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'process.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'process.hash.tlsh': { + type: 'keyword', + array: false, + required: false, + }, + 'process.interactive': { + type: 'boolean', + array: false, + required: false, + }, + 'process.io': { + type: 'object', + array: false, + required: false, + }, + 'process.io.bytes_skipped': { + type: 'object', + array: true, + required: false, + }, + 'process.io.bytes_skipped.length': { + type: 'long', + array: false, + required: false, + }, + 'process.io.bytes_skipped.offset': { + type: 'long', + array: false, + required: false, + }, + 'process.io.max_bytes_per_process_exceeded': { + type: 'boolean', + array: false, + required: false, + }, + 'process.io.text': { + type: 'wildcard', + array: false, + required: false, + }, + 'process.io.total_bytes_captured': { + type: 'long', + array: false, + required: false, + }, + 'process.io.total_bytes_skipped': { + type: 'long', + array: false, + required: false, + }, + 'process.io.type': { + type: 'keyword', + array: false, + required: false, 
+ }, + 'process.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.args': { + type: 'keyword', + array: true, + required: false, + }, + 'process.parent.args_count': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'process.parent.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'process.parent.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'process.parent.command_line': { + type: 'wildcard', + array: false, + required: false, + }, + 'process.parent.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.parent.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 
'process.parent.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'process.parent.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'process.parent.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'process.parent.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 
'process.parent.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'process.parent.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.end': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.executable': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.exit_code': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.group_leader.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.group_leader.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.group_leader.start': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha384': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.hash.tlsh': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.interactive': { + type: 'boolean', + array: false, + required: false, + }, + 'process.parent.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.company': { + type: 'keyword', + 
array: false, + required: false, + }, + 'process.parent.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.pehash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.pgid': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.real_group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.real_group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.real_user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.real_user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.saved_group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.saved_group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.saved_user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.saved_user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.start': { + type: 'date', + array: false, + required: false, + }, + 'process.parent.supplemental_groups.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.supplemental_groups.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.thread.id': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.thread.name': { + type: 'keyword', + array: false, + 
required: false, + }, + 'process.parent.title': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.tty': { + type: 'object', + array: false, + required: false, + }, + 'process.parent.tty.char_device.major': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.tty.char_device.minor': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.uptime': { + type: 'long', + array: false, + required: false, + }, + 'process.parent.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.parent.working_directory': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.pehash': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'process.pgid': { + type: 'long', + array: false, + required: false, + }, + 'process.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.previous.args': { + type: 'keyword', + array: true, + required: false, + }, + 'process.previous.args_count': { + type: 'long', + array: false, + required: false, + }, + 'process.previous.executable': { + type: 'keyword', + array: false, + required: false, + }, + 'process.real_group.id': { + type: 'keyword', + array: false, + required: false, + }, + 
'process.real_group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.real_user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.real_user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.saved_group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.saved_group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.saved_user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.saved_user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.args': { + type: 'keyword', + array: true, + required: false, + }, + 'process.session_leader.args_count': { + type: 'long', + array: false, + required: false, + }, + 'process.session_leader.command_line': { + type: 'wildcard', + array: false, + required: false, + }, + 'process.session_leader.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.executable': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.interactive': { + type: 'boolean', + array: false, + required: false, + }, + 'process.session_leader.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.parent.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.parent.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.session_leader.parent.session_leader.entity_id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.parent.session_leader.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.session_leader.parent.session_leader.start': 
{ + type: 'date', + array: false, + required: false, + }, + 'process.session_leader.parent.start': { + type: 'date', + array: false, + required: false, + }, + 'process.session_leader.pid': { + type: 'long', + array: false, + required: false, + }, + 'process.session_leader.real_group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.real_group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.real_user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.real_user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.same_as_process': { + type: 'boolean', + array: false, + required: false, + }, + 'process.session_leader.saved_group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.saved_group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.saved_user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.saved_user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.start': { + type: 'date', + array: false, + required: false, + }, + 'process.session_leader.supplemental_groups.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.supplemental_groups.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.tty': { + type: 'object', + array: false, + required: false, + }, + 'process.session_leader.tty.char_device.major': { + type: 'long', + array: false, + required: false, + }, + 'process.session_leader.tty.char_device.minor': { + type: 'long', + array: false, + required: false, + }, + 'process.session_leader.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.session_leader.user.name': { + type: 'keyword', + array: false, + required: 
false, + }, + 'process.session_leader.working_directory': { + type: 'keyword', + array: false, + required: false, + }, + 'process.start': { + type: 'date', + array: false, + required: false, + }, + 'process.supplemental_groups.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.supplemental_groups.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.thread.id': { + type: 'long', + array: false, + required: false, + }, + 'process.thread.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.title': { + type: 'keyword', + array: false, + required: false, + }, + 'process.tty': { + type: 'object', + array: false, + required: false, + }, + 'process.tty.char_device.major': { + type: 'long', + array: false, + required: false, + }, + 'process.tty.char_device.minor': { + type: 'long', + array: false, + required: false, + }, + 'process.tty.columns': { + type: 'long', + array: false, + required: false, + }, + 'process.tty.rows': { + type: 'long', + array: false, + required: false, + }, + 'process.uptime': { + type: 'long', + array: false, + required: false, + }, + 'process.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'process.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'process.working_directory': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.data.bytes': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'registry.data.type': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.hive': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.key': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.path': { + type: 'keyword', + array: false, + required: false, + }, + 'registry.value': { + type: 'keyword', + array: false, + required: false, + }, + 'related.hash': { 
+ type: 'keyword', + array: true, + required: false, + }, + 'related.hosts': { + type: 'keyword', + array: true, + required: false, + }, + 'related.ip': { + type: 'ip', + array: true, + required: false, + }, + 'related.user': { + type: 'keyword', + array: true, + required: false, + }, + 'rule.author': { + type: 'keyword', + array: true, + required: false, + }, + 'rule.category': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.description': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.id': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.license': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.name': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.ruleset': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.uuid': { + type: 'keyword', + array: false, + required: false, + }, + 'rule.version': { + type: 'keyword', + array: false, + required: false, + }, + 'server.address': { + type: 'keyword', + array: false, + required: false, + }, + 'server.as.number': { + type: 'long', + array: false, + required: false, + }, + 'server.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.bytes': { + type: 'long', + array: false, + required: false, + }, + 'server.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.location': { + type: 'geo_point', + array: false, 
+ required: false, + }, + 'server.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'server.ip': { + type: 'ip', + array: false, + required: false, + }, + 'server.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'server.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'server.nat.port': { + type: 'long', + array: false, + required: false, + }, + 'server.packets': { + type: 'long', + array: false, + required: false, + }, + 'server.port': { + type: 'long', + array: false, + required: false, + }, + 'server.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'server.user.roles': { + type: 'keyword', + 
array: true, + required: false, + }, + 'service.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.environment': { + type: 'keyword', + array: false, + required: false, + }, + 'service.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.node.role': { + type: 'keyword', + array: false, + required: false, + }, + 'service.node.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'service.origin.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.environment': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.ephemeral_id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.node.role': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.node.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'service.origin.state': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.origin.version': { + type: 'keyword', + array: false, + required: false, + }, + 'service.state': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.address': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.environment': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.ephemeral_id': { + type: 'keyword', + 
array: false, + required: false, + }, + 'service.target.id': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.node.name': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.node.role': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.node.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'service.target.state': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.target.version': { + type: 'keyword', + array: false, + required: false, + }, + 'service.type': { + type: 'keyword', + array: false, + required: false, + }, + 'service.version': { + type: 'keyword', + array: false, + required: false, + }, + 'source.address': { + type: 'keyword', + array: false, + required: false, + }, + 'source.as.number': { + type: 'long', + array: false, + required: false, + }, + 'source.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.bytes': { + type: 'long', + array: false, + required: false, + }, + 'source.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'source.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.postal_code': { + type: 'keyword', + array: 
false, + required: false, + }, + 'source.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'source.ip': { + type: 'ip', + array: false, + required: false, + }, + 'source.mac': { + type: 'keyword', + array: false, + required: false, + }, + 'source.nat.ip': { + type: 'ip', + array: false, + required: false, + }, + 'source.nat.port': { + type: 'long', + array: false, + required: false, + }, + 'source.packets': { + type: 'long', + array: false, + required: false, + }, + 'source.port': { + type: 'long', + array: false, + required: false, + }, + 'source.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'source.user.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'span.id': { + type: 'keyword', + array: false, + required: false, + }, + tags: { + type: 'keyword', + array: true, + 
required: false, + }, + 'threat.enrichments': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator': { + type: 'object', + array: false, + required: false, + }, + 'threat.enrichments.indicator.as.number': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.confidence': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.email.address': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.accessed': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.attributes': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.file.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.created': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.ctime': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.device': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.directory': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.drive_letter': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.file.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.elf.shared_libraries': { + type: 'keyword', + array: true, + 
required: false, + }, + 'threat.enrichments.indicator.file.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.fork_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.gid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.group': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha384': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.hash.tlsh': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.inode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.mtime': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.owner': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.pehash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.target_path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.uid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.locality': { + 
type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.organization': { + type: 'keyword', + array: true, + 
required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.file.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.first_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.ip': { + type: 'ip', + array: false, + required: false, + }, + 'threat.enrichments.indicator.last_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.marking.tlp.version': { + type: 
'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.modified_at': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.port': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.data.bytes': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'threat.enrichments.indicator.registry.data.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.hive': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.key': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.registry.value': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.scanner_stats': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.sightings': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.fragment': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.full': { + type: 'wildcard', + array: false, + required: false, + }, + 
'threat.enrichments.indicator.url.original': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.password': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.path': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.port': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.query': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.scheme': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.url.username': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.issuer.state_or_province': { + type: 
'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.enrichments.indicator.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.matched.atomic': { + type: 'keyword', + array: 
false, + required: false, + }, + 'threat.enrichments.matched.field': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.matched.id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.matched.index': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.enrichments.matched.occurred': { + type: 'date', + array: false, + required: false, + }, + 'threat.enrichments.matched.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.feed.dashboard_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.feed.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.feed.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.feed.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.framework': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.group.alias': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.group.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.as.number': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.as.organization.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.confidence': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.email.address': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.accessed': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.attributes': { + type: 'keyword', + array: true, + required: false, + }, + 
'threat.indicator.file.code_signature.digest_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.exists': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.signing_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.status': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.subject_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.team_id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.timestamp': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.trusted': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.indicator.file.code_signature.valid': { + type: 'boolean', + array: false, + required: false, + }, + 'threat.indicator.file.created': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.ctime': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.device': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.directory': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.drive_letter': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.byte_order': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.cpu_type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.creation_date': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.elf.exports': { + type: 'flattened', + array: true, + required: false, + }, 
+ 'threat.indicator.file.elf.header.abi_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.class': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.data': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.entrypoint': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.object_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.os_abi': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.header.version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.imports': { + type: 'flattened', + array: true, + required: false, + }, + 'threat.indicator.file.elf.sections': { + type: 'nested', + array: true, + required: false, + }, + 'threat.indicator.file.elf.sections.chi2': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.entropy': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.flags': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.physical_offset': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.physical_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.virtual_address': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.elf.sections.virtual_size': { + type: 'long', 
+ array: false, + required: false, + }, + 'threat.indicator.file.elf.segments': { + type: 'nested', + array: true, + required: false, + }, + 'threat.indicator.file.elf.segments.sections': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.segments.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.elf.shared_libraries': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.elf.telfhash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.fork_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.gid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.group': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.hash.sha384': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.hash.sha512': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.hash.ssdeep': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.hash.tlsh': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.inode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.mime_type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.mode': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.mtime': { + type: 'date', + array: false, + 
required: false, + }, + 'threat.indicator.file.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.owner': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.architecture': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.company': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.description': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.file_version': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.imphash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.original_file_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.pehash': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.pe.product': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.size': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.target_path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.uid': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.issuer.locality': { + type: 
'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.file.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.file.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.file.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.subject.state_or_province': 
{ + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.file.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.first_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.geo.city_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.continent_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.continent_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.country_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.country_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.location': { + type: 'geo_point', + array: false, + required: false, + }, + 'threat.indicator.geo.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.postal_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.region_iso_code': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.region_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.geo.timezone': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.ip': { + type: 'ip', + array: false, + required: false, + }, + 'threat.indicator.last_seen': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.marking.tlp': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.modified_at': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.port': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.provider': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.reference': { + type: 'keyword', + array: false, + required: false, + }, + 
'threat.indicator.registry.data.bytes': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.registry.data.strings': { + type: 'wildcard', + array: true, + required: false, + }, + 'threat.indicator.registry.data.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.registry.hive': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.registry.key': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.registry.path': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.registry.value': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.scanner_stats': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.sightings': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.extension': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.fragment': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.full': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.indicator.url.original': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.indicator.url.password': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.path': { + type: 'wildcard', + array: false, + required: false, + }, + 'threat.indicator.url.port': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.url.query': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.scheme': { + type: 'keyword', + array: false, + 
required: false, + }, + 'threat.indicator.url.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.url.username': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'threat.indicator.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'threat.indicator.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + 
}, + 'threat.indicator.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.indicator.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.indicator.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.software.alias': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.software.id': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.software.name': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.software.platforms': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.software.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.software.type': { + type: 'keyword', + array: false, + required: false, + }, + 'threat.tactic.id': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.tactic.name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.tactic.reference': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.technique.id': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.technique.name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.technique.reference': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.technique.subtechnique.id': { + type: 'keyword', + array: true, + 
required: false, + }, + 'threat.technique.subtechnique.name': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.technique.subtechnique.reference': { + type: 'keyword', + array: true, + required: false, + }, + 'threat.threat.indicator.marking.tlp.version': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.cipher': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.certificate': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.certificate_chain': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.issuer': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.ja3': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.not_after': { + type: 'date', + array: false, + required: false, + }, + 'tls.client.not_before': { + type: 'date', + array: false, + required: false, + }, + 'tls.client.server_name': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.subject': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.supported_ciphers': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 
'tls.client.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.not_after': { + type: 'date', + array: false, + required: false, + }, + 'tls.client.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'tls.client.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'tls.client.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'tls.client.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.client.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.client.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.curve': { + type: 'keyword', + array: false, + required: false, + }, + 
'tls.established': { + type: 'boolean', + array: false, + required: false, + }, + 'tls.next_protocol': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.resumed': { + type: 'boolean', + array: false, + required: false, + }, + 'tls.server.certificate': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.certificate_chain': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.hash.md5': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.hash.sha1': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.hash.sha256': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.issuer': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.ja3s': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.not_after': { + type: 'date', + array: false, + required: false, + }, + 'tls.server.not_before': { + type: 'date', + array: false, + required: false, + }, + 'tls.server.subject': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.alternative_names': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.issuer.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.issuer.country': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.issuer.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.issuer.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.issuer.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.issuer.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.issuer.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.not_after': { + type: 'date', + array: false, + required: 
false, + }, + 'tls.server.x509.not_before': { + type: 'date', + array: false, + required: false, + }, + 'tls.server.x509.public_key_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.public_key_curve': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.public_key_exponent': { + type: 'long', + array: false, + required: false, + }, + 'tls.server.x509.public_key_size': { + type: 'long', + array: false, + required: false, + }, + 'tls.server.x509.serial_number': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.signature_algorithm': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.subject.common_name': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.subject.country': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.subject.distinguished_name': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.server.x509.subject.locality': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.subject.organization': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.subject.organizational_unit': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.subject.state_or_province': { + type: 'keyword', + array: true, + required: false, + }, + 'tls.server.x509.version_number': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.version': { + type: 'keyword', + array: false, + required: false, + }, + 'tls.version_protocol': { + type: 'keyword', + array: false, + required: false, + }, + 'trace.id': { + type: 'keyword', + array: false, + required: false, + }, + 'transaction.id': { + type: 'keyword', + array: false, + required: false, + }, + 'url.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'url.extension': { + type: 'keyword', + array: false, + required: false, + }, + 
'url.fragment': { + type: 'keyword', + array: false, + required: false, + }, + 'url.full': { + type: 'wildcard', + array: false, + required: false, + }, + 'url.original': { + type: 'wildcard', + array: false, + required: false, + }, + 'url.password': { + type: 'keyword', + array: false, + required: false, + }, + 'url.path': { + type: 'wildcard', + array: false, + required: false, + }, + 'url.port': { + type: 'long', + array: false, + required: false, + }, + 'url.query': { + type: 'keyword', + array: false, + required: false, + }, + 'url.registered_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'url.scheme': { + type: 'keyword', + array: false, + required: false, + }, + 'url.subdomain': { + type: 'keyword', + array: false, + required: false, + }, + 'url.top_level_domain': { + type: 'keyword', + array: false, + required: false, + }, + 'url.username': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.email': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.changes.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'user.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.domain': { + type: 'keyword', + array: false, + required: false, + }, + 
'user.effective.email': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.effective.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'user.email': { + type: 'keyword', + array: false, + required: false, + }, + 'user.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'user.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.risk.calculated_level': { + type: 'keyword', + array: false, + required: false, + }, + 'user.risk.calculated_score': { + type: 'float', + array: false, + required: false, + }, + 'user.risk.calculated_score_norm': { + type: 'float', + array: false, + required: false, + }, + 'user.risk.static_level': { + type: 'keyword', + array: false, + required: false, + }, + 'user.risk.static_score': { + type: 'float', + array: false, + required: false, + }, + 'user.risk.static_score_norm': { + type: 'float', + array: false, + required: false, + }, + 'user.roles': { + type: 
'keyword', + array: true, + required: false, + }, + 'user.target.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.email': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.full_name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.group.domain': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.group.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.group.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.hash': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.id': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user.target.roles': { + type: 'keyword', + array: true, + required: false, + }, + 'user_agent.device.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.original': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.family': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.full': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.kernel': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.name': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.platform': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.type': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.os.version': { + type: 'keyword', + array: false, + required: false, + }, + 'user_agent.version': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.category': { + type: 'keyword', + array: true, + required: false, + }, + 'vulnerability.classification': { + type: 'keyword', + 
array: false, + required: false, + }, + 'vulnerability.description': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.enumeration': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.id': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.reference': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.report_id': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.scanner.vendor': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.score.base': { + type: 'float', + array: false, + required: false, + }, + 'vulnerability.score.environmental': { + type: 'float', + array: false, + required: false, + }, + 'vulnerability.score.temporal': { + type: 'float', + array: false, + required: false, + }, + 'vulnerability.score.version': { + type: 'keyword', + array: false, + required: false, + }, + 'vulnerability.severity': { + type: 'keyword', + array: false, + required: false, + }, +} as const; + +export type EcsFieldMap = typeof ecsFieldMap; diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.test.ts new file mode 100644 index 00000000000000..4e2d591bf88bd0 --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.test.ts 
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { experimentalRuleFieldMap } from './experimental_rule_field_map';
+
+// This test purely exists to see what the resultant mappings are and
+// make it obvious when some dependency results in the mappings changing
+it('matches snapshot', () => {
+ expect(experimentalRuleFieldMap).toMatchInlineSnapshot(`
+ Object {
+ "kibana.alert.evaluation.threshold": Object {
+ "scaling_factor": 100,
+ "type": "scaled_float",
+ },
+ "kibana.alert.evaluation.value": Object {
+ "scaling_factor": 100,
+ "type": "scaled_float",
+ },
+ }
+ `);
+});
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.ts
new file mode 100644
index 00000000000000..92f93015309c0b
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as Fields from '../../technical_rule_data_field_names';
+
+export const experimentalRuleFieldMap = {
+ [Fields.ALERT_EVALUATION_THRESHOLD]: { type: 'scaled_float', scaling_factor: 100 },
+ [Fields.ALERT_EVALUATION_VALUE]: { type: 'scaled_float', scaling_factor: 100 },
+} as const;
+
+export type ExperimentalRuleFieldMap = typeof experimentalRuleFieldMap;
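Review bot: `scaled_float` with `scaling_factor: 100` on `kibana.alert.evaluation.threshold` and `kibana.alert.evaluation.value` stores each value as a long after multiplying by 100, so anything finer than two decimal places is rounded at index time (0.001 and 0.004 both index as 0) and values whose scaled form does not fit in a long are, as far as I recall the mapping semantics, rejected rather than clamped; if any rule type compares a stored threshold against a live value, that rounding should be stated next to the map, e.g. `// scaled_float@100: values are rounded to 0.01 on index; do not use these for exact comparisons`. For consistency with the other field maps in this patch, which spell out `array` and `required` on every entry, these two could read `{ type: 'scaled_float', scaling_factor: 100, array: false, required: false }`.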
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.test.ts
new file mode 100644
index 00000000000000..e546f339d2b886
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.test.ts
@@ -0,0 +1,269 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { technicalRuleFieldMap } from './technical_rule_field_map'; + +// This test purely exists to see what the resultant mappings are and +// make it obvious when some dependency results in the mappings changing +it('matches snapshot', () => { + expect(technicalRuleFieldMap).toMatchInlineSnapshot(` + Object { + "@timestamp": Object { + "array": false, + "required": true, + "type": "date", + }, + "ecs.version": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "event.action": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "event.kind": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.action_group": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.duration.us": Object { + "type": "long", + }, + "kibana.alert.end": Object { + "type": "date", + }, + "kibana.alert.flapping": Object { + "type": "boolean", + }, + "kibana.alert.instance.id": Object { + "required": true, + "type": "keyword", + }, + "kibana.alert.reason": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.risk_score": Object { + "array": false, + "required": false, + "type": "float", + }, + "kibana.alert.rule.author": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.category": Object { + "array": false, + "required": true, + "type": "keyword", + }, + "kibana.alert.rule.consumer": Object { + "required": true, + "type": "keyword", + }, + "kibana.alert.rule.created_at": Object { + "array": false, + "required": false, + "type": "date", + }, + "kibana.alert.rule.created_by": Object { + "array": false, + "required": 
false, + "type": "keyword", + }, + "kibana.alert.rule.description": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.enabled": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.execution.uuid": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.from": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.interval": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.license": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.name": Object { + "array": false, + "required": true, + "type": "keyword", + }, + "kibana.alert.rule.note": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.parameters": Object { + "ignore_above": 4096, + "type": "flattened", + }, + "kibana.alert.rule.producer": Object { + "required": true, + "type": "keyword", + }, + "kibana.alert.rule.references": Object { + "array": true, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.rule_id": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.rule_name_override": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.rule_type_id": Object { + "required": true, + "type": "keyword", + }, + "kibana.alert.rule.tags": Object { + "array": true, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.to": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.type": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.rule.updated_at": Object { + "array": false, + "required": false, + "type": "date", + }, + "kibana.alert.rule.updated_by": Object { + "array": false, + "required": false, + "type": "keyword", + }, + 
"kibana.alert.rule.uuid": Object { + "array": false, + "required": true, + "type": "keyword", + }, + "kibana.alert.rule.version": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.severity": Object { + "type": "keyword", + }, + "kibana.alert.start": Object { + "type": "date", + }, + "kibana.alert.status": Object { + "required": true, + "type": "keyword", + }, + "kibana.alert.suppression.docs_count": Object { + "array": false, + "required": false, + "type": "long", + }, + "kibana.alert.suppression.end": Object { + "array": false, + "required": false, + "type": "date", + }, + "kibana.alert.suppression.start": Object { + "array": false, + "required": false, + "type": "date", + }, + "kibana.alert.suppression.terms.field": Object { + "array": true, + "required": false, + "type": "keyword", + }, + "kibana.alert.suppression.terms.value": Object { + "array": true, + "required": false, + "type": "keyword", + }, + "kibana.alert.system_status": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.time_range": Object { + "format": "epoch_millis||strict_date_optional_time", + "type": "date_range", + }, + "kibana.alert.uuid": Object { + "required": true, + "type": "keyword", + }, + "kibana.alert.workflow_reason": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.workflow_status": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.alert.workflow_user": Object { + "array": false, + "required": false, + "type": "keyword", + }, + "kibana.space_ids": Object { + "array": true, + "required": true, + "type": "keyword", + }, + "kibana.version": Object { + "array": false, + "required": false, + "type": "version", + }, + "tags": Object { + "array": true, + "required": false, + "type": "keyword", + }, + } + `); +}); 
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.ts
new file mode 100644
index 00000000000000..aeebe987e20de6
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.ts
@@ -0,0 +1,219 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { pickWithPatterns } from '../../pick_with_patterns';
+import * as Fields from '../../technical_rule_data_field_names';
+import { ecsFieldMap } from './ecs_field_map';
+
+export const technicalRuleFieldMap = {
+ ...pickWithPatterns(
+ ecsFieldMap,
+ Fields.TIMESTAMP,
+ Fields.EVENT_KIND,
+ Fields.EVENT_ACTION,
+ Fields.TAGS
+ ),
+ [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096 },
+ [Fields.ALERT_RULE_TYPE_ID]: { type: 'keyword', required: true },
+ [Fields.ALERT_RULE_CONSUMER]: { type: 'keyword', required: true },
+ [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword', required: true },
+ [Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true },
+ [Fields.ALERT_UUID]: { type: 'keyword', required: true },
+ [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true },
+ [Fields.ALERT_START]: { type: 'date' },
+ [Fields.ALERT_TIME_RANGE]: {
+ type: 'date_range',
+ format: 'epoch_millis||strict_date_optional_time',
+ },
+ [Fields.ALERT_END]: { type: 'date' },
+ [Fields.ALERT_DURATION]: { type: 'long' },
+ [Fields.ALERT_SEVERITY]: { type: 'keyword' },
+ [Fields.ALERT_STATUS]: { type: 'keyword', required: true },
+ [Fields.ALERT_FLAPPING]: { type: 'boolean' },
+ [Fields.VERSION]: {
+ type: 'version',
+ array: false,
+ required: false,
+ },
+ [Fields.ECS_VERSION]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RISK_SCORE]: {
+ type: 'float',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_WORKFLOW_STATUS]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_WORKFLOW_USER]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_WORKFLOW_REASON]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SYSTEM_STATUS]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_ACTION_GROUP]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_REASON]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_AUTHOR]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_CATEGORY]: {
+ type: 'keyword',
+ array: false,
+ required: true,
+ },
+ [Fields.ALERT_RULE_UUID]: {
+ type: 'keyword',
+ array: false,
+ required: true,
+ },
+ [Fields.ALERT_RULE_CREATED_AT]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_CREATED_BY]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_DESCRIPTION]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_ENABLED]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_EXECUTION_UUID]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_FROM]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_INTERVAL]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_LICENSE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_NAME]: {
+ type: 'keyword',
+ array: false,
+ required: true,
+ },
+ [Fields.ALERT_RULE_NOTE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_REFERENCES]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_RULE_RULE_ID]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_RULE_NAME_OVERRIDE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_TAGS]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_RULE_TO]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_TYPE]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_UPDATED_AT]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_UPDATED_BY]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_RULE_VERSION]: {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_FIELD]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_VALUE]: {
+ type: 'keyword',
+ array: true,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_START]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_END]: {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ [Fields.ALERT_SUPPRESSION_DOCS_COUNT]: {
+ type: 'long',
+ array: false,
+ required: false,
+ },
+} as const;
+
+export type TechnicalRuleFieldMap = typeof technicalRuleFieldMap;
diff --git a/x-pack/plugins/alerting/common/alert_schema/component_templates/assets/ecs_legacy_template.json b/x-pack/plugins/alerting/common/alert_schema/component_templates/assets/ecs_legacy_template.json
new file mode 100644
index 00000000000000..d0ce120bb28b99
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/component_templates/assets/ecs_legacy_template.json
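Review bot: `required: true` on `kibana.alert.rule.rule_type_id`, `kibana.alert.rule.consumer`, `kibana.alert.rule.producer` and `kibana.space_ids` is not something an Elasticsearch mapping can enforce, so whether an alert document actually carries the fields that presumably scope it to a feature and a space depends entirely on every writer validating against whatever runtime type is derived from this map before indexing; a header comment on `technicalRuleFieldMap` should say so, e.g. `// 'required' is not an ES mapping option: it only constrains the runtime type built from this map. ES will index a document missing consumer/producer/space_ids, so writers must validate before bulk-indexing.` Two smaller points: `kibana.alert.rule.enabled` is mapped as `keyword` although the name suggests a boolean, which turns `true`/`"true"` into a string comparison in queries and is worth either a `boolean` mapping or a comment explaining why it is a keyword; and `ignore_above: 4096` on the `flattened` `kibana.alert.rule.parameters` silently leaves any leaf value longer than 4096 characters unindexed (it remains in `_source`), which deserves a one-line comment so nobody relies on querying long parameter values.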
@@ -0,0 +1,7182 @@ +{ + "index_patterns": [ + "try-ecs-*" + ], + "mappings": { + "_meta": { + "version": "8.6.0-dev" + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { 
+ "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "type": "wildcard" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "type": "match_only_text" + }, + "stack_trace": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + 
"type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + 
"type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 
1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + 
"properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flattened" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + } + }, + "message": { + "type": "match_only_text" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + 
"sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + } + } + }, + 
"start": { + "type": "date" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": 
{ + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { 
+ "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": 
{ + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": 
{ + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 
1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + 
"type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + } + } + }, + "start": { + "type": "date" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": 
"long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" 
+ } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + 
"last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + 
"valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": 
"wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "threat": { + "properties": { + "indicator": { + "properties": { + "marking": { + "properties": { + "tlp": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + 
"common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": 
"wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 
1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": 
"float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "order": 1, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": 10000 + } + }, + "refresh_interval": "5s" + } + } +} diff --git a/x-pack/plugins/alerting/common/alert_schema/field_map/index.ts b/x-pack/plugins/alerting/common/alert_schema/field_map/index.ts new file mode 100644 index 00000000000000..fac8575b8af48e --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/field_map/index.ts @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export * from './merge_field_maps'; +export * from './runtime_type_from_fieldmap'; +export * from './types'; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_map/merge_field_maps.ts b/x-pack/plugins/alerting/common/alert_schema/field_map/merge_field_maps.ts new file mode 100644 index 00000000000000..124de243352ea3 --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/field_map/merge_field_maps.ts 
@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { FieldMap } from './types';
+
+export function mergeFieldMaps(
+ first: T1,
+ second: T2
+): T1 & T2 {
+ const conflicts: Array> = [];
+
+ Object.keys(second).forEach((name) => {
+ const field = second[name];
+
+ const parts = name.split('.');
+
+ const parents = parts.slice(0, parts.length - 2).map((part, index, array) => {
+ return [...array.slice(0, index - 1), part].join('.');
+ });
+
+ parents
+ .filter((parent) => first[parent] !== undefined)
+ .forEach((parent) => {
+ conflicts.push({
+ [parent]: [{ type: 'object' }, first[parent]!],
+ });
+ });
+
+ if (first[name]) {
+ conflicts.push({
+ [name]: [field, first[name]],
+ });
+ }
+ });
+
+ if (conflicts.length) {
+ const err = new Error(`Could not merge mapping due to conflicts`);
+ Object.assign(err, { conflicts });
+ throw err;
+ }
+
+ return {
+ ...first,
+ ...second,
+ };
+}
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.test.ts
new file mode 100644
index 00000000000000..0acf80bfb42e52
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.test.ts
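Review bot: The parent-path computation in `parents` is off by one at both ends, so object-vs-leaf conflicts are effectively never detected: for `a.b.c` it yields only `a` (missing `a.b`), for `a.b` it yields nothing, and for `a.b.c.d` it yields `a.a` and `b`. `parts.slice(0, parts.length - 2)` drops the last two segments instead of the last one, and `array.slice(0, index - 1)` uses a negative end index when `index === 0`. The intended prefixes come from `const parents = parts.slice(0, parts.length - 1).map((part, index, array) => [...array.slice(0, index), part].join('.'));`. With that fixed, the `first[parent]!` assertion after the `filter` could also be replaced by a type-predicate filter, but that is cosmetic; the generic parameter list on `mergeFieldMaps` appears stripped in this rendering, so the `T1`/`T2` constraints could not be checked here.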
@@ -0,0 +1,95 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { runtimeTypeFromFieldMap } from './runtime_type_from_fieldmap';
+
+describe('runtimeTypeFromFieldMap', () => {
+ const fieldmapRt = runtimeTypeFromFieldMap({
+ keywordField: { type: 'keyword' },
+ longField: { type: 'long' },
+ requiredKeywordField: { type: 'keyword', required: true },
+ multiKeywordField: { type: 'keyword', array: true },
+ } as const);
+
+ it('accepts both singular and array fields', () => {
+ expect(
+ fieldmapRt.is({
+ requiredKeywordField: 'keyword',
+ })
+ ).toBe(true);
+
+ expect(
+ fieldmapRt.is({
+ requiredKeywordField: ['keyword'],
+ })
+ ).toBe(true);
+
+ expect(
+ fieldmapRt.is({
+ requiredKeywordField: ['keyword'],
+ multiKeywordField: 'keyword',
+ })
+ ).toBe(true);
+
+ expect(
+ fieldmapRt.is({
+ requiredKeywordField: ['keyword'],
+ multiKeywordField: ['keyword'],
+ })
+ ).toBe(true);
+ });
+
+ it('fails on invalid data types', () => {
+ expect(
+ fieldmapRt.is({
+ requiredKeywordField: 2,
+ })
+ ).toBe(false);
+
+ expect(
+ fieldmapRt.is({
+ requiredKeywordField: [2],
+ })
+ ).toBe(false);
+
+ expect(
+ fieldmapRt.is({
+ requiredKeywordField: ['keyword'],
+ longField: ['keyword'],
+ })
+ ).toBe(false);
+
+ expect(
+ fieldmapRt.is({
+ requiredKeywordField: ['keyword'],
+ longField: [3],
+ })
+ ).toBe(true);
+
+ expect(
+ fieldmapRt.is({
+ requiredKeywordField: ['keyword'],
+ longField: 3,
+ })
+ ).toBe(true);
+ });
+
+ it('outputs to single or array values', () => {
+ expect(
+ fieldmapRt.encode({
+ requiredKeywordField: ['required'],
+ keywordField: 'keyword',
+ longField: [3, 2],
+ multiKeywordField: ['keyword', 'foo'],
+ })
+ ).toEqual({
+ requiredKeywordField: 'required',
+ keywordField: 'keyword',
+ longField: 3,
+ multiKeywordField: ['keyword', 'foo'],
+ });
+ });
+});
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.ts b/x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.ts
new file mode 100644
index 00000000000000..55ffb1302f96d5
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.ts
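Review bot: The last two `expect(...).toBe(true)` assertions inside `it('fails on invalid data types', ...)` are positive cases (a `long` field accepting `[3]` and `3`), so a regression there would be reported under a misleading test name. Either move them into `'accepts both singular and array fields'` or split them out as `it('accepts numbers for long fields', ...)`. There is also no case for a `boolean` field or for the string-to-number coercion that the runtime type performs via `NumberFromString`, which is where the decoding behaviour is least obvious and most worth pinning.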
@@ -0,0 +1,139 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { Optional } from 'utility-types';
+import { mapValues, pickBy } from 'lodash';
+import { either } from 'fp-ts/lib/Either';
+import * as t from 'io-ts';
+import { FieldMap } from './types';
+
+const NumberFromString = new t.Type(
+ 'NumberFromString',
+ (u): u is number => typeof u === 'number',
+ (u, c) =>
+ either.chain(t.string.validate(u, c), (s) => {
+ const d = Number(s);
+ return isNaN(d) ? t.failure(u, c) : t.success(d);
+ }),
+ (a) => a
+);
+
+const BooleanFromString = new t.Type(
+ 'BooleanFromString',
+ (u): u is boolean => typeof u === 'boolean',
+ (u, c) =>
+ either.chain(t.string.validate(u, c), (s) => {
+ switch (s.toLowerCase().trim()) {
+ case '1':
+ case 'true':
+ case 'yes':
+ return t.success(true);
+ case '0':
+ case 'false':
+ case 'no':
+ case null:
+ return t.success(false);
+ default:
+ return t.failure(u, c);
+ }
+ }),
+ (a) => a
+);
+
+const esFieldTypeMap = {
+ keyword: t.string,
+ version: t.string,
+ text: t.string,
+ date: t.string,
+ boolean: t.union([t.number, BooleanFromString]),
+ byte: t.union([t.number, NumberFromString]),
+ long: t.union([t.number, NumberFromString]),
+ integer: t.union([t.number, NumberFromString]),
+ short: t.union([t.number, NumberFromString]),
+ double: t.union([t.number, NumberFromString]),
+ float: t.union([t.number, NumberFromString]),
+ scaled_float: t.union([t.number, NumberFromString]),
+ unsigned_long: t.union([t.number, NumberFromString]),
+ flattened: t.UnknownRecord,
+};
+
+type EsFieldTypeMap = typeof esFieldTypeMap;
+
+type EsFieldTypeOf = T extends keyof EsFieldTypeMap
+ ? EsFieldTypeMap[T]
+ : t.UnknownC;
+
+type CastArray> = t.Type<
+ t.TypeOf | Array>,
+ Array>,
+ unknown
+>;
+type CastSingle> = t.Type<
+ t.TypeOf | Array>,
+ t.TypeOf,
+ unknown
+>;
+
+const createCastArrayRt = >(type: T): CastArray => {
+ const union = t.union([type, t.array(type)]);
+
+ return new t.Type('castArray', union.is, union.validate, (a) => (Array.isArray(a) ? a : [a]));
+};
+
+const createCastSingleRt = >(type: T): CastSingle => {
+ const union = t.union([type, t.array(type)]);
+
+ return new t.Type('castSingle', union.is, union.validate, (a) => (Array.isArray(a) ? a[0] : a));
+};
+
+type SetOptional = Optional<
+ T,
+ {
+ [key in keyof T]: T[key]['required'] extends true ? never : key;
+ }[keyof T]
+>;
+
+type OutputOfField = T['array'] extends true
+ ? Array>>
+ : t.OutputOf>;
+
+type TypeOfField =
+ | t.TypeOf>
+ | Array>>;
+
+type OutputOf = {
+ [key in keyof T]: OutputOfField>;
+};
+
+type TypeOf = {
+ [key in keyof T]: TypeOfField>;
+};
+
+export type TypeOfFieldMap = TypeOf>;
+export type OutputOfFieldMap = OutputOf>;
+
+export type FieldMapType = t.Type, OutputOfFieldMap>;
+
+export function runtimeTypeFromFieldMap(
+ fieldMap: TFieldMap
+): FieldMapType {
+ function mapToType(fields: FieldMap) {
+ return mapValues(fields, (field) => {
+ const type =
+ field.type in esFieldTypeMap
+ ? esFieldTypeMap[field.type as keyof EsFieldTypeMap]
+ : t.unknown;
+
+ return field.array ? createCastArrayRt(type) : createCastSingleRt(type);
+ });
+ }
+
+ const required = pickBy(fieldMap, (field) => field.required);
+ return t.intersection([
+ t.exact(t.partial(mapToType(fieldMap))),
+ t.type(mapToType(required)),
+ ]) as unknown as FieldMapType;
+}
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_map/types.ts b/x-pack/plugins/alerting/common/alert_schema/field_map/types.ts
new file mode 100644
index 00000000000000..6eeffa12400fe2
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/field_map/types.ts
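Review bot: A `boolean` field cannot be decoded from an actual boolean value: `esFieldTypeMap.boolean` is `t.union([t.number, BooleanFromString])`, and `BooleanFromString`'s validate starts from `t.string.validate`, so `true`/`false` fail `decode` even though `is` accepts them. Unless callers are expected to always pass booleans as strings, the entry should read `boolean: t.union([t.boolean, t.number, BooleanFromString]),`. In the same codec, `case null:` inside a `switch` over `s.toLowerCase().trim()` is unreachable (and is rejected under `strictNullChecks`), so it should be dropped. In `mapToType`, `field.type in esFieldTypeMap` also matches inherited keys such as `'constructor'` or `'toString'`, which would then be handed to `createCastSingleRt` as if they were codecs; `Object.prototype.hasOwnProperty.call(esFieldTypeMap, field.type)` restricts the lookup to the declared ES types. Note too that `Number('')` is `0`, so `NumberFromString` silently decodes an empty string as zero rather than failing.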
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export interface FieldMap {
+ [key: string]: {
+ type: string;
+ required?: boolean;
+ array?: boolean;
+ path?: string;
+ scaling_factor?: number;
+ };
+}
diff --git a/x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts b/x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts
new file mode 100644
index 00000000000000..c5b7d0425f2453
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts
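Review bot: `FieldMap` is exported without any TSDoc, and `type: string` accepts anything even though only the ES types listed in `esFieldTypeMap` get a real codec from `runtimeTypeFromFieldMap` and everything else falls back to `t.unknown`. A short doc block on the interface would help: `required` — the field must be present when decoding; `array` — values are decoded from, and encoded to, an array rather than a single value; `path` and `scaling_factor` do not appear to be read by any code in this patch, so say what consumes them or mark them as reserved. Consider narrowing `type` to a union of the supported ES type names so an unsupported type is caught at compile time instead of being widened to `unknown` at runtime.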
@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { isLeft } from 'fp-ts/lib/Either';
+import { PathReporter } from 'io-ts/lib/PathReporter';
+import { pick } from 'lodash';
+import {
+ technicalRuleFieldMap,
+ TechnicalRuleFieldMap,
+} from './assets/field_maps/technical_rule_field_map';
+import { runtimeTypeFromFieldMap } from './field_map';
+
+const technicalFieldRuntimeType =
+ runtimeTypeFromFieldMap(technicalRuleFieldMap);
+
+export const parseTechnicalFields = (input: unknown, partial = false) => {
+ const decodePartial = (alert: unknown) => {
+ const limitedFields = pick(technicalRuleFieldMap, Object.keys(alert as object));
+ const partialTechnicalFieldRuntimeType = runtimeTypeFromFieldMap(
+ limitedFields as unknown as TechnicalRuleFieldMap
+ );
+ return partialTechnicalFieldRuntimeType.decode(alert);
+ };
+
+ const validate = partial ? decodePartial(input) : technicalFieldRuntimeType.decode(input);
+
+ if (isLeft(validate)) {
+ throw new Error(PathReporter.report(validate).join('\n'));
+ }
+ return technicalFieldRuntimeType.encode(validate.right);
+};
+
+export type ParsedTechnicalFields = ReturnType;
diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js
new file mode 100644
index 00000000000000..980949bff40842
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js
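Review bot: In `decodePartial`, `Object.keys(alert as object)` throws a `TypeError` when `input` is `null` or `undefined`, so `parseTechnicalFields(null, true)` fails with a type error instead of the io-ts `PathReporter` message every other invalid input produces. Guard the key extraction, e.g. `const keys = alert !== null && typeof alert === 'object' ? Object.keys(alert) : [];` and pass `keys` to `pick`. The `limitedFields as unknown as TechnicalRuleFieldMap` double cast hides that the picked map is a subset of the full field map; a comment stating that only the keys present in `alert` are validated, and that the result is still encoded with the full `technicalFieldRuntimeType`, would make the contract explicit. Building a fresh runtime type on every partial call is also relatively expensive if this runs per alert document; a small cache keyed by the sorted field names would avoid repeated construction.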
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+const path = require('path');
+const fs = require('fs');
+const util = require('util');
+const yaml = require('js-yaml');
+const { exec: execCb } = require('child_process');
+const { reduce } = require('lodash');
+const LineWriter = require('./lib/line_writer');
+
+const exists = util.promisify(fs.exists);
+const readFile = util.promisify(fs.readFile);
+const writeFile = util.promisify(fs.writeFile);
+const exec = util.promisify(execCb);
+
+const ecsDir = path.resolve(__dirname, '../../../../../../ecs');
+const ecsYamlFilename = path.join(ecsDir, 'generated/ecs/ecs_flat.yml');
+
+const outputDir = path.join(__dirname, '../assets/field_maps');
+const outputFieldMapFilename = path.join(outputDir, 'ecs_field_map.ts');
+
+async function createSchema() {
+ if (process.argv.length < 3) {
+ logError(`Error no mapping file specified`);
+ }
+
+ const mappingFile = process.argv[2];
+ // eslint-disable-next-line import/no-dynamic-require
+ const template = require(mappingFile);
+
+ const lineWriter = LineWriter.createLineWriter();
+ generateSchemaLines(lineWriter, null, template.mappings);
+ // last line will have an extraneous comma
+ const schemaLines = lineWriter.getContent().replace(/,$/, '');
+
+ const contents = getSchemaFileContents(ecsVersion, schemaLines);
+ const schemaCode = `${contents}\n`;
+
+ writeGeneratedFile(EVENT_LOG_CONFIG_SCHEMA_FILE, schemaCode);
+ console.log('generated:', EVENT_LOG_CONFIG_SCHEMA_FILE);
+}
+
+function logError(message) {
+ console.log(`error: ${message}`);
+ process.exit(1);
+}
+
+createSchema().catch((err) => {
+ console.log(err);
+ process.exit(1);
+});
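Review bot: `createSchema` references `generateSchemaLines`, `getSchemaFileContents`, `writeGeneratedFile`, `ecsVersion` and `EVENT_LOG_CONFIG_SCHEMA_FILE`, none of which is defined or required in this file, so the script throws a `ReferenceError` as soon as the mapping file has been loaded. Meanwhile `exists`, `readFile`, `writeFile`, `exec`, `yaml`, `reduce`, `ecsDir`, `ecsYamlFilename`, `outputDir` and `outputFieldMapFilename` are declared and never used, which suggests a partial port of another generator that still needs its helpers. `require(mappingFile)` resolves a relative argument against this script's directory rather than the caller's working directory; `const template = require(path.resolve(mappingFile));` gives the behaviour the accompanying shell wrapper appears to expect. `logError` exits the process so the early `if` is safe, but an explicit `return` after it would make that obvious to readers.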
diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh
new file mode 100755
index 00000000000000..8ef4e9a41301b0
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+echo --- Getting ECS template
+
+# Pin to a specific commit
+# ECS_VERSION=8.6
+# git clone --depth 1 -b $ECS_VERSION https://github.com/elastic/ecs.git ./ecs
+
+# cp ./ecs/generated/elasticsearch/legacy/template.json ../component_templates/assets/ecs_legacy_template.json
+
+# rm -rf ./ecs
+
+echo --- Generating ECS schema from template
+
+node create_schema_from_mapping.js ../component_templates/assets/ecs_legacy_template.json
+
+echo --- Generating Alert schema from template
diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.js b/x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.js
new file mode 100644
index 00000000000000..f61405e230215a
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.js
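Review bot: The script has no `set -euo pipefail` and never changes into its own directory, so a failure in `node create_schema_from_mapping.js` is ignored and the relative mapping path only resolves when the script is invoked from the `scripts` folder. Adding `set -euo pipefail` and `cd "$(dirname "$0")"` right after the shebang makes it fail fast and location-independent. The final `echo --- Generating Alert schema from template` announces a step that does not exist yet; if it is intentionally pending, a `# TODO: generate alert schema` comment would read less like an omission.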
@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+const INDENT_LENGTH = 2;
+const INDENT = ''.padStart(INDENT_LENGTH);
+
+module.exports = {
+ createLineWriter,
+};
+
+class LineWriter {
+ constructor() {
+ this._indent = '';
+ this._lines = [];
+ }
+
+ addLine(line) {
+ this._lines.push(`${this._indent}${line}`);
+ }
+
+ indent() {
+ this._indent = `${this._indent}${INDENT}`;
+ }
+
+ dedent() {
+ this._indent = this._indent.substr(INDENT_LENGTH);
+ }
+
+ getContent() {
+ return this._lines.join('\n');
+ }
+}
+
+function createLineWriter() {
+ return new LineWriter();
+}
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
new file mode 100644
index 00000000000000..410a02dd942728
--- /dev/null
+++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
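Review bot: `dedent()` uses `String.prototype.substr`, which is deprecated; `this._indent = this._indent.slice(INDENT_LENGTH);` is the equivalent that linters will not flag. `dedent()` on an already-empty indent is a silent no-op, which is probably fine for a generator but deserves a one-line comment so unbalanced `indent`/`dedent` calls are not later mistaken for a bug in this class. A brief JSDoc on `createLineWriter` noting that it returns a fresh accumulator whose `getContent()` joins the collected lines with `\n` would document the module's only exported entry point.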
@@ -0,0 +1,147 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types';
+import { Logger, ElasticsearchClient } from '@kbn/core/server';
+import { ecsComponentTemplate } from './schema/lib/ecsComponentTemplate';
+import { ILM_POLICY_NAME, DEFAULT_ILM_POLICY } from './default_lifecycle_policy';
+
+interface AlertsServiceParams {
+ logger: Logger;
+ elasticsearchClientPromise: Promise;
+}
+interface IAlertsService {
+ /**
+ * Initializes all the ES resources used by the alerts client
+ * - ILM policy
+ * - Component templates
+ * - Index templates
+ * - Concrete write index
+ *
+ * Not using data streams because those are meant for append-only data
+ * and we expect to mutate these documents
+ */
+ initialize(): void;
+}
+
+export class AlertsService implements IAlertsService {
+ private initialized: boolean;
+
+ constructor(private readonly options: AlertsServiceParams) {
+ this.initialized = false;
+ }
+
+ public initialize() {
+ // Only initialize once
+ if (this.initialized) return;
+ this.initialized = true;
+
+ this.options.logger.debug(`Initializing resources for AlertsService`);
+
+ // Using setImmediate to call async function but run it immediately
+ setImmediate(async () => {
+ const esClient = await this.options.elasticsearchClientPromise;
+
+ // todo wrap all calls in retry
+ await this.createOrUpdateIlmPolicy(esClient);
+ await this.createOrUpdateComponentTemplates(esClient);
+ // await this.createOrUpdateIndexTemplate(esClient);
+
+ // TODO - check if it exists first
+ // await this.createConcreteWriteIndex(esClient);
+ });
+ }
+
+ /**
+ * Creates ILM policy if it doesn't already exist, updates it if it does
+ */
+ private async createOrUpdateIlmPolicy(esClient: ElasticsearchClient) {
+ this.options.logger.info(`Installing ILM policy ${ILM_POLICY_NAME}`);
+
+ try {
+ await esClient.ilm.putLifecycle({
+ name: ILM_POLICY_NAME,
+ body: DEFAULT_ILM_POLICY,
+ });
+ } catch (err) {
+ this.options.logger.error(`Error installing ILM policy ${ILM_POLICY_NAME} - ${err.message}`);
+ throw err;
+ }
+ }
+
+ private async createOrUpdateComponentTemplates(esClient: ElasticsearchClient) {
+ await Promise.all([
+ // this.createOrUpdateComponentTemplate(esClient, ALERTS_COMPONENT_TEMPLATE_NAME, {}),
+ this.createOrUpdateComponentTemplate(esClient, ecsComponentTemplate),
+ ]);
+ }
+
+ private async createOrUpdateComponentTemplate(
+ esClient: ElasticsearchClient,
+ template: ClusterPutComponentTemplateRequest
+ ) {
+ this.options.logger.info(`Installing component template ${template.name}`);
+
+ try {
+ await esClient.cluster.putComponentTemplate(template);
+ } catch (err) {
+ this.options.logger.error(
+ `Error installing component template ${template.name} - ${err.message}`
+ );
+ throw err;
+ }
+ }
+
+ // private async createOrUpdateIndexTemplate(esClient: ElasticsearchClient) {
+ // this.options.logger.info(`Installing index template`);
+
+ // try {
+ // await esClient.indices.putIndexTemplate({
+ // name: INDEX_TEMPLATE_NAME,
+ // index_patterns: [`${DEFAULT_ALERTS_INDEX}*`],
+ // // composed_of: [],
+ // template: {
+ // settings: {
+ // hidden: true,
+ // index: {
+ // lifecycle: {
+ // name: ILM_POLICY_NAME,
+ // rollover_alias: DEFAULT_ALERTS_INDEX,
+ // },
+ // },
+ // },
+ // mappings: {
+ // dynamic: true,
+ // },
+ // },
+ // });
+ // } catch (err) {
+ // this.options.logger.error(`Error installing index template - ${err.message}`);
+ // throw err;
+ // }
+ // }
+
+ // private async createConcreteWriteIndex(esClient: ElasticsearchClient) {
+ // this.options.logger.info(`Creating concrete write index`);
+
+ // try {
+ // await esClient.indices.create({
+ // index: `${DEFAULT_ALERTS_INDEX}-000001`,
+ // aliases: {
+ // [DEFAULT_ALERTS_INDEX]: {
+ // is_write_index: true,
+ // },
+ // },
+ // });
+ // } catch (err) {
+ // this.options.logger.error(`Error creating concrete write index - ${err.message}`);
+ // // throw err;
+ // }
+ // }
+
+ private async installWithRetry() {}
+}
diff --git a/x-pack/plugins/alerting/server/alerts_service/default_lifecycle_policy.ts b/x-pack/plugins/alerting/server/alerts_service/default_lifecycle_policy.ts
new file mode 100644
index 00000000000000..d1195d3c129145
--- /dev/null
+++ b/x-pack/plugins/alerting/server/alerts_service/default_lifecycle_policy.ts
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/**
+ * Default alert index ILM policy
+ * - _meta.managed: notify users this is a managed policy and should be modified
+ * at their own risk
+ * - no delete phase as we want to keep these indices around indefinitely
+ */
+
+export const ILM_POLICY_NAME = 'alerts-default-ilm-policy';
+export const DEFAULT_ILM_POLICY = {
+ policy: {
+ _meta: {
+ managed: true,
+ },
+ phases: {
+ hot: {
+ actions: {
+ rollover: {
+ max_age: '30d',
+ max_primary_shard_size: '50gb',
+ },
+ },
+ },
+ },
+ },
+};
diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts
new file mode 100644
index 00000000000000..1fec1c76430ebd
--- /dev/null
+++ b/x-pack/plugins/alerting/server/alerts_service/types.ts
@@ -0,0 +1,6 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
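Review bot: The `setImmediate(async () => { ... })` callback in `initialize()` has no rejection handling, and both `createOrUpdateIlmPolicy` and `createOrUpdateComponentTemplate` rethrow after logging, so any ES failure becomes an unhandled promise rejection, which on current Node versions terminates the process by default. `this.initialized` is also set to `true` before any of that work has run, so a failed installation is never retried. Wrap the body in `try/catch`, log with context and reset the flag (shown below); `catch (err)` should also narrow `err` before reading `.message`, since `err` is `unknown` when `useUnknownInCatchVariables` is on. The import path `./schema/lib/ecsComponentTemplate` does not match any file added in this patch (the component templates appear under `common/alert_schema/assets/component_templates`), and `installWithRetry` is an empty stub, both of which look like WIP leftovers the commit title acknowledges.
```typescript
  public initialize() {
    // … unchanged: initialized guard and debug log …
    // Using setImmediate to call async function but run it immediately
    setImmediate(async () => {
      try {
        const esClient = await this.options.elasticsearchClientPromise;
        // todo wrap all calls in retry
        await this.createOrUpdateIlmPolicy(esClient);
        await this.createOrUpdateComponentTemplates(esClient);
      } catch (err) {
        // Allow a later initialize() call to retry instead of leaving the service half-installed.
        this.initialized = false;
        this.options.logger.error(
          `Error initializing resources for AlertsService - ${
            err instanceof Error ? err.message : String(err)
          }`
        );
      }
    });
  }
```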
diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts index 48d1bfee78e404..1f2c644bb582cb 100644 --- a/x-pack/plugins/alerting/server/plugin.ts +++ b/x-pack/plugins/alerting/server/plugin.ts @@ -80,6 +80,7 @@ import { getSecurityHealth, SecurityHealth } from './lib/get_security_health'; import { registerNodeCollector, registerClusterCollector, InMemoryMetrics } from './monitoring'; import { getRuleTaskTimeout } from './lib/get_rule_task_timeout'; import { getActionsConfigMap } from './lib/get_actions_config_map'; +import { AlertsService } from './alerts_service/alerts_service'; export const EVENT_LOG_PROVIDER = 'alerting'; export const EVENT_LOG_ACTIONS = { @@ -175,6 +176,7 @@ export class AlertingPlugin { private kibanaBaseUrl: string | undefined; private usageCounter: UsageCounter | undefined; private inMemoryMetrics: InMemoryMetrics; + private alertsService?: AlertsService; constructor(initializerContext: PluginInitializerContext) { this.config = initializerContext.config.get(); @@ -232,6 +234,14 @@ export class AlertingPlugin { }); this.ruleTypeRegistry = ruleTypeRegistry; + this.alertsService = new AlertsService({ + logger: this.logger, + elasticsearchClientPromise: core + .getStartServices() + .then(([{ elasticsearch }]) => elasticsearch.client.asInternalUser), + }); + this.alertsService!.initialize(); + const usageCollection = plugins.usageCollection; if (usageCollection) { registerAlertingUsageCollector( From 017676e3034cd7b2acce2dba428db83811e0ec3b Mon Sep 17 00:00:00 2001 
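Review bot: `this.alertsService!.initialize();` uses a non-null assertion on a field assigned in the statement immediately before it; assigning to a local first avoids it: `const alertsService = new AlertsService({ ... }); alertsService.initialize(); this.alertsService = alertsService;`. The `elasticsearchClientPromise` is built from `core.getStartServices().then(...)` with no `.catch`, so it is only safe because `AlertsService.initialize()` awaits it; a comment on the `AlertsServiceParams` field stating that the consumer owns rejection handling would stop a later refactor from leaving that promise dangling. The enclosing method (presumably `setup`, given the `core.getStartServices()` call) starts and ends outside this hunk.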
From: Ying Mao Date: Thu, 17 Nov 2022 10:22:46 -0500 Subject: [PATCH 02/42] wip --- .../field_maps/alert_field_map.ts | 0 .../{assets => }/field_maps/ecs_field_map.ts | 1778 ++++++++++++++++- .../{field_map => field_maps}/index.ts | 0 .../field_maps/mapping_from_field_map.test.ts | 169 ++ .../field_maps/mapping_from_field_map.ts | 52 + .../merge_field_maps.ts | 0 .../runtime_type_from_fieldmap.test.ts | 0 .../runtime_type_from_fieldmap.ts | 0 .../{field_map => field_maps}/types.ts | 2 + .../scripts/generate_ecs_fieldmap.js | 105 + 10 files changed, 2078 insertions(+), 28 deletions(-) rename x-pack/plugins/alerting/common/alert_schema/{assets => }/field_maps/alert_field_map.ts (100%) rename x-pack/plugins/alerting/common/alert_schema/{assets => }/field_maps/ecs_field_map.ts (78%) rename x-pack/plugins/alerting/common/alert_schema/{field_map => field_maps}/index.ts (100%) create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts rename x-pack/plugins/alerting/common/alert_schema/{field_map => field_maps}/merge_field_maps.ts (100%) rename x-pack/plugins/alerting/common/alert_schema/{field_map => field_maps}/runtime_type_from_fieldmap.test.ts (100%) rename x-pack/plugins/alerting/common/alert_schema/{field_map => field_maps}/runtime_type_from_fieldmap.ts (100%) rename x-pack/plugins/alerting/common/alert_schema/{field_map => field_maps}/types.ts (80%) create mode 100644 x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts similarity index 100% rename from x-pack/plugins/alerting/common/alert_schema/assets/field_maps/alert_field_map.ts rename to x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts 
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/ecs_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts similarity index 78% rename from x-pack/plugins/alerting/common/alert_schema/assets/field_maps/ecs_field_map.ts rename to x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts index e4cf087d86df34..50cb59c83cdb9d 100644 --- a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/ecs_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts @@ -6,8 +6,8 @@ */ /* This file is generated by x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js, -do not manually edit -*/ + do not manually edit + */ export const ecsFieldMap = { '@timestamp': { @@ -19,36 +19,43 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'agent.ephemeral_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'agent.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'agent.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'agent.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'agent.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.address': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.as.number': { type: 'long', @@ -59,6 +66,14 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'client.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'client.bytes': { type: 'long', 
@@ -69,31 +84,37 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.geo.city_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.geo.continent_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.geo.continent_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.geo.country_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.geo.country_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.geo.location': { type: 'geo_point', @@ -104,26 +125,31 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.geo.postal_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.geo.region_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.geo.region_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.geo.timezone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.ip': { type: 'ip', @@ -134,6 +160,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.nat.ip': { type: 'ip', 
@@ -159,231 +186,291 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.subdomain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.top_level_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.user.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.user.email': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.user.full_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'client.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'client.user.group.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.user.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.user.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.user.hash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'client.user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'client.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'client.user.roles': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'cloud.account.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.account.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.availability_zone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.instance.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.instance.name': { type: 'keyword', array: false, required: false, + 
ignore_above: 1024, }, 'cloud.machine.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.origin.account.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.origin.account.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.origin.availability_zone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.origin.instance.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.origin.instance.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.origin.machine.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.origin.project.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.origin.project.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.origin.provider': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.origin.region': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.origin.service.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.project.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.project.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.provider': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.region': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.service.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.target.account.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.target.account.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.target.availability_zone': { type: 'keyword', array: 
false, required: false, + ignore_above: 1024, }, 'cloud.target.instance.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.target.instance.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.target.machine.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.target.project.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.target.project.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.target.provider': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.target.region': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'cloud.target.service.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'container.cpu.usage': { type: 'scaled_float', @@ -405,21 +492,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'container.image.hash.all': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'container.image.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'container.image.tag': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'container.labels': { type: 'object', @@ -436,6 +527,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'container.network.egress.bytes': { type: 'long', 
@@ -451,11 +543,28 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + }, + 'data_stream.dataset': { + type: 'constant_keyword', + array: false, + required: false, + }, + 'data_stream.namespace': { + type: 'constant_keyword', + array: false, + required: false, + }, + 'data_stream.type': { + type: 'constant_keyword', + array: false, + required: false, }, 'destination.address': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.as.number': { type: 'long', @@ -466,6 +575,14 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'destination.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'destination.bytes': { type: 'long', @@ -476,31 +593,37 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.geo.city_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.geo.continent_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.geo.continent_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.geo.country_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.geo.country_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.geo.location': { type: 'geo_point', 
@@ -511,26 +634,31 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.geo.postal_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.geo.region_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.geo.region_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.geo.timezone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.ip': { type: 'ip', @@ -541,6 +669,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.nat.ip': { type: 'ip', 
@@ -566,91 +695,99 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.subdomain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.top_level_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.user.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.user.email': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.user.full_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'destination.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'destination.user.group.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.user.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.user.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.user.hash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'destination.user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'destination.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'destination.user.roles': { type: 'keyword', array: true, required: false, - }, - 'device.id': { - type: 'keyword', - array: false, - required: false, - }, - 'device.manufacturer': { - type: 'keyword', - array: false, - required: false, - }, - 'device.model.identifier': { - type: 'keyword', - array: false, - required: false, - }, - 'device.model.name': { - type: 'keyword', - array: false, - required: false, + ignore_above: 1024, }, 'dll.code_signature.digest_algorithm': { type: 'keyword', array: 
false, required: false, + ignore_above: 1024, }, 'dll.code_signature.exists': { type: 'boolean', @@ -661,21 +798,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.code_signature.status': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.code_signature.subject_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.code_signature.team_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.code_signature.timestamp': { type: 'date', 
@@ -696,86 +837,103 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.hash.sha1': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.hash.sha256': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.hash.sha384': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.hash.sha512': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.hash.ssdeep': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.hash.tlsh': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.path': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.pe.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.pe.company': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.pe.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.pe.file_version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.pe.imphash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.pe.original_file_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.pe.pehash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dll.pe.product': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.answers': { type: 'object', 
@@ -786,16 +944,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.answers.data': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.answers.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.answers.ttl': { type: 'long', @@ -806,51 +967,61 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.header_flags': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'dns.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.op_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.question.class': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.question.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.question.registered_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.question.subdomain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.question.top_level_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.question.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.resolved_ip': { type: 'ip', @@ -861,16 +1032,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'dns.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'ecs.version': { type: 'keyword', array: false, required: true, + ignore_above: 1024, }, 'email.attachments': { type: 'nested', 
@@ -881,51 +1055,61 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.attachments.file.hash.md5': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.attachments.file.hash.sha1': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.attachments.file.hash.sha256': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.attachments.file.hash.sha384': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.attachments.file.hash.sha512': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.attachments.file.hash.ssdeep': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.attachments.file.hash.tlsh': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.attachments.file.mime_type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.attachments.file.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.attachments.file.size': { type: 'long', @@ -936,16 +1120,19 @@ export const ecsFieldMap = { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'email.cc.address': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'email.content_type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.delivery_timestamp': { type: 'date', @@ -956,16 +1143,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.from.address': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'email.local_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.message_id': { type: 'wildcard', 
@@ -981,36 +1171,50 @@ export const ecsFieldMap = { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'email.sender.address': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'email.subject': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'email.subject.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'email.to.address': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'email.x_mailer': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'error.code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'error.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'error.message': { type: 'match_only_text', @@ -1021,31 +1225,43 @@ export const ecsFieldMap = { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'error.stack_trace.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'error.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.action': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.agent_id_status': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.category': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'event.code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.created': { type: 'date', @@ -1056,6 +1272,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.duration': { type: 'long', @@ -1071,11 +1288,13 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.ingested': { type: 'date', 
@@ -1086,36 +1305,44 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.module': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.original': { type: 'keyword', array: false, required: false, + doc_values: false, + index: false, }, 'event.outcome': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.provider': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.reason': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.reference': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.risk_score': { type: 'float', @@ -1146,16 +1373,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'event.type': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'event.url': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'faas.coldstart': { type: 'boolean', @@ -1166,16 +1396,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'faas.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'faas.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'faas.trigger': { type: 'nested', @@ -1186,16 +1419,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'faas.trigger.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'faas.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.accessed': { type: 'date', 
@@ -1206,11 +1442,13 @@ export const ecsFieldMap = { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.code_signature.digest_algorithm': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.code_signature.exists': { type: 'boolean', @@ -1221,21 +1459,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.code_signature.status': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.code_signature.subject_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.code_signature.team_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.code_signature.timestamp': { type: 'date', @@ -1266,31 +1508,37 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.directory': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.drive_letter': { type: 'keyword', array: false, required: false, + ignore_above: 1, }, 'file.elf.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.byte_order': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.cpu_type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.creation_date': { type: 'date', @@ -1306,16 +1554,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.header.class': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.header.data': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.header.entrypoint': { type: 'long', 
@@ -1326,21 +1577,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.header.os_abi': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.header.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.header.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.imports': { type: 'flattened', @@ -1366,16 +1621,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.sections.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.sections.physical_offset': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.sections.physical_size': { type: 'long', @@ -1386,6 +1644,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.sections.virtual_address': { type: 'long', 
@@ -1406,91 +1665,109 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.segments.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.elf.shared_libraries': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.elf.telfhash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.extension': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.fork_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.gid': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.group': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.hash.md5': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.hash.sha1': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.hash.sha256': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.hash.sha384': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.hash.sha512': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.hash.ssdeep': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.hash.tlsh': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.inode': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.mime_type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.mode': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.mtime': { type: 'date', 
@@ -1501,56 +1778,74 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.owner': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.path': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'file.path.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'file.pe.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.pe.company': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.pe.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.pe.file_version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.pe.imphash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.pe.original_file_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.pe.pehash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.pe.product': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.size': { type: 'long', 
@@ -1561,56 +1856,74 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'file.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.uid': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.x509.alternative_names': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.issuer.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.issuer.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.issuer.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.x509.issuer.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.issuer.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.issuer.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.issuer.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.not_after': { type: 'date', @@ -1626,16 +1939,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.x509.public_key_curve': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.x509.public_key_exponent': { type: 'long', array: false, required: false, + doc_values: false, + index: false, }, 'file.x509.public_key_size': { type: 'long', 
@@ -1646,76 +1963,91 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.x509.signature_algorithm': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.x509.subject.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.subject.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.subject.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'file.x509.subject.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.subject.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.subject.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.subject.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'file.x509.version_number': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'group.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.boot.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.cpu.usage': { type: 'scaled_float', 
@@ -1737,31 +2069,37 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.geo.city_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.geo.continent_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.geo.continent_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.geo.country_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.geo.country_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.geo.location': { type: 'geo_point', @@ -1772,36 +2110,43 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.geo.postal_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.geo.region_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.geo.region_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.geo.timezone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.hostname': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.ip': { type: 'ip', @@ -1812,11 +2157,13 @@ export const ecsFieldMap = { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'host.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.network.egress.bytes': { type: 'long', 
@@ -1842,46 +2189,69 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.os.full': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'host.os.full.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'host.os.kernel': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.os.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'host.os.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'host.os.platform': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.os.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.os.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.pid_ns_ino': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.risk.calculated_level': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.risk.calculated_score': { type: 'float', @@ -1897,6 +2267,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.risk.static_score': { type: 'float', @@ -1912,6 +2283,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'host.uptime': { type: 'long', @@ -1927,6 +2299,13 @@ export const ecsFieldMap = { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'http.request.body.content.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'http.request.bytes': { type: 'long', 
@@ -1937,21 +2316,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'http.request.method': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'http.request.mime_type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'http.request.referrer': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'http.response.body.bytes': { type: 'long', @@ -1962,6 +2345,13 @@ export const ecsFieldMap = { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'http.response.body.content.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'http.response.bytes': { type: 'long', @@ -1972,6 +2362,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'http.response.status_code': { type: 'long', @@ -1982,6 +2373,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, labels: { type: 'object', @@ -1992,16 +2384,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'log.level': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'log.logger': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'log.origin.file.line': { type: 'long', @@ -2012,11 +2407,13 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'log.origin.function': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'log.syslog': { type: 'object', @@ -2027,6 +2424,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'log.syslog.facility.code': { type: 'long', 
@@ -2037,16 +2435,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'log.syslog.hostname': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'log.syslog.msgid': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'log.syslog.priority': { type: 'long', @@ -2057,6 +2458,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'log.syslog.severity.code': { type: 'long', @@ -2067,6 +2469,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'log.syslog.structured_data': { type: 'flattened', @@ -2077,6 +2480,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, message: { type: 'match_only_text', @@ -2087,6 +2491,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'network.bytes': { type: 'long', @@ -2097,11 +2502,13 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'network.direction': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'network.forwarded_ip': { type: 'ip', @@ -2112,6 +2519,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'network.inner': { type: 'object', @@ -2122,16 +2530,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'network.inner.vlan.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'network.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'network.packets': { type: 'long', 
@@ -2142,26 +2553,31 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'network.transport': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'network.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'network.vlan.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'network.vlan.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.egress': { type: 'object', @@ -2172,56 +2588,67 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.egress.interface.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.egress.interface.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.egress.vlan.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.egress.vlan.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.egress.zone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.geo.city_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.geo.continent_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.geo.continent_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.geo.country_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.geo.country_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.geo.location': { type: 'geo_point', 
@@ -2232,31 +2659,37 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.geo.postal_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.geo.region_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.geo.region_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.geo.timezone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.hostname': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.ingress': { type: 'object', @@ -2267,31 +2700,37 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.ingress.interface.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.ingress.interface.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.ingress.vlan.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.ingress.vlan.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.ingress.zone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.ip': { type: 'ip', 
@@ -2302,111 +2741,147 @@ export const ecsFieldMap = { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'observer.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.os.family': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.os.full': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'observer.os.full.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'observer.os.kernel': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.os.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'observer.os.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'observer.os.platform': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.os.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.os.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.product': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.serial_number': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.vendor': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'observer.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'orchestrator.api_version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'orchestrator.cluster.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'orchestrator.cluster.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'orchestrator.cluster.url': { type: 'keyword', array: false, required: false, + 
ignore_above: 1024, }, 'orchestrator.cluster.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'orchestrator.namespace': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'orchestrator.organization': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'orchestrator.resource.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'orchestrator.resource.ip': { type: 'ip', @@ -2417,56 +2892,74 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'orchestrator.resource.parent.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'orchestrator.resource.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'orchestrator.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'organization.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'organization.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'package.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'package.build_version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'package.checksum': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'package.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'package.install_scope': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'package.installed': { type: 'date', 
@@ -2477,21 +2970,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'package.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'package.path': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'package.reference': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'package.size': { type: 'long', @@ -2502,16 +2999,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'package.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.args': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'process.args_count': { type: 'long', @@ -2522,6 +3022,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.code_signature.exists': { type: 'boolean', @@ -2532,21 +3033,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.code_signature.status': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.code_signature.subject_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.code_signature.team_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.code_signature.timestamp': { type: 'date', 
@@ -2567,21 +3072,31 @@ export const ecsFieldMap = { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'process.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.elf.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.byte_order': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.cpu_type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.creation_date': { type: 'date', @@ -2597,16 +3112,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.header.class': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.header.data': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.header.entrypoint': { type: 'long', @@ -2617,21 +3135,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.header.os_abi': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.header.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.header.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.imports': { type: 'flattened', @@ -2657,16 +3179,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.sections.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.sections.physical_offset': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.sections.physical_size': { type: 'long', 
@@ -2677,6 +3202,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.sections.virtual_address': { type: 'long', @@ -2697,21 +3223,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.segments.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.elf.shared_libraries': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'process.elf.telfhash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.end': { type: 'date', @@ -2722,11 +3252,13 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.args': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'process.entry_leader.args_count': { type: 'long', @@ -2737,26 +3269,44 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.attested_user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.attested_user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.entry_leader.attested_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.entry_leader.command_line': { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'process.entry_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.entry_leader.entity_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.entry_meta.source.ip': { type: 'ip', 
@@ -2767,21 +3317,32 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.executable': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.entry_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.entry_leader.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.interactive': { type: 'boolean', @@ -2792,11 +3353,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.entry_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.entry_leader.parent.entity_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.parent.pid': { type: 'long', @@ -2807,6 +3377,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.parent.session_leader.pid': { type: 'long', @@ -2832,21 +3403,32 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.real_group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.real_user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.real_user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.entry_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.entry_leader.same_as_process': { type: 'boolean', 
@@ -2857,21 +3439,32 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.saved_group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.saved_user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.saved_user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.entry_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.entry_leader.start': { type: 'date', @@ -2882,11 +3475,13 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.supplemental_groups.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.tty': { type: 'object', @@ -2907,26 +3502,52 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.entry_leader.user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.entry_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.entry_leader.working_directory': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.entry_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.env_vars': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'process.executable': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.exit_code': { type: 'long', 
@@ -2937,6 +3558,7 @@ export const ecsFieldMap = { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'process.group_leader.args_count': { type: 'long', @@ -2947,26 +3569,44 @@ export const ecsFieldMap = { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'process.group_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.group_leader.entity_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.executable': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.group_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.group_leader.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.interactive': { type: 'boolean', @@ -2977,6 +3617,14 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.group_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.group_leader.pid': { type: 'long', @@ -2987,21 +3635,32 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.real_group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.real_user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.real_user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.group_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.group_leader.same_as_process': { type: 'boolean', 
@@ -3012,21 +3671,32 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.saved_group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.saved_user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.saved_user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.group_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.group_leader.start': { type: 'date', @@ -3037,11 +3707,13 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.supplemental_groups.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.tty': { type: 'object', 
@@ -3062,51 +3734,75 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.group_leader.user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.group_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.group_leader.working_directory': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.group_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.hash.md5': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.hash.sha1': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.hash.sha256': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.hash.sha384': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.hash.sha512': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.hash.ssdeep': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.hash.tlsh': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.interactive': { type: 'boolean', @@ -3157,16 +3853,26 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.parent.args': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'process.parent.args_count': { type: 'long', @@ -3177,6 +3883,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.code_signature.exists': { type: 'boolean', 
@@ -3187,21 +3894,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.code_signature.status': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.code_signature.subject_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.code_signature.team_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.code_signature.timestamp': { type: 'date', @@ -3222,21 +3933,31 @@ export const ecsFieldMap = { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'process.parent.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.parent.elf.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.byte_order': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.cpu_type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.creation_date': { type: 'date', @@ -3252,16 +3973,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.header.class': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.header.data': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.header.entrypoint': { type: 'long', 
@@ -3272,21 +3996,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.header.os_abi': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.header.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.header.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.imports': { type: 'flattened', @@ -3312,16 +4040,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.sections.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.sections.physical_offset': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.sections.physical_size': { type: 'long', @@ -3332,6 +4063,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.sections.virtual_address': { type: 'long', @@ -3352,21 +4084,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.segments.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.elf.shared_libraries': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'process.parent.elf.telfhash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.end': { type: 'date', 
@@ -3377,11 +4113,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.executable': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.parent.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.parent.exit_code': { type: 'long', @@ -3392,16 +4137,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.group_leader.entity_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.group_leader.pid': { type: 'long', @@ -3417,36 +4165,43 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.hash.sha1': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.hash.sha256': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.hash.sha384': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.hash.sha512': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.hash.ssdeep': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.hash.tlsh': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.interactive': { type: 'boolean', 
@@ -3457,46 +4212,62 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.parent.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.parent.pe.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.pe.company': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.pe.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.pe.file_version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.pe.imphash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.pe.original_file_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.pe.pehash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.pe.product': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.pgid': { type: 'long', 
@@ -3512,41 +4283,63 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.real_group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.real_user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.real_user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.parent.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.parent.saved_group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.saved_group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.saved_user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.saved_user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.parent.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.parent.start': { type: 'date', @@ -3557,11 +4350,13 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.supplemental_groups.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.thread.id': { type: 'long', @@ -3572,11 +4367,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.title': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.parent.title.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.parent.tty': { type: 'object', 
@@ -3602,56 +4406,81 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.parent.user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.parent.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.parent.working_directory': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.parent.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.pe.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.pe.company': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.pe.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.pe.file_version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.pe.imphash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.pe.original_file_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.pe.pehash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.pe.product': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.pgid': { type: 'long', @@ -3667,6 +4496,7 @@ export const ecsFieldMap = { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'process.previous.args_count': { type: 'long', 
@@ -3677,51 +4507,82 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.previous.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.real_group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.real_group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.real_user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.real_user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.saved_group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.saved_group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.saved_user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.saved_user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.session_leader.args': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'process.session_leader.args_count': { type: 'long', 
@@ -3732,26 +4593,44 @@ export const ecsFieldMap = { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'process.session_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.session_leader.entity_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.executable': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.session_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.session_leader.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.interactive': { type: 'boolean', @@ -3762,11 +4641,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.session_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.session_leader.parent.entity_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.parent.pid': { type: 'long', @@ -3777,6 +4665,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.parent.session_leader.pid': { type: 'long', 
@@ -3802,21 +4691,32 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.real_group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.real_user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.real_user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.session_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.session_leader.same_as_process': { type: 'boolean', @@ -3827,21 +4727,32 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.saved_group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.saved_user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.saved_user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.session_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.session_leader.start': { type: 'date', @@ -3852,11 +4763,13 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.supplemental_groups.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.tty': { type: 'object', 
@@ -3877,16 +4790,33 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.session_leader.user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.session_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.session_leader.working_directory': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.session_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.start': { type: 'date', @@ -3897,11 +4827,13 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.supplemental_groups.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.thread.id': { type: 'long', @@ -3912,11 +4844,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.title': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.title.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.tty': { type: 'object', @@ -3952,21 +4893,39 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'process.user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'process.working_directory': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'process.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'registry.data.bytes': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'registry.data.strings': { type: 'wildcard', 
@@ -3977,36 +4936,43 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'registry.hive': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'registry.key': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'registry.path': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'registry.value': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'related.hash': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'related.hosts': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'related.ip': { type: 'ip', @@ -4017,61 +4983,73 @@ export const ecsFieldMap = { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'rule.author': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'rule.category': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'rule.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'rule.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'rule.license': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'rule.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'rule.reference': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'rule.ruleset': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'rule.uuid': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'rule.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.address': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.as.number': { type: 'long', 
@@ -4082,6 +5060,14 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'server.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'server.bytes': { type: 'long', @@ -4092,31 +5078,37 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.geo.city_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.geo.continent_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.geo.continent_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.geo.country_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.geo.country_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.geo.location': { type: 'geo_point', @@ -4127,26 +5119,31 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.geo.postal_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.geo.region_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.geo.region_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.geo.timezone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.ip': { type: 'ip', @@ -4157,6 +5154,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.nat.ip': { type: 'ip', 
@@ -4182,236 +5180,297 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.subdomain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.top_level_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.user.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.user.email': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.user.full_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'server.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'server.user.group.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.user.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.user.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.user.hash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'server.user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'server.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'server.user.roles': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'service.address': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.environment': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.ephemeral_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, 
}, 'service.node.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.node.role': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.node.roles': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'service.origin.address': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.origin.environment': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.origin.ephemeral_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.origin.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.origin.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.origin.node.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.origin.node.role': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.origin.node.roles': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'service.origin.state': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.origin.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.origin.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.state': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.target.address': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.target.environment': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.target.ephemeral_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.target.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.target.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, 
}, 'service.target.node.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.target.node.role': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.target.node.roles': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'service.target.state': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.target.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.target.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'service.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.address': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.as.number': { type: 'long', @@ -4422,6 +5481,14 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'source.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'source.bytes': { type: 'long', @@ -4432,31 +5499,37 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.geo.city_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.geo.continent_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.geo.continent_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.geo.country_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.geo.country_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.geo.location': { type: 'geo_point', 
@@ -4467,26 +5540,31 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.geo.postal_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.geo.region_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.geo.region_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.geo.timezone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.ip': { type: 'ip', @@ -4497,6 +5575,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.nat.ip': { type: 'ip', 
@@ -4522,76 +5601,105 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.subdomain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.top_level_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.user.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.user.email': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.user.full_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'source.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'source.user.group.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.user.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.user.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.user.hash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'source.user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'source.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'source.user.roles': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'span.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, tags: { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments': { type: 'nested', 
@@ -4612,21 +5720,32 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.enrichments.indicator.confidence': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.email.address': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.accessed': { type: 'date', @@ -4637,11 +5756,13 @@ export const ecsFieldMap = { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.code_signature.exists': { type: 'boolean', @@ -4652,21 +5773,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.code_signature.status': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.code_signature.subject_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.code_signature.team_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.code_signature.timestamp': { type: 'date', 
@@ -4697,31 +5822,37 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.directory': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.drive_letter': { type: 'keyword', array: false, required: false, + ignore_above: 1, }, 'threat.enrichments.indicator.file.elf.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.byte_order': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.cpu_type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.creation_date': { type: 'date', @@ -4737,16 +5868,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.header.class': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.header.data': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.header.entrypoint': { type: 'long', @@ -4757,21 +5891,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.header.os_abi': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.header.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.header.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.imports': { type: 'flattened', 
@@ -4797,16 +5935,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.sections.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.sections.physical_offset': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.sections.physical_size': { type: 'long', @@ -4817,6 +5958,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.sections.virtual_address': { type: 'long', 
@@ -4837,91 +5979,109 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.segments.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.shared_libraries': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.elf.telfhash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.extension': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.fork_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.gid': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.group': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.hash.md5': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.hash.sha1': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.hash.sha256': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.hash.sha384': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.hash.sha512': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.hash.ssdeep': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.hash.tlsh': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.inode': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 
'threat.enrichments.indicator.file.mime_type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.mode': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.mtime': { type: 'date', @@ -4932,56 +6092,74 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.owner': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.path': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.file.path.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.enrichments.indicator.file.pe.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.pe.company': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.pe.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.pe.file_version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.pe.imphash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.pe.original_file_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.pe.pehash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.pe.product': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.size': { type: 'long', 
@@ -4992,56 +6170,74 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.enrichments.indicator.file.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.uid': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.alternative_names': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.issuer.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.issuer.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.issuer.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.issuer.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.issuer.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.issuer.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.issuer.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.not_after': { type: 'date', 
@@ -5057,16 +6253,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.public_key_curve': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.public_key_exponent': { type: 'long', array: false, required: false, + doc_values: false, + index: false, }, 'threat.enrichments.indicator.file.x509.public_key_size': { type: 'long', @@ -5077,51 +6277,61 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.signature_algorithm': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.subject.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.subject.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.subject.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.subject.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.subject.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.subject.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.subject.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.file.x509.version_number': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.first_seen': { type: 'date', 
@@ -5132,26 +6342,31 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.geo.continent_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.geo.continent_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.geo.country_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.geo.country_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.geo.location': { type: 'geo_point', @@ -5162,26 +6377,31 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.geo.postal_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.geo.region_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.geo.region_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.geo.timezone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.ip': { type: 'ip', @@ -5193,10 +6413,11 @@ export const ecsFieldMap = { array: false, required: false, }, - 'threat.enrichments.indicator.marking.tlp.version': { + 'threat.enrichments.indicator.marking.tlp': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.modified_at': { type: 'date', 
@@ -5212,16 +6433,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.reference': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.registry.data.bytes': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.registry.data.strings': { type: 'wildcard', @@ -5232,26 +6456,31 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.registry.hive': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.registry.key': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.registry.path': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.registry.value': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.scanner_stats': { type: 'long', 
@@ -5267,36 +6496,55 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.url.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.url.extension': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.url.fragment': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.url.full': { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.url.full.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.enrichments.indicator.url.original': { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.url.original.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.enrichments.indicator.url.password': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.url.path': { type: 'wildcard', 
@@ -5312,71 +6560,85 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.url.registered_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.url.scheme': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.url.subdomain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.url.top_level_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.url.username': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.alternative_names': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.issuer.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.issuer.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.issuer.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.issuer.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.issuer.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.issuer.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.issuer.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.not_after': { type: 'date', 
@@ -5392,16 +6654,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.public_key_curve': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.public_key_exponent': { type: 'long', array: false, required: false, + doc_values: false, + index: false, }, 'threat.enrichments.indicator.x509.public_key_size': { type: 'long', 
@@ -5412,71 +6678,85 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.signature_algorithm': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.subject.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.subject.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.subject.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.subject.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.subject.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.subject.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.subject.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.enrichments.indicator.x509.version_number': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.matched.atomic': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.matched.field': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.matched.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.matched.index': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.enrichments.matched.occurred': { type: 'date', 
@@ -5487,51 +6767,61 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.feed.dashboard_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.feed.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.feed.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.feed.reference': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.framework': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.group.alias': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.group.reference': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.as.number': { type: 'long', @@ -5542,21 +6832,32 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'threat.indicator.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.indicator.confidence': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.email.address': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.accessed': { type: 'date', 
@@ -5567,11 +6868,13 @@ export const ecsFieldMap = { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.code_signature.digest_algorithm': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.code_signature.exists': { type: 'boolean', @@ -5582,21 +6885,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.code_signature.status': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.code_signature.subject_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.code_signature.team_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.code_signature.timestamp': { type: 'date', @@ -5627,31 +6934,37 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.directory': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.drive_letter': { type: 'keyword', array: false, required: false, + ignore_above: 1, }, 'threat.indicator.file.elf.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.byte_order': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.cpu_type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.creation_date': { type: 'date', 
@@ -5667,16 +6980,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.header.class': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.header.data': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.header.entrypoint': { type: 'long', @@ -5687,21 +7003,25 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.header.os_abi': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.header.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.header.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.imports': { type: 'flattened', @@ -5727,16 +7047,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.sections.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.sections.physical_offset': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.sections.physical_size': { type: 'long', @@ -5747,6 +7070,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.sections.virtual_address': { type: 'long', 
@@ -5767,91 +7091,109 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.segments.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.shared_libraries': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.elf.telfhash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.extension': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.fork_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.gid': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.group': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.hash.md5': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.hash.sha1': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.hash.sha256': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.hash.sha384': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.hash.sha512': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.hash.ssdeep': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.hash.tlsh': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.inode': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.mime_type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.mode': { type: 'keyword', array: false, required: false, + ignore_above: 
1024, }, 'threat.indicator.file.mtime': { type: 'date', @@ -5862,56 +7204,74 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.owner': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.path': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'threat.indicator.file.path.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.indicator.file.pe.architecture': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.pe.company': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.pe.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.pe.file_version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.pe.imphash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.pe.original_file_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.pe.pehash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.pe.product': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.size': { type: 'long', 
@@ -5922,56 +7282,74 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'threat.indicator.file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.indicator.file.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.uid': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.alternative_names': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.issuer.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.issuer.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.issuer.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.issuer.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.issuer.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.issuer.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.issuer.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.not_after': { type: 'date', @@ -5987,16 +7365,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.public_key_curve': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.public_key_exponent': { type: 'long', array: false, required: false, + doc_values: false, + index: false, }, 'threat.indicator.file.x509.public_key_size': { type: 'long', 
@@ -6007,51 +7389,61 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.signature_algorithm': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.subject.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.subject.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.subject.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.subject.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.subject.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.subject.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.subject.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.file.x509.version_number': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.first_seen': { type: 'date', @@ -6062,26 +7454,31 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.geo.continent_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.geo.continent_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.geo.country_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.geo.country_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.geo.location': { type: 'geo_point', 
@@ -6092,26 +7489,31 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.geo.postal_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.geo.region_iso_code': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.geo.region_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.geo.timezone': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.ip': { type: 'ip', @@ -6127,6 +7529,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.modified_at': { type: 'date', @@ -6142,16 +7545,19 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.reference': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.registry.data.bytes': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.registry.data.strings': { type: 'wildcard', @@ -6162,26 +7568,31 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.registry.hive': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.registry.key': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.registry.path': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.registry.value': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.scanner_stats': { type: 'long', 
@@ -6197,36 +7608,55 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.url.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.url.extension': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.url.fragment': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.url.full': { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'threat.indicator.url.full.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.indicator.url.original': { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'threat.indicator.url.original.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.indicator.url.password': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.url.path': { type: 'wildcard', 
@@ -6242,71 +7672,85 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.url.registered_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.url.scheme': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.url.subdomain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.url.top_level_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.url.username': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.alternative_names': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.issuer.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.issuer.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.issuer.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.issuer.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.issuer.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.issuer.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.issuer.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.not_after': { type: 'date', 
@@ -6322,16 +7766,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.public_key_curve': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.public_key_exponent': { type: 'long', array: false, required: false, + doc_values: false, + index: false, }, 'threat.indicator.x509.public_key_size': { type: 'long', 
@@ -6342,171 +7790,213 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.signature_algorithm': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.subject.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.subject.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.subject.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.subject.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.subject.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.subject.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.subject.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.indicator.x509.version_number': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.software.alias': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.software.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.software.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.software.platforms': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.software.reference': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.software.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'threat.tactic.id': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.tactic.name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, 
}, 'threat.tactic.reference': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.technique.id': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.technique.name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'threat.technique.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.technique.reference': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.technique.subtechnique.id': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'threat.technique.subtechnique.name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'threat.technique.subtechnique.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'threat.technique.subtechnique.reference': { type: 'keyword', array: true, required: false, - }, - 'threat.threat.indicator.marking.tlp.version': { - type: 'keyword', - array: false, - required: false, + ignore_above: 1024, }, 'tls.cipher': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.certificate': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.certificate_chain': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.hash.md5': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.hash.sha1': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.hash.sha256': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.issuer': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.ja3': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.not_after': { type: 'date', 
@@ -6522,56 +8012,67 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.subject': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.supported_ciphers': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.alternative_names': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.issuer.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.issuer.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.issuer.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.x509.issuer.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.issuer.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.issuer.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.issuer.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.not_after': { type: 'date', @@ -6587,16 +8088,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.x509.public_key_curve': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.x509.public_key_exponent': { type: 'long', array: false, required: false, + doc_values: false, + index: false, }, 'tls.client.x509.public_key_size': { type: 'long', 
@@ -6607,56 +8112,67 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.x509.signature_algorithm': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.x509.subject.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.subject.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.subject.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.client.x509.subject.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.subject.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.subject.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.subject.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.client.x509.version_number': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.curve': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.established': { type: 'boolean', @@ -6667,6 +8183,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.resumed': { type: 'boolean', 
@@ -6677,36 +8194,43 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.certificate_chain': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.hash.md5': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.hash.sha1': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.hash.sha256': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.issuer': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.ja3s': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.not_after': { type: 'date', @@ -6722,46 +8246,55 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.x509.alternative_names': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.issuer.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.issuer.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.issuer.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.x509.issuer.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.issuer.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.issuer.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.issuer.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.not_after': { type: 'date', 
@@ -6777,16 +8310,20 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.x509.public_key_curve': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.x509.public_key_exponent': { type: 'long', array: false, required: false, + doc_values: false, + index: false, }, 'tls.server.x509.public_key_size': { type: 'long', 
@@ -6797,101 +8334,133 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.x509.signature_algorithm': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.x509.subject.common_name': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.subject.country': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.subject.distinguished_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.server.x509.subject.locality': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.subject.organization': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.subject.organizational_unit': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.subject.state_or_province': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'tls.server.x509.version_number': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'tls.version_protocol': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'trace.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'transaction.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'url.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'url.extension': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'url.fragment': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'url.full': { type: 'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'url.full.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'url.original': { type: 
'wildcard', array: false, required: false, + multi_fields: [ + { + flat_name: 'url.original.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'url.password': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'url.path': { type: 'wildcard', 
@@ -6907,181 +8476,259 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'url.registered_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'url.scheme': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'url.subdomain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'url.top_level_domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'url.username': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.changes.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.changes.email': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.changes.full_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'user.changes.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'user.changes.group.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.changes.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.changes.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.changes.hash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.changes.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.changes.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'user.changes.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'user.changes.roles': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'user.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.effective.domain': { type: 'keyword', array: false, required: false, + ignore_above: 
1024, }, 'user.effective.email': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.effective.full_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'user.effective.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'user.effective.group.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.effective.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.effective.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.effective.hash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.effective.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.effective.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'user.effective.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'user.effective.roles': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'user.email': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.full_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'user.group.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.hash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: 
[ + { + flat_name: 'user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'user.risk.calculated_level': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.risk.calculated_score': { type: 'float', @@ -7097,6 +8744,7 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.risk.static_score': { type: 'float', 
@@ -7112,151 +8760,223 @@ export const ecsFieldMap = { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'user.target.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.target.email': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.target.full_name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'user.target.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'user.target.group.domain': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.target.group.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.target.group.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.target.hash': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.target.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user.target.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'user.target.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'user.target.roles': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'user_agent.device.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user_agent.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user_agent.original': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'user_agent.original.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'user_agent.os.family': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user_agent.os.full': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'user_agent.os.full.text', + 
name: 'text', + type: 'match_only_text', + }, + ], }, 'user_agent.os.kernel': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user_agent.os.name': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'user_agent.os.name.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'user_agent.os.platform': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user_agent.os.type': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user_agent.os.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'user_agent.version': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'vulnerability.category': { type: 'keyword', array: true, required: false, + ignore_above: 1024, }, 'vulnerability.classification': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'vulnerability.description': { type: 'keyword', array: false, required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'vulnerability.description.text', + name: 'text', + type: 'match_only_text', + }, + ], }, 'vulnerability.enumeration': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'vulnerability.id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'vulnerability.reference': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'vulnerability.report_id': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'vulnerability.scanner.vendor': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'vulnerability.score.base': { type: 'float', @@ -7277,11 +8997,13 @@ export const ecsFieldMap = { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, 'vulnerability.severity': { type: 'keyword', array: false, required: false, + ignore_above: 1024, }, } as const; 
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_map/index.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/index.ts
similarity index 100%
rename from x-pack/plugins/alerting/common/alert_schema/field_map/index.ts
rename to x-pack/plugins/alerting/common/alert_schema/field_maps/index.ts
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts
new file mode 100644
index 00000000000000..a474f5aa126000
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts
@@ -0,0 +1,169 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { mappingFromFieldMap } from './mapping_from_field_map'; + +describe('mappingFromFieldMap', () => { + const fieldMap = { + date_field: { + type: 'date', + array: false, + required: true, + }, + keyword_field: { + type: 'keyword', + array: false, + required: false, + ignore_above: 1024, + }, + long_field: { + type: 'long', + array: false, + required: false, + }, + multifield_field: { + type: 'keyword', + array: false, + required: false, + ignore_above: 1024, + multi_fields: [ + { + flat_name: 'multifield_field.text', + name: 'text', + type: 'match_only_text', + }, + ], + }, + geopoint_field: { + type: 'geo_point', + array: false, + required: false, + }, + ip_field: { + type: 'ip', + array: false, + required: false, + }, + array_field: { + type: 'keyword', + array: true, + required: false, + ignore_above: 1024, + }, + nested_array_field: { + type: 'nested', + array: false, + required: false, + }, + 'nested_array_field.field1': { + type: 'keyword', + array: false, + required: false, + ignore_above: 1024, + }, + 'nested_array_field.field2': { + type: 'keyword', + array: false, + required: false, + ignore_above: 1024, + }, + scaled_float_field: { + type: 'scaled_float', + array: false, + required: false, + scaling_factor: 1000, + }, + constant_keyword_field: { + type: 'constant_keyword', + array: false, + required: false, + }, + 'parent_field.child1': { + type: 'keyword', + array: false, + required: false, + ignore_above: 1024, + }, + 'parent_field.child2': { + type: 'keyword', + array: false, + required: false, + ignore_above: 1024, + }, + }; + const expectedMapping = { + properties: { + array_field: { + ignore_above: 1024, + type: 'keyword', + }, + constant_keyword_field: { + type: 
'constant_keyword', + }, + date_field: { + type: 'date', + }, + geopoint_field: { + type: 'geo_point', + }, + ip_field: { + type: 'ip', + }, + keyword_field: { + ignore_above: 1024, + type: 'keyword', + }, + long_field: { + type: 'long', + }, + multifield_field: { + fields: { + text: { + type: 'match_only_text', + }, + }, + ignore_above: 1024, + type: 'keyword', + }, + nested_array_field: { + properties: { + field1: { + ignore_above: 1024, + type: 'keyword', + }, + field2: { + ignore_above: 1024, + type: 'keyword', + }, + }, + type: 'nested', + }, + parent_field: { + properties: { + child1: { + ignore_above: 1024, + type: 'keyword', + }, + child2: { + ignore_above: 1024, + type: 'keyword', + }, + }, + }, + scaled_float_field: { + scaling_factor: 1000, + type: 'scaled_float', + }, + }, + }; + it('correctly creates mapping from field map', () => { + expect(mappingFromFieldMap(fieldMap)).toEqual({ dynamic: 'strict', ...expectedMapping }); + }); + + it('uses dynamic setting if specified', () => { + expect(mappingFromFieldMap(fieldMap, true)).toEqual({ dynamic: true, ...expectedMapping }); + }); +}); diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts new file mode 100644 index 00000000000000..ae7eb25f25b3a0 --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts 
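Review bot: The fixture lists `nested_array_field` before `'nested_array_field.field1'` / `field2` and gives `parent_field` only dotted children, so the suite never exercises a child key that precedes its explicitly declared parent, which is the ordering under which the `set`-based builder in `mapping_from_field_map.ts` appears to overwrite the child's `properties`. A case with the child listed first, and one entry carrying `doc_values` / `index` the way the regenerated ECS map does, would pin both behaviours. The `describe` block is the whole hunk.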
@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import { set } from '@kbn/safer-lodash-set';
+import { FieldMap } from './types';
+
+export function mappingFromFieldMap(
+ fieldMap: FieldMap,
+ dynamic: 'strict' | boolean = 'strict'
+): estypes.MappingTypeMapping {
+ const mappings = {
+ dynamic,
+ properties: {},
+ };
+
+ const fields = Object.keys(fieldMap).map((key) => {
+ const field = fieldMap[key];
+ return {
+ name: key,
+ ...field,
+ };
+ });
+
+ fields.forEach((field) => {
+ // eslint-disable-next-line @typescript-eslint/naming-convention
+ const { name, required, array, multi_fields, ...rest } = field;
+
+ const mapped = multi_fields
+ ? {
+ ...rest,
+ // eslint-disable-next-line @typescript-eslint/naming-convention
+ fields: multi_fields.reduce((acc, multi_field) => {
+ return {
+ ...acc,
+ [multi_field.name]: {
+ type: multi_field.type,
+ },
+ };
+ }, {}),
+ }
+ : rest;
+
+ set(mappings.properties, field.name.split('.').join('.properties.'), mapped);
+ });
+
+ return mappings;
+}
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_map/merge_field_maps.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/merge_field_maps.ts
similarity index 100%
rename from x-pack/plugins/alerting/common/alert_schema/field_map/merge_field_maps.ts
rename to x-pack/plugins/alerting/common/alert_schema/field_maps/merge_field_maps.ts
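Review bot: The `set(mappings.properties, …, mapped)` call at the end of the `forEach` replaces whatever already sits at that path, so the output depends on key order in `fieldMap`: if a dotted child such as `'nested_array_field.field1'` is listed before its parent `nested_array_field`, the parent's `set` overwrites the `properties` node the child created and the child silently disappears from the mapping. Visiting parents before children removes the order dependence, e.g. `const fields = Object.keys(fieldMap).sort().map((key) => {`, since a key always sorts before its own dotted descendants; merging with the existing node at the path would be the alternative. `mappingFromFieldMap` is exported without TSDoc; a header noting that `required`, `array` and `multi_fields` are stripped or translated while every other key is passed through to Elasticsearch verbatim, and that the `'strict'` default means undeclared fields are rejected rather than auto-mapped, would tell callers what they are getting.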
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts
similarity index 100%
rename from x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.test.ts
rename to x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts
similarity index 100%
rename from x-pack/plugins/alerting/common/alert_schema/field_map/runtime_type_from_fieldmap.ts
rename to x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_map/types.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts
similarity index 80%
rename from x-pack/plugins/alerting/common/alert_schema/field_map/types.ts
rename to x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts
index 6eeffa12400fe2..8deecfd0f9c63a 100644
--- a/x-pack/plugins/alerting/common/alert_schema/field_map/types.ts
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts
@@ -11,6 +11,8 @@ export interface FieldMap {
 required?: boolean;
 array?: boolean;
 path?: string;
+ ignore_above?: number;
 scaling_factor?: number;
+ multi_fields?: Array<{ flat_name: string; name: string; type: string }>;
 };
 }
diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js
new file mode 100644
index 00000000000000..534f231d0b3c49
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js
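Review bot: The `FieldMap` value type gains `ignore_above` and `multi_fields` here, but the regenerated `ecsFieldMap` in this same commit also emits `doc_values: false` and `index: false` (see `tls.server.x509.public_key_exponent`), which the interface does not declare; `mappingFromFieldMap` spreads the remainder of each entry into the mapping, so those keys reach Elasticsearch with no type checking behind them. Adding `doc_values?: boolean;` and `index?: boolean;` next to `ignore_above` keeps the type in step with what `generate_ecs_fieldmap.js` produces. The enclosing `interface FieldMap` starts outside the hunk.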
@@ -0,0 +1,105 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+const path = require('path');
+const fs = require('fs');
+const util = require('util');
+const https = require('https');
+const yaml = require('js-yaml');
+const { exec: execCb } = require('child_process');
+const { reduce } = require('lodash');
+
+const readFile = util.promisify(fs.readFile);
+const writeFile = util.promisify(fs.writeFile);
+const exec = util.promisify(execCb);
+
+const ecsYmlUrlPrefix = `https://raw.githubusercontent.com/elastic/ecs/v8.5.2/generated/ecs/`;
+const ecsYmlFilename = `ecs_flat.yml`;
+
+const outputDir = path.join(__dirname, '../../alert_schema/field_maps');
+
+const outputFieldMapFilename = path.join(outputDir, 'ecs_field_map.ts');
+
+async function generate() {
+ https.get(
+ `${ecsYmlUrlPrefix}${ecsYmlFilename}`,
+ (response) => {
+ const filePath = fs.createWriteStream(ecsYmlFilename);
+ response.pipe(filePath);
+ filePath.on('finish', async () => {
+ filePath.close();
+ console.log(`Successfully downloaded ${ecsYmlUrlPrefix}${ecsYmlFilename}`);
+
+ const flatYaml = await yaml.safeLoad(await readFile(ecsYmlFilename));
+
+ const fields = reduce(
+ flatYaml,
+ (fieldsObj, value, key) => {
+ const field = {
+ type: value.type,
+ array: value.normalize.includes('array'),
+ required: !!value.required,
+ };
+
+ if (value.scaling_factor) {
+ field.scaling_factor = value.scaling_factor;
+ }
+
+ if (value.ignore_above) {
+ field.ignore_above = value.ignore_above;
+ }
+
+ if (null != value.doc_values) {
+ field.doc_values = value.doc_values;
+ }
+
+ if (null != value.index) {
+ field.index = value.index;
+ }
+
+ if (value.multi_fields) {
+ field.multi_fields = value.multi_fields;
+ }
+
+ fieldsObj[key] = field;
+
+ return fieldsObj;
+ },
+ {}
+ );
+
+ await Promise.all([
+ writeFile(
+ outputFieldMapFilename,
+ `
+ /* This file is generated by x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js,
+ do not manually edit
+ */
+
+ export const ecsFieldMap = ${JSON.stringify(fields, null, 2)} as const
+
+ export type EcsFieldMap = typeof ecsFieldMap;
+ `,
+ { encoding: 'utf-8' }
+ ).then(() => {
+ return exec(`node scripts/eslint --fix ${outputFieldMapFilename}`);
+ }),
+ ]);
+
+ console.log(`Successfully generated fieldmap at ${outputFieldMapFilename}`);
+ });
+ },
+ (err) => {
+ console.log(`Error downloading ${ecsYmlUrlPrefix}${ecsYmlFilename} - ${err.message}`);
+ process.exit(1);
+ }
+ );
+}
+
+generate().catch((err) => {
+ console.log(err);
+ process.exit(1);
+});
From c241bbd197113481db89a0a05608649ad8828254 Mon Sep 17 00:00:00 2001
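Review bot: `https.get` accepts no error callback, so the third argument `(err) => {…}` at the end of `generate` is never invoked; request failures are emitted as an `'error'` event on the returned request and, unhandled, crash the process without the intended message. The response status is also not checked before `response.pipe(filePath)`, so a non-200 body (for example once the pinned `v8.5.2` path moves) is written to `ecs_flat.yml` and handed to `yaml.safeLoad` as if it were the schema. Attach the handler with `.on('error', …)` and stop on an unexpected status before piping, as sketched below. Pinning the download to a release tag is the right instinct; recording the expected digest of `ecs_flat.yml` alongside the tag would let the generator notice a moved tag or an altered artifact instead of silently regenerating from it, and if the repo's js-yaml is v4 `safeLoad` no longer exists and `load` is the safe default.
```javascript
async function generate() {
  const request = https.get(`${ecsYmlUrlPrefix}${ecsYmlFilename}`, (response) => {
    if (response.statusCode !== 200) {
      console.log(`Error downloading ${ecsYmlUrlPrefix}${ecsYmlFilename} - HTTP ${response.statusCode}`);
      response.resume();
      process.exit(1);
    }
    const filePath = fs.createWriteStream(ecsYmlFilename);
    response.pipe(filePath);
    // … unchanged: 'finish' handler that parses the YAML and writes the field map …
  });
  request.on('error', (err) => {
    console.log(`Error downloading ${ecsYmlUrlPrefix}${ecsYmlFilename} - ${err.message}`);
    process.exit(1);
  });
}
```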
From: Ying Mao Date: Thu, 17 Nov 2022 14:10:13 -0500 Subject: [PATCH 03/42] Got ECS and alert field maps ready. Generating and installing component templates --- packages/kbn-rule-data-utils/index.ts | 1 + .../src/default_alerts_as_data.ts | 291 + .../src/technical_field_names.ts | 88 +- .../ecs_component_template.ts | 25 - .../technical_component_template.ts | 19 - .../experimental_rule_field_map.test.ts | 25 - .../field_maps/experimental_rule_field_map.ts | 15 - .../technical_rule_field_map.test.ts | 269 - .../field_maps/technical_rule_field_map.ts | 219 - .../alerts_component_template.ts | 22 + .../assets/ecs_legacy_template.json | 7182 ----------------- .../ecs_component_template.ts | 22 + .../field_maps/alert_field_map.ts | 419 +- .../alert_schema/field_maps/ecs_field_map.ts | 2 +- .../field_maps/mapping_from_field_map.test.ts | 16 + .../field_maps/mapping_from_field_map.ts | 10 +- .../field_maps/merge_field_maps.ts | 86 +- .../runtime_type_from_fieldmap.test.ts | 156 +- .../field_maps/runtime_type_from_fieldmap.ts | 266 +- .../common/alert_schema/field_maps/types.ts | 16 +- .../alert_schema/{field_maps => }/index.ts | 5 +- .../alert_schema/parse_technical_fields.ts | 50 +- .../scripts/create_schema_from_mapping.js | 99 +- .../scripts/generate_ecs_fieldmap.js | 5 +- .../alert_schema/scripts/generate_schemas.sh | 18 +- x-pack/plugins/alerting/common/index.ts | 1 + .../server/alerts_service/alerts_service.ts | 4 +- 27 files changed, 1104 insertions(+), 8227 deletions(-) create mode 100644 packages/kbn-rule-data-utils/src/default_alerts_as_data.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/component_templates/ecs_component_template.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/component_templates/technical_component_template.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.test.ts delete mode 100644 
x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.test.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.ts create mode 100644 x-pack/plugins/alerting/common/alert_schema/component_templates/alerts_component_template.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/component_templates/assets/ecs_legacy_template.json create mode 100644 x-pack/plugins/alerting/common/alert_schema/component_templates/ecs_component_template.ts rename x-pack/plugins/alerting/common/alert_schema/{field_maps => }/index.ts (59%) diff --git a/packages/kbn-rule-data-utils/index.ts b/packages/kbn-rule-data-utils/index.ts index ddf6215aaba900..62ba19c420f9fc 100644 --- a/packages/kbn-rule-data-utils/index.ts +++ b/packages/kbn-rule-data-utils/index.ts @@ -6,6 +6,7 @@ * Side Public License, v 1. */ +export * from './src/default_alerts_as_data'; export * from './src/technical_field_names'; export * from './src/alerts_as_data_rbac'; export * from './src/alerts_as_data_severity'; diff --git a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts new file mode 100644 index 00000000000000..f5f18cfcf3dbee --- /dev/null +++ b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts 
@@ -0,0 +1,291 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { ValuesType } from 'utility-types'; + +// TODO - add comments for all these dang fields +const KIBANA_NAMESPACE = 'kibana' as const; +const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const; +const ALERT_ORIGINAL_EVENT_NAMESPACE = `${ALERT_NAMESPACE}.original_event` as const; +const ALERT_THRESHOLD_RESULT_NAMESPACE = `${ALERT_NAMESPACE}.threshold_result` as const; +const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const; + +const ALERT_ACTION_GROUP = `${ALERT_NAMESPACE}.action_group` as const; +const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const; +const ALERT_END = `${ALERT_NAMESPACE}.end` as const; +const ALERT_EVALUATION_RESULTS = `${ALERT_NAMESPACE}.evaluation_results` as const; +const ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR = + `${ALERT_NAMESPACE}.evaluation_results.thresholds.comparator` as const; +const ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE = + `${ALERT_NAMESPACE}.evaluation_results.thresholds.type` as const; +const ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE = + `${ALERT_NAMESPACE}.evaluation_results.thresholds.value` as const; +const ALERT_EVALUATION_RESULTS_VALUE = `${ALERT_NAMESPACE}.evaluation_results.value` as const; +const ALERT_FLAPPING = `${ALERT_NAMESPACE}.flapping` as const; +const ALERT_ID = `${ALERT_NAMESPACE}.id` as const; +const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const; +const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const; +const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const; +const ALERT_RULE_CONSUMER = `${ALERT_RULE_NAMESPACE}.consumer` as const; +const ALERT_RULE_EXECUTION_UUID = 
`${ALERT_RULE_NAMESPACE}.execution.uuid` as const; +const ALERT_RULE_NAME = `${ALERT_RULE_NAMESPACE}.name` as const; +const ALERT_RULE_PARAMETERS = `${ALERT_RULE_NAMESPACE}.parameters` as const; +const ALERT_RULE_PRODUCER = `${ALERT_RULE_NAMESPACE}.producer` as const; +const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const; +const ALERT_RULE_TYPE_ID = `${ALERT_RULE_NAMESPACE}.rule_type_id` as const; +const ALERT_RULE_UUID = `${ALERT_RULE_NAMESPACE}.uuid` as const; +const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const; +const ALERT_START = `${ALERT_NAMESPACE}.start` as const; +const ALERT_STATUS = `${ALERT_NAMESPACE}.status` as const; +const ALERT_TIME_RANGE = `${ALERT_NAMESPACE}.time_range` as const; +const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const; +const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const; +const ANOMALY_BUCKET_SPAN_MINUTES = `anomaly.bucket_span.minutes` as const; +const ANOMALY_START = `anomaly.start` as const; +const MONITOR_ID = `monitor.id` as const; +const MONITOR_NAME = `monitor.name` as const; +const MONITOR_TYPE = `monitor.type` as const; +const PROCESSOR_EVENT = `processor.event` as const; +const TRANSACTION_TYPE = `transaction.type` as const; +const TRANSACTION_NAME = `transaction.name` as const; +const SPACE_IDS = `${KIBANA_NAMESPACE}.space_ids` as const; +const VERSION = `${KIBANA_NAMESPACE}.version` as const; + +const ALERT_ANCESTORS = `${ALERT_NAMESPACE}.ancestors` as const; +const ALERT_ANCESTORS_DEPTH = `${ALERT_NAMESPACE}.ancestors.depth` as const; +const ALERT_ANCESTORS_ID = `${ALERT_NAMESPACE}.ancestors.id` as const; +const ALERT_ANCESTORS_INDEX = `${ALERT_NAMESPACE}.ancestors.index` as const; +const ALERT_ANCESTORS_RULE = `${ALERT_NAMESPACE}.ancestors.rule` as const; +const ALERT_ANCESTORS_TYPE = `${ALERT_NAMESPACE}.ancestors.type` as const; +const ALERT_DEPTH = `${ALERT_NAMESPACE}.depth` as const; +const ALERT_GROUP_ID = `${ALERT_NAMESPACE}.group.id` as const; +const 
ALERT_GROUP_INDEX = `${ALERT_NAMESPACE}.group.index` as const; +const ALERT_ORIGINAL_EVENT_ACTION = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.action` as const; +const ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS = + `${ALERT_ORIGINAL_EVENT_NAMESPACE}.agent_id_status` as const; +const ALERT_ORIGINAL_EVENT_CATEGORY = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.category` as const; +const ALERT_ORIGINAL_EVENT_CODE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.code` as const; +const ALERT_ORIGINAL_EVENT_CREATED = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.created` as const; +const ALERT_ORIGINAL_EVENT_DATASET = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.dataset` as const; +const ALERT_ORIGINAL_EVENT_DURATION = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.duration` as const; +const ALERT_ORIGINAL_EVENT_END = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.end` as const; +const ALERT_ORIGINAL_EVENT_HASH = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.hash` as const; +const ALERT_ORIGINAL_EVENT_ID = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.id` as const; +const ALERT_ORIGINAL_EVENT_INGESTED = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.ingested` as const; +const ALERT_ORIGINAL_EVENT_KIND = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.kind` as const; +const ALERT_ORIGINAL_EVENT_MODULE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.module` as const; +const ALERT_ORIGINAL_EVENT_ORIGINAL = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.original` as const; +const ALERT_ORIGINAL_EVENT_OUTCOME = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.outcome` as const; +const ALERT_ORIGINAL_EVENT_PROVIDER = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.provider` as const; +const ALERT_ORIGINAL_EVENT_REASON = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.reason` as const; +const ALERT_ORIGINAL_EVENT_REFERENCE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.reference` as const; +const ALERT_ORIGINAL_EVENT_RISK_SCORE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.risk_score` as const; +const ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM = + `${ALERT_ORIGINAL_EVENT_NAMESPACE}.risk_score_norm` as const; +const ALERT_ORIGINAL_EVENT_SEQUENCE = 
`${ALERT_ORIGINAL_EVENT_NAMESPACE}.sequence` as const; +const ALERT_ORIGINAL_EVENT_SEVERITY = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.severity` as const; +const ALERT_ORIGINAL_EVENT_START = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.start` as const; +const ALERT_ORIGINAL_EVENT_TIMEZONE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.timezone` as const; +const ALERT_ORIGINAL_EVENT_TYPE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.type` as const; +const ALERT_ORIGINAL_EVENT_URL = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.url` as const; +const ALERT_ORIGINAL_TIME = `${ALERT_NAMESPACE}.original_time` as const; +const ALERT_THRESHOLD_RESULT_CARDINALITY = + `${ALERT_THRESHOLD_RESULT_NAMESPACE}.cardinality` as const; +const ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD = + `${ALERT_THRESHOLD_RESULT_NAMESPACE}.cardinality.field` as const; +const ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE = + `${ALERT_THRESHOLD_RESULT_NAMESPACE}.cardinality.value` as const; +const ALERT_THRESHOLD_RESULT_COUNT = `${ALERT_THRESHOLD_RESULT_NAMESPACE}.count` as const; +const ALERT_THRESHOLD_RESULT_FROM = `${ALERT_THRESHOLD_RESULT_NAMESPACE}.from` as const; +const ALERT_THRESHOLD_RESULT_TERMS = `${ALERT_THRESHOLD_RESULT_NAMESPACE}.terms` as const; +const ALERT_THRESHOLD_RESULT_TERMS_FIELD = + `${ALERT_THRESHOLD_RESULT_NAMESPACE}.terms.field` as const; +const ALERT_THRESHOLD_RESULT_TERMS_VALUE = + `${ALERT_THRESHOLD_RESULT_NAMESPACE}.terms.value` as const; +const ALERT_NEW_TERMS = `${ALERT_NAMESPACE}.new_terms` as const; + +const namespaces = { + KIBANA_NAMESPACE, + ALERT_NAMESPACE, + ALERT_RULE_NAMESPACE, +}; + +const fields = { + ALERT_ACTION_GROUP, + ALERT_ANCESTORS, + ALERT_ANCESTORS_DEPTH, + ALERT_ANCESTORS_ID, + ALERT_ANCESTORS_INDEX, + ALERT_ANCESTORS_RULE, + ALERT_ANCESTORS_TYPE, + ALERT_DEPTH, + ALERT_DURATION, + ALERT_END, + ALERT_EVALUATION_RESULTS, + ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR, + ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE, + ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE, + ALERT_EVALUATION_RESULTS_VALUE, + 
ALERT_FLAPPING, + ALERT_GROUP_ID, + ALERT_GROUP_INDEX, + ALERT_ID, + ALERT_NEW_TERMS, + ALERT_ORIGINAL_EVENT_ACTION, + ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS, + ALERT_ORIGINAL_EVENT_CATEGORY, + ALERT_ORIGINAL_EVENT_CODE, + ALERT_ORIGINAL_EVENT_CREATED, + ALERT_ORIGINAL_EVENT_DATASET, + ALERT_ORIGINAL_EVENT_DURATION, + ALERT_ORIGINAL_EVENT_END, + ALERT_ORIGINAL_EVENT_HASH, + ALERT_ORIGINAL_EVENT_ID, + ALERT_ORIGINAL_EVENT_INGESTED, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_ORIGINAL_EVENT_ORIGINAL, + ALERT_ORIGINAL_EVENT_OUTCOME, + ALERT_ORIGINAL_EVENT_PROVIDER, + ALERT_ORIGINAL_EVENT_REASON, + ALERT_ORIGINAL_EVENT_REFERENCE, + ALERT_ORIGINAL_EVENT_RISK_SCORE, + ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, + ALERT_ORIGINAL_EVENT_SEQUENCE, + ALERT_ORIGINAL_EVENT_SEVERITY, + ALERT_ORIGINAL_EVENT_START, + ALERT_ORIGINAL_EVENT_TIMEZONE, + ALERT_ORIGINAL_EVENT_TYPE, + ALERT_ORIGINAL_EVENT_URL, + ALERT_ORIGINAL_TIME, + ALERT_REASON, + ALERT_RISK_SCORE, + ALERT_RULE_CATEGORY, + ALERT_RULE_CONSUMER, + ALERT_RULE_EXECUTION_UUID, + ALERT_RULE_NAME, + ALERT_RULE_PARAMETERS, + ALERT_RULE_PRODUCER, + ALERT_RULE_TAGS, + ALERT_RULE_TYPE_ID, + ALERT_RULE_UUID, + ALERT_SEVERITY, + ALERT_START, + ALERT_STATUS, + ALERT_THRESHOLD_RESULT_CARDINALITY, + ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD, + ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE, + ALERT_THRESHOLD_RESULT_COUNT, + ALERT_THRESHOLD_RESULT_FROM, + ALERT_THRESHOLD_RESULT_TERMS, + ALERT_THRESHOLD_RESULT_TERMS_FIELD, + ALERT_THRESHOLD_RESULT_TERMS_VALUE, + ALERT_TIME_RANGE, + ALERT_UUID, + ALERT_WORKFLOW_STATUS, + ANOMALY_BUCKET_SPAN_MINUTES, + ANOMALY_START, + MONITOR_ID, + MONITOR_NAME, + MONITOR_TYPE, + PROCESSOR_EVENT, + SPACE_IDS, + TRANSACTION_TYPE, + TRANSACTION_NAME, + VERSION, +}; + +export { + ALERT_ACTION_GROUP, + ALERT_ANCESTORS, + ALERT_ANCESTORS_DEPTH, + ALERT_ANCESTORS_ID, + ALERT_ANCESTORS_INDEX, + ALERT_ANCESTORS_RULE, + ALERT_ANCESTORS_TYPE, + ALERT_DEPTH, + ALERT_DURATION, + ALERT_END, + 
ALERT_EVALUATION_RESULTS, + ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR, + ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE, + ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE, + ALERT_EVALUATION_RESULTS_VALUE, + ALERT_FLAPPING, + ALERT_GROUP_ID, + ALERT_GROUP_INDEX, + ALERT_ID, + ALERT_NEW_TERMS, + ALERT_ORIGINAL_EVENT_ACTION, + ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS, + ALERT_ORIGINAL_EVENT_CATEGORY, + ALERT_ORIGINAL_EVENT_CODE, + ALERT_ORIGINAL_EVENT_CREATED, + ALERT_ORIGINAL_EVENT_DATASET, + ALERT_ORIGINAL_EVENT_DURATION, + ALERT_ORIGINAL_EVENT_END, + ALERT_ORIGINAL_EVENT_HASH, + ALERT_ORIGINAL_EVENT_ID, + ALERT_ORIGINAL_EVENT_INGESTED, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_ORIGINAL_EVENT_ORIGINAL, + ALERT_ORIGINAL_EVENT_OUTCOME, + ALERT_ORIGINAL_EVENT_PROVIDER, + ALERT_ORIGINAL_EVENT_REASON, + ALERT_ORIGINAL_EVENT_REFERENCE, + ALERT_ORIGINAL_EVENT_RISK_SCORE, + ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, + ALERT_ORIGINAL_EVENT_SEQUENCE, + ALERT_ORIGINAL_EVENT_SEVERITY, + ALERT_ORIGINAL_EVENT_START, + ALERT_ORIGINAL_EVENT_TIMEZONE, + ALERT_ORIGINAL_EVENT_TYPE, + ALERT_ORIGINAL_EVENT_URL, + ALERT_ORIGINAL_TIME, + ALERT_REASON, + ALERT_RISK_SCORE, + ALERT_RULE_CATEGORY, + ALERT_RULE_CONSUMER, + ALERT_RULE_EXECUTION_UUID, + ALERT_RULE_NAME, + ALERT_RULE_PARAMETERS, + ALERT_RULE_PRODUCER, + ALERT_RULE_TAGS, + ALERT_RULE_TYPE_ID, + ALERT_RULE_UUID, + ALERT_SEVERITY, + ALERT_START, + ALERT_STATUS, + ALERT_THRESHOLD_RESULT_CARDINALITY, + ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD, + ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE, + ALERT_THRESHOLD_RESULT_COUNT, + ALERT_THRESHOLD_RESULT_FROM, + ALERT_THRESHOLD_RESULT_TERMS, + ALERT_THRESHOLD_RESULT_TERMS_FIELD, + ALERT_THRESHOLD_RESULT_TERMS_VALUE, + ALERT_TIME_RANGE, + ALERT_UUID, + ALERT_WORKFLOW_STATUS, + ANOMALY_BUCKET_SPAN_MINUTES, + ANOMALY_START, + MONITOR_ID, + MONITOR_NAME, + MONITOR_TYPE, + PROCESSOR_EVENT, + SPACE_IDS, + TRANSACTION_TYPE, + TRANSACTION_NAME, + VERSION, + ALERT_NAMESPACE, + 
ALERT_RULE_NAMESPACE,
+ KIBANA_NAMESPACE,
+};
+
+export type DefaultAlertFieldName = ValuesType;
diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
index 6b51906cca1ef0..b7313065abba56 100644
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -7,41 +7,51 @@ */ import { ValuesType } from 'utility-types'; +import { + KIBANA_NAMESPACE, + ALERT_ACTION_GROUP, + ALERT_DURATION, + ALERT_END, + ALERT_FLAPPING, + ALERT_REASON, + ALERT_RISK_SCORE, + ALERT_RULE_CATEGORY, + ALERT_RULE_CONSUMER, + ALERT_RULE_EXECUTION_UUID, + ALERT_RULE_NAME, + ALERT_RULE_PARAMETERS, + ALERT_RULE_PRODUCER, + ALERT_RULE_TAGS, + ALERT_RULE_TYPE_ID, + ALERT_RULE_UUID, + ALERT_SEVERITY, + ALERT_START, + ALERT_STATUS, + ALERT_TIME_RANGE, + ALERT_UUID, + ALERT_WORKFLOW_STATUS, + SPACE_IDS, + VERSION, + ALERT_NAMESPACE, + ALERT_RULE_NAMESPACE, +} from './default_alerts_as_data'; -const KIBANA_NAMESPACE = 'kibana' as const; - -const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const; -const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const; const ALERT_RULE_THREAT_NAMESPACE = `${ALERT_RULE_NAMESPACE}.threat` as const; const ECS_VERSION = 'ecs.version' as const; const EVENT_ACTION = 'event.action' as const; const EVENT_KIND = 'event.kind' as const; const EVENT_MODULE = 'event.module' as const; -const SPACE_IDS = `${KIBANA_NAMESPACE}.space_ids` as const; const TAGS = 'tags' as const; const TIMESTAMP = '@timestamp' as const; -const VERSION = `${KIBANA_NAMESPACE}.version` as const; // Fields pertaining to the alert -const ALERT_ACTION_GROUP = `${ALERT_NAMESPACE}.action_group` as const; const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const; -const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const; -const ALERT_END = `${ALERT_NAMESPACE}.end` as const; const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const; const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; -const ALERT_FLAPPING = `${ALERT_NAMESPACE}.flapping` as const; const ALERT_INSTANCE_ID = `${ALERT_NAMESPACE}.instance.id` as const; -const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const; -const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const; -const ALERT_SEVERITY = 
`${ALERT_NAMESPACE}.severity` as const; -const ALERT_START = `${ALERT_NAMESPACE}.start` as const; -const ALERT_TIME_RANGE = `${ALERT_NAMESPACE}.time_range` as const; -const ALERT_STATUS = `${ALERT_NAMESPACE}.status` as const; const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const; -const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const; const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const; -const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const; const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const; const ALERT_SUPPRESSION_META = `${ALERT_NAMESPACE}.suppression` as const; const ALERT_SUPPRESSION_TERMS = `${ALERT_SUPPRESSION_META}.terms` as const; 
@@ -58,22 +68,16 @@ const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const;
 const ALERT_RULE_DESCRIPTION = `${ALERT_RULE_NAMESPACE}.description` as const;
 const ALERT_RULE_ENABLED = `${ALERT_RULE_NAMESPACE}.enabled` as const;
 const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const;
-const ALERT_RULE_EXECUTION_UUID = `${ALERT_RULE_NAMESPACE}.execution.uuid` as const;
 const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const;
 const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const;
 const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const;
-const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const;
-const ALERT_RULE_NAME = `${ALERT_RULE_NAMESPACE}.name` as const;
 const ALERT_RULE_NAMESPACE_FIELD = `${ALERT_RULE_NAMESPACE}.namespace` as const;
 const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const;
-const ALERT_RULE_PARAMETERS = `${ALERT_RULE_NAMESPACE}.parameters` as const;
 const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const;
 const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const;
 const ALERT_RULE_RULE_NAME_OVERRIDE = `${ALERT_RULE_NAMESPACE}.rule_name_override` as const;
-const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const;
 const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const;
 const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const;
-const ALERT_RULE_TYPE_ID = `${ALERT_RULE_NAMESPACE}.rule_type_id` as const;
 const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const;
 const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const;
 const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const;
@@ -94,16 +98,6 @@ const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME =
 const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE =
 `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.reference` as const;
-// the feature instantiating a rule type.
-// Rule created in stack --> alerts
-// Rule created in siem --> siem
-const ALERT_RULE_CONSUMER = `${ALERT_RULE_NAMESPACE}.consumer` as const;
-// the plugin that registered the rule type.
-// Rule type apm.error_rate --> apm
-// Rule type siem.signals --> siem
-const ALERT_RULE_PRODUCER = `${ALERT_RULE_NAMESPACE}.producer` as const;
-const ALERT_RULE_UUID = `${ALERT_RULE_NAMESPACE}.uuid` as const;
-
 const namespaces = {
 KIBANA_NAMESPACE,
 ALERT_NAMESPACE,
@@ -185,23 +179,11 @@ const fields = {
 };
 export {
- ALERT_ACTION_GROUP,
 ALERT_BUILDING_BLOCK_TYPE,
- ALERT_DURATION,
- ALERT_END,
 ALERT_EVALUATION_THRESHOLD,
 ALERT_EVALUATION_VALUE,
- ALERT_FLAPPING,
 ALERT_INSTANCE_ID,
- ALERT_NAMESPACE,
- ALERT_RULE_NAMESPACE,
- ALERT_RULE_CONSUMER,
- ALERT_RULE_PRODUCER,
- ALERT_REASON,
- ALERT_RISK_SCORE,
- ALERT_STATUS,
 ALERT_WORKFLOW_REASON,
- ALERT_WORKFLOW_STATUS,
 ALERT_WORKFLOW_USER,
 ALERT_RULE_AUTHOR,
 ALERT_RULE_CREATED_AT,
@@ -209,36 +191,24 @@ export {
 ALERT_RULE_DESCRIPTION,
 ALERT_RULE_ENABLED,
 ALERT_RULE_EXCEPTIONS_LIST,
- ALERT_RULE_EXECUTION_UUID,
 ALERT_RULE_FROM,
 ALERT_RULE_INTERVAL,
 ALERT_RULE_LICENSE,
- ALERT_RULE_NAME,
 ALERT_RULE_NAMESPACE_FIELD,
 ALERT_RULE_NOTE,
- ALERT_RULE_PARAMETERS,
 ALERT_RULE_REFERENCES,
 ALERT_RULE_RULE_ID,
 ALERT_RULE_RULE_NAME_OVERRIDE,
- ALERT_RULE_TAGS,
 ALERT_RULE_TO,
 ALERT_RULE_TYPE,
- ALERT_RULE_TYPE_ID,
 ALERT_RULE_UPDATED_AT,
 ALERT_RULE_UPDATED_BY,
 ALERT_RULE_VERSION,
- ALERT_SEVERITY,
- ALERT_START,
- ALERT_TIME_RANGE,
 ALERT_SYSTEM_STATUS,
- ALERT_UUID,
 ECS_VERSION,
 EVENT_ACTION,
 EVENT_KIND,
 EVENT_MODULE,
- KIBANA_NAMESPACE,
- ALERT_RULE_UUID,
- ALERT_RULE_CATEGORY,
 ALERT_THREAT_FRAMEWORK,
 ALERT_THREAT_TACTIC_ID,
 ALERT_THREAT_TACTIC_NAME,
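Review bot: The first hunk removes the explanatory comments on ALERT_RULE_CONSUMER (`the feature instantiating a rule type`) and ALERT_RULE_PRODUCER (`the plugin that registered the rule type`) together with the constants, and nothing left in this file tells a reader where they went. The default_alerts_as_data.ts hunk begins before this chunk, so I cannot confirm the comments were carried over; if they were not, re-add them at the new definitions, because the consumer/producer distinction is easy to confuse and, as far as I know, the consumer value is what alert-level authorization filtering keys on elsewhere in the alerting code. The second and third hunks also drop ALERT_NAMESPACE, ALERT_RULE_CONSUMER, ALERT_RULE_UUID, ALERT_RULE_CATEGORY and others from this module's `export {}` lists; unless the package index re-exports default_alerts_as_data, any caller importing those names from technical_field_names breaks, which is worth checking before this leaves wip.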
@@ -257,8 +227,6 @@ export {
 ALERT_SUPPRESSION_DOCS_COUNT,
 TAGS,
 TIMESTAMP,
- SPACE_IDS,
- VERSION,
 };
 export type TechnicalRuleDataFieldName = ValuesType;
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/ecs_component_template.ts b/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/ecs_component_template.ts
deleted file mode 100644
index 8e956ba0004a24..00000000000000
--- a/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/ecs_component_template.ts
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-import { merge } from 'lodash';
-import { mappingFromFieldMap } from '../../mapping_from_field_map';
-import { ClusterPutComponentTemplateBody } from '../../types';
-import { ecsFieldMap } from '../field_maps/ecs_field_map';
-import { technicalRuleFieldMap } from '../field_maps/technical_rule_field_map';
-
-export const ecsComponentTemplate: ClusterPutComponentTemplateBody = {
- template: {
- settings: {
- number_of_shards: 1,
- 'index.mapping.total_fields.limit': 1700,
- },
- mappings: merge(
- {},
- mappingFromFieldMap(ecsFieldMap, 'strict'),
- mappingFromFieldMap(technicalRuleFieldMap, 'strict')
- ),
- },
-};
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/technical_component_template.ts b/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/technical_component_template.ts
deleted file mode 100644
index e110be339d0a0f..00000000000000
--- a/x-pack/plugins/alerting/common/alert_schema/assets/component_templates/technical_component_template.ts
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { mappingFromFieldMap } from '../../mapping_from_field_map';
-import { ClusterPutComponentTemplateBody } from '../../types';
-import { technicalRuleFieldMap } from '../field_maps/technical_rule_field_map';
-
-export const technicalComponentTemplate: ClusterPutComponentTemplateBody = {
- template: {
- settings: {
- number_of_shards: 1,
- },
- mappings: mappingFromFieldMap(technicalRuleFieldMap, 'strict'),
- },
-};
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.test.ts
deleted file mode 100644
index 4e2d591bf88bd0..00000000000000
--- a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.test.ts
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { experimentalRuleFieldMap } from './experimental_rule_field_map';
-
-// This test purely exists to see what the resultant mappings are and
-// make it obvious when some dependency results in the mappings changing
-it('matches snapshot', () => {
- expect(experimentalRuleFieldMap).toMatchInlineSnapshot(`
- Object {
- "kibana.alert.evaluation.threshold": Object {
- "scaling_factor": 100,
- "type": "scaled_float",
- },
- "kibana.alert.evaluation.value": Object {
- "scaling_factor": 100,
- "type": "scaled_float",
- },
- }
- `);
-});
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.ts
deleted file mode 100644
index 92f93015309c0b..00000000000000
--- a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/experimental_rule_field_map.ts
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as Fields from '../../technical_rule_data_field_names';
-
-export const experimentalRuleFieldMap = {
- [Fields.ALERT_EVALUATION_THRESHOLD]: { type: 'scaled_float', scaling_factor: 100 },
- [Fields.ALERT_EVALUATION_VALUE]: { type: 'scaled_float', scaling_factor: 100 },
-} as const;
-
-export type ExperimentalRuleFieldMap = typeof experimentalRuleFieldMap;
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.test.ts
deleted file mode 100644
index e546f339d2b886..00000000000000
--- a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.test.ts
+++ /dev/null
@@ -1,269 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { technicalRuleFieldMap } from './technical_rule_field_map'; - -// This test purely exists to see what the resultant mappings are and -// make it obvious when some dependency results in the mappings changing -it('matches snapshot', () => { - expect(technicalRuleFieldMap).toMatchInlineSnapshot(` - Object { - "@timestamp": Object { - "array": false, - "required": true, - "type": "date", - }, - "ecs.version": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "event.action": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "event.kind": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.action_group": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.duration.us": Object { - "type": "long", - }, - "kibana.alert.end": Object { - "type": "date", - }, - "kibana.alert.flapping": Object { - "type": "boolean", - }, - "kibana.alert.instance.id": Object { - "required": true, - "type": "keyword", - }, - "kibana.alert.reason": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.risk_score": Object { - "array": false, - "required": false, - "type": "float", - }, - "kibana.alert.rule.author": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.category": Object { - "array": false, - "required": true, - "type": "keyword", - }, - "kibana.alert.rule.consumer": Object { - "required": true, - "type": "keyword", - }, - "kibana.alert.rule.created_at": Object { - "array": false, - "required": false, - "type": "date", - }, - "kibana.alert.rule.created_by": Object { - "array": false, - "required": 
false, - "type": "keyword", - }, - "kibana.alert.rule.description": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.enabled": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.execution.uuid": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.from": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.interval": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.license": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.name": Object { - "array": false, - "required": true, - "type": "keyword", - }, - "kibana.alert.rule.note": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.parameters": Object { - "ignore_above": 4096, - "type": "flattened", - }, - "kibana.alert.rule.producer": Object { - "required": true, - "type": "keyword", - }, - "kibana.alert.rule.references": Object { - "array": true, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.rule_id": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.rule_name_override": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.rule_type_id": Object { - "required": true, - "type": "keyword", - }, - "kibana.alert.rule.tags": Object { - "array": true, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.to": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.type": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.rule.updated_at": Object { - "array": false, - "required": false, - "type": "date", - }, - "kibana.alert.rule.updated_by": Object { - "array": false, - "required": false, - "type": "keyword", - }, - 
"kibana.alert.rule.uuid": Object { - "array": false, - "required": true, - "type": "keyword", - }, - "kibana.alert.rule.version": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.severity": Object { - "type": "keyword", - }, - "kibana.alert.start": Object { - "type": "date", - }, - "kibana.alert.status": Object { - "required": true, - "type": "keyword", - }, - "kibana.alert.suppression.docs_count": Object { - "array": false, - "required": false, - "type": "long", - }, - "kibana.alert.suppression.end": Object { - "array": false, - "required": false, - "type": "date", - }, - "kibana.alert.suppression.start": Object { - "array": false, - "required": false, - "type": "date", - }, - "kibana.alert.suppression.terms.field": Object { - "array": true, - "required": false, - "type": "keyword", - }, - "kibana.alert.suppression.terms.value": Object { - "array": true, - "required": false, - "type": "keyword", - }, - "kibana.alert.system_status": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.time_range": Object { - "format": "epoch_millis||strict_date_optional_time", - "type": "date_range", - }, - "kibana.alert.uuid": Object { - "required": true, - "type": "keyword", - }, - "kibana.alert.workflow_reason": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.workflow_status": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.alert.workflow_user": Object { - "array": false, - "required": false, - "type": "keyword", - }, - "kibana.space_ids": Object { - "array": true, - "required": true, - "type": "keyword", - }, - "kibana.version": Object { - "array": false, - "required": false, - "type": "version", - }, - "tags": Object { - "array": true, - "required": false, - "type": "keyword", - }, - } - `); -}); 
diff --git a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.ts
deleted file mode 100644
index aeebe987e20de6..00000000000000
--- a/x-pack/plugins/alerting/common/alert_schema/assets/field_maps/technical_rule_field_map.ts
+++ /dev/null
@@ -1,219 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { pickWithPatterns } from '../../pick_with_patterns'; -import * as Fields from '../../technical_rule_data_field_names'; -import { ecsFieldMap } from './ecs_field_map'; - -export const technicalRuleFieldMap = { - ...pickWithPatterns( - ecsFieldMap, - Fields.TIMESTAMP, - Fields.EVENT_KIND, - Fields.EVENT_ACTION, - Fields.TAGS - ), - [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096 }, - [Fields.ALERT_RULE_TYPE_ID]: { type: 'keyword', required: true }, - [Fields.ALERT_RULE_CONSUMER]: { type: 'keyword', required: true }, - [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword', required: true }, - [Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true }, - [Fields.ALERT_UUID]: { type: 'keyword', required: true }, - [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true }, - [Fields.ALERT_START]: { type: 'date' }, - [Fields.ALERT_TIME_RANGE]: { - type: 'date_range', - format: 'epoch_millis||strict_date_optional_time', - }, - [Fields.ALERT_END]: { type: 'date' }, - [Fields.ALERT_DURATION]: { type: 'long' }, - [Fields.ALERT_SEVERITY]: { type: 'keyword' }, - [Fields.ALERT_STATUS]: { type: 'keyword', required: true }, - [Fields.ALERT_FLAPPING]: { type: 'boolean' }, - [Fields.VERSION]: { - type: 'version', - array: false, - required: false, - }, - [Fields.ECS_VERSION]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RISK_SCORE]: { - type: 'float', - array: false, - required: false, - }, - [Fields.ALERT_WORKFLOW_STATUS]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_WORKFLOW_USER]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_WORKFLOW_REASON]: { - type: 'keyword', - 
array: false, - required: false, - }, - [Fields.ALERT_SYSTEM_STATUS]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_ACTION_GROUP]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_REASON]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_AUTHOR]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_CATEGORY]: { - type: 'keyword', - array: false, - required: true, - }, - [Fields.ALERT_RULE_UUID]: { - type: 'keyword', - array: false, - required: true, - }, - [Fields.ALERT_RULE_CREATED_AT]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_RULE_CREATED_BY]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_DESCRIPTION]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_ENABLED]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_EXECUTION_UUID]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_FROM]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_INTERVAL]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_LICENSE]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_NAME]: { - type: 'keyword', - array: false, - required: true, - }, - [Fields.ALERT_RULE_NOTE]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_REFERENCES]: { - type: 'keyword', - array: true, - required: false, - }, - [Fields.ALERT_RULE_RULE_ID]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_RULE_NAME_OVERRIDE]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_TAGS]: { - type: 'keyword', - array: true, - required: false, - }, - [Fields.ALERT_RULE_TO]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_TYPE]: { 
- type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_UPDATED_AT]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_RULE_UPDATED_BY]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_RULE_VERSION]: { - type: 'keyword', - array: false, - required: false, - }, - [Fields.ALERT_SUPPRESSION_FIELD]: { - type: 'keyword', - array: true, - required: false, - }, - [Fields.ALERT_SUPPRESSION_VALUE]: { - type: 'keyword', - array: true, - required: false, - }, - [Fields.ALERT_SUPPRESSION_START]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_SUPPRESSION_END]: { - type: 'date', - array: false, - required: false, - }, - [Fields.ALERT_SUPPRESSION_DOCS_COUNT]: { - type: 'long', - array: false, - required: false, - }, -} as const; - -export type TechnicalRuleFieldMap = typeof technicalRuleFieldMap; diff --git a/x-pack/plugins/alerting/common/alert_schema/component_templates/alerts_component_template.ts b/x-pack/plugins/alerting/common/alert_schema/component_templates/alerts_component_template.ts new file mode 100644 index 00000000000000..6adc40a79c2170 --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/component_templates/alerts_component_template.ts 
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types';
+import { mappingFromFieldMap } from '../field_maps/mapping_from_field_map';
+import { alertFieldMap } from '../field_maps/alert_field_map';
+export const ALERTS_COMPONENT_TEMPLATE_NAME = 'alerts-default-component-template';
+export const alertsComponentTemplate: ClusterPutComponentTemplateRequest = {
+ name: ALERTS_COMPONENT_TEMPLATE_NAME,
+ template: {
+ settings: {
+ number_of_shards: 1,
+ 'index.mapping.total_fields.limit': 100,
+ },
+ mappings: mappingFromFieldMap(alertFieldMap, 'strict'),
+ },
+};
diff --git a/x-pack/plugins/alerting/common/alert_schema/component_templates/assets/ecs_legacy_template.json b/x-pack/plugins/alerting/common/alert_schema/component_templates/assets/ecs_legacy_template.json
deleted file mode 100644
index d0ce120bb28b99..00000000000000
--- a/x-pack/plugins/alerting/common/alert_schema/component_templates/assets/ecs_legacy_template.json
+++ /dev/null
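Review bot: `'index.mapping.total_fields.limit': 100` on the settings line is far below the 1700 that the deleted ecs_component_template.ts carried, and the hunk gives no rationale; because the mapping comes from `mappingFromFieldMap(alertFieldMap, 'strict')`, that limit effectively caps how many leaf fields alertFieldMap may declare before installing this component template fails, so it is worth confirming the map fits with headroom. Strict dynamic mapping is the right choice here, since documents carrying fields outside the declared schema are rejected instead of silently growing the mapping. I would record the intent above the settings block: `// Strict mapping: only fields declared in alertFieldMap are accepted; the field cap is deliberately low and should be raised when the map grows.` ALERTS_COMPONENT_TEMPLATE_NAME is exported without a doc comment; a one-line TSDoc saying what installs the template and that the name is part of the cluster state would help readers of the alerts service.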
@@ -1,7182 +0,0 @@ -{ - "index_patterns": [ - "try-ecs-*" - ], - "mappings": { - "_meta": { - "version": "8.6.0-dev" - }, - "date_detection": false, - "dynamic_templates": [ - { - "strings_as_keyword": { - "mapping": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - 
"type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { 
- "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "dataset": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - 
"type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - } - } - } - }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "type": "wildcard" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "type": "match_only_text" - }, - "stack_trace": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - 
"type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - 
"type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 
1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - 
"properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flattened" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "message": { - "type": "match_only_text" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - 
"sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - } - } - }, - 
"start": { - "type": "date" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": 
{ - "type": "long" - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { 
- "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": 
{ - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": 
{ - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - } - } - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 
1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - 
"type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - } - } - }, - "start": { - "type": "date" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": 
"long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" 
- } - } - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - 
"type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - 
"last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "modified_at": { - "type": "date" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "original": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "type": "wildcard" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, 
- "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - 
"valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "type": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": 
"wildcard" - }, - "original": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "type": "wildcard" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "threat": { - "properties": { - "indicator": { - "properties": { - "marking": { - "properties": { - "tlp": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - 
"common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "original": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": 
"wildcard" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "type": "wildcard" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 
1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "vendor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": 
"float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "order": 1, - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": 10000 - } - }, - "refresh_interval": "5s" - } - } -} diff --git a/x-pack/plugins/alerting/common/alert_schema/component_templates/ecs_component_template.ts b/x-pack/plugins/alerting/common/alert_schema/component_templates/ecs_component_template.ts new file mode 100644 index 00000000000000..676b732b85b95b --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/component_templates/ecs_component_template.ts @@ -0,0 +1,22 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types'; +import { mappingFromFieldMap } from '../field_maps/mapping_from_field_map'; +import { ecsFieldMap } from '../field_maps/ecs_field_map'; + +export const ECS_COMPONENT_TEMPLATE_NAME = 'alerts-ecs-component-template'; +export const ecsComponentTemplate: ClusterPutComponentTemplateRequest = { + name: ECS_COMPONENT_TEMPLATE_NAME, + template: { + settings: { + number_of_shards: 1, + 'index.mapping.total_fields.limit': 2000, + }, + mappings: mappingFromFieldMap(ecsFieldMap, 'strict'), + }, +}; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts index b8bb4605edd318..f6571708c9e8eb 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts 
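Review bot: The ECS component template caps `'index.mapping.total_fields.limit'` at 2000, while the JSON index template deleted just above in this same patch set it to 10000, and with `ecsFieldMap` running to roughly 9000 source lines (see the ecs_field_map.ts hunk below) the generated mapping, multi-fields included, may well exceed 2000 fields and make index creation with this template fail. If the template is meant to carry the whole ECS field set, derive the limit from the map or restore the earlier value, e.g. `'index.mapping.total_fields.limit': 10000,`. `mappingFromFieldMap(ecsFieldMap, 'strict')` is the right default for an alerts index, since documents carrying unmapped fields are rejected instead of silently growing the mapping; a one-line comment would keep someone from relaxing it later, e.g. `// strict: documents with unmapped fields are rejected rather than widening the mapping`.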
@@ -5,206 +5,503 @@ * 2.0. */ -import * as Fields from '@kbn/rule-data-utils'; +import { + ALERT_ACTION_GROUP, + ALERT_ANCESTORS, + ALERT_ANCESTORS_DEPTH, + ALERT_ANCESTORS_ID, + ALERT_ANCESTORS_INDEX, + ALERT_ANCESTORS_RULE, + ALERT_ANCESTORS_TYPE, + ALERT_DEPTH, + ALERT_DURATION, + ALERT_END, + ALERT_EVALUATION_RESULTS, + ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR, + ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE, + ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE, + ALERT_EVALUATION_RESULTS_VALUE, + ALERT_FLAPPING, + ALERT_GROUP_ID, + ALERT_GROUP_INDEX, + ALERT_ID, + ALERT_NEW_TERMS, + ALERT_ORIGINAL_EVENT_ACTION, + ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS, + ALERT_ORIGINAL_EVENT_CATEGORY, + ALERT_ORIGINAL_EVENT_CODE, + ALERT_ORIGINAL_EVENT_CREATED, + ALERT_ORIGINAL_EVENT_DATASET, + ALERT_ORIGINAL_EVENT_DURATION, + ALERT_ORIGINAL_EVENT_END, + ALERT_ORIGINAL_EVENT_HASH, + ALERT_ORIGINAL_EVENT_ID, + ALERT_ORIGINAL_EVENT_INGESTED, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_ORIGINAL_EVENT_ORIGINAL, + ALERT_ORIGINAL_EVENT_OUTCOME, + ALERT_ORIGINAL_EVENT_PROVIDER, + ALERT_ORIGINAL_EVENT_REASON, + ALERT_ORIGINAL_EVENT_REFERENCE, + ALERT_ORIGINAL_EVENT_RISK_SCORE, + ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, + ALERT_ORIGINAL_EVENT_SEQUENCE, + ALERT_ORIGINAL_EVENT_SEVERITY, + ALERT_ORIGINAL_EVENT_START, + ALERT_ORIGINAL_EVENT_TIMEZONE, + ALERT_ORIGINAL_EVENT_TYPE, + ALERT_ORIGINAL_EVENT_URL, + ALERT_ORIGINAL_TIME, + ALERT_REASON, + ALERT_RISK_SCORE, + ALERT_RULE_CATEGORY, + ALERT_RULE_CONSUMER, + ALERT_RULE_EXECUTION_UUID, + ALERT_RULE_NAME, + ALERT_RULE_PARAMETERS, + ALERT_RULE_PRODUCER, + ALERT_RULE_TAGS, + ALERT_RULE_TYPE_ID, + ALERT_RULE_UUID, + ALERT_SEVERITY, + ALERT_START, + ALERT_STATUS, + ALERT_THRESHOLD_RESULT_CARDINALITY, + ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD, + ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE, + ALERT_THRESHOLD_RESULT_COUNT, + ALERT_THRESHOLD_RESULT_FROM, + ALERT_THRESHOLD_RESULT_TERMS, + ALERT_THRESHOLD_RESULT_TERMS_FIELD, + 
ALERT_THRESHOLD_RESULT_TERMS_VALUE, + ALERT_TIME_RANGE, + ALERT_UUID, + ALERT_WORKFLOW_STATUS, + ANOMALY_BUCKET_SPAN_MINUTES, + ANOMALY_START, + MONITOR_ID, + MONITOR_NAME, + MONITOR_TYPE, + PROCESSOR_EVENT, + SPACE_IDS, + TRANSACTION_TYPE, + TRANSACTION_NAME, + VERSION, +} from '@kbn/rule-data-utils'; export const alertFieldMap = { - [Fields.ALERT_RULE_PARAMETERS]: { type: 'flattened', ignore_above: 4096 }, - [Fields.ALERT_RULE_TYPE_ID]: { type: 'keyword', required: true }, - [Fields.ALERT_RULE_CONSUMER]: { type: 'keyword', required: true }, - [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword', required: true }, - [Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true }, - [Fields.ALERT_UUID]: { type: 'keyword', required: true }, - [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true }, - [Fields.ALERT_START]: { type: 'date' }, - [Fields.ALERT_TIME_RANGE]: { + [ALERT_RULE_PARAMETERS]: { + type: 'object', + enabled: false, + required: false, + }, + [ALERT_RULE_TYPE_ID]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_RULE_CONSUMER]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_RULE_PRODUCER]: { + type: 'keyword', + array: false, + required: true, + }, + [SPACE_IDS]: { + type: 'keyword', + array: true, + required: true, + }, + [ALERT_UUID]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_ID]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_START]: { + type: 'date', + array: false, + required: false, + }, + [ALERT_TIME_RANGE]: { type: 'date_range', format: 'epoch_millis||strict_date_optional_time', + array: false, + required: false, }, - [Fields.ALERT_END]: { type: 'date' }, - [Fields.ALERT_DURATION]: { type: 'long' }, - [Fields.ALERT_SEVERITY]: { type: 'keyword' }, - [Fields.ALERT_STATUS]: { type: 'keyword', required: true }, - [Fields.ALERT_FLAPPING]: { type: 'boolean' }, - [Fields.VERSION]: { - type: 'version', + [ALERT_END]: { + type: 'date', + array: false, + 
required: false, + }, + [ALERT_DURATION]: { + type: 'long', + array: false, + required: false, + }, + [ALERT_SEVERITY]: { + type: 'keyword', array: false, required: false, }, - [Fields.ECS_VERSION]: { + [ALERT_STATUS]: { type: 'keyword', array: false, + required: true, + }, + [VERSION]: { + type: 'version', + array: false, required: false, }, - [Fields.ALERT_RISK_SCORE]: { + [ALERT_RISK_SCORE]: { type: 'float', array: false, required: false, }, - [Fields.ALERT_WORKFLOW_STATUS]: { + [ALERT_WORKFLOW_STATUS]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_WORKFLOW_USER]: { + [ALERT_ACTION_GROUP]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_WORKFLOW_REASON]: { + [ALERT_REASON]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_SYSTEM_STATUS]: { + [ALERT_RULE_CATEGORY]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_RULE_UUID]: { + type: 'keyword', + array: false, + required: true, + }, + [ALERT_RULE_EXECUTION_UUID]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_ACTION_GROUP]: { + [ALERT_RULE_NAME]: { type: 'keyword', array: false, + required: true, + }, + [ALERT_RULE_TAGS]: { + type: 'keyword', + array: true, + required: false, + }, + [ALERT_EVALUATION_RESULTS]: { + type: 'object', + array: true, required: false, }, - [Fields.ALERT_REASON]: { + [ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_AUTHOR]: { + [ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_CATEGORY]: { + [ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE]: { type: 'keyword', + array: true, + required: false, + }, + [ALERT_EVALUATION_RESULTS_VALUE]: { + type: 'float', array: false, - required: true, + required: false, + }, + [ALERT_FLAPPING]: { + type: 'boolean', + array: false, + required: false, }, - [Fields.ALERT_RULE_UUID]: { + [TRANSACTION_TYPE]: { type: 
'keyword', array: false, - required: true, + required: false, }, - [Fields.ALERT_RULE_CREATED_AT]: { - type: 'date', + [TRANSACTION_NAME]: { + type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_CREATED_BY]: { + [PROCESSOR_EVENT]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_DESCRIPTION]: { + [MONITOR_ID]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_ENABLED]: { + [MONITOR_NAME]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_EXECUTION_UUID]: { + [MONITOR_TYPE]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_FROM]: { + [ANOMALY_START]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_INTERVAL]: { + [ANOMALY_BUCKET_SPAN_MINUTES]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_LICENSE]: { + [ALERT_ANCESTORS]: { + type: 'object', + array: true, + required: false, + }, + [ALERT_ANCESTORS_DEPTH]: { + type: 'long', + array: false, + required: false, + }, + [ALERT_ANCESTORS_ID]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_NAME]: { + [ALERT_ANCESTORS_INDEX]: { type: 'keyword', array: false, - required: true, + required: false, }, - [Fields.ALERT_RULE_NOTE]: { + [ALERT_ANCESTORS_RULE]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_REFERENCES]: { + [ALERT_ANCESTORS_TYPE]: { type: 'keyword', - array: true, + array: false, + required: false, + }, + [ALERT_DEPTH]: { + type: 'long', + array: false, + required: false, + }, + [ALERT_GROUP_ID]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_GROUP_INDEX]: { + type: 'integer', + array: false, required: false, }, - [Fields.ALERT_RULE_RULE_ID]: { + [ALERT_ORIGINAL_EVENT_ACTION]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_RULE_NAME_OVERRIDE]: { + [ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS]: { type: 'keyword', array: false, required: false, }, - 
[Fields.ALERT_RULE_TAGS]: { + [ALERT_ORIGINAL_EVENT_CATEGORY]: { type: 'keyword', array: true, required: false, }, - [Fields.ALERT_RULE_TO]: { + [ALERT_ORIGINAL_EVENT_CODE]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_CREATED]: { + type: 'date', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_DATASET]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_DURATION]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_END]: { + type: 'date', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_HASH]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_TYPE]: { + [ALERT_ORIGINAL_EVENT_ID]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_UPDATED_AT]: { + [ALERT_ORIGINAL_EVENT_INGESTED]: { type: 'date', array: false, required: false, }, - [Fields.ALERT_RULE_UPDATED_BY]: { + [ALERT_ORIGINAL_EVENT_KIND]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_RULE_VERSION]: { + [ALERT_ORIGINAL_EVENT_MODULE]: { type: 'keyword', array: false, required: false, }, - [Fields.ALERT_SUPPRESSION_FIELD]: { + [ALERT_ORIGINAL_EVENT_ORIGINAL]: { type: 'keyword', - array: true, + array: false, required: false, }, - [Fields.ALERT_SUPPRESSION_VALUE]: { + [ALERT_ORIGINAL_EVENT_OUTCOME]: { type: 'keyword', - array: true, + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_PROVIDER]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_REASON]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_REFERENCE]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_RISK_SCORE]: { + type: 'float', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM]: { + type: 'float', + array: false, required: false, }, - [Fields.ALERT_SUPPRESSION_START]: { + 
[ALERT_ORIGINAL_EVENT_SEQUENCE]: { + type: 'long', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_SEVERITY]: { + type: 'long', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_START]: { type: 'date', array: false, required: false, }, - [Fields.ALERT_SUPPRESSION_END]: { + [ALERT_ORIGINAL_EVENT_TIMEZONE]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_ORIGINAL_EVENT_TYPE]: { + type: 'keyword', + array: true, + required: false, + }, + [ALERT_ORIGINAL_EVENT_URL]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_ORIGINAL_TIME]: { type: 'date', array: false, required: false, }, - [Fields.ALERT_SUPPRESSION_DOCS_COUNT]: { + [ALERT_THRESHOLD_RESULT_CARDINALITY]: { + type: 'object', + array: false, + required: false, + }, + [ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE]: { type: 'long', array: false, required: false, }, -} as const; + [ALERT_THRESHOLD_RESULT_COUNT]: { + type: 'long', + array: false, + required: false, + }, + [ALERT_THRESHOLD_RESULT_FROM]: { + type: 'date', + array: false, + required: false, + }, + [ALERT_THRESHOLD_RESULT_TERMS]: { + type: 'object', + array: true, + required: false, + }, + [ALERT_THRESHOLD_RESULT_TERMS_FIELD]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_THRESHOLD_RESULT_TERMS_VALUE]: { + type: 'keyword', + array: false, + required: false, + }, + [ALERT_NEW_TERMS]: { + type: 'keyword', + array: true, + required: false, + }, +}; -export type TechnicalRuleFieldMap = typeof technicalRuleFieldMap; +export type AlertFieldMap = typeof alertFieldMap; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts index 50cb59c83cdb9d..df346c922b0e63 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts 
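Review bot: Dropping `as const` on the closing `+};` of `alertFieldMap` (and the identical change to `ecsFieldMap` in the ecs_field_map.ts hunk that follows) widens every `type: 'keyword'` to `string` and `array: true` to `boolean`, so `AlertFieldMap` and `EcsFieldMap` no longer carry the per-field literals that let a consumer tell array from scalar or required from optional fields at the type level. If the intent is to have the object checked against `FieldMap` without losing those literals, keep the `as const` and add `satisfies FieldMap` where the toolchain supports it, and fall back to a plain `: FieldMap` annotation only where the literal types are genuinely not needed. Separately, `[ALERT_ORIGINAL_EVENT_DURATION]` is declared `type: 'keyword'`; if this field mirrors ECS `event.duration`, which ECS defines as a `long`, a keyword mapping diverges from the source event and rules out range queries on it, so it is worth confirming. The same check applies to `[ANOMALY_BUCKET_SPAN_MINUTES]` and `[ANOMALY_START]`, both `keyword` here although their names suggest numeric and date values.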
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts @@ -9005,6 +9005,6 @@ export const ecsFieldMap = { required: false, ignore_above: 1024, }, -} as const; +}; export type EcsFieldMap = typeof ecsFieldMap; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index a474f5aa126000..ef659d524a0d3a 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts @@ -93,6 +93,14 @@ describe('mappingFromFieldMap', () => { required: false, ignore_above: 1024, }, + unmapped_object: { + type: 'object', + enabled: false, + }, + formatted_field: { + type: 'date_range', + format: 'epoch_millis||strict_date_optional_time', + }, }; const expectedMapping = { properties: { @@ -157,6 +165,14 @@ describe('mappingFromFieldMap', () => { scaling_factor: 1000, type: 'scaled_float', }, + unmapped_object: { + enabled: false, + type: 'object', + }, + formatted_field: { + type: 'date_range', + format: 'epoch_millis||strict_date_optional_time', + }, }, }; it('correctly creates mapping from field map', () => { diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts index ae7eb25f25b3a0..5a1de7a995b366 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.ts 
@@ -5,20 +5,20 @@
 * 2.0.
 */
 
-import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import type { MappingTypeMapping } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { set } from '@kbn/safer-lodash-set';
-import { FieldMap } from './types';
+import { FieldMap, MultiField } from './types';
 
 export function mappingFromFieldMap(
 fieldMap: FieldMap,
 dynamic: 'strict' | boolean = 'strict'
-): estypes.MappingTypeMapping {
+): MappingTypeMapping {
 const mappings = {
 dynamic,
 properties: {},
 };
 
- const fields = Object.keys(fieldMap).map((key) => {
+ const fields = Object.keys(fieldMap).map((key: string) => {
 const field = fieldMap[key];
 return {
 name: key,
@@ -34,7 +34,7 @@ export function mappingFromFieldMap(
 ? {
 ...rest,
 // eslint-disable-next-line @typescript-eslint/naming-convention
- fields: multi_fields.reduce((acc, multi_field) => {
+ fields: multi_fields.reduce((acc, multi_field: MultiField) => {
 return {
 ...acc,
 [multi_field.name]: {
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/merge_field_maps.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/merge_field_maps.ts
index 124de243352ea3..efd0a2e2cd1aef 100644
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/merge_field_maps.ts
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/merge_field_maps.ts
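Review bot: The added `(key: string)` and `(acc, multi_field: MultiField)` parameter annotations are redundant: `Object.keys` already yields `string[]` and `multi_fields` is typed `MultiField[]` by the `FieldMap` interface this same patch updates, so both callbacks infer the same types without them and the new `MultiField` import becomes unused. I would keep the original `(key) =>` and `(acc, multi_field) =>` forms and, if an explicit type is wanted, put it on the result rather than on the callback parameter. The body of `mappingFromFieldMap` runs past both hunks, so I cannot see how `acc` is seeded; if the `reduce` has no initial value typed as the output record, that is the one place an annotation would actually buy something. Keeping `set` from `@kbn/safer-lodash-set` is the right call for writing dotted field paths into `properties`, presumably what the rest of the function does.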
@@ -4,46 +4,46 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { FieldMap } from './types'; - -export function mergeFieldMaps( - first: T1, - second: T2 -): T1 & T2 { - const conflicts: Array> = []; - - Object.keys(second).forEach((name) => { - const field = second[name]; - - const parts = name.split('.'); - - const parents = parts.slice(0, parts.length - 2).map((part, index, array) => { - return [...array.slice(0, index - 1), part].join('.'); - }); - - parents - .filter((parent) => first[parent] !== undefined) - .forEach((parent) => { - conflicts.push({ - [parent]: [{ type: 'object' }, first[parent]!], - }); - }); - - if (first[name]) { - conflicts.push({ - [name]: [field, first[name]], - }); - } - }); - - if (conflicts.length) { - const err = new Error(`Could not merge mapping due to conflicts`); - Object.assign(err, { conflicts }); - throw err; - } - - return { - ...first, - ...second, - }; -} +// import { FieldMap } from './types'; + +// export function mergeFieldMaps( +// first: T1, +// second: T2 +// ): T1 & T2 { +// const conflicts: Array> = []; + +// Object.keys(second).forEach((name) => { +// const field = second[name]; + +// const parts = name.split('.'); + +// const parents = parts.slice(0, parts.length - 2).map((part, index, array) => { +// return [...array.slice(0, index - 1), part].join('.'); +// }); + +// parents +// .filter((parent) => first[parent] !== undefined) +// .forEach((parent) => { +// conflicts.push({ +// [parent]: [{ type: 'object' }, first[parent]!], +// }); +// }); + +// if (first[name]) { +// conflicts.push({ +// [name]: [field, first[name]], +// }); +// } +// }); + +// if (conflicts.length) { +// const err = new Error(`Could not merge mapping due to conflicts`); +// Object.assign(err, { conflicts }); +// throw err; +// } + +// return { +// ...first, +// ...second, +// }; +// } 
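Review bot: The whole of merge_field_maps.ts is turned into `//` comments rather than deleted, and the same is done to runtime_type_from_fieldmap.ts, runtime_type_from_fieldmap.test.ts and parse_technical_fields.ts later in this patch; a file whose only content is a commented-out body still gets linted, still reads as if it might be live, and gains nothing over git history. If these are only parked during the WIP, a single `// TODO(<owner>): restore once <reason>` at the top of each file would say so; otherwise the files should go. If `mergeFieldMaps` is ever restored, note that the parent-path computation `parts.slice(0, parts.length - 2)` combined with `array.slice(0, index - 1)` does not produce the ancestors of `name`: for `a.b` it yields no parents at all, and for `a.b.c.d` it yields `a.a` and `b`, so the object-versus-leaf conflict check it feeds never fires for a real collision.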
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts index 0acf80bfb42e52..14f558a4a4b7cc 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts 
@@ -4,92 +4,92 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { runtimeTypeFromFieldMap } from './runtime_type_from_fieldmap'; +// import { runtimeTypeFromFieldMap } from './runtime_type_from_fieldmap'; -describe('runtimeTypeFromFieldMap', () => { - const fieldmapRt = runtimeTypeFromFieldMap({ - keywordField: { type: 'keyword' }, - longField: { type: 'long' }, - requiredKeywordField: { type: 'keyword', required: true }, - multiKeywordField: { type: 'keyword', array: true }, - } as const); +// describe('runtimeTypeFromFieldMap', () => { +// const fieldmapRt = runtimeTypeFromFieldMap({ +// keywordField: { type: 'keyword' }, +// longField: { type: 'long' }, +// requiredKeywordField: { type: 'keyword', required: true }, +// multiKeywordField: { type: 'keyword', array: true }, +// } as const); - it('accepts both singular and array fields', () => { - expect( - fieldmapRt.is({ - requiredKeywordField: 'keyword', - }) - ).toBe(true); +// it('accepts both singular and array fields', () => { +// expect( +// fieldmapRt.is({ +// requiredKeywordField: 'keyword', +// }) +// ).toBe(true); - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - }) - ).toBe(true); +// expect( +// fieldmapRt.is({ +// requiredKeywordField: ['keyword'], +// }) +// ).toBe(true); - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - multiKeywordField: 'keyword', - }) - ).toBe(true); +// expect( +// fieldmapRt.is({ +// requiredKeywordField: ['keyword'], +// multiKeywordField: 'keyword', +// }) +// ).toBe(true); - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - multiKeywordField: ['keyword'], - }) - ).toBe(true); - }); +// expect( +// fieldmapRt.is({ +// requiredKeywordField: ['keyword'], +// multiKeywordField: ['keyword'], +// }) +// ).toBe(true); +// }); - it('fails on invalid data types', () => { - expect( - fieldmapRt.is({ - requiredKeywordField: 2, - }) - ).toBe(false); +// it('fails on invalid data types', 
() => { +// expect( +// fieldmapRt.is({ +// requiredKeywordField: 2, +// }) +// ).toBe(false); - expect( - fieldmapRt.is({ - requiredKeywordField: [2], - }) - ).toBe(false); +// expect( +// fieldmapRt.is({ +// requiredKeywordField: [2], +// }) +// ).toBe(false); - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - longField: ['keyword'], - }) - ).toBe(false); +// expect( +// fieldmapRt.is({ +// requiredKeywordField: ['keyword'], +// longField: ['keyword'], +// }) +// ).toBe(false); - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - longField: [3], - }) - ).toBe(true); +// expect( +// fieldmapRt.is({ +// requiredKeywordField: ['keyword'], +// longField: [3], +// }) +// ).toBe(true); - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - longField: 3, - }) - ).toBe(true); - }); +// expect( +// fieldmapRt.is({ +// requiredKeywordField: ['keyword'], +// longField: 3, +// }) +// ).toBe(true); +// }); - it('outputs to single or array values', () => { - expect( - fieldmapRt.encode({ - requiredKeywordField: ['required'], - keywordField: 'keyword', - longField: [3, 2], - multiKeywordField: ['keyword', 'foo'], - }) - ).toEqual({ - requiredKeywordField: 'required', - keywordField: 'keyword', - longField: 3, - multiKeywordField: ['keyword', 'foo'], - }); - }); -}); +// it('outputs to single or array values', () => { +// expect( +// fieldmapRt.encode({ +// requiredKeywordField: ['required'], +// keywordField: 'keyword', +// longField: [3, 2], +// multiKeywordField: ['keyword', 'foo'], +// }) +// ).toEqual({ +// requiredKeywordField: 'required', +// keywordField: 'keyword', +// longField: 3, +// multiKeywordField: ['keyword', 'foo'], +// }); +// }); +// }); diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts index 55ffb1302f96d5..5690b68ccd4fcc 100644 
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts 
@@ -4,136 +4,136 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { Optional } from 'utility-types'; -import { mapValues, pickBy } from 'lodash'; -import { either } from 'fp-ts/lib/Either'; -import * as t from 'io-ts'; -import { FieldMap } from './types'; - -const NumberFromString = new t.Type( - 'NumberFromString', - (u): u is number => typeof u === 'number', - (u, c) => - either.chain(t.string.validate(u, c), (s) => { - const d = Number(s); - return isNaN(d) ? t.failure(u, c) : t.success(d); - }), - (a) => a -); - -const BooleanFromString = new t.Type( - 'BooleanFromString', - (u): u is boolean => typeof u === 'boolean', - (u, c) => - either.chain(t.string.validate(u, c), (s) => { - switch (s.toLowerCase().trim()) { - case '1': - case 'true': - case 'yes': - return t.success(true); - case '0': - case 'false': - case 'no': - case null: - return t.success(false); - default: - return t.failure(u, c); - } - }), - (a) => a -); - -const esFieldTypeMap = { - keyword: t.string, - version: t.string, - text: t.string, - date: t.string, - boolean: t.union([t.number, BooleanFromString]), - byte: t.union([t.number, NumberFromString]), - long: t.union([t.number, NumberFromString]), - integer: t.union([t.number, NumberFromString]), - short: t.union([t.number, NumberFromString]), - double: t.union([t.number, NumberFromString]), - float: t.union([t.number, NumberFromString]), - scaled_float: t.union([t.number, NumberFromString]), - unsigned_long: t.union([t.number, NumberFromString]), - flattened: t.UnknownRecord, -}; - -type EsFieldTypeMap = typeof esFieldTypeMap; - -type EsFieldTypeOf = T extends keyof EsFieldTypeMap - ? 
EsFieldTypeMap[T] - : t.UnknownC; - -type CastArray> = t.Type< - t.TypeOf | Array>, - Array>, - unknown ->; -type CastSingle> = t.Type< - t.TypeOf | Array>, - t.TypeOf, - unknown ->; - -const createCastArrayRt = >(type: T): CastArray => { - const union = t.union([type, t.array(type)]); - - return new t.Type('castArray', union.is, union.validate, (a) => (Array.isArray(a) ? a : [a])); -}; - -const createCastSingleRt = >(type: T): CastSingle => { - const union = t.union([type, t.array(type)]); - - return new t.Type('castSingle', union.is, union.validate, (a) => (Array.isArray(a) ? a[0] : a)); -}; - -type SetOptional = Optional< - T, - { - [key in keyof T]: T[key]['required'] extends true ? never : key; - }[keyof T] ->; - -type OutputOfField = T['array'] extends true - ? Array>> - : t.OutputOf>; - -type TypeOfField = - | t.TypeOf> - | Array>>; - -type OutputOf = { - [key in keyof T]: OutputOfField>; -}; - -type TypeOf = { - [key in keyof T]: TypeOfField>; -}; - -export type TypeOfFieldMap = TypeOf>; -export type OutputOfFieldMap = OutputOf>; - -export type FieldMapType = t.Type, OutputOfFieldMap>; - -export function runtimeTypeFromFieldMap( - fieldMap: TFieldMap -): FieldMapType { - function mapToType(fields: FieldMap) { - return mapValues(fields, (field) => { - const type = - field.type in esFieldTypeMap - ? esFieldTypeMap[field.type as keyof EsFieldTypeMap] - : t.unknown; - - return field.array ? 
createCastArrayRt(type) : createCastSingleRt(type); - }); - } - - const required = pickBy(fieldMap, (field) => field.required); - return t.intersection([ - t.exact(t.partial(mapToType(fieldMap))), - t.type(mapToType(required)), - ]) as unknown as FieldMapType; -} +// import { Optional } from 'utility-types'; +// import { mapValues, pickBy } from 'lodash'; +// import { either } from 'fp-ts/lib/Either'; +// import * as t from 'io-ts'; +// import { FieldMap } from './types'; + +// const NumberFromString = new t.Type( +// 'NumberFromString', +// (u): u is number => typeof u === 'number', +// (u, c) => +// either.chain(t.string.validate(u, c), (s) => { +// const d = Number(s); +// return isNaN(d) ? t.failure(u, c) : t.success(d); +// }), +// (a) => a +// ); + +// const BooleanFromString = new t.Type( +// 'BooleanFromString', +// (u): u is boolean => typeof u === 'boolean', +// (u, c) => +// either.chain(t.string.validate(u, c), (s) => { +// switch (s.toLowerCase().trim()) { +// case '1': +// case 'true': +// case 'yes': +// return t.success(true); +// case '0': +// case 'false': +// case 'no': +// case null: +// return t.success(false); +// default: +// return t.failure(u, c); +// } +// }), +// (a) => a +// ); + +// const esFieldTypeMap = { +// keyword: t.string, +// version: t.string, +// text: t.string, +// date: t.string, +// boolean: t.union([t.number, BooleanFromString]), +// byte: t.union([t.number, NumberFromString]), +// long: t.union([t.number, NumberFromString]), +// integer: t.union([t.number, NumberFromString]), +// short: t.union([t.number, NumberFromString]), +// double: t.union([t.number, NumberFromString]), +// float: t.union([t.number, NumberFromString]), +// scaled_float: t.union([t.number, NumberFromString]), +// unsigned_long: t.union([t.number, NumberFromString]), +// flattened: t.UnknownRecord, +// }; + +// type EsFieldTypeMap = typeof esFieldTypeMap; + +// type EsFieldTypeOf = T extends keyof EsFieldTypeMap +// ? 
EsFieldTypeMap[T] +// : t.UnknownC; + +// type CastArray> = t.Type< +// t.TypeOf | Array>, +// Array>, +// unknown +// >; +// type CastSingle> = t.Type< +// t.TypeOf | Array>, +// t.TypeOf, +// unknown +// >; + +// const createCastArrayRt = >(type: T): CastArray => { +// const union = t.union([type, t.array(type)]); + +// return new t.Type('castArray', union.is, union.validate, (a) => (Array.isArray(a) ? a : [a])); +// }; + +// const createCastSingleRt = >(type: T): CastSingle => { +// const union = t.union([type, t.array(type)]); + +// return new t.Type('castSingle', union.is, union.validate, (a) => (Array.isArray(a) ? a[0] : a)); +// }; + +// type SetOptional = Optional< +// T, +// { +// [key in keyof T]: T[key]['required'] extends true ? never : key; +// }[keyof T] +// >; + +// type OutputOfField = T['array'] extends true +// ? Array>> +// : t.OutputOf>; + +// type TypeOfField = +// | t.TypeOf> +// | Array>>; + +// type OutputOf = { +// [key in keyof T]: OutputOfField>; +// }; + +// type TypeOf = { +// [key in keyof T]: TypeOfField>; +// }; + +// export type TypeOfFieldMap = TypeOf>; +// export type OutputOfFieldMap = OutputOf>; + +// export type FieldMapType = t.Type, OutputOfFieldMap>; + +// export function runtimeTypeFromFieldMap( +// fieldMap: TFieldMap +// ): FieldMapType { +// function mapToType(fields: FieldMap) { +// return mapValues(fields, (field) => { +// const type = +// field.type in esFieldTypeMap +// ? esFieldTypeMap[field.type as keyof EsFieldTypeMap] +// : t.unknown; + +// return field.array ? createCastArrayRt(type) : createCastSingleRt(type); +// }); +// } + +// const required = pickBy(fieldMap, (field) => field.required); +// return t.intersection([ +// t.exact(t.partial(mapToType(fieldMap))), +// t.type(mapToType(required)), +// ]) as unknown as FieldMapType; +// } 
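Review bot: Should `runtimeTypeFromFieldMap` be revived, the `boolean` entry of `esFieldTypeMap`, `t.union([t.number, BooleanFromString])`, has no `t.boolean` member, and `BooleanFromString.validate` starts from `t.string.validate`, so decoding a document whose boolean field holds a genuine JSON `true`/`false` fails while `1` or `"yes"` succeed; `t.union([t.boolean, t.number, BooleanFromString])` would match the field's declared type. In the same codec, `case null:` inside `switch (s.toLowerCase().trim())` is unreachable because the switch subject is always a string. Both live in commented-out code on the new side, so nothing breaks today, but they will the day the comment markers are removed.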
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts
index 8deecfd0f9c63a..fe8a6b858d1aee 100644
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts
@@ -5,14 +5,24 @@
 * 2.0.
 */
 
+export interface MultiField {
+ flat_name?: string;
+ name: string;
+ type: string;
+}
+
 export interface FieldMap {
 [key: string]: {
 type: string;
- required?: boolean;
 array?: boolean;
- path?: string;
+ doc_values?: boolean;
+ enabled?: boolean;
+ format?: string;
 ignore_above?: number;
+ index?: boolean;
+ multi_fields?: MultiField[];
+ path?: string;
+ required?: boolean;
 scaling_factor?: number;
- multi_fields?: Array<{ flat_name: string; name: string; type: string }>;
 };
 }
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/index.ts b/x-pack/plugins/alerting/common/alert_schema/index.ts
similarity index 59%
rename from x-pack/plugins/alerting/common/alert_schema/field_maps/index.ts
rename to x-pack/plugins/alerting/common/alert_schema/index.ts
index fac8575b8af48e..097f2ef5e9961b 100644
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/index.ts
+++ b/x-pack/plugins/alerting/common/alert_schema/index.ts
@@ -5,6 +5,5 @@
 * 2.0.
 */
 
-export * from './merge_field_maps';
-export * from './runtime_type_from_fieldmap';
-export * from './types';
+export { ecsComponentTemplate } from './component_templates/ecs_component_template';
+export { alertsComponentTemplate } from './component_templates/alerts_component_template';
diff --git a/x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts b/x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts
index c5b7d0425f2453..46adb33c865511 100644
--- a/x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts
+++ b/x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts
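Review bot: `FieldMap` and the new `MultiField` carry no documentation, and the interface now mixes two kinds of keys, ones consumed by this package's own logic and ones that pass straight through into the Elasticsearch mapping, without saying which is which. A short TSDoc on `FieldMap` would stop the next key from landing in the wrong category, e.g. `/** Per-field schema keyed by dotted field path. 'required' and 'array' describe the alert document contract (presumably stripped before the ES mapping is built; confirm against mappingFromFieldMap); every other key is copied into the field's Elasticsearch mapping, so only valid mapping parameters belong here. */`. Making `flat_name` optional on `MultiField` is fine for the visible caller, which only reads `multi_field.name`, but a one-line comment should say the field is informational so nobody starts relying on it.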
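Review bot: The moved index.ts drops `export * from './types'` together with the two runtime exports, so any module that imported `FieldMap` through the barrel now has to reach into `./field_maps/types` directly; if the barrel is meant to stay the public surface of `alert_schema`, keep `export type { FieldMap, MultiField } from './field_maps/types';`. The new line also re-exports `alertsComponentTemplate` from `./component_templates/alerts_component_template`, a file I do not see created anywhere in this chunk (the component template added here is `ecs_component_template.ts`), so the barrel may not compile until that file lands in the series.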
@@ -5,33 +5,33 @@ * 2.0. */ -import { isLeft } from 'fp-ts/lib/Either'; -import { PathReporter } from 'io-ts/lib/PathReporter'; -import { pick } from 'lodash'; -import { - technicalRuleFieldMap, - TechnicalRuleFieldMap, -} from './assets/field_maps/technical_rule_field_map'; -import { runtimeTypeFromFieldMap } from './field_map'; +// import { isLeft } from 'fp-ts/lib/Either'; +// import { PathReporter } from 'io-ts/lib/PathReporter'; +// import { pick } from 'lodash'; +// import { +// technicalRuleFieldMap, +// TechnicalRuleFieldMap, +// } from './assets/field_maps/technical_rule_field_map'; +// import { runtimeTypeFromFieldMap } from './field_map'; -const technicalFieldRuntimeType = - runtimeTypeFromFieldMap(technicalRuleFieldMap); +// const technicalFieldRuntimeType = +// runtimeTypeFromFieldMap(technicalRuleFieldMap); -export const parseTechnicalFields = (input: unknown, partial = false) => { - const decodePartial = (alert: unknown) => { - const limitedFields = pick(technicalRuleFieldMap, Object.keys(alert as object)); - const partialTechnicalFieldRuntimeType = runtimeTypeFromFieldMap( - limitedFields as unknown as TechnicalRuleFieldMap - ); - return partialTechnicalFieldRuntimeType.decode(alert); - }; +// export const parseTechnicalFields = (input: unknown, partial = false) => { +// const decodePartial = (alert: unknown) => { +// const limitedFields = pick(technicalRuleFieldMap, Object.keys(alert as object)); +// const partialTechnicalFieldRuntimeType = runtimeTypeFromFieldMap( +// limitedFields as unknown as TechnicalRuleFieldMap +// ); +// return partialTechnicalFieldRuntimeType.decode(alert); +// }; - const validate = partial ? decodePartial(input) : technicalFieldRuntimeType.decode(input); +// const validate = partial ? 
decodePartial(input) : technicalFieldRuntimeType.decode(input); - if (isLeft(validate)) { - throw new Error(PathReporter.report(validate).join('\n')); - } - return technicalFieldRuntimeType.encode(validate.right); -}; +// if (isLeft(validate)) { +// throw new Error(PathReporter.report(validate).join('\n')); +// } +// return technicalFieldRuntimeType.encode(validate.right); +// }; -export type ParsedTechnicalFields = ReturnType; +// export type ParsedTechnicalFields = ReturnType; diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js index 980949bff40842..a9e6bd57c2375a 100644 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js +++ b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js 
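Review bot: Commenting out the whole module leaves `parse_technical_fields.ts` with no exports, and the same pattern recurs in the `create_schema_from_mapping.js` and `generate_schemas.sh` hunks of this patch, the latter keeping its executable mode bit while running no commands. If the code is meant to return, a one-line header such as `// Disabled while the alert-schema runtime types are reworked; do not import from this module` records why and stops someone importing `parseTechnicalFields` or `ParsedTechnicalFields`; if not, deleting the files is cleaner than keeping commented copies that git history already preserves.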
@@ -4,52 +4,53 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -const path = require('path'); -const fs = require('fs'); -const util = require('util'); -const yaml = require('js-yaml'); -const { exec: execCb } = require('child_process'); -const { reduce } = require('lodash'); -const LineWriter = require('./lib/line_writer'); - -const exists = util.promisify(fs.exists); -const readFile = util.promisify(fs.readFile); -const writeFile = util.promisify(fs.writeFile); -const exec = util.promisify(execCb); - -const ecsDir = path.resolve(__dirname, '../../../../../../ecs'); -const ecsYamlFilename = path.join(ecsDir, 'generated/ecs/ecs_flat.yml'); - -const outputDir = path.join(__dirname, '../assets/field_maps'); -const outputFieldMapFilename = path.join(outputDir, 'ecs_field_map.ts'); - -async function createSchema() { - if (process.argv.length < 3) { - logError(`Error no mapping file specified`); - } - - const mappingFile = process.argv[2]; - // eslint-disable-next-line import/no-dynamic-require - const template = require(mappingFile); - - const lineWriter = LineWriter.createLineWriter(); - generateSchemaLines(lineWriter, null, template.mappings); - // last line will have an extraneous comma - const schemaLines = lineWriter.getContent().replace(/,$/, ''); - - const contents = getSchemaFileContents(ecsVersion, schemaLines); - const schemaCode = `${contents}\n`; - - writeGeneratedFile(EVENT_LOG_CONFIG_SCHEMA_FILE, schemaCode); - console.log('generated:', EVENT_LOG_CONFIG_SCHEMA_FILE); -} - -function logError(message) { - console.log(`error: ${message}`); - process.exit(1); -} - -createSchema().catch((err) => { - console.log(err); - process.exit(1); -}); + +// const path = require('path'); +// const fs = require('fs'); +// const util = require('util'); +// const yaml = require('js-yaml'); +// const { exec: execCb } = require('child_process'); +// const { reduce } = require('lodash'); +// const LineWriter = 
require('./lib/line_writer'); + +// const exists = util.promisify(fs.exists); +// const readFile = util.promisify(fs.readFile); +// const writeFile = util.promisify(fs.writeFile); +// const exec = util.promisify(execCb); + +// const ecsDir = path.resolve(__dirname, '../../../../../../ecs'); +// const ecsYamlFilename = path.join(ecsDir, 'generated/ecs/ecs_flat.yml'); + +// const outputDir = path.join(__dirname, '../assets/field_maps'); +// const outputFieldMapFilename = path.join(outputDir, 'ecs_field_map.ts'); + +// async function createSchema() { +// if (process.argv.length < 3) { +// logError(`Error no mapping file specified`); +// } + +// const mappingFile = process.argv[2]; +// // eslint-disable-next-line import/no-dynamic-require +// const template = require(mappingFile); + +// const lineWriter = LineWriter.createLineWriter(); +// generateSchemaLines(lineWriter, null, template.mappings); +// // last line will have an extraneous comma +// const schemaLines = lineWriter.getContent().replace(/,$/, ''); + +// const contents = getSchemaFileContents(ecsVersion, schemaLines); +// const schemaCode = `${contents}\n`; + +// writeGeneratedFile(EVENT_LOG_CONFIG_SCHEMA_FILE, schemaCode); +// console.log('generated:', EVENT_LOG_CONFIG_SCHEMA_FILE); +// } + +// function logError(message) { +// console.log(`error: ${message}`); +// process.exit(1); +// } + +// createSchema().catch((err) => { +// console.log(err); +// process.exit(1); +// }); diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js index 534f231d0b3c49..abd874f5fbbd2f 100644 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js +++ b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js 
@@ -14,6 +14,7 @@ const { reduce } = require('lodash'); const readFile = util.promisify(fs.readFile); const writeFile = util.promisify(fs.writeFile); +const deleteFile = util.promisify(fs.unlink); const exec = util.promisify(execCb); const ecsYmlUrlPrefix = `https://raw.githubusercontent.com/elastic/ecs/v8.5.2/generated/ecs/`; @@ -79,7 +80,7 @@ async function generate() { do not manually edit */ - export const ecsFieldMap = ${JSON.stringify(fields, null, 2)} as const + export const ecsFieldMap = ${JSON.stringify(fields, null, 2)} export type EcsFieldMap = typeof ecsFieldMap; `, @@ -90,6 +91,8 @@ async function generate() { ]); console.log(`Successfully generated fieldmap at ${outputFieldMapFilename}`); + + await deleteFile(ecsYmlFilename); }); }, (err) => { diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh index 8ef4e9a41301b0..69e6682e70830a 100755 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh +++ b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh 
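Review bot: `await deleteFile(ecsYmlFilename);` runs only on the success path inside the callback, so a failed `writeFile` or any error thrown earlier leaves the downloaded `ecs_flat.yml` in the working tree; if the file is meant to be transient, perform the cleanup in the `(err) =>` branch as well, or in a `finally`. `generate()` starts outside the hunk, so I cannot see whether the enclosing callback is declared `async`; if it is not, the added `await` will not parse. Dropping `as const` from the emitted `export const ecsFieldMap` widens `EcsFieldMap` so each entry's `type` becomes `string` rather than a literal; if that is done so the output satisfies the `FieldMap` interface, a sentence in the generated header comment saying so would save the next reader from restoring it.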
@@ -5,18 +5,18 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -echo --- Getting ECS template +# echo --- Getting ECS template -# Pin to a specific commit -# ECS_VERSION=8.6 -# git clone --depth 1 -b $ECS_VERSION https://github.com/elastic/ecs.git ./ecs +# # Pin to a specific commit +# # ECS_VERSION=8.6 +# # git clone --depth 1 -b $ECS_VERSION https://github.com/elastic/ecs.git ./ecs -# cp ./ecs/generated/elasticsearch/legacy/template.json ../component_templates/assets/ecs_legacy_template.json +# # cp ./ecs/generated/elasticsearch/legacy/template.json ../component_templates/assets/ecs_legacy_template.json -# rm -rf ./ecs +# # rm -rf ./ecs -echo --- Generating ECS schema from template +# echo --- Generating ECS schema from template -node create_schema_from_mapping.js ../component_templates/assets/ecs_legacy_template.json +# node create_schema_from_mapping.js ../component_templates/assets/ecs_legacy_template.json -echo --- Generating Alert schema from template +# echo --- Generating Alert schema from template diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index eeb3db0be00664..7037da93d48f6c 100644 --- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts @@ -22,6 +22,7 @@ export * from './rule_notify_when_type'; export * from './parse_duration'; export * from './execution_log_types'; export * from './rule_snooze_type'; +export * from './alert_schema'; export interface AlertingFrameworkHealth { isSufficientlySecure: boolean; diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 410a02dd942728..740b35484e6419 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -7,7 +7,7 @@ import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types'; import { Logger, ElasticsearchClient } from '@kbn/core/server'; -import { ecsComponentTemplate } from './schema/lib/ecsComponentTemplate'; +import { alertsComponentTemplate, ecsComponentTemplate } from '../../common'; import { ILM_POLICY_NAME, DEFAULT_ILM_POLICY } from './default_lifecycle_policy'; interface AlertsServiceParams { @@ -75,7 +75,7 @@ export class AlertsService implements IAlertsService { private async createOrUpdateComponentTemplates(esClient: ElasticsearchClient) { await Promise.all([ - // this.createOrUpdateComponentTemplate(esClient, ALERTS_COMPONENT_TEMPLATE_NAME, {}), + this.createOrUpdateComponentTemplate(esClient, alertsComponentTemplate), this.createOrUpdateComponentTemplate(esClient, ecsComponentTemplate), ]); } From e2c4d3c419e02286be29dfee14a2b5655941b2ff Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Thu, 17 Nov 2022 14:38:36 -0500 Subject: [PATCH 04/42] Fixing tsconfig --- x-pack/plugins/alerting/tsconfig.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/alerting/tsconfig.json b/x-pack/plugins/alerting/tsconfig.json index 105ed878b09752..7e0fdf6d4187b5 100644 --- a/x-pack/plugins/alerting/tsconfig.json +++ b/x-pack/plugins/alerting/tsconfig.json @@ -10,7 +10,7 @@ // have to declare *.json explicitly due to https://github.com/microsoft/TypeScript/issues/25636 "server/**/*.json", "public/**/*", - "common/*" + "common/**/*" ], "kbn_references": [ { "path": "../../../src/core/tsconfig.json" }, From df02fb4823f6cde2f00e31819ff1509eb2bfa9db Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Thu, 17 Nov 2022 16:37:36 -0500 Subject: [PATCH 05/42] Fixing checks --- x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts | 2 +- x-pack/plugins/alerting/server/alerts_service/alerts_service.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts index fe8a6b858d1aee..f43eb193c90707 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts @@ -14,6 +14,7 @@ export interface MultiField { export interface FieldMap { [key: string]: { type: string; + required: boolean; array?: boolean; doc_values?: boolean; enabled?: boolean; @@ -22,7 +23,6 @@ export interface FieldMap { index?: boolean; multi_fields?: MultiField[]; path?: string; - required?: boolean; scaling_factor?: number; }; } diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 740b35484e6419..3bca94dc27cd80 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -143,5 +143,5 @@ export class AlertsService implements IAlertsService { // } // } - private async installWithRetry() {} + // private async installWithRetry() {} } From 6b54cffaebe87c03c7235fd02000a78500f154cd Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Thu, 17 Nov 2022 17:02:22 -0500 Subject: [PATCH 06/42] Fixing checks --- .../alert_schema/field_maps/mapping_from_field_map.test.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index ef659d524a0d3a..6e90ff56c16dc0 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts 
@@ -5,9 +5,10 @@ * 2.0. */ import { mappingFromFieldMap } from './mapping_from_field_map'; +import { FieldMap } from './types'; describe('mappingFromFieldMap', () => { - const fieldMap = { + const fieldMap: FieldMap = { date_field: { type: 'date', array: false, @@ -95,10 +96,12 @@ describe('mappingFromFieldMap', () => { }, unmapped_object: { type: 'object', + required: false, enabled: false, }, formatted_field: { type: 'date_range', + required: false, format: 'epoch_millis||strict_date_optional_time', }, }; From 7e02900f009cb378aa103ba2f3d5fbf534c86325 Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Sun, 20 Nov 2022 21:54:20 -0500 Subject: [PATCH 07/42] wip --- .../field_maps/field_map_to_io_ts.test.ts | 174 +++++ .../field_maps/field_map_to_io_ts.ts | 221 +++++++ .../runtime_type_from_fieldmap.test.ts | 158 ++--- .../field_maps/runtime_type_from_fieldmap.ts | 266 ++++---- .../runtime_types/alert_field_map.ts | 600 ++++++++++++++++++ .../scripts/create_schema_from_mapping.js | 98 +-- .../alert_schema/scripts/generate_schemas.sh | 4 +- 7 files changed, 1260 insertions(+), 261 deletions(-) create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.test.ts create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.ts create mode 100644 x-pack/plugins/alerting/common/alert_schema/runtime_types/alert_field_map.ts diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.test.ts new file mode 100644 index 00000000000000..45cbbd1e57e0b7 --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.test.ts 
@@ -0,0 +1,174 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { fieldMapToIoTs } from './field_map_to_io_ts'; + +describe(`fieldMapToIoTs`, () => { + test('fail with anything other than an object', () => { + // @ts-expect-error + expect(() => fieldMapToIoTs(null)).toThrow(); + }); + // test('invalid type => errors with malformed schema', () => { + // expect(() => + // schemaToIoTs({ + // // @ts-expect-error Non-valid type + // an_invalid_field: { type: 'invalid', _meta: { description: 'Test description' } }, + // }) + // ).toThrow(/Malformed schema/); + // }); + // test('array type missing `items` => errors with malformed schema', () => { + // expect(() => + // schemaToIoTs({ + // // @ts-expect-error Non-valid array-construct + // an_invalid_field: { type: 'array' }, + // }) + // ).toThrow(/Malformed schema/); + // }); + // test('minimal schemas and empty value => pass', () => { + // const validator = schemaToIoTs({}); + // expect(validator.is({})).toBe(true); + // }); + // test('value has fields not defined in the schema => fail', () => { + // const validator = schemaToIoTs({}); + // expect(validator.is({ version: 'some-version' })).toBe(false); + // expect(validator.is({ an_array: [{ docs: { missing: 1 } }] })).toBe(false); + // }); + // test('support optional fields', () => { + // const validator = schemaToIoTs({ + // an_optional_field: { + // type: 'keyword', + // _meta: { + // description: 'An optional field', + // optional: true, + // }, + // }, + // an_optional_obj: { + // _meta: { optional: true }, + // properties: { + // other_field: { type: 'short', _meta: { description: 'Test description' } }, + // }, + // }, + // an_optional_array: { + // type: 'array', + // items: { type: 'short', _meta: { description: 'Test description' } }, + // 
_meta: { optional: true }, + // }, + // }); + // expect(validator.is({})).toBe(true); + // }); + // test('value has nested-fields not defined in the schema => fail', () => { + // const schemas: Array> = [ + // { + // an_array: { + // type: 'array', + // _meta: { description: 'Test description' }, + // items: { + // properties: {}, + // }, + // }, + // }, + // { + // an_array: { + // type: 'array', + // _meta: { description: 'Test description' }, + // items: { + // properties: { docs: { properties: {} } }, + // }, + // }, + // }, + // ]; + // schemas.forEach((schema) => { + // const validator = schemaToIoTs(schema); + // expect(validator.is({ an_array: [{ docs: { missing: 1 } }] })).toBe(false); + // }); + // }); + // test('value has nested-fields defined in the schema, but with wrong type => fail', () => { + // const validator = schemaToIoTs({ + // an_array: { + // type: 'array', + // items: { + // properties: { + // docs: { + // properties: { + // field: { type: 'short', _meta: { description: 'Test description' } }, + // }, + // }, + // }, + // }, + // }, + // }); + // expect(validator.is({ an_array: [{ docs: { field: 'abc' } }] })).toBe(false); + // }); + // test.each([ + // 'boolean', + // 'byte', + // 'double', + // 'float', + // 'integer', + // 'long', + // 'short', + // ] as AllowedSchemaTypes[])('Expected type %s, but got string', (type) => { + // const validator = schemaToIoTs({ + // a_field: { type, _meta: { description: 'Test description' } }, + // }); + // expect(validator.is({ a_field: 'abc' })).toBe(false); + // }); + // test.each(['keyword', 'text', 'date'] as AllowedSchemaTypes[])( + // 'Expected type %s, but got number', + // (type) => { + // const validator = schemaToIoTs({ + // a_field: { type, _meta: { description: 'Test description' } }, + // }); + // expect(validator.is({ a_field: 1234 })).toBe(false); + // } + // ); + // test('Support DYNAMIC_KEY', () => { + // const validator = schemaToIoTs({ + // a_field: { + // properties: { DYNAMIC_KEY: { 
type: 'short', _meta: { description: 'Test description' } } }, + // }, + // }); + // expect(validator.is({ a_field: { some_key: 1234 } })).toBe(true); + // }); + // test('Support DYNAMIC_KEY + known props', () => { + // const validator = schemaToIoTs({ + // a_field: { + // properties: { + // DYNAMIC_KEY: { type: 'short', _meta: { description: 'Test description' } }, + // known_prop: { type: 'short', _meta: { description: 'Test description' } }, + // }, + // }, + // }); + // expect(validator.is({ a_field: { some_key: 1234, known_prop: 1234 } })).toBe(true); + // }); + // test('value has nested-fields defined in the schema => succeed', () => { + // const validator = schemaToIoTs({ + // an_array: { + // type: 'array', + // items: { + // properties: { + // docs: { + // properties: { + // field: { type: 'short', _meta: { description: 'Test description' } }, + // }, + // }, + // }, + // }, + // }, + // }); + // expect(validator.is({ an_array: [{ docs: { field: 1 } }] })).toBe(true); + // }); + + // test('allow pass_through properties', () => { + // const validator = schemaToIoTs({ + // im_only_passing_through_data: { + // type: 'pass_through', + // _meta: { description: 'Test description' }, + // }, + // }); + // expect(validator.is({ im_only_passing_through_data: [{ docs: { field: 1 } }] })).toBe(true); + // }); +}); diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.ts new file mode 100644 index 00000000000000..036d30f0b1958b --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.ts 
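Review bot: The only live test, `expect(() => fieldMapToIoTs(null)).toThrow()`, appears to pass for the wrong reason: lodash's `pickBy` returns `{}` for a `null` collection, so the throw would come from `t.interface` receiving `undefined` because `entriesToObjectIoTs` in the implementation hunk never returns a value; once that is fixed the test fails. Add an explicit guard in the implementation, `if (fieldMap == null || typeof fieldMap !== 'object') throw new Error('fieldMap must be an object');`, so the behaviour being asserted is real. The remaining commented-out cases exercise `schemaToIoTs` and `AllowedSchemaTypes`, which do not exist in this module; port them to `fieldMapToIoTs` with `FieldMap` fixtures (required/optional fields, `array: true`, unknown keys) or drop them rather than leaving ~150 lines of inert text.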
@@ -0,0 +1,221 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { Optional } from 'utility-types'; +import { mapValues, pickBy } from 'lodash'; +import { either } from 'fp-ts/lib/Either'; +import * as t from 'io-ts'; +import { FieldMap } from './types'; + +const NumberFromString = new t.Type( + 'NumberFromString', + (u): u is number => typeof u === 'number', + (u, c) => + either.chain(t.string.validate(u, c), (s) => { + const d = Number(s); + return isNaN(d) ? t.failure(u, c) : t.success(d); + }), + (a) => a +); + +const BooleanFromString = new t.Type( + 'BooleanFromString', + (u): u is boolean => typeof u === 'boolean', + (u, c) => + either.chain(t.string.validate(u, c), (s) => { + switch (s.toLowerCase().trim()) { + case '1': + case 'true': + case 'yes': + return t.success(true); + case '0': + case 'false': + case 'no': + case null: + return t.success(false); + default: + return t.failure(u, c); + } + }), + (a) => a +); + +const esFieldTypeMap = { + keyword: t.string, + version: t.string, + text: t.string, + date: t.string, + boolean: t.union([t.number, BooleanFromString]), + byte: t.union([t.number, NumberFromString]), + long: t.union([t.number, NumberFromString]), + integer: t.union([t.number, NumberFromString]), + short: t.union([t.number, NumberFromString]), + double: t.union([t.number, NumberFromString]), + float: t.union([t.number, NumberFromString]), + scaled_float: t.union([t.number, NumberFromString]), + unsigned_long: t.union([t.number, NumberFromString]), + flattened: t.UnknownRecord, +}; + +type EsFieldTypeMap = typeof esFieldTypeMap; + +type EsFieldTypeOf = T extends keyof EsFieldTypeMap + ? 
EsFieldTypeMap[T] + : t.UnknownC; + +type CastArray> = t.Type< + t.TypeOf | Array>, + Array>, + unknown +>; +type CastSingle> = t.Type< + t.TypeOf | Array>, + t.TypeOf, + unknown +>; + +const createCastArrayRt = >(type: T): CastArray => { + const union = t.union([type, t.array(type)]); + + return new t.Type('castArray', union.is, union.validate, (a) => (Array.isArray(a) ? a : [a])); +}; + +const createCastSingleRt = >(type: T): CastSingle => { + const union = t.union([type, t.array(type)]); + + return new t.Type('castSingle', union.is, union.validate, (a) => (Array.isArray(a) ? a[0] : a)); +}; + +type SetOptional = Optional< + T, + { + [key in keyof T]: T[key]['required'] extends true ? never : key; + }[keyof T] +>; + +type OutputOfField = T['array'] extends true + ? Array>> + : t.OutputOf>; + +type TypeOfField = + | t.TypeOf> + | Array>>; + +type OutputOf = { + [key in keyof T]: OutputOfField>; +}; + +type TypeOf = { + [key in keyof T]: TypeOfField>; +}; + +export type TypeOfFieldMap = TypeOf>; +export type OutputOfFieldMap = OutputOf>; + +export type FieldMapType = t.Type, OutputOfFieldMap>; + +function valueToIoTs(value: FieldMap): t.Mixed { + const valueType: string = value.type; + switch (valueType) { + case 'boolean': + return t.boolean; + case 'keyword': + case 'text': + case 'date': + return t.string; + case 'byte': + case 'double': + case 'float': + case 'integer': + case 'long': + case 'short': + return t.number; + case 'array': + if ('items' in value) { + return t.array(schemaValueToIoTs((value as SchemaArray).items)); + } + throw new Error(`Schema type must include the "items" declaration.`); + default: + throw new Error(`Unsupported schema type ${valueType}.`); + } + + if ('properties' in value) { + const { DYNAMIC_KEY, ...properties } = value.properties as SchemaObject['properties'] & { + DYNAMIC_KEY?: SchemaValue; + }; + const schemas: t.Mixed[] = [schemaObjectToIoTs>({ properties })]; + if (DYNAMIC_KEY) { + schemas.push(t.record(t.string, 
schemaValueToIoTs(DYNAMIC_KEY))); + } + return isOneOfCandidate(schemas) ? t.union(schemas) : schemas[0]; + } else { + const valueType = value.type; // Copied in here because of TS reasons, it's not available in the `default` case + switch (valueType) { + case 'boolean': + return t.boolean; + case 'keyword': + case 'text': + case 'date': + return t.string; + case 'byte': + case 'double': + case 'float': + case 'integer': + case 'long': + case 'short': + return t.number; + case 'array': + if ('items' in value) { + return t.array(schemaValueToIoTs((value as SchemaArray).items)); + } + throw new Error(`Schema type must include the "items" declaration.`); + default: + throw new Error(`Unsupported schema type ${valueType}.`); + } + } +} + +function entriesToObjectIoTs(entries: FieldMap): Record { + const fields = Object.keys(entries).map((key: string) => { + const value = entries[key]; + try { + return [key, valueToIoTs(value)]; + } catch (err) { + err.failedKey = [key, ...(err.failedKey || [])]; + throw err; + } + }); +} + +export function fieldMapToIoTs(fieldMap: FieldMap): t.Type> { + try { + const requiredFields: FieldMap = pickBy(fieldMap, (field) => field.required === true); + const optionalFields: FieldMap = pickBy(fieldMap, (field) => field.required === false); + + return t.intersection([ + t.interface(entriesToObjectIoTs(requiredFields)), + t.partial(entriesToObjectIoTs(optionalFields)), + ]) as unknown as FieldMapType; + } catch (err) { + throw error; + } + function mapToType(fields: FieldMap) { + return mapValues(fields, (field) => { + const type = + field.type in esFieldTypeMap + ? esFieldTypeMap[field.type as keyof EsFieldTypeMap] + : t.unknown; + + return field.array ? createCastArrayRt(type) : createCastSingleRt(type); + }); + } + + const required = pickBy(fieldMap, (field) => field.required); + return t.intersection([ + t.exact(t.partial(mapToType(fieldMap))), + t.type(mapToType(required)), + ]) as unknown as FieldMapType; +} 
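Review bot: `entriesToObjectIoTs` builds `fields` but never returns it, and the `catch` in `fieldMapToIoTs` throws an undefined `error` instead of `err`, so the exported function cannot compile under `noImplicitReturns` and would mask the real failure if it did. Everything after the `try/catch` in `fieldMapToIoTs` (`mapToType`, the second `required`/`t.intersection` return) and everything after the `switch` in `valueToIoTs` is unreachable, and the latter references `schemaValueToIoTs`, `SchemaArray`, `SchemaObject`, `schemaObjectToIoTs` and `isOneOfCandidate`, none of which exist in this file; `valueToIoTs` is also typed to take `FieldMap` but reads `value.type`, which lives on the entry type, so its parameter should be `FieldMap[string]`. Note that the new validator uses `t.interface`/`t.partial` without `t.exact`, so unlike the `t.exact(t.partial(...))` form in the dead tail, unknown keys in a decoded alert document are retained rather than stripped; if the validator is meant to bound what reaches the index, wrap the intersection in `t.exact`. The rewrite below keeps the required/optional split and makes the error path and return explicit.
```typescript
function entriesToObjectIoTs(entries: FieldMap): Record<string, t.Mixed> {
  const fields = Object.keys(entries).map((key) => {
    try {
      return [key, valueToIoTs(entries[key])] as const;
    } catch (err: unknown) {
      // Record the failing key path on the error before propagating it.
      if (err instanceof Error) {
        const tagged = err as Error & { failedKey?: string[] };
        tagged.failedKey = [key, ...(tagged.failedKey ?? [])];
      }
      throw err;
    }
  });
  return Object.fromEntries(fields);
}

// … unchanged: fieldMapToIoTs signature …
  const requiredFields: FieldMap = pickBy(fieldMap, (field) => field.required === true);
  const optionalFields: FieldMap = pickBy(fieldMap, (field) => field.required === false);
  return t.intersection([
    t.interface(entriesToObjectIoTs(requiredFields)),
    t.partial(entriesToObjectIoTs(optionalFields)),
  ]) as unknown as FieldMapType;
  // … removed: try/catch rethrowing undefined `error`, and the unreachable mapToType tail …
```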
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts index 14f558a4a4b7cc..79416a55600d0b 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts 
@@ -4,92 +4,94 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -// import { runtimeTypeFromFieldMap } from './runtime_type_from_fieldmap'; +import { runtimeTypeFromFieldMap } from './runtime_type_from_fieldmap'; -// describe('runtimeTypeFromFieldMap', () => { -// const fieldmapRt = runtimeTypeFromFieldMap({ -// keywordField: { type: 'keyword' }, -// longField: { type: 'long' }, -// requiredKeywordField: { type: 'keyword', required: true }, -// multiKeywordField: { type: 'keyword', array: true }, -// } as const); +describe('runtimeTypeFromFieldMap', () => { + const fieldmapRt = runtimeTypeFromFieldMap({ + keywordField: { type: 'keyword' }, + longField: { type: 'long' }, + requiredKeywordField: { type: 'keyword', required: true }, + multiKeywordField: { type: 'keyword', array: true }, + } as const); -// it('accepts both singular and array fields', () => { -// expect( -// fieldmapRt.is({ -// requiredKeywordField: 'keyword', -// }) -// ).toBe(true); + console.log(typeof fieldmapRt); -// expect( -// fieldmapRt.is({ -// requiredKeywordField: ['keyword'], -// }) -// ).toBe(true); + it('accepts both singular and array fields', () => { + expect( + fieldmapRt.is({ + requiredKeywordField: 'keyword', + }) + ).toBe(true); -// expect( -// fieldmapRt.is({ -// requiredKeywordField: ['keyword'], -// multiKeywordField: 'keyword', -// }) -// ).toBe(true); + expect( + fieldmapRt.is({ + requiredKeywordField: ['keyword'], + }) + ).toBe(true); -// expect( -// fieldmapRt.is({ -// requiredKeywordField: ['keyword'], -// multiKeywordField: ['keyword'], -// }) -// ).toBe(true); -// }); + expect( + fieldmapRt.is({ + requiredKeywordField: ['keyword'], + multiKeywordField: 'keyword', + }) + ).toBe(true); -// it('fails on invalid data types', () => { -// expect( -// fieldmapRt.is({ -// requiredKeywordField: 2, -// }) -// ).toBe(false); + expect( + fieldmapRt.is({ + requiredKeywordField: ['keyword'], + multiKeywordField: ['keyword'], + }) + ).toBe(true); 
+ }); -// expect( -// fieldmapRt.is({ -// requiredKeywordField: [2], -// }) -// ).toBe(false); + it('fails on invalid data types', () => { + expect( + fieldmapRt.is({ + requiredKeywordField: 2, + }) + ).toBe(false); -// expect( -// fieldmapRt.is({ -// requiredKeywordField: ['keyword'], -// longField: ['keyword'], -// }) -// ).toBe(false); + expect( + fieldmapRt.is({ + requiredKeywordField: [2], + }) + ).toBe(false); -// expect( -// fieldmapRt.is({ -// requiredKeywordField: ['keyword'], -// longField: [3], -// }) -// ).toBe(true); + expect( + fieldmapRt.is({ + requiredKeywordField: ['keyword'], + longField: ['keyword'], + }) + ).toBe(false); -// expect( -// fieldmapRt.is({ -// requiredKeywordField: ['keyword'], -// longField: 3, -// }) -// ).toBe(true); -// }); + expect( + fieldmapRt.is({ + requiredKeywordField: ['keyword'], + longField: [3], + }) + ).toBe(true); -// it('outputs to single or array values', () => { -// expect( -// fieldmapRt.encode({ -// requiredKeywordField: ['required'], -// keywordField: 'keyword', -// longField: [3, 2], -// multiKeywordField: ['keyword', 'foo'], -// }) -// ).toEqual({ -// requiredKeywordField: 'required', -// keywordField: 'keyword', -// longField: 3, -// multiKeywordField: ['keyword', 'foo'], -// }); -// }); -// }); + expect( + fieldmapRt.is({ + requiredKeywordField: ['keyword'], + longField: 3, + }) + ).toBe(true); + }); + + it('outputs to single or array values', () => { + expect( + fieldmapRt.encode({ + requiredKeywordField: ['required'], + keywordField: 'keyword', + longField: [3, 2], + multiKeywordField: ['keyword', 'foo'], + }) + ).toEqual({ + requiredKeywordField: 'required', + keywordField: 'keyword', + longField: 3, + multiKeywordField: ['keyword', 'foo'], + }); + }); +}); diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts index 5690b68ccd4fcc..55ffb1302f96d5 100644 
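Review bot: `console.log(typeof fieldmapRt);` at `describe` scope is leftover debugging that prints on every run; remove it. The fixtures omit `required` on `keywordField`, `longField` and `multiKeywordField`; with `FieldMap.required` made non-optional in the "Fixing checks" commit of this series, these literals no longer satisfy `FieldMap` if `runtimeTypeFromFieldMap` constrains its parameter to it — I cannot see the signature, which sits in the hunk that follows — so either add `required: false` to each or confirm the constraint is looser.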
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts 
@@ -4,136 +4,136 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -// import { Optional } from 'utility-types'; -// import { mapValues, pickBy } from 'lodash'; -// import { either } from 'fp-ts/lib/Either'; -// import * as t from 'io-ts'; -// import { FieldMap } from './types'; - -// const NumberFromString = new t.Type( -// 'NumberFromString', -// (u): u is number => typeof u === 'number', -// (u, c) => -// either.chain(t.string.validate(u, c), (s) => { -// const d = Number(s); -// return isNaN(d) ? t.failure(u, c) : t.success(d); -// }), -// (a) => a -// ); - -// const BooleanFromString = new t.Type( -// 'BooleanFromString', -// (u): u is boolean => typeof u === 'boolean', -// (u, c) => -// either.chain(t.string.validate(u, c), (s) => { -// switch (s.toLowerCase().trim()) { -// case '1': -// case 'true': -// case 'yes': -// return t.success(true); -// case '0': -// case 'false': -// case 'no': -// case null: -// return t.success(false); -// default: -// return t.failure(u, c); -// } -// }), -// (a) => a -// ); - -// const esFieldTypeMap = { -// keyword: t.string, -// version: t.string, -// text: t.string, -// date: t.string, -// boolean: t.union([t.number, BooleanFromString]), -// byte: t.union([t.number, NumberFromString]), -// long: t.union([t.number, NumberFromString]), -// integer: t.union([t.number, NumberFromString]), -// short: t.union([t.number, NumberFromString]), -// double: t.union([t.number, NumberFromString]), -// float: t.union([t.number, NumberFromString]), -// scaled_float: t.union([t.number, NumberFromString]), -// unsigned_long: t.union([t.number, NumberFromString]), -// flattened: t.UnknownRecord, -// }; - -// type EsFieldTypeMap = typeof esFieldTypeMap; - -// type EsFieldTypeOf = T extends keyof EsFieldTypeMap -// ? 
EsFieldTypeMap[T] -// : t.UnknownC; - -// type CastArray> = t.Type< -// t.TypeOf | Array>, -// Array>, -// unknown -// >; -// type CastSingle> = t.Type< -// t.TypeOf | Array>, -// t.TypeOf, -// unknown -// >; - -// const createCastArrayRt = >(type: T): CastArray => { -// const union = t.union([type, t.array(type)]); - -// return new t.Type('castArray', union.is, union.validate, (a) => (Array.isArray(a) ? a : [a])); -// }; - -// const createCastSingleRt = >(type: T): CastSingle => { -// const union = t.union([type, t.array(type)]); - -// return new t.Type('castSingle', union.is, union.validate, (a) => (Array.isArray(a) ? a[0] : a)); -// }; - -// type SetOptional = Optional< -// T, -// { -// [key in keyof T]: T[key]['required'] extends true ? never : key; -// }[keyof T] -// >; - -// type OutputOfField = T['array'] extends true -// ? Array>> -// : t.OutputOf>; - -// type TypeOfField = -// | t.TypeOf> -// | Array>>; - -// type OutputOf = { -// [key in keyof T]: OutputOfField>; -// }; - -// type TypeOf = { -// [key in keyof T]: TypeOfField>; -// }; - -// export type TypeOfFieldMap = TypeOf>; -// export type OutputOfFieldMap = OutputOf>; - -// export type FieldMapType = t.Type, OutputOfFieldMap>; - -// export function runtimeTypeFromFieldMap( -// fieldMap: TFieldMap -// ): FieldMapType { -// function mapToType(fields: FieldMap) { -// return mapValues(fields, (field) => { -// const type = -// field.type in esFieldTypeMap -// ? esFieldTypeMap[field.type as keyof EsFieldTypeMap] -// : t.unknown; - -// return field.array ? 
createCastArrayRt(type) : createCastSingleRt(type); -// }); -// } - -// const required = pickBy(fieldMap, (field) => field.required); -// return t.intersection([ -// t.exact(t.partial(mapToType(fieldMap))), -// t.type(mapToType(required)), -// ]) as unknown as FieldMapType; -// } +import { Optional } from 'utility-types'; +import { mapValues, pickBy } from 'lodash'; +import { either } from 'fp-ts/lib/Either'; +import * as t from 'io-ts'; +import { FieldMap } from './types'; + +const NumberFromString = new t.Type( + 'NumberFromString', + (u): u is number => typeof u === 'number', + (u, c) => + either.chain(t.string.validate(u, c), (s) => { + const d = Number(s); + return isNaN(d) ? t.failure(u, c) : t.success(d); + }), + (a) => a +); + +const BooleanFromString = new t.Type( + 'BooleanFromString', + (u): u is boolean => typeof u === 'boolean', + (u, c) => + either.chain(t.string.validate(u, c), (s) => { + switch (s.toLowerCase().trim()) { + case '1': + case 'true': + case 'yes': + return t.success(true); + case '0': + case 'false': + case 'no': + case null: + return t.success(false); + default: + return t.failure(u, c); + } + }), + (a) => a +); + +const esFieldTypeMap = { + keyword: t.string, + version: t.string, + text: t.string, + date: t.string, + boolean: t.union([t.number, BooleanFromString]), + byte: t.union([t.number, NumberFromString]), + long: t.union([t.number, NumberFromString]), + integer: t.union([t.number, NumberFromString]), + short: t.union([t.number, NumberFromString]), + double: t.union([t.number, NumberFromString]), + float: t.union([t.number, NumberFromString]), + scaled_float: t.union([t.number, NumberFromString]), + unsigned_long: t.union([t.number, NumberFromString]), + flattened: t.UnknownRecord, +}; + +type EsFieldTypeMap = typeof esFieldTypeMap; + +type EsFieldTypeOf = T extends keyof EsFieldTypeMap + ? 
EsFieldTypeMap[T] + : t.UnknownC; + +type CastArray> = t.Type< + t.TypeOf | Array>, + Array>, + unknown +>; +type CastSingle> = t.Type< + t.TypeOf | Array>, + t.TypeOf, + unknown +>; + +const createCastArrayRt = >(type: T): CastArray => { + const union = t.union([type, t.array(type)]); + + return new t.Type('castArray', union.is, union.validate, (a) => (Array.isArray(a) ? a : [a])); +}; + +const createCastSingleRt = >(type: T): CastSingle => { + const union = t.union([type, t.array(type)]); + + return new t.Type('castSingle', union.is, union.validate, (a) => (Array.isArray(a) ? a[0] : a)); +}; + +type SetOptional = Optional< + T, + { + [key in keyof T]: T[key]['required'] extends true ? never : key; + }[keyof T] +>; + +type OutputOfField = T['array'] extends true + ? Array>> + : t.OutputOf>; + +type TypeOfField = + | t.TypeOf> + | Array>>; + +type OutputOf = { + [key in keyof T]: OutputOfField>; +}; + +type TypeOf = { + [key in keyof T]: TypeOfField>; +}; + +export type TypeOfFieldMap = TypeOf>; +export type OutputOfFieldMap = OutputOf>; + +export type FieldMapType = t.Type, OutputOfFieldMap>; + +export function runtimeTypeFromFieldMap( + fieldMap: TFieldMap +): FieldMapType { + function mapToType(fields: FieldMap) { + return mapValues(fields, (field) => { + const type = + field.type in esFieldTypeMap + ? esFieldTypeMap[field.type as keyof EsFieldTypeMap] + : t.unknown; + + return field.array ? createCastArrayRt(type) : createCastSingleRt(type); + }); + } + + const required = pickBy(fieldMap, (field) => field.required); + return t.intersection([ + t.exact(t.partial(mapToType(fieldMap))), + t.type(mapToType(required)), + ]) as unknown as FieldMapType; +} diff --git a/x-pack/plugins/alerting/common/alert_schema/runtime_types/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/runtime_types/alert_field_map.ts new file mode 100644 index 00000000000000..f685c00cd11f61 --- /dev/null 
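Review bot: In the restored `esFieldTypeMap` the `boolean` entry is `t.union([t.number, BooleanFromString])`, and `BooleanFromString`'s validate step begins with `t.string.validate(u, c)`, so a genuine `true`/`false` value fails to decode even though the union's `is` (`typeof u === 'boolean'`) accepts it; `decode` and `is` disagree for exactly the type the entry is named after. Adding the plain codec keeps the string and numeric forms and removes the mismatch: `boolean: t.union([t.boolean, t.number, BooleanFromString]),`. In the same codec the `case null:` arm is unreachable, because the switch operand is the result of `s.toLowerCase().trim()` and is always a string, so it can be dropped. `NumberFromString` accepts whatever `Number(s)` accepts, including `''` (which decodes to `0`) and `'Infinity'`; if stricter parsing is intended, a comment on the codec or a tighter check is worth adding. This hunk only un-comments the earlier implementation, so these points pre-date the commit rather than being introduced by it.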
+++ b/x-pack/plugins/alerting/common/alert_schema/runtime_types/alert_field_map.ts 
@@ -0,0 +1,600 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as t from 'io-ts'; +import { either } from 'fp-ts/lib/Either'; + +const NumberFromString = new t.Type( + 'NumberFromString', + (u): u is number => typeof u === 'number', + (u, c) => + either.chain(t.string.validate(u, c), (s) => { + const d = Number(s); + return isNaN(d) ? t.failure(u, c) : t.success(d); + }), + (a) => a +); + +const BooleanFromString = new t.Type( + 'BooleanFromString', + (u): u is boolean => typeof u === 'boolean', + (u, c) => + either.chain(t.string.validate(u, c), (s) => { + switch (s.toLowerCase().trim()) { + case '1': + case 'true': + case 'yes': + return t.success(true); + case '0': + case 'false': + case 'no': + case null: + return t.success(false); + default: + return t.failure(u, c); + } + }), + (a) => a +); + +const esFieldTypeMap = { + keyword: t.string, + version: t.string, + text: t.string, + date: t.string, + boolean: t.union([t.number, BooleanFromString]), + byte: t.union([t.number, NumberFromString]), + long: t.union([t.number, NumberFromString]), + integer: t.union([t.number, NumberFromString]), + short: t.union([t.number, NumberFromString]), + double: t.union([t.number, NumberFromString]), + float: t.union([t.number, NumberFromString]), + scaled_float: t.union([t.number, NumberFromString]), + unsigned_long: t.union([t.number, NumberFromString]), + flattened: t.UnknownRecord, + object: t.UnknownRecord, +}; +const ecsDate = (array: boolean = false) => {}; +function ecsStringMulti() { + return schema.maybe(schema.arrayOf(schema.string())); +} + +function ecsString() { + return schema.maybe(schema.string()); +} + +function ecsNumber() { + return schema.maybe(schema.number()); +} + +function ecsStringOrNumber() { + return 
schema.maybe(schema.oneOf([schema.string(), schema.number()])); +} + +function ecsDate() { + return schema.maybe(schema.string({ validate: validateDate })); +} + +function ecsBoolean() { + return schema.maybe(schema.boolean()); +} + +const ISO_DATE_PATTERN = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/; + +function validateDate(isoDate: string) { + if (ISO_DATE_PATTERN.test(isoDate)) return; + return 'string is not a valid ISO date: ' + isoDate; +} + +function ecsVersion() { + return schema.maybe(schema.string({ validate: validateVersion })); +} + +function validateVersion(version: string) { + if (semver.valid(version)) return; + return 'string is not a valid version: ' + version; +} +// import { +// ALERT_ACTION_GROUP, +// ALERT_ANCESTORS, +// ALERT_ANCESTORS_DEPTH, +// ALERT_ANCESTORS_ID, +// ALERT_ANCESTORS_INDEX, +// ALERT_ANCESTORS_RULE, +// ALERT_ANCESTORS_TYPE, +// ALERT_DEPTH, +// ALERT_DURATION, +// ALERT_END, +// ALERT_EVALUATION_RESULTS, +// ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR, +// ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE, +// ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE, +// ALERT_EVALUATION_RESULTS_VALUE, +// ALERT_FLAPPING, +// ALERT_GROUP_ID, +// ALERT_GROUP_INDEX, +// ALERT_ID, +// ALERT_NEW_TERMS, +// ALERT_ORIGINAL_EVENT_ACTION, +// ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS, +// ALERT_ORIGINAL_EVENT_CATEGORY, +// ALERT_ORIGINAL_EVENT_CODE, +// ALERT_ORIGINAL_EVENT_CREATED, +// ALERT_ORIGINAL_EVENT_DATASET, +// ALERT_ORIGINAL_EVENT_DURATION, +// ALERT_ORIGINAL_EVENT_END, +// ALERT_ORIGINAL_EVENT_HASH, +// ALERT_ORIGINAL_EVENT_ID, +// ALERT_ORIGINAL_EVENT_INGESTED, +// ALERT_ORIGINAL_EVENT_KIND, +// ALERT_ORIGINAL_EVENT_MODULE, +// ALERT_ORIGINAL_EVENT_ORIGINAL, +// ALERT_ORIGINAL_EVENT_OUTCOME, +// ALERT_ORIGINAL_EVENT_PROVIDER, +// ALERT_ORIGINAL_EVENT_REASON, +// ALERT_ORIGINAL_EVENT_REFERENCE, +// ALERT_ORIGINAL_EVENT_RISK_SCORE, +// ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, +// ALERT_ORIGINAL_EVENT_SEQUENCE, +// ALERT_ORIGINAL_EVENT_SEVERITY, 
+// ALERT_ORIGINAL_EVENT_START, +// ALERT_ORIGINAL_EVENT_TIMEZONE, +// ALERT_ORIGINAL_EVENT_TYPE, +// ALERT_ORIGINAL_EVENT_URL, +// ALERT_ORIGINAL_TIME, +// ALERT_REASON, +// ALERT_RISK_SCORE, +// ALERT_RULE_CATEGORY, +// ALERT_RULE_CONSUMER, +// ALERT_RULE_EXECUTION_UUID, +// ALERT_RULE_NAME, +// ALERT_RULE_PARAMETERS, +// ALERT_RULE_PRODUCER, +// ALERT_RULE_TAGS, +// ALERT_RULE_TYPE_ID, +// ALERT_RULE_UUID, +// ALERT_SEVERITY, +// ALERT_START, +// ALERT_STATUS, +// ALERT_THRESHOLD_RESULT_CARDINALITY, +// ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD, +// ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE, +// ALERT_THRESHOLD_RESULT_COUNT, +// ALERT_THRESHOLD_RESULT_FROM, +// ALERT_THRESHOLD_RESULT_TERMS, +// ALERT_THRESHOLD_RESULT_TERMS_FIELD, +// ALERT_THRESHOLD_RESULT_TERMS_VALUE, +// ALERT_TIME_RANGE, +// ALERT_UUID, +// ALERT_WORKFLOW_STATUS, +// ANOMALY_BUCKET_SPAN_MINUTES, +// ANOMALY_START, +// MONITOR_ID, +// MONITOR_NAME, +// MONITOR_TYPE, +// PROCESSOR_EVENT, +// SPACE_IDS, +// TRANSACTION_TYPE, +// TRANSACTION_NAME, +// VERSION, +// } from '@kbn/rule-data-utils'; + +// export const alertFieldMap = { +// [ALERT_RULE_PARAMETERS]: { +// type: 'object', +// enabled: false, +// required: false, +// }, +// [ALERT_RULE_TYPE_ID]: { +// type: 'keyword', +// array: false, +// required: true, +// }, +// [ALERT_RULE_CONSUMER]: { +// type: 'keyword', +// array: false, +// required: true, +// }, +// [ALERT_RULE_PRODUCER]: { +// type: 'keyword', +// array: false, +// required: true, +// }, +// [SPACE_IDS]: { +// type: 'keyword', +// array: true, +// required: true, +// }, +// [ALERT_UUID]: { +// type: 'keyword', +// array: false, +// required: true, +// }, +// [ALERT_ID]: { +// type: 'keyword', +// array: false, +// required: true, +// }, +// [ALERT_START]: { +// type: 'date', +// array: false, +// required: false, +// }, +// [ALERT_TIME_RANGE]: { +// type: 'date_range', +// format: 'epoch_millis||strict_date_optional_time', +// array: false, +// required: false, +// }, +// 
[ALERT_END]: { +// type: 'date', +// array: false, +// required: false, +// }, +// [ALERT_DURATION]: { +// type: 'long', +// array: false, +// required: false, +// }, +// [ALERT_SEVERITY]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_STATUS]: { +// type: 'keyword', +// array: false, +// required: true, +// }, +// [VERSION]: { +// type: 'version', +// array: false, +// required: false, +// }, +// [ALERT_RISK_SCORE]: { +// type: 'float', +// array: false, +// required: false, +// }, +// [ALERT_WORKFLOW_STATUS]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ACTION_GROUP]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_REASON]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_RULE_CATEGORY]: { +// type: 'keyword', +// array: false, +// required: true, +// }, +// [ALERT_RULE_UUID]: { +// type: 'keyword', +// array: false, +// required: true, +// }, +// [ALERT_RULE_EXECUTION_UUID]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_RULE_NAME]: { +// type: 'keyword', +// array: false, +// required: true, +// }, +// [ALERT_RULE_TAGS]: { +// type: 'keyword', +// array: true, +// required: false, +// }, +// [ALERT_EVALUATION_RESULTS]: { +// type: 'object', +// array: true, +// required: false, +// }, +// [ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE]: { +// type: 'keyword', +// array: true, +// required: false, +// }, +// [ALERT_EVALUATION_RESULTS_VALUE]: { +// type: 'float', +// array: false, +// required: false, +// }, +// [ALERT_FLAPPING]: { +// type: 'boolean', +// array: false, +// required: false, +// }, +// [TRANSACTION_TYPE]: { +// type: 'keyword', +// array: false, +// 
required: false, +// }, +// [TRANSACTION_NAME]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [PROCESSOR_EVENT]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [MONITOR_ID]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [MONITOR_NAME]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [MONITOR_TYPE]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ANOMALY_START]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ANOMALY_BUCKET_SPAN_MINUTES]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ANCESTORS]: { +// type: 'object', +// array: true, +// required: false, +// }, +// [ALERT_ANCESTORS_DEPTH]: { +// type: 'long', +// array: false, +// required: false, +// }, +// [ALERT_ANCESTORS_ID]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ANCESTORS_INDEX]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ANCESTORS_RULE]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ANCESTORS_TYPE]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_DEPTH]: { +// type: 'long', +// array: false, +// required: false, +// }, +// [ALERT_GROUP_ID]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_GROUP_INDEX]: { +// type: 'integer', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_ACTION]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_CATEGORY]: { +// type: 'keyword', +// array: true, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_CODE]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_CREATED]: { +// type: 'date', +// 
array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_DATASET]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_DURATION]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_END]: { +// type: 'date', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_HASH]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_ID]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_INGESTED]: { +// type: 'date', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_KIND]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_MODULE]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_ORIGINAL]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_OUTCOME]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_PROVIDER]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_REASON]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_REFERENCE]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_RISK_SCORE]: { +// type: 'float', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM]: { +// type: 'float', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_SEQUENCE]: { +// type: 'long', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_SEVERITY]: { +// type: 'long', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_START]: { +// type: 'date', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_TIMEZONE]: { +// type: 'keyword', +// array: false, +// 
required: false, +// }, +// [ALERT_ORIGINAL_EVENT_TYPE]: { +// type: 'keyword', +// array: true, +// required: false, +// }, +// [ALERT_ORIGINAL_EVENT_URL]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_ORIGINAL_TIME]: { +// type: 'date', +// array: false, +// required: false, +// }, +// [ALERT_THRESHOLD_RESULT_CARDINALITY]: { +// type: 'object', +// array: false, +// required: false, +// }, +// [ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE]: { +// type: 'long', +// array: false, +// required: false, +// }, +// [ALERT_THRESHOLD_RESULT_COUNT]: { +// type: 'long', +// array: false, +// required: false, +// }, +// [ALERT_THRESHOLD_RESULT_FROM]: { +// type: 'date', +// array: false, +// required: false, +// }, +// [ALERT_THRESHOLD_RESULT_TERMS]: { +// type: 'object', +// array: true, +// required: false, +// }, +// [ALERT_THRESHOLD_RESULT_TERMS_FIELD]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_THRESHOLD_RESULT_TERMS_VALUE]: { +// type: 'keyword', +// array: false, +// required: false, +// }, +// [ALERT_NEW_TERMS]: { +// type: 'keyword', +// array: true, +// required: false, +// }, +// }; + +// export type AlertFieldMap = typeof alertFieldMap; diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js index a9e6bd57c2375a..a548390b5273c6 100644 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js +++ b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js 
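Review bot: `ecsDate` is declared twice in the new file, first as `const ecsDate = (array: boolean = false) => {};` directly after `esFieldTypeMap` and again as `function ecsDate()` a few lines below, which is a redeclaration error, and the `ecs*` helpers call `schema` while `validateVersion` calls `semver`, neither of which is imported (the file's only imports are `io-ts` and `fp-ts/lib/Either`). The file also duplicates `NumberFromString`, `BooleanFromString` and `esFieldTypeMap` from `runtime_type_from_fieldmap.ts` instead of importing them, so the two copies can drift; this one already differs by adding `object: t.UnknownRecord`. `ISO_DATE_PATTERN` accepts only `YYYY-MM-DDTHH:mm:ss.sssZ`, whereas the commented `ALERT_TIME_RANGE` entry uses `epoch_millis||strict_date_optional_time`, which also permits offsets and omitted fractions, so if `validateDate` is meant to match what the index accepts the pattern is too narrow. Since most of the file is still commented out this looks like work in progress, but as committed the module does not compile.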
@@ -5,52 +5,52 @@ * 2.0. */ -// const path = require('path'); -// const fs = require('fs'); -// const util = require('util'); -// const yaml = require('js-yaml'); -// const { exec: execCb } = require('child_process'); -// const { reduce } = require('lodash'); -// const LineWriter = require('./lib/line_writer'); - -// const exists = util.promisify(fs.exists); -// const readFile = util.promisify(fs.readFile); -// const writeFile = util.promisify(fs.writeFile); -// const exec = util.promisify(execCb); - -// const ecsDir = path.resolve(__dirname, '../../../../../../ecs'); -// const ecsYamlFilename = path.join(ecsDir, 'generated/ecs/ecs_flat.yml'); - -// const outputDir = path.join(__dirname, '../assets/field_maps'); -// const outputFieldMapFilename = path.join(outputDir, 'ecs_field_map.ts'); - -// async function createSchema() { -// if (process.argv.length < 3) { -// logError(`Error no mapping file specified`); -// } - -// const mappingFile = process.argv[2]; -// // eslint-disable-next-line import/no-dynamic-require -// const template = require(mappingFile); - -// const lineWriter = LineWriter.createLineWriter(); -// generateSchemaLines(lineWriter, null, template.mappings); -// // last line will have an extraneous comma -// const schemaLines = lineWriter.getContent().replace(/,$/, ''); - -// const contents = getSchemaFileContents(ecsVersion, schemaLines); -// const schemaCode = `${contents}\n`; - -// writeGeneratedFile(EVENT_LOG_CONFIG_SCHEMA_FILE, schemaCode); -// console.log('generated:', EVENT_LOG_CONFIG_SCHEMA_FILE); -// } - -// function logError(message) { -// console.log(`error: ${message}`); -// process.exit(1); -// } - -// createSchema().catch((err) => { -// console.log(err); -// process.exit(1); -// }); +const path = require('path'); +const fs = require('fs'); +const util = require('util'); +const yaml = require('js-yaml'); +const { exec: execCb } = require('child_process'); +const { reduce } = require('lodash'); +const LineWriter = 
require('./lib/line_writer'); + +const exists = util.promisify(fs.exists); +const readFile = util.promisify(fs.readFile); +const writeFile = util.promisify(fs.writeFile); +const exec = util.promisify(execCb); + +const ecsDir = path.resolve(__dirname, '../../../../../../ecs'); +const ecsYamlFilename = path.join(ecsDir, 'generated/ecs/ecs_flat.yml'); + +const outputDir = path.join(__dirname, '../assets/field_maps'); +const outputFieldMapFilename = path.join(outputDir, 'ecs_field_map.ts'); + +async function createSchema() { + if (process.argv.length < 3) { + logError(`Error no mapping file specified`); + } + + const mappingFile = process.argv[2]; + // eslint-disable-next-line import/no-dynamic-require + const template = require(mappingFile); + + // const lineWriter = LineWriter.createLineWriter(); + // generateSchemaLines(lineWriter, null, template.mappings); + // // last line will have an extraneous comma + // const schemaLines = lineWriter.getContent().replace(/,$/, ''); + + // const contents = getSchemaFileContents(ecsVersion, schemaLines); + // const schemaCode = `${contents}\n`; + + // writeGeneratedFile(EVENT_LOG_CONFIG_SCHEMA_FILE, schemaCode); + // console.log('generated:', EVENT_LOG_CONFIG_SCHEMA_FILE); +} + +function logError(message) { + console.log(`error: ${message}`); + process.exit(1); +} + +createSchema().catch((err) => { + console.log(err); + process.exit(1); +}); diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh index 69e6682e70830a..0bd6d1e59abb00 100755 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh +++ b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh 
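Review bot: With the body of `createSchema` still commented out, the un-commented script now only `require()`s the mapping file and exits, so every restored dependency and constant (`yaml`, `reduce`, `LineWriter`, `exists`, `readFile`, `writeFile`, `exec`, `ecsDir`, `ecsYamlFilename`, `outputDir`, `outputFieldMapFilename`) is unused and will trip the linter. `require(mappingFile)` resolves a relative argument against this script's directory rather than the caller's working directory, and the `generate_schemas.sh` hunk that follows passes `../field_maps/alert_field_map.ts`, which plain `node` cannot load without a TypeScript loader, so either run the script under a loader or point it at a `.js`/`.json` artifact. The missing-argument guard is fine because `logError` exits, but including usage in the message, e.g. `logError('no mapping file specified; usage: node create_schema_from_mapping.js <mapping-file>')`, would make the failure self-explanatory.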
@@ -19,4 +19,6 @@ # node create_schema_from_mapping.js ../component_templates/assets/ecs_legacy_template.json -# echo --- Generating Alert schema from template +echo --- Generating Alert schema from template + +node create_schema_from_mapping.js ../field_maps/alert_field_map.ts From 044e765e5c1063a2065135898126076dc67e65fb Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Mon, 28 Nov 2022 07:40:10 -0500 Subject: [PATCH 08/42] Adding desired schema --- .../alert_schema/field_maps/alert_schema.ts | 207 ++++++++++++ .../field_maps/mapping_from_field_map.test.ts | 318 ++++++++++++++++++ 2 files changed, 525 insertions(+) create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/alert_schema.ts diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_schema.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_schema.ts new file mode 100644 index 00000000000000..dbbc3f4ddbb88b --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_schema.ts 
@@ -0,0 +1,207 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { Either } from 'fp-ts/lib/Either'; +import * as rt from 'io-ts'; + +const ISO_DATE_PATTERN = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/; + +export const IsoDateString = new rt.Type( + 'IsoDateString', + rt.string.is, + (input, context): Either => { + if (typeof input === 'string' && ISO_DATE_PATTERN.test(input)) { + return rt.success(input); + } else { + return rt.failure(input, context); + } + }, + rt.identity +); + +export type IsoDateStringC = typeof IsoDateString; + +export const schemaDate = IsoDateString; +export const schemaUnknown = rt.unknown; +export const schemaString = rt.string; +export const schemaStringArray = rt.array(schemaString); +export const schemaNumber = rt.number; +export const schemaNumberArray = rt.array(schemaNumber); +export const schemaStringOrNumber = rt.union([schemaString, schemaNumber]); +export const schemaBoolean = rt.boolean; +export const schemaBooleanArray = rt.array(schemaBoolean); + +export const AlertSchema = rt.exact( + rt.partial({ + anomaly: rt.exact( + rt.partial({ + bucket_span: rt.exact( + rt.partial({ + minutes: schemaString, + }) + ), + start: schemaString, + }) + ), + kibana: rt.exact( + rt.partial({ + alert: rt.exact( + rt.partial({ + action_group: schemaString, + ancestors: rt.array( + rt.exact( + rt.partial({ + depth: schemaNumber, + id: schemaString, + index: schemaString, + rule: schemaString, + type: schemaString, + }) + ) + ), + depth: schemaNumber, + duration: rt.exact( + rt.partial({ + us: schemaStringOrNumber, + }) + ), + end: schemaDate, + evaluation_results: rt.array( + rt.exact( + rt.partial({ + thresholds: rt.array( + rt.exact( + rt.partial({ + comparator: schemaString, + type: schemaString, + value: schemaString, + 
}) + ) + ), + value: schemaNumber, + }) + ) + ), + flapping: schemaBoolean, + group: rt.exact( + rt.partial({ + id: schemaString, + index: schemaNumber, + }) + ), + id: schemaString, + new_terms: schemaStringArray, + original_event: rt.exact( + rt.partial({ + action: schemaString, + agent_id_status: schemaString, + category: schemaString, + code: schemaString, + created: schemaDate, + dataset: schemaString, + duration: schemaString, + end: schemaDate, + hash: schemaString, + id: schemaString, + ingested: schemaDate, + kind: schemaString, + module: schemaString, + original: schemaString, + outcome: schemaString, + provider: schemaString, + reason: schemaString, + reference: schemaString, + risk_score: schemaNumber, + risk_score_norm: schemaNumber, + sequence: schemaNumber, + severity: schemaNumber, + start: schemaDate, + timezone: schemaString, + type: schemaString, + url: schemaString, + }) + ), + original_time: schemaDate, + reason: schemaString, + risk_score: schemaNumber, + rule: rt.exact( + rt.partial({ + category: schemaString, + consumer: schemaString, + execution: rt.exact( + rt.partial({ + uuid: schemaString, + }) + ), + name: schemaString, + parameters: schemaUnknown, + producer: schemaString, + rule_type_id: schemaString, + tags: schemaStringArray, + uuid: schemaString, + }) + ), + severity: schemaString, + start: schemaDate, + status: schemaString, + threshold_result: rt.array( + rt.exact( + rt.partial({ + cardinality: rt.exact( + rt.partial({ + field: schemaString, + value: schemaNumber, + }) + ), + count: schemaNumber, + from: schemaDate, + terms: rt.array( + rt.exact( + rt.partial({ + field: schemaString, + value: schemaString, + }) + ) + ), + }) + ) + ), + time_range: rt.exact( + rt.partial({ + gte: schemaDate, + lte: schemaDate, + }) + ), + uuid: schemaString, + workflow_status: schemaString, + }) + ), + space_ids: schemaStringArray, + version: schemaString, + }) + ), + monitor: rt.exact( + rt.partial({ + id: schemaString, + name: schemaString, + 
type: schemaString, + }) + ), + processor: rt.exact( + rt.partial({ + event: schemaString, + }) + ), + transaction: rt.exact( + rt.partial({ + name: schemaString, + type: schemaString, + }) + ), + }) +); + +export type Alert = rt.TypeOf; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index 6e90ff56c16dc0..87e0679b8bd6e7 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts @@ -6,6 +6,7 @@ */ import { mappingFromFieldMap } from './mapping_from_field_map'; import { FieldMap } from './types'; +import { alertFieldMap } from './alert_field_map'; describe('mappingFromFieldMap', () => { const fieldMap: FieldMap = { 
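Review bot: `AlertSchema` wraps every level in `rt.exact(rt.partial(...))`, so fields the field map marks `required: true` (going by the constant names, `kibana.alert.uuid`, `kibana.alert.rule.uuid`, `kibana.alert.rule.rule_type_id`, `kibana.alert.status`, `kibana.space_ids`, …) are optional in the decoded `Alert` type and a document missing them decodes successfully; if this schema is meant to be the source of truth, the required keys belong in an `rt.type` intersected with the partial, as `runtimeTypeFromFieldMap` already does. `IsoDateString` accepts only `YYYY-MM-DDTHH:mm:ss.sssZ`, which rejects offset timestamps and ones without milliseconds; that restriction should be documented on the codec (e.g. `/** Accepts only UTC timestamps with millisecond precision, e.g. 2022-11-28T12:00:00.000Z. */`) or relaxed, and the same regex already exists in `alert_field_map.ts`, so one shared constant would keep them aligned. `kibana.alert.duration.us` is `schemaStringOrNumber` here while the expected mapping in the following hunk gives it type `long`; a comment explaining why the string form is accepted, or a number-from-string codec, would remove the apparent inconsistency.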
@@ -180,6 +181,323 @@ describe('mappingFromFieldMap', () => { }; it('correctly creates mapping from field map', () => { expect(mappingFromFieldMap(fieldMap)).toEqual({ dynamic: 'strict', ...expectedMapping }); + expect(mappingFromFieldMap(alertFieldMap)).toEqual({ + dynamic: 'strict', + properties: { + anomaly: { + properties: { + bucket_span: { + properties: { + minutes: { + type: 'keyword', + }, + }, + }, + start: { + type: 'keyword', + }, + }, + }, + kibana: { + properties: { + alert: { + properties: { + action_group: { + type: 'keyword', + }, + ancestors: { + type: 'object', + properties: { + depth: { + type: 'long', + }, + id: { + type: 'keyword', + }, + index: { + type: 'keyword', + }, + rule: { + type: 'keyword', + }, + type: { + type: 'keyword', + }, + }, + }, + depth: { + type: 'long', + }, + duration: { + properties: { + us: { + type: 'long', + }, + }, + }, + end: { + type: 'date', + }, + evaluation_results: { + type: 'object', + properties: { + thresholds: { + properties: { + comparator: { + type: 'keyword', + }, + type: { + type: 'keyword', + }, + value: { + type: 'keyword', + }, + }, + }, + value: { + type: 'float', + }, + }, + }, + flapping: { + type: 'boolean', + }, + group: { + properties: { + id: { + type: 'keyword', + }, + index: { + type: 'integer', + }, + }, + }, + id: { + type: 'keyword', + }, + new_terms: { + type: 'keyword', + }, + original_event: { + properties: { + action: { + type: 'keyword', + }, + agent_id_status: { + type: 'keyword', + }, + category: { + type: 'keyword', + }, + code: { + type: 'keyword', + }, + created: { + type: 'date', + }, + dataset: { + type: 'keyword', + }, + duration: { + type: 'keyword', + }, + end: { + type: 'date', + }, + hash: { + type: 'keyword', + }, + id: { + type: 'keyword', + }, + ingested: { + type: 'date', + }, + kind: { + type: 'keyword', + }, + module: { + type: 'keyword', + }, + original: { + type: 'keyword', + }, + outcome: { + type: 'keyword', + }, + provider: { + type: 'keyword', + }, + reason: { 
+ type: 'keyword', + }, + reference: { + type: 'keyword', + }, + risk_score: { + type: 'float', + }, + risk_score_norm: { + type: 'float', + }, + sequence: { + type: 'long', + }, + severity: { + type: 'long', + }, + start: { + type: 'date', + }, + timezone: { + type: 'keyword', + }, + type: { + type: 'keyword', + }, + url: { + type: 'keyword', + }, + }, + }, + original_time: { + type: 'date', + }, + reason: { + type: 'keyword', + }, + risk_score: { + type: 'float', + }, + rule: { + properties: { + category: { + type: 'keyword', + }, + consumer: { + type: 'keyword', + }, + execution: { + properties: { + uuid: { + type: 'keyword', + }, + }, + }, + name: { + type: 'keyword', + }, + parameters: { + type: 'object', + enabled: false, + }, + producer: { + type: 'keyword', + }, + rule_type_id: { + type: 'keyword', + }, + tags: { + type: 'keyword', + }, + uuid: { + type: 'keyword', + }, + }, + }, + severity: { + type: 'keyword', + }, + start: { + type: 'date', + }, + status: { + type: 'keyword', + }, + threshold_result: { + properties: { + cardinality: { + type: 'object', + properties: { + field: { + type: 'keyword', + }, + value: { + type: 'long', + }, + }, + }, + count: { + type: 'long', + }, + from: { + type: 'date', + }, + terms: { + type: 'object', + properties: { + field: { + type: 'keyword', + }, + value: { + type: 'keyword', + }, + }, + }, + }, + }, + time_range: { + type: 'date_range', + format: 'epoch_millis||strict_date_optional_time', + }, + uuid: { + type: 'keyword', + }, + workflow_status: { + type: 'keyword', + }, + }, + }, + space_ids: { + type: 'keyword', + }, + version: { + type: 'version', + }, + }, + }, + monitor: { + properties: { + id: { + type: 'keyword', + }, + name: { + type: 'keyword', + }, + type: { + type: 'keyword', + }, + }, + }, + processor: { + properties: { + event: { + type: 'keyword', + }, + }, + }, + transaction: { + properties: { + name: { + type: 'keyword', + }, + type: { + type: 'keyword', + }, + }, + }, + }, + }); }); it('uses dynamic 
setting if specified', () => { From 128a575d728343b0cabc551a62a24de3b1a50d26 Mon Sep 17 00:00:00 2001 
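Review bot: The new assertion reproduces the entire expected mapping of `alertFieldMap` inline (roughly 300 lines), which turns this `it` into a hand-maintained snapshot that has to be re-edited on every field-map change while still only proving that `mappingFromFieldMap` copies the map through. A targeted check of the properties that carry intent — `dynamic: 'strict'`, `kibana.alert.rule.parameters` being `{ type: 'object', enabled: false }` (rule parameters stay unindexed), and `time_range` being `date_range` — or a Jest snapshot would keep the test readable and make a regression in one of those settings stand out instead of being buried in a wall of `type: 'keyword'`. The enclosing `describe` starts outside the hunk.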
From: Ying Mao Date: Mon, 5 Dec 2022 15:01:09 -0500 Subject: [PATCH 09/42] Got schema generator working --- .../alerts_component_template.ts | 22 - .../ecs_component_template.ts | 22 - .../alert_schema/field_maps/alert_schema.ts | 207 -- .../component_template_from_field_map.ts | 32 + .../field_maps/field_map_to_io_ts.test.ts | 174 -- .../field_maps/field_map_to_io_ts.ts | 221 -- .../generated/schemas/alert_schema.ts | 202 ++ .../generated/schemas/ecs_schema.ts | 1835 +++++++++++++++++ .../field_maps/merge_field_maps.ts | 49 - .../runtime_type_from_fieldmap.test.ts | 97 - .../field_maps/runtime_type_from_fieldmap.ts | 139 -- .../alerting/common/alert_schema/index.ts | 5 +- .../alert_schema/parse_technical_fields.ts | 37 - .../runtime_types/alert_field_map.ts | 600 ------ .../scripts/create_schema_from_mapping.js | 56 - .../scripts/create_schema_from_mapping.ts | 320 +++ .../alert_schema/scripts/generate_schemas.sh | 20 +- .../lib/{line_writer.js => line_writer.ts} | 29 +- .../server/alerts_service/alerts_service.ts | 25 +- .../alerting/server/alerts_service/types.ts | 3 + 20 files changed, 2445 insertions(+), 1650 deletions(-) delete mode 100644 x-pack/plugins/alerting/common/alert_schema/component_templates/alerts_component_template.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/component_templates/ecs_component_template.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/alert_schema.ts create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.test.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.ts create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/alert_schema.ts create mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/ecs_schema.ts delete mode 100644 
x-pack/plugins/alerting/common/alert_schema/field_maps/merge_field_maps.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/runtime_types/alert_field_map.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js create mode 100644 x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts rename x-pack/plugins/alerting/common/alert_schema/scripts/lib/{line_writer.js => line_writer.ts} (52%) diff --git a/x-pack/plugins/alerting/common/alert_schema/component_templates/alerts_component_template.ts b/x-pack/plugins/alerting/common/alert_schema/component_templates/alerts_component_template.ts deleted file mode 100644 index 6adc40a79c2170..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/component_templates/alerts_component_template.ts +++ /dev/null 
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types';
-import { mappingFromFieldMap } from '../field_maps/mapping_from_field_map';
-import { alertFieldMap } from '../field_maps/alert_field_map';
-
-export const ALERTS_COMPONENT_TEMPLATE_NAME = 'alerts-default-component-template';
-export const alertsComponentTemplate: ClusterPutComponentTemplateRequest = {
- name: ALERTS_COMPONENT_TEMPLATE_NAME,
- template: {
- settings: {
- number_of_shards: 1,
- 'index.mapping.total_fields.limit': 100,
- },
- mappings: mappingFromFieldMap(alertFieldMap, 'strict'),
- },
-};
diff --git a/x-pack/plugins/alerting/common/alert_schema/component_templates/ecs_component_template.ts b/x-pack/plugins/alerting/common/alert_schema/component_templates/ecs_component_template.ts
deleted file mode 100644
index 676b732b85b95b..00000000000000
--- a/x-pack/plugins/alerting/common/alert_schema/component_templates/ecs_component_template.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types';
-import { mappingFromFieldMap } from '../field_maps/mapping_from_field_map';
-import { ecsFieldMap } from '../field_maps/ecs_field_map';
-
-export const ECS_COMPONENT_TEMPLATE_NAME = 'alerts-ecs-component-template';
-export const ecsComponentTemplate: ClusterPutComponentTemplateRequest = {
- name: ECS_COMPONENT_TEMPLATE_NAME,
- template: {
- settings: {
- number_of_shards: 1,
- 'index.mapping.total_fields.limit': 2000,
- },
- mappings: mappingFromFieldMap(ecsFieldMap, 'strict'),
- },
-};
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_schema.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_schema.ts
deleted file mode 100644
index dbbc3f4ddbb88b..00000000000000
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_schema.ts
+++ /dev/null
@@ -1,207 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -import { Either } from 'fp-ts/lib/Either'; -import * as rt from 'io-ts'; - -const ISO_DATE_PATTERN = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/; - -export const IsoDateString = new rt.Type( - 'IsoDateString', - rt.string.is, - (input, context): Either => { - if (typeof input === 'string' && ISO_DATE_PATTERN.test(input)) { - return rt.success(input); - } else { - return rt.failure(input, context); - } - }, - rt.identity -); - -export type IsoDateStringC = typeof IsoDateString; - -export const schemaDate = IsoDateString; -export const schemaUnknown = rt.unknown; -export const schemaString = rt.string; -export const schemaStringArray = rt.array(schemaString); -export const schemaNumber = rt.number; -export const schemaNumberArray = rt.array(schemaNumber); -export const schemaStringOrNumber = rt.union([schemaString, schemaNumber]); -export const schemaBoolean = rt.boolean; -export const schemaBooleanArray = rt.array(schemaBoolean); - -export const AlertSchema = rt.exact( - rt.partial({ - anomaly: rt.exact( - rt.partial({ - bucket_span: rt.exact( - rt.partial({ - minutes: schemaString, - }) - ), - start: schemaString, - }) - ), - kibana: rt.exact( - rt.partial({ - alert: rt.exact( - rt.partial({ - action_group: schemaString, - ancestors: rt.array( - rt.exact( - rt.partial({ - depth: schemaNumber, - id: schemaString, - index: schemaString, - rule: schemaString, - type: schemaString, - }) - ) - ), - depth: schemaNumber, - duration: rt.exact( - rt.partial({ - us: schemaStringOrNumber, - }) - ), - end: schemaDate, - evaluation_results: rt.array( - rt.exact( - rt.partial({ - thresholds: rt.array( - rt.exact( - rt.partial({ - comparator: schemaString, - type: schemaString, - value: schemaString, - 
}) - ) - ), - value: schemaNumber, - }) - ) - ), - flapping: schemaBoolean, - group: rt.exact( - rt.partial({ - id: schemaString, - index: schemaNumber, - }) - ), - id: schemaString, - new_terms: schemaStringArray, - original_event: rt.exact( - rt.partial({ - action: schemaString, - agent_id_status: schemaString, - category: schemaString, - code: schemaString, - created: schemaDate, - dataset: schemaString, - duration: schemaString, - end: schemaDate, - hash: schemaString, - id: schemaString, - ingested: schemaDate, - kind: schemaString, - module: schemaString, - original: schemaString, - outcome: schemaString, - provider: schemaString, - reason: schemaString, - reference: schemaString, - risk_score: schemaNumber, - risk_score_norm: schemaNumber, - sequence: schemaNumber, - severity: schemaNumber, - start: schemaDate, - timezone: schemaString, - type: schemaString, - url: schemaString, - }) - ), - original_time: schemaDate, - reason: schemaString, - risk_score: schemaNumber, - rule: rt.exact( - rt.partial({ - category: schemaString, - consumer: schemaString, - execution: rt.exact( - rt.partial({ - uuid: schemaString, - }) - ), - name: schemaString, - parameters: schemaUnknown, - producer: schemaString, - rule_type_id: schemaString, - tags: schemaStringArray, - uuid: schemaString, - }) - ), - severity: schemaString, - start: schemaDate, - status: schemaString, - threshold_result: rt.array( - rt.exact( - rt.partial({ - cardinality: rt.exact( - rt.partial({ - field: schemaString, - value: schemaNumber, - }) - ), - count: schemaNumber, - from: schemaDate, - terms: rt.array( - rt.exact( - rt.partial({ - field: schemaString, - value: schemaString, - }) - ) - ), - }) - ) - ), - time_range: rt.exact( - rt.partial({ - gte: schemaDate, - lte: schemaDate, - }) - ), - uuid: schemaString, - workflow_status: schemaString, - }) - ), - space_ids: schemaStringArray, - version: schemaString, - }) - ), - monitor: rt.exact( - rt.partial({ - id: schemaString, - name: schemaString, - 
type: schemaString,
- })
- ),
- processor: rt.exact(
- rt.partial({
- event: schemaString,
- })
- ),
- transaction: rt.exact(
- rt.partial({
- name: schemaString,
- type: schemaString,
- })
- ),
- })
-);
-
-export type Alert = rt.TypeOf;
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts
new file mode 100644
index 00000000000000..64fa93b79ec428
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types';
+import { mappingFromFieldMap } from './mapping_from_field_map';
+import { FieldMap } from './types';
+
+interface GetComponentTemplateFromFieldMapOpts {
+ name: string;
+ fieldLimit?: number;
+ fieldMap: FieldMap;
+}
+export const getComponentTemplateFromFieldMap = ({
+ name,
+ fieldMap,
+ fieldLimit,
+}: GetComponentTemplateFromFieldMapOpts): ClusterPutComponentTemplateRequest => {
+ return {
+ name,
+ template: {
+ settings: {
+ number_of_shards: 1,
+ 'index.mapping.total_fields.limit': fieldLimit ?? 1000,
+ },
+ mappings: mappingFromFieldMap(fieldMap, 'strict'),
+ },
+ };
+};
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.test.ts
deleted file mode 100644
index 45cbbd1e57e0b7..00000000000000
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.test.ts
+++ /dev/null
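Review bot: `getComponentTemplateFromFieldMap` has no TSDoc, and the `fieldLimit ?? 1000` default silently replaces the explicit per-template limits that the deleted `alerts_component_template.ts` (100) and `ecs_component_template.ts` (2000) carried, so a caller that omits `fieldLimit` for the ECS map would presumably run into the field-count cap when the template is applied. Suggest a doc comment above the export along the lines of `/** Builds a component template from a field map. Mappings are always dynamic: 'strict' so documents cannot add unmapped fields; fieldLimit bounds index.mapping.total_fields.limit and defaults to 1000. */`, which also records why strict mapping is deliberate. Exporting `GetComponentTemplateFromFieldMapOpts` would let callers type their option objects instead of relying on inference.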
@@ -1,174 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -import { fieldMapToIoTs } from './field_map_to_io_ts'; - -describe(`fieldMapToIoTs`, () => { - test('fail with anything other than an object', () => { - // @ts-expect-error - expect(() => fieldMapToIoTs(null)).toThrow(); - }); - // test('invalid type => errors with malformed schema', () => { - // expect(() => - // schemaToIoTs({ - // // @ts-expect-error Non-valid type - // an_invalid_field: { type: 'invalid', _meta: { description: 'Test description' } }, - // }) - // ).toThrow(/Malformed schema/); - // }); - // test('array type missing `items` => errors with malformed schema', () => { - // expect(() => - // schemaToIoTs({ - // // @ts-expect-error Non-valid array-construct - // an_invalid_field: { type: 'array' }, - // }) - // ).toThrow(/Malformed schema/); - // }); - // test('minimal schemas and empty value => pass', () => { - // const validator = schemaToIoTs({}); - // expect(validator.is({})).toBe(true); - // }); - // test('value has fields not defined in the schema => fail', () => { - // const validator = schemaToIoTs({}); - // expect(validator.is({ version: 'some-version' })).toBe(false); - // expect(validator.is({ an_array: [{ docs: { missing: 1 } }] })).toBe(false); - // }); - // test('support optional fields', () => { - // const validator = schemaToIoTs({ - // an_optional_field: { - // type: 'keyword', - // _meta: { - // description: 'An optional field', - // optional: true, - // }, - // }, - // an_optional_obj: { - // _meta: { optional: true }, - // properties: { - // other_field: { type: 'short', _meta: { description: 'Test description' } }, - // }, - // }, - // an_optional_array: { - // type: 'array', - // items: { type: 'short', _meta: { description: 'Test description' } }, - // 
_meta: { optional: true }, - // }, - // }); - // expect(validator.is({})).toBe(true); - // }); - // test('value has nested-fields not defined in the schema => fail', () => { - // const schemas: Array> = [ - // { - // an_array: { - // type: 'array', - // _meta: { description: 'Test description' }, - // items: { - // properties: {}, - // }, - // }, - // }, - // { - // an_array: { - // type: 'array', - // _meta: { description: 'Test description' }, - // items: { - // properties: { docs: { properties: {} } }, - // }, - // }, - // }, - // ]; - // schemas.forEach((schema) => { - // const validator = schemaToIoTs(schema); - // expect(validator.is({ an_array: [{ docs: { missing: 1 } }] })).toBe(false); - // }); - // }); - // test('value has nested-fields defined in the schema, but with wrong type => fail', () => { - // const validator = schemaToIoTs({ - // an_array: { - // type: 'array', - // items: { - // properties: { - // docs: { - // properties: { - // field: { type: 'short', _meta: { description: 'Test description' } }, - // }, - // }, - // }, - // }, - // }, - // }); - // expect(validator.is({ an_array: [{ docs: { field: 'abc' } }] })).toBe(false); - // }); - // test.each([ - // 'boolean', - // 'byte', - // 'double', - // 'float', - // 'integer', - // 'long', - // 'short', - // ] as AllowedSchemaTypes[])('Expected type %s, but got string', (type) => { - // const validator = schemaToIoTs({ - // a_field: { type, _meta: { description: 'Test description' } }, - // }); - // expect(validator.is({ a_field: 'abc' })).toBe(false); - // }); - // test.each(['keyword', 'text', 'date'] as AllowedSchemaTypes[])( - // 'Expected type %s, but got number', - // (type) => { - // const validator = schemaToIoTs({ - // a_field: { type, _meta: { description: 'Test description' } }, - // }); - // expect(validator.is({ a_field: 1234 })).toBe(false); - // } - // ); - // test('Support DYNAMIC_KEY', () => { - // const validator = schemaToIoTs({ - // a_field: { - // properties: { DYNAMIC_KEY: { 
type: 'short', _meta: { description: 'Test description' } } }, - // }, - // }); - // expect(validator.is({ a_field: { some_key: 1234 } })).toBe(true); - // }); - // test('Support DYNAMIC_KEY + known props', () => { - // const validator = schemaToIoTs({ - // a_field: { - // properties: { - // DYNAMIC_KEY: { type: 'short', _meta: { description: 'Test description' } }, - // known_prop: { type: 'short', _meta: { description: 'Test description' } }, - // }, - // }, - // }); - // expect(validator.is({ a_field: { some_key: 1234, known_prop: 1234 } })).toBe(true); - // }); - // test('value has nested-fields defined in the schema => succeed', () => { - // const validator = schemaToIoTs({ - // an_array: { - // type: 'array', - // items: { - // properties: { - // docs: { - // properties: { - // field: { type: 'short', _meta: { description: 'Test description' } }, - // }, - // }, - // }, - // }, - // }, - // }); - // expect(validator.is({ an_array: [{ docs: { field: 1 } }] })).toBe(true); - // }); - - // test('allow pass_through properties', () => { - // const validator = schemaToIoTs({ - // im_only_passing_through_data: { - // type: 'pass_through', - // _meta: { description: 'Test description' }, - // }, - // }); - // expect(validator.is({ im_only_passing_through_data: [{ docs: { field: 1 } }] })).toBe(true); - // }); -}); diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.ts deleted file mode 100644 index 036d30f0b1958b..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/field_map_to_io_ts.ts +++ /dev/null 
@@ -1,221 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -import { Optional } from 'utility-types'; -import { mapValues, pickBy } from 'lodash'; -import { either } from 'fp-ts/lib/Either'; -import * as t from 'io-ts'; -import { FieldMap } from './types'; - -const NumberFromString = new t.Type( - 'NumberFromString', - (u): u is number => typeof u === 'number', - (u, c) => - either.chain(t.string.validate(u, c), (s) => { - const d = Number(s); - return isNaN(d) ? t.failure(u, c) : t.success(d); - }), - (a) => a -); - -const BooleanFromString = new t.Type( - 'BooleanFromString', - (u): u is boolean => typeof u === 'boolean', - (u, c) => - either.chain(t.string.validate(u, c), (s) => { - switch (s.toLowerCase().trim()) { - case '1': - case 'true': - case 'yes': - return t.success(true); - case '0': - case 'false': - case 'no': - case null: - return t.success(false); - default: - return t.failure(u, c); - } - }), - (a) => a -); - -const esFieldTypeMap = { - keyword: t.string, - version: t.string, - text: t.string, - date: t.string, - boolean: t.union([t.number, BooleanFromString]), - byte: t.union([t.number, NumberFromString]), - long: t.union([t.number, NumberFromString]), - integer: t.union([t.number, NumberFromString]), - short: t.union([t.number, NumberFromString]), - double: t.union([t.number, NumberFromString]), - float: t.union([t.number, NumberFromString]), - scaled_float: t.union([t.number, NumberFromString]), - unsigned_long: t.union([t.number, NumberFromString]), - flattened: t.UnknownRecord, -}; - -type EsFieldTypeMap = typeof esFieldTypeMap; - -type EsFieldTypeOf = T extends keyof EsFieldTypeMap - ? 
EsFieldTypeMap[T] - : t.UnknownC; - -type CastArray> = t.Type< - t.TypeOf | Array>, - Array>, - unknown ->; -type CastSingle> = t.Type< - t.TypeOf | Array>, - t.TypeOf, - unknown ->; - -const createCastArrayRt = >(type: T): CastArray => { - const union = t.union([type, t.array(type)]); - - return new t.Type('castArray', union.is, union.validate, (a) => (Array.isArray(a) ? a : [a])); -}; - -const createCastSingleRt = >(type: T): CastSingle => { - const union = t.union([type, t.array(type)]); - - return new t.Type('castSingle', union.is, union.validate, (a) => (Array.isArray(a) ? a[0] : a)); -}; - -type SetOptional = Optional< - T, - { - [key in keyof T]: T[key]['required'] extends true ? never : key; - }[keyof T] ->; - -type OutputOfField = T['array'] extends true - ? Array>> - : t.OutputOf>; - -type TypeOfField = - | t.TypeOf> - | Array>>; - -type OutputOf = { - [key in keyof T]: OutputOfField>; -}; - -type TypeOf = { - [key in keyof T]: TypeOfField>; -}; - -export type TypeOfFieldMap = TypeOf>; -export type OutputOfFieldMap = OutputOf>; - -export type FieldMapType = t.Type, OutputOfFieldMap>; - -function valueToIoTs(value: FieldMap): t.Mixed { - const valueType: string = value.type; - switch (valueType) { - case 'boolean': - return t.boolean; - case 'keyword': - case 'text': - case 'date': - return t.string; - case 'byte': - case 'double': - case 'float': - case 'integer': - case 'long': - case 'short': - return t.number; - case 'array': - if ('items' in value) { - return t.array(schemaValueToIoTs((value as SchemaArray).items)); - } - throw new Error(`Schema type must include the "items" declaration.`); - default: - throw new Error(`Unsupported schema type ${valueType}.`); - } - - if ('properties' in value) { - const { DYNAMIC_KEY, ...properties } = value.properties as SchemaObject['properties'] & { - DYNAMIC_KEY?: SchemaValue; - }; - const schemas: t.Mixed[] = [schemaObjectToIoTs>({ properties })]; - if (DYNAMIC_KEY) { - schemas.push(t.record(t.string, 
schemaValueToIoTs(DYNAMIC_KEY))); - } - return isOneOfCandidate(schemas) ? t.union(schemas) : schemas[0]; - } else { - const valueType = value.type; // Copied in here because of TS reasons, it's not available in the `default` case - switch (valueType) { - case 'boolean': - return t.boolean; - case 'keyword': - case 'text': - case 'date': - return t.string; - case 'byte': - case 'double': - case 'float': - case 'integer': - case 'long': - case 'short': - return t.number; - case 'array': - if ('items' in value) { - return t.array(schemaValueToIoTs((value as SchemaArray).items)); - } - throw new Error(`Schema type must include the "items" declaration.`); - default: - throw new Error(`Unsupported schema type ${valueType}.`); - } - } -} - -function entriesToObjectIoTs(entries: FieldMap): Record { - const fields = Object.keys(entries).map((key: string) => { - const value = entries[key]; - try { - return [key, valueToIoTs(value)]; - } catch (err) { - err.failedKey = [key, ...(err.failedKey || [])]; - throw err; - } - }); -} - -export function fieldMapToIoTs(fieldMap: FieldMap): t.Type> { - try { - const requiredFields: FieldMap = pickBy(fieldMap, (field) => field.required === true); - const optionalFields: FieldMap = pickBy(fieldMap, (field) => field.required === false); - - return t.intersection([ - t.interface(entriesToObjectIoTs(requiredFields)), - t.partial(entriesToObjectIoTs(optionalFields)), - ]) as unknown as FieldMapType; - } catch (err) { - throw error; - } - function mapToType(fields: FieldMap) { - return mapValues(fields, (field) => { - const type = - field.type in esFieldTypeMap - ? esFieldTypeMap[field.type as keyof EsFieldTypeMap] - : t.unknown; - - return field.array ? createCastArrayRt(type) : createCastSingleRt(type); - }); - } - - const required = pickBy(fieldMap, (field) => field.required); - return t.intersection([ - t.exact(t.partial(mapToType(fieldMap))), - t.type(mapToType(required)), - ]) as unknown as FieldMapType; -} 
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/alert_schema.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/alert_schema.ts
new file mode 100644
index 00000000000000..0e0d7d3e0ad9b6
--- /dev/null
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/alert_schema.ts
@@ -0,0 +1,202 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +// ---------------------------------- WARNING ---------------------------------- +// this file was generated, and should not be edited by hand +// ---------------------------------- WARNING ---------------------------------- + +import { Either } from 'fp-ts/lib/Either'; +import * as rt from 'io-ts'; + +const ISO_DATE_PATTERN = /^d{4}-d{2}-d{2}Td{2}:d{2}:d{2}.d{3}Z$/; + +export const IsoDateString = new rt.Type( + 'IsoDateString', + rt.string.is, + (input, context): Either => { + if (typeof input === 'string' && ISO_DATE_PATTERN.test(input)) { + return rt.success(input); + } else { + return rt.failure(input, context); + } + }, + rt.identity +); + +export type IsoDateStringC = typeof IsoDateString; + +export const schemaDate = IsoDateString; +export const schemaDateArray = rt.array(IsoDateString); +export const schemaDateRange = rt.partial({ + gte: schemaDate, + lte: schemaDate, +}); +export const schemaDateRangeArray = rt.array(schemaDateRange); +export const schemaUnknown = rt.unknown; +export const schemaUnknownArray = rt.array(rt.unknown); +export const schemaString = rt.string; +export const schemaStringArray = rt.array(schemaString); +export const schemaNumber = rt.number; +export const schemaNumberArray = rt.array(schemaNumber); +export const schemaStringOrNumber = rt.union([schemaString, schemaNumber]); +export const schemaStringOrNumberArray = rt.array(schemaStringOrNumber); +export const schemaBoolean = rt.boolean; +export const schemaBooleanArray = rt.array(schemaBoolean); +const schemaGeoPointCoords = rt.type({ + type: schemaString, + coordinates: schemaNumberArray, +}); +const schemaGeoPointString = schemaString; +const schemaGeoPointLatLon = rt.type({ + lat: schemaNumber, + lon: 
schemaNumber, +}); +const schemaGeoPointLocation = rt.type({ + location: schemaNumberArray, +}); +const schemaGeoPointLocationString = rt.type({ + location: schemaString, +}); +export const schemaGeoPoint = rt.union([ + schemaGeoPointCoords, + schemaGeoPointString, + schemaGeoPointLatLon, + schemaGeoPointLocation, + schemaGeoPointLocationString, +]); +export const schemaGeoPointArray = rt.array(schemaGeoPoint); + +const AlertRequiredSchema = rt.type({ + kibana: rt.type({ + alert: rt.type({ + id: schemaString, + rule: rt.type({ + category: schemaString, + consumer: schemaString, + name: schemaString, + producer: schemaString, + rule_type_id: schemaString, + uuid: schemaString, + }), + status: schemaString, + uuid: schemaString, + }), + space_ids: schemaStringArray, + }), +}); +const AlertOptionalSchema = rt.partial({ + anomaly: rt.partial({ + bucket_span: rt.partial({ + minutes: schemaString, + }), + start: schemaString, + }), + kibana: rt.partial({ + alert: rt.partial({ + action_group: schemaString, + ancestors: rt.array( + rt.partial({ + depth: schemaStringOrNumber, + id: schemaString, + index: schemaString, + rule: schemaString, + type: schemaString, + }) + ), + depth: schemaStringOrNumber, + duration: rt.partial({ + us: schemaStringOrNumber, + }), + end: schemaDate, + evaluation_results: rt.array( + rt.partial({ + thresholds: rt.partial({ + comparator: schemaString, + type: schemaString, + value: schemaStringArray, + }), + value: schemaNumber, + }) + ), + flapping: schemaBoolean, + group: rt.partial({ + id: schemaString, + index: schemaNumber, + }), + new_terms: schemaStringArray, + original_event: rt.partial({ + action: schemaString, + agent_id_status: schemaString, + category: schemaStringArray, + code: schemaString, + created: schemaDate, + dataset: schemaString, + duration: schemaString, + end: schemaDate, + hash: schemaString, + id: schemaString, + ingested: schemaDate, + kind: schemaString, + module: schemaString, + original: schemaString, + outcome: 
schemaString, + provider: schemaString, + reason: schemaString, + reference: schemaString, + risk_score: schemaNumber, + risk_score_norm: schemaNumber, + sequence: schemaStringOrNumber, + severity: schemaStringOrNumber, + start: schemaDate, + timezone: schemaString, + type: schemaStringArray, + url: schemaString, + }), + original_time: schemaDate, + reason: schemaString, + risk_score: schemaNumber, + rule: rt.partial({ + execution: rt.partial({ + uuid: schemaString, + }), + parameters: schemaUnknown, + tags: schemaStringArray, + }), + severity: schemaString, + start: schemaDate, + threshold_result: rt.partial({ + count: schemaStringOrNumber, + from: schemaDate, + terms: rt.array( + rt.partial({ + field: schemaString, + value: schemaString, + }) + ), + }), + time_range: schemaDateRange, + workflow_status: schemaString, + }), + version: schemaString, + }), + monitor: rt.partial({ + id: schemaString, + name: schemaString, + type: schemaString, + }), + processor: rt.partial({ + event: schemaString, + }), + transaction: rt.partial({ + name: schemaString, + type: schemaString, + }), +}); + +export const AlertSchema = rt.intersection([AlertRequiredSchema, AlertOptionalSchema]); + +export type Alert = rt.TypeOf; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/ecs_schema.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/ecs_schema.ts new file mode 100644 index 00000000000000..fe2aa0e382a144 --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/ecs_schema.ts 
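Review bot: The `ISO_DATE_PATTERN` line in this generated file lost its escapes — `/^d{4}-d{2}-d{2}Td{2}:d{2}:d{2}.d{3}Z$/` matches the literal letter `d` and an arbitrary character where the hand-written `alert_schema.ts` deleted above had `\d` and `\.`, so `IsoDateString` now rejects every real timestamp while accepting strings such as `dddd-dd-ddTdd:dd:dd?dddZ`. Because the file is generated, the fix belongs in the generator's template text (presumably `create_schema_from_mapping.ts`, not in this chunk), where the emitted line should read `const ISO_DATE_PATTERN = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;` — the same defect is visible in the `ecs_schema.ts` hunk that follows. Separately, `AlertRequiredSchema` and `AlertOptionalSchema` use `rt.type`/`rt.partial` where the deleted schema wrapped everything in `rt.exact`, so unknown keys in decoded alert documents are no longer stripped; if that is intended, a one-line comment in the generator saying so would save the next reader the comparison.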
@@ -0,0 +1,1835 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +// ---------------------------------- WARNING ---------------------------------- +// this file was generated, and should not be edited by hand +// ---------------------------------- WARNING ---------------------------------- + +import { Either } from 'fp-ts/lib/Either'; +import * as rt from 'io-ts'; + +const ISO_DATE_PATTERN = /^d{4}-d{2}-d{2}Td{2}:d{2}:d{2}.d{3}Z$/; + +export const IsoDateString = new rt.Type( + 'IsoDateString', + rt.string.is, + (input, context): Either => { + if (typeof input === 'string' && ISO_DATE_PATTERN.test(input)) { + return rt.success(input); + } else { + return rt.failure(input, context); + } + }, + rt.identity +); + +export type IsoDateStringC = typeof IsoDateString; + +export const schemaDate = IsoDateString; +export const schemaDateArray = rt.array(IsoDateString); +export const schemaDateRange = rt.partial({ + gte: schemaDate, + lte: schemaDate, +}); +export const schemaDateRangeArray = rt.array(schemaDateRange); +export const schemaUnknown = rt.unknown; +export const schemaUnknownArray = rt.array(rt.unknown); +export const schemaString = rt.string; +export const schemaStringArray = rt.array(schemaString); +export const schemaNumber = rt.number; +export const schemaNumberArray = rt.array(schemaNumber); +export const schemaStringOrNumber = rt.union([schemaString, schemaNumber]); +export const schemaStringOrNumberArray = rt.array(schemaStringOrNumber); +export const schemaBoolean = rt.boolean; +export const schemaBooleanArray = rt.array(schemaBoolean); +const schemaGeoPointCoords = rt.type({ + type: schemaString, + coordinates: schemaNumberArray, +}); +const schemaGeoPointString = schemaString; +const schemaGeoPointLatLon = rt.type({ + lat: schemaNumber, + 
lon: schemaNumber, +}); +const schemaGeoPointLocation = rt.type({ + location: schemaNumberArray, +}); +const schemaGeoPointLocationString = rt.type({ + location: schemaString, +}); +export const schemaGeoPoint = rt.union([ + schemaGeoPointCoords, + schemaGeoPointString, + schemaGeoPointLatLon, + schemaGeoPointLocation, + schemaGeoPointLocationString, +]); +export const schemaGeoPointArray = rt.array(schemaGeoPoint); + +const EcsRequiredSchema = rt.type({ + '@timestamp': schemaDate, + ecs: rt.type({ + version: schemaString, + }), +}); +const EcsOptionalSchema = rt.partial({ + agent: rt.partial({ + build: rt.partial({ + original: schemaString, + }), + ephemeral_id: schemaString, + id: schemaString, + name: schemaString, + type: schemaString, + version: schemaString, + }), + client: rt.partial({ + address: schemaString, + as: rt.partial({ + number: schemaStringOrNumber, + organization: rt.partial({ + name: schemaString, + }), + }), + bytes: schemaStringOrNumber, + domain: schemaString, + geo: rt.partial({ + city_name: schemaString, + continent_code: schemaString, + continent_name: schemaString, + country_iso_code: schemaString, + country_name: schemaString, + location: schemaGeoPoint, + name: schemaString, + postal_code: schemaString, + region_iso_code: schemaString, + region_name: schemaString, + timezone: schemaString, + }), + ip: schemaString, + mac: schemaString, + nat: rt.partial({ + ip: schemaString, + port: schemaStringOrNumber, + }), + packets: schemaStringOrNumber, + port: schemaStringOrNumber, + registered_domain: schemaString, + subdomain: schemaString, + top_level_domain: schemaString, + user: rt.partial({ + domain: schemaString, + email: schemaString, + full_name: schemaString, + group: rt.partial({ + domain: schemaString, + id: schemaString, + name: schemaString, + }), + hash: schemaString, + id: schemaString, + name: schemaString, + roles: schemaStringArray, + }), + }), + cloud: rt.partial({ + account: rt.partial({ + id: schemaString, + name: 
schemaString, + }), + availability_zone: schemaString, + instance: rt.partial({ + id: schemaString, + name: schemaString, + }), + machine: rt.partial({ + type: schemaString, + }), + origin: rt.partial({ + account: rt.partial({ + id: schemaString, + name: schemaString, + }), + availability_zone: schemaString, + instance: rt.partial({ + id: schemaString, + name: schemaString, + }), + machine: rt.partial({ + type: schemaString, + }), + project: rt.partial({ + id: schemaString, + name: schemaString, + }), + provider: schemaString, + region: schemaString, + service: rt.partial({ + name: schemaString, + }), + }), + project: rt.partial({ + id: schemaString, + name: schemaString, + }), + provider: schemaString, + region: schemaString, + service: rt.partial({ + name: schemaString, + }), + target: rt.partial({ + account: rt.partial({ + id: schemaString, + name: schemaString, + }), + availability_zone: schemaString, + instance: rt.partial({ + id: schemaString, + name: schemaString, + }), + machine: rt.partial({ + type: schemaString, + }), + project: rt.partial({ + id: schemaString, + name: schemaString, + }), + provider: schemaString, + region: schemaString, + service: rt.partial({ + name: schemaString, + }), + }), + }), + container: rt.partial({ + cpu: rt.partial({ + usage: schemaStringOrNumber, + }), + disk: rt.partial({ + read: rt.partial({ + bytes: schemaStringOrNumber, + }), + write: rt.partial({ + bytes: schemaStringOrNumber, + }), + }), + id: schemaString, + image: rt.partial({ + hash: rt.partial({ + all: schemaStringArray, + }), + name: schemaString, + tag: schemaStringArray, + }), + memory: rt.partial({ + usage: schemaStringOrNumber, + }), + name: schemaString, + network: rt.partial({ + egress: rt.partial({ + bytes: schemaStringOrNumber, + }), + ingress: rt.partial({ + bytes: schemaStringOrNumber, + }), + }), + runtime: schemaString, + }), + data_stream: rt.partial({ + dataset: schemaString, + namespace: schemaString, + type: schemaString, + }), + destination: 
rt.partial({ + address: schemaString, + as: rt.partial({ + number: schemaStringOrNumber, + organization: rt.partial({ + name: schemaString, + }), + }), + bytes: schemaStringOrNumber, + domain: schemaString, + geo: rt.partial({ + city_name: schemaString, + continent_code: schemaString, + continent_name: schemaString, + country_iso_code: schemaString, + country_name: schemaString, + location: schemaGeoPoint, + name: schemaString, + postal_code: schemaString, + region_iso_code: schemaString, + region_name: schemaString, + timezone: schemaString, + }), + ip: schemaString, + mac: schemaString, + nat: rt.partial({ + ip: schemaString, + port: schemaStringOrNumber, + }), + packets: schemaStringOrNumber, + port: schemaStringOrNumber, + registered_domain: schemaString, + subdomain: schemaString, + top_level_domain: schemaString, + user: rt.partial({ + domain: schemaString, + email: schemaString, + full_name: schemaString, + group: rt.partial({ + domain: schemaString, + id: schemaString, + name: schemaString, + }), + hash: schemaString, + id: schemaString, + name: schemaString, + roles: schemaStringArray, + }), + }), + dll: rt.partial({ + code_signature: rt.partial({ + digest_algorithm: schemaString, + exists: schemaBoolean, + signing_id: schemaString, + status: schemaString, + subject_name: schemaString, + team_id: schemaString, + timestamp: schemaDate, + trusted: schemaBoolean, + valid: schemaBoolean, + }), + hash: rt.partial({ + md5: schemaString, + sha1: schemaString, + sha256: schemaString, + sha384: schemaString, + sha512: schemaString, + ssdeep: schemaString, + tlsh: schemaString, + }), + name: schemaString, + path: schemaString, + pe: rt.partial({ + architecture: schemaString, + company: schemaString, + description: schemaString, + file_version: schemaString, + imphash: schemaString, + original_file_name: schemaString, + pehash: schemaString, + product: schemaString, + }), + }), + dns: rt.partial({ + answers: rt.array( + rt.partial({ + class: schemaString, + data: 
schemaString, + name: schemaString, + ttl: schemaStringOrNumber, + type: schemaString, + }) + ), + header_flags: schemaStringArray, + id: schemaString, + op_code: schemaString, + question: rt.partial({ + class: schemaString, + name: schemaString, + registered_domain: schemaString, + subdomain: schemaString, + top_level_domain: schemaString, + type: schemaString, + }), + resolved_ip: schemaStringArray, + response_code: schemaString, + type: schemaString, + }), + email: rt.partial({ + attachments: rt.array( + rt.partial({ + file: rt.partial({ + extension: schemaString, + hash: rt.partial({ + md5: schemaString, + sha1: schemaString, + sha256: schemaString, + sha384: schemaString, + sha512: schemaString, + ssdeep: schemaString, + tlsh: schemaString, + }), + mime_type: schemaString, + name: schemaString, + size: schemaStringOrNumber, + }), + }) + ), + bcc: rt.partial({ + address: schemaStringArray, + }), + cc: rt.partial({ + address: schemaStringArray, + }), + content_type: schemaString, + delivery_timestamp: schemaDate, + direction: schemaString, + from: rt.partial({ + address: schemaStringArray, + }), + local_id: schemaString, + message_id: schemaString, + origination_timestamp: schemaDate, + reply_to: rt.partial({ + address: schemaStringArray, + }), + sender: rt.partial({ + address: schemaString, + }), + subject: schemaString, + to: rt.partial({ + address: schemaStringArray, + }), + x_mailer: schemaString, + }), + error: rt.partial({ + code: schemaString, + id: schemaString, + message: schemaString, + stack_trace: schemaString, + type: schemaString, + }), + event: rt.partial({ + action: schemaString, + agent_id_status: schemaString, + category: schemaStringArray, + code: schemaString, + created: schemaDate, + dataset: schemaString, + duration: schemaStringOrNumber, + end: schemaDate, + hash: schemaString, + id: schemaString, + ingested: schemaDate, + kind: schemaString, + module: schemaString, + original: schemaString, + outcome: schemaString, + provider: 
schemaString, + reason: schemaString, + reference: schemaString, + risk_score: schemaNumber, + risk_score_norm: schemaNumber, + sequence: schemaStringOrNumber, + severity: schemaStringOrNumber, + start: schemaDate, + timezone: schemaString, + type: schemaStringArray, + url: schemaString, + }), + faas: rt.partial({ + coldstart: schemaBoolean, + execution: schemaString, + id: schemaString, + name: schemaString, + version: schemaString, + }), + file: rt.partial({ + accessed: schemaDate, + attributes: schemaStringArray, + code_signature: rt.partial({ + digest_algorithm: schemaString, + exists: schemaBoolean, + signing_id: schemaString, + status: schemaString, + subject_name: schemaString, + team_id: schemaString, + timestamp: schemaDate, + trusted: schemaBoolean, + valid: schemaBoolean, + }), + created: schemaDate, + ctime: schemaDate, + device: schemaString, + directory: schemaString, + drive_letter: schemaString, + elf: rt.partial({ + architecture: schemaString, + byte_order: schemaString, + cpu_type: schemaString, + creation_date: schemaDate, + exports: schemaUnknownArray, + header: rt.partial({ + abi_version: schemaString, + class: schemaString, + data: schemaString, + entrypoint: schemaStringOrNumber, + object_version: schemaString, + os_abi: schemaString, + type: schemaString, + version: schemaString, + }), + imports: schemaUnknownArray, + sections: rt.array( + rt.partial({ + chi2: schemaStringOrNumber, + entropy: schemaStringOrNumber, + flags: schemaString, + name: schemaString, + physical_offset: schemaString, + physical_size: schemaStringOrNumber, + type: schemaString, + virtual_address: schemaStringOrNumber, + virtual_size: schemaStringOrNumber, + }) + ), + segments: rt.array( + rt.partial({ + sections: schemaString, + type: schemaString, + }) + ), + shared_libraries: schemaStringArray, + telfhash: schemaString, + }), + extension: schemaString, + fork_name: schemaString, + gid: schemaString, + group: schemaString, + hash: rt.partial({ + md5: schemaString, + 
sha1: schemaString, + sha256: schemaString, + sha384: schemaString, + sha512: schemaString, + ssdeep: schemaString, + tlsh: schemaString, + }), + inode: schemaString, + mime_type: schemaString, + mode: schemaString, + mtime: schemaDate, + name: schemaString, + owner: schemaString, + path: schemaString, + pe: rt.partial({ + architecture: schemaString, + company: schemaString, + description: schemaString, + file_version: schemaString, + imphash: schemaString, + original_file_name: schemaString, + pehash: schemaString, + product: schemaString, + }), + size: schemaStringOrNumber, + target_path: schemaString, + type: schemaString, + uid: schemaString, + x509: rt.partial({ + alternative_names: schemaStringArray, + issuer: rt.partial({ + common_name: schemaStringArray, + country: schemaStringArray, + distinguished_name: schemaString, + locality: schemaStringArray, + organization: schemaStringArray, + organizational_unit: schemaStringArray, + state_or_province: schemaStringArray, + }), + not_after: schemaDate, + not_before: schemaDate, + public_key_algorithm: schemaString, + public_key_curve: schemaString, + public_key_exponent: schemaStringOrNumber, + public_key_size: schemaStringOrNumber, + serial_number: schemaString, + signature_algorithm: schemaString, + subject: rt.partial({ + common_name: schemaStringArray, + country: schemaStringArray, + distinguished_name: schemaString, + locality: schemaStringArray, + organization: schemaStringArray, + organizational_unit: schemaStringArray, + state_or_province: schemaStringArray, + }), + version_number: schemaString, + }), + }), + group: rt.partial({ + domain: schemaString, + id: schemaString, + name: schemaString, + }), + host: rt.partial({ + architecture: schemaString, + boot: rt.partial({ + id: schemaString, + }), + cpu: rt.partial({ + usage: schemaStringOrNumber, + }), + disk: rt.partial({ + read: rt.partial({ + bytes: schemaStringOrNumber, + }), + write: rt.partial({ + bytes: schemaStringOrNumber, + }), + }), + domain: 
schemaString, + geo: rt.partial({ + city_name: schemaString, + continent_code: schemaString, + continent_name: schemaString, + country_iso_code: schemaString, + country_name: schemaString, + location: schemaGeoPoint, + name: schemaString, + postal_code: schemaString, + region_iso_code: schemaString, + region_name: schemaString, + timezone: schemaString, + }), + hostname: schemaString, + id: schemaString, + ip: schemaStringArray, + mac: schemaStringArray, + name: schemaString, + network: rt.partial({ + egress: rt.partial({ + bytes: schemaStringOrNumber, + packets: schemaStringOrNumber, + }), + ingress: rt.partial({ + bytes: schemaStringOrNumber, + packets: schemaStringOrNumber, + }), + }), + os: rt.partial({ + family: schemaString, + full: schemaString, + kernel: schemaString, + name: schemaString, + platform: schemaString, + type: schemaString, + version: schemaString, + }), + pid_ns_ino: schemaString, + risk: rt.partial({ + calculated_level: schemaString, + calculated_score: schemaNumber, + calculated_score_norm: schemaNumber, + static_level: schemaString, + static_score: schemaNumber, + static_score_norm: schemaNumber, + }), + type: schemaString, + uptime: schemaStringOrNumber, + }), + http: rt.partial({ + request: rt.partial({ + body: rt.partial({ + bytes: schemaStringOrNumber, + content: schemaString, + }), + bytes: schemaStringOrNumber, + id: schemaString, + method: schemaString, + mime_type: schemaString, + referrer: schemaString, + }), + response: rt.partial({ + body: rt.partial({ + bytes: schemaStringOrNumber, + content: schemaString, + }), + bytes: schemaStringOrNumber, + mime_type: schemaString, + status_code: schemaStringOrNumber, + }), + version: schemaString, + }), + log: rt.partial({ + file: rt.partial({ + path: schemaString, + }), + level: schemaString, + logger: schemaString, + origin: rt.partial({ + file: rt.partial({ + line: schemaStringOrNumber, + name: schemaString, + }), + function: schemaString, + }), + }), + message: schemaString, + network: 
rt.partial({ + application: schemaString, + bytes: schemaStringOrNumber, + community_id: schemaString, + direction: schemaString, + forwarded_ip: schemaString, + iana_number: schemaString, + name: schemaString, + packets: schemaStringOrNumber, + protocol: schemaString, + transport: schemaString, + type: schemaString, + vlan: rt.partial({ + id: schemaString, + name: schemaString, + }), + }), + observer: rt.partial({ + geo: rt.partial({ + city_name: schemaString, + continent_code: schemaString, + continent_name: schemaString, + country_iso_code: schemaString, + country_name: schemaString, + location: schemaGeoPoint, + name: schemaString, + postal_code: schemaString, + region_iso_code: schemaString, + region_name: schemaString, + timezone: schemaString, + }), + hostname: schemaString, + ip: schemaStringArray, + mac: schemaStringArray, + name: schemaString, + os: rt.partial({ + family: schemaString, + full: schemaString, + kernel: schemaString, + name: schemaString, + platform: schemaString, + type: schemaString, + version: schemaString, + }), + product: schemaString, + serial_number: schemaString, + type: schemaString, + vendor: schemaString, + version: schemaString, + }), + orchestrator: rt.partial({ + api_version: schemaString, + cluster: rt.partial({ + id: schemaString, + name: schemaString, + url: schemaString, + version: schemaString, + }), + namespace: schemaString, + organization: schemaString, + resource: rt.partial({ + id: schemaString, + ip: schemaStringArray, + name: schemaString, + parent: rt.partial({ + type: schemaString, + }), + type: schemaString, + }), + type: schemaString, + }), + organization: rt.partial({ + id: schemaString, + name: schemaString, + }), + package: rt.partial({ + architecture: schemaString, + build_version: schemaString, + checksum: schemaString, + description: schemaString, + install_scope: schemaString, + installed: schemaDate, + license: schemaString, + name: schemaString, + path: schemaString, + reference: schemaString, + size: 
schemaStringOrNumber, + type: schemaString, + version: schemaString, + }), + process: rt.partial({ + args: schemaStringArray, + args_count: schemaStringOrNumber, + code_signature: rt.partial({ + digest_algorithm: schemaString, + exists: schemaBoolean, + signing_id: schemaString, + status: schemaString, + subject_name: schemaString, + team_id: schemaString, + timestamp: schemaDate, + trusted: schemaBoolean, + valid: schemaBoolean, + }), + command_line: schemaString, + elf: rt.partial({ + architecture: schemaString, + byte_order: schemaString, + cpu_type: schemaString, + creation_date: schemaDate, + exports: schemaUnknownArray, + header: rt.partial({ + abi_version: schemaString, + class: schemaString, + data: schemaString, + entrypoint: schemaStringOrNumber, + object_version: schemaString, + os_abi: schemaString, + type: schemaString, + version: schemaString, + }), + imports: schemaUnknownArray, + sections: rt.array( + rt.partial({ + chi2: schemaStringOrNumber, + entropy: schemaStringOrNumber, + flags: schemaString, + name: schemaString, + physical_offset: schemaString, + physical_size: schemaStringOrNumber, + type: schemaString, + virtual_address: schemaStringOrNumber, + virtual_size: schemaStringOrNumber, + }) + ), + segments: rt.array( + rt.partial({ + sections: schemaString, + type: schemaString, + }) + ), + shared_libraries: schemaStringArray, + telfhash: schemaString, + }), + end: schemaDate, + entity_id: schemaString, + entry_leader: rt.partial({ + args: schemaStringArray, + args_count: schemaStringOrNumber, + attested_groups: rt.partial({ + name: schemaString, + }), + attested_user: rt.partial({ + id: schemaString, + name: schemaString, + }), + command_line: schemaString, + entity_id: schemaString, + entry_meta: rt.partial({ + source: rt.partial({ + ip: schemaString, + }), + type: schemaString, + }), + executable: schemaString, + group: rt.partial({ + id: schemaString, + name: schemaString, + }), + interactive: schemaBoolean, + name: schemaString, + parent: 
rt.partial({ + entity_id: schemaString, + pid: schemaStringOrNumber, + session_leader: rt.partial({ + entity_id: schemaString, + pid: schemaStringOrNumber, + start: schemaDate, + }), + start: schemaDate, + }), + pid: schemaStringOrNumber, + real_group: rt.partial({ + id: schemaString, + name: schemaString, + }), + real_user: rt.partial({ + id: schemaString, + name: schemaString, + }), + same_as_process: schemaBoolean, + saved_group: rt.partial({ + id: schemaString, + name: schemaString, + }), + saved_user: rt.partial({ + id: schemaString, + name: schemaString, + }), + start: schemaDate, + supplemental_groups: rt.partial({ + id: schemaString, + name: schemaString, + }), + user: rt.partial({ + id: schemaString, + name: schemaString, + }), + working_directory: schemaString, + }), + env_vars: schemaStringArray, + executable: schemaString, + exit_code: schemaStringOrNumber, + group_leader: rt.partial({ + args: schemaStringArray, + args_count: schemaStringOrNumber, + command_line: schemaString, + entity_id: schemaString, + executable: schemaString, + group: rt.partial({ + id: schemaString, + name: schemaString, + }), + interactive: schemaBoolean, + name: schemaString, + pid: schemaStringOrNumber, + real_group: rt.partial({ + id: schemaString, + name: schemaString, + }), + real_user: rt.partial({ + id: schemaString, + name: schemaString, + }), + same_as_process: schemaBoolean, + saved_group: rt.partial({ + id: schemaString, + name: schemaString, + }), + saved_user: rt.partial({ + id: schemaString, + name: schemaString, + }), + start: schemaDate, + supplemental_groups: rt.partial({ + id: schemaString, + name: schemaString, + }), + user: rt.partial({ + id: schemaString, + name: schemaString, + }), + working_directory: schemaString, + }), + hash: rt.partial({ + md5: schemaString, + sha1: schemaString, + sha256: schemaString, + sha384: schemaString, + sha512: schemaString, + ssdeep: schemaString, + tlsh: schemaString, + }), + interactive: schemaBoolean, + name: schemaString, 
+ parent: rt.partial({ + args: schemaStringArray, + args_count: schemaStringOrNumber, + code_signature: rt.partial({ + digest_algorithm: schemaString, + exists: schemaBoolean, + signing_id: schemaString, + status: schemaString, + subject_name: schemaString, + team_id: schemaString, + timestamp: schemaDate, + trusted: schemaBoolean, + valid: schemaBoolean, + }), + command_line: schemaString, + elf: rt.partial({ + architecture: schemaString, + byte_order: schemaString, + cpu_type: schemaString, + creation_date: schemaDate, + exports: schemaUnknownArray, + header: rt.partial({ + abi_version: schemaString, + class: schemaString, + data: schemaString, + entrypoint: schemaStringOrNumber, + object_version: schemaString, + os_abi: schemaString, + type: schemaString, + version: schemaString, + }), + imports: schemaUnknownArray, + sections: rt.array( + rt.partial({ + chi2: schemaStringOrNumber, + entropy: schemaStringOrNumber, + flags: schemaString, + name: schemaString, + physical_offset: schemaString, + physical_size: schemaStringOrNumber, + type: schemaString, + virtual_address: schemaStringOrNumber, + virtual_size: schemaStringOrNumber, + }) + ), + segments: rt.array( + rt.partial({ + sections: schemaString, + type: schemaString, + }) + ), + shared_libraries: schemaStringArray, + telfhash: schemaString, + }), + end: schemaDate, + entity_id: schemaString, + executable: schemaString, + exit_code: schemaStringOrNumber, + group: rt.partial({ + id: schemaString, + name: schemaString, + }), + group_leader: rt.partial({ + entity_id: schemaString, + pid: schemaStringOrNumber, + start: schemaDate, + }), + hash: rt.partial({ + md5: schemaString, + sha1: schemaString, + sha256: schemaString, + sha384: schemaString, + sha512: schemaString, + ssdeep: schemaString, + tlsh: schemaString, + }), + interactive: schemaBoolean, + name: schemaString, + pe: rt.partial({ + architecture: schemaString, + company: schemaString, + description: schemaString, + file_version: schemaString, + imphash: 
schemaString, + original_file_name: schemaString, + pehash: schemaString, + product: schemaString, + }), + pgid: schemaStringOrNumber, + pid: schemaStringOrNumber, + real_group: rt.partial({ + id: schemaString, + name: schemaString, + }), + real_user: rt.partial({ + id: schemaString, + name: schemaString, + }), + saved_group: rt.partial({ + id: schemaString, + name: schemaString, + }), + saved_user: rt.partial({ + id: schemaString, + name: schemaString, + }), + start: schemaDate, + supplemental_groups: rt.partial({ + id: schemaString, + name: schemaString, + }), + thread: rt.partial({ + id: schemaStringOrNumber, + name: schemaString, + }), + title: schemaString, + uptime: schemaStringOrNumber, + user: rt.partial({ + id: schemaString, + name: schemaString, + }), + working_directory: schemaString, + }), + pe: rt.partial({ + architecture: schemaString, + company: schemaString, + description: schemaString, + file_version: schemaString, + imphash: schemaString, + original_file_name: schemaString, + pehash: schemaString, + product: schemaString, + }), + pgid: schemaStringOrNumber, + pid: schemaStringOrNumber, + previous: rt.partial({ + args: schemaStringArray, + args_count: schemaStringOrNumber, + executable: schemaString, + }), + real_group: rt.partial({ + id: schemaString, + name: schemaString, + }), + real_user: rt.partial({ + id: schemaString, + name: schemaString, + }), + saved_group: rt.partial({ + id: schemaString, + name: schemaString, + }), + saved_user: rt.partial({ + id: schemaString, + name: schemaString, + }), + session_leader: rt.partial({ + args: schemaStringArray, + args_count: schemaStringOrNumber, + command_line: schemaString, + entity_id: schemaString, + executable: schemaString, + group: rt.partial({ + id: schemaString, + name: schemaString, + }), + interactive: schemaBoolean, + name: schemaString, + parent: rt.partial({ + entity_id: schemaString, + pid: schemaStringOrNumber, + session_leader: rt.partial({ + entity_id: schemaString, + pid: 
schemaStringOrNumber, + start: schemaDate, + }), + start: schemaDate, + }), + pid: schemaStringOrNumber, + real_group: rt.partial({ + id: schemaString, + name: schemaString, + }), + real_user: rt.partial({ + id: schemaString, + name: schemaString, + }), + same_as_process: schemaBoolean, + saved_group: rt.partial({ + id: schemaString, + name: schemaString, + }), + saved_user: rt.partial({ + id: schemaString, + name: schemaString, + }), + start: schemaDate, + supplemental_groups: rt.partial({ + id: schemaString, + name: schemaString, + }), + user: rt.partial({ + id: schemaString, + name: schemaString, + }), + working_directory: schemaString, + }), + start: schemaDate, + supplemental_groups: rt.partial({ + id: schemaString, + name: schemaString, + }), + thread: rt.partial({ + id: schemaStringOrNumber, + name: schemaString, + }), + title: schemaString, + uptime: schemaStringOrNumber, + user: rt.partial({ + id: schemaString, + name: schemaString, + }), + working_directory: schemaString, + }), + registry: rt.partial({ + data: rt.partial({ + bytes: schemaString, + strings: schemaStringArray, + type: schemaString, + }), + hive: schemaString, + key: schemaString, + path: schemaString, + value: schemaString, + }), + related: rt.partial({ + hash: schemaStringArray, + hosts: schemaStringArray, + ip: schemaStringArray, + user: schemaStringArray, + }), + rule: rt.partial({ + author: schemaStringArray, + category: schemaString, + description: schemaString, + id: schemaString, + license: schemaString, + name: schemaString, + reference: schemaString, + ruleset: schemaString, + uuid: schemaString, + version: schemaString, + }), + server: rt.partial({ + address: schemaString, + as: rt.partial({ + number: schemaStringOrNumber, + organization: rt.partial({ + name: schemaString, + }), + }), + bytes: schemaStringOrNumber, + domain: schemaString, + geo: rt.partial({ + city_name: schemaString, + continent_code: schemaString, + continent_name: schemaString, + country_iso_code: schemaString, 
+ country_name: schemaString, + location: schemaGeoPoint, + name: schemaString, + postal_code: schemaString, + region_iso_code: schemaString, + region_name: schemaString, + timezone: schemaString, + }), + ip: schemaString, + mac: schemaString, + nat: rt.partial({ + ip: schemaString, + port: schemaStringOrNumber, + }), + packets: schemaStringOrNumber, + port: schemaStringOrNumber, + registered_domain: schemaString, + subdomain: schemaString, + top_level_domain: schemaString, + user: rt.partial({ + domain: schemaString, + email: schemaString, + full_name: schemaString, + group: rt.partial({ + domain: schemaString, + id: schemaString, + name: schemaString, + }), + hash: schemaString, + id: schemaString, + name: schemaString, + roles: schemaStringArray, + }), + }), + service: rt.partial({ + address: schemaString, + environment: schemaString, + ephemeral_id: schemaString, + id: schemaString, + name: schemaString, + node: rt.partial({ + name: schemaString, + role: schemaString, + roles: schemaStringArray, + }), + origin: rt.partial({ + address: schemaString, + environment: schemaString, + ephemeral_id: schemaString, + id: schemaString, + name: schemaString, + node: rt.partial({ + name: schemaString, + role: schemaString, + roles: schemaStringArray, + }), + state: schemaString, + type: schemaString, + version: schemaString, + }), + state: schemaString, + target: rt.partial({ + address: schemaString, + environment: schemaString, + ephemeral_id: schemaString, + id: schemaString, + name: schemaString, + node: rt.partial({ + name: schemaString, + role: schemaString, + roles: schemaStringArray, + }), + state: schemaString, + type: schemaString, + version: schemaString, + }), + type: schemaString, + version: schemaString, + }), + source: rt.partial({ + address: schemaString, + as: rt.partial({ + number: schemaStringOrNumber, + organization: rt.partial({ + name: schemaString, + }), + }), + bytes: schemaStringOrNumber, + domain: schemaString, + geo: rt.partial({ + city_name: 
schemaString, + continent_code: schemaString, + continent_name: schemaString, + country_iso_code: schemaString, + country_name: schemaString, + location: schemaGeoPoint, + name: schemaString, + postal_code: schemaString, + region_iso_code: schemaString, + region_name: schemaString, + timezone: schemaString, + }), + ip: schemaString, + mac: schemaString, + nat: rt.partial({ + ip: schemaString, + port: schemaStringOrNumber, + }), + packets: schemaStringOrNumber, + port: schemaStringOrNumber, + registered_domain: schemaString, + subdomain: schemaString, + top_level_domain: schemaString, + user: rt.partial({ + domain: schemaString, + email: schemaString, + full_name: schemaString, + group: rt.partial({ + domain: schemaString, + id: schemaString, + name: schemaString, + }), + hash: schemaString, + id: schemaString, + name: schemaString, + roles: schemaStringArray, + }), + }), + span: rt.partial({ + id: schemaString, + }), + tags: schemaStringArray, + threat: rt.partial({ + enrichments: rt.array( + rt.partial({ + matched: rt.partial({ + atomic: schemaString, + field: schemaString, + id: schemaString, + index: schemaString, + occurred: schemaDate, + type: schemaString, + }), + }) + ), + feed: rt.partial({ + dashboard_id: schemaString, + description: schemaString, + name: schemaString, + reference: schemaString, + }), + framework: schemaString, + group: rt.partial({ + alias: schemaStringArray, + id: schemaString, + name: schemaString, + reference: schemaString, + }), + indicator: rt.partial({ + as: rt.partial({ + number: schemaStringOrNumber, + organization: rt.partial({ + name: schemaString, + }), + }), + confidence: schemaString, + description: schemaString, + email: rt.partial({ + address: schemaString, + }), + file: rt.partial({ + accessed: schemaDate, + attributes: schemaStringArray, + code_signature: rt.partial({ + digest_algorithm: schemaString, + exists: schemaBoolean, + signing_id: schemaString, + status: schemaString, + subject_name: schemaString, + team_id: 
schemaString, + timestamp: schemaDate, + trusted: schemaBoolean, + valid: schemaBoolean, + }), + created: schemaDate, + ctime: schemaDate, + device: schemaString, + directory: schemaString, + drive_letter: schemaString, + elf: rt.partial({ + architecture: schemaString, + byte_order: schemaString, + cpu_type: schemaString, + creation_date: schemaDate, + exports: schemaUnknownArray, + header: rt.partial({ + abi_version: schemaString, + class: schemaString, + data: schemaString, + entrypoint: schemaStringOrNumber, + object_version: schemaString, + os_abi: schemaString, + type: schemaString, + version: schemaString, + }), + imports: schemaUnknownArray, + sections: rt.array( + rt.partial({ + chi2: schemaStringOrNumber, + entropy: schemaStringOrNumber, + flags: schemaString, + name: schemaString, + physical_offset: schemaString, + physical_size: schemaStringOrNumber, + type: schemaString, + virtual_address: schemaStringOrNumber, + virtual_size: schemaStringOrNumber, + }) + ), + segments: rt.array( + rt.partial({ + sections: schemaString, + type: schemaString, + }) + ), + shared_libraries: schemaStringArray, + telfhash: schemaString, + }), + extension: schemaString, + fork_name: schemaString, + gid: schemaString, + group: schemaString, + hash: rt.partial({ + md5: schemaString, + sha1: schemaString, + sha256: schemaString, + sha384: schemaString, + sha512: schemaString, + ssdeep: schemaString, + tlsh: schemaString, + }), + inode: schemaString, + mime_type: schemaString, + mode: schemaString, + mtime: schemaDate, + name: schemaString, + owner: schemaString, + path: schemaString, + pe: rt.partial({ + architecture: schemaString, + company: schemaString, + description: schemaString, + file_version: schemaString, + imphash: schemaString, + original_file_name: schemaString, + pehash: schemaString, + product: schemaString, + }), + size: schemaStringOrNumber, + target_path: schemaString, + type: schemaString, + uid: schemaString, + x509: rt.partial({ + alternative_names: 
schemaStringArray, + issuer: rt.partial({ + common_name: schemaStringArray, + country: schemaStringArray, + distinguished_name: schemaString, + locality: schemaStringArray, + organization: schemaStringArray, + organizational_unit: schemaStringArray, + state_or_province: schemaStringArray, + }), + not_after: schemaDate, + not_before: schemaDate, + public_key_algorithm: schemaString, + public_key_curve: schemaString, + public_key_exponent: schemaStringOrNumber, + public_key_size: schemaStringOrNumber, + serial_number: schemaString, + signature_algorithm: schemaString, + subject: rt.partial({ + common_name: schemaStringArray, + country: schemaStringArray, + distinguished_name: schemaString, + locality: schemaStringArray, + organization: schemaStringArray, + organizational_unit: schemaStringArray, + state_or_province: schemaStringArray, + }), + version_number: schemaString, + }), + }), + first_seen: schemaDate, + geo: rt.partial({ + city_name: schemaString, + continent_code: schemaString, + continent_name: schemaString, + country_iso_code: schemaString, + country_name: schemaString, + location: schemaGeoPoint, + name: schemaString, + postal_code: schemaString, + region_iso_code: schemaString, + region_name: schemaString, + timezone: schemaString, + }), + ip: schemaString, + last_seen: schemaDate, + marking: rt.partial({ + tlp: schemaString, + }), + modified_at: schemaDate, + port: schemaStringOrNumber, + provider: schemaString, + reference: schemaString, + registry: rt.partial({ + data: rt.partial({ + bytes: schemaString, + strings: schemaStringArray, + type: schemaString, + }), + hive: schemaString, + key: schemaString, + path: schemaString, + value: schemaString, + }), + scanner_stats: schemaStringOrNumber, + sightings: schemaStringOrNumber, + type: schemaString, + url: rt.partial({ + domain: schemaString, + extension: schemaString, + fragment: schemaString, + full: schemaString, + original: schemaString, + password: schemaString, + path: schemaString, + port: 
schemaStringOrNumber, + query: schemaString, + registered_domain: schemaString, + scheme: schemaString, + subdomain: schemaString, + top_level_domain: schemaString, + username: schemaString, + }), + x509: rt.partial({ + alternative_names: schemaStringArray, + issuer: rt.partial({ + common_name: schemaStringArray, + country: schemaStringArray, + distinguished_name: schemaString, + locality: schemaStringArray, + organization: schemaStringArray, + organizational_unit: schemaStringArray, + state_or_province: schemaStringArray, + }), + not_after: schemaDate, + not_before: schemaDate, + public_key_algorithm: schemaString, + public_key_curve: schemaString, + public_key_exponent: schemaStringOrNumber, + public_key_size: schemaStringOrNumber, + serial_number: schemaString, + signature_algorithm: schemaString, + subject: rt.partial({ + common_name: schemaStringArray, + country: schemaStringArray, + distinguished_name: schemaString, + locality: schemaStringArray, + organization: schemaStringArray, + organizational_unit: schemaStringArray, + state_or_province: schemaStringArray, + }), + version_number: schemaString, + }), + }), + software: rt.partial({ + alias: schemaStringArray, + id: schemaString, + name: schemaString, + platforms: schemaStringArray, + reference: schemaString, + type: schemaString, + }), + tactic: rt.partial({ + id: schemaStringArray, + name: schemaStringArray, + reference: schemaStringArray, + }), + technique: rt.partial({ + id: schemaStringArray, + name: schemaStringArray, + reference: schemaStringArray, + subtechnique: rt.partial({ + id: schemaStringArray, + name: schemaStringArray, + reference: schemaStringArray, + }), + }), + }), + tls: rt.partial({ + cipher: schemaString, + client: rt.partial({ + certificate: schemaString, + certificate_chain: schemaStringArray, + hash: rt.partial({ + md5: schemaString, + sha1: schemaString, + sha256: schemaString, + }), + issuer: schemaString, + ja3: schemaString, + not_after: schemaDate, + not_before: schemaDate, + 
server_name: schemaString, + subject: schemaString, + supported_ciphers: schemaStringArray, + x509: rt.partial({ + alternative_names: schemaStringArray, + issuer: rt.partial({ + common_name: schemaStringArray, + country: schemaStringArray, + distinguished_name: schemaString, + locality: schemaStringArray, + organization: schemaStringArray, + organizational_unit: schemaStringArray, + state_or_province: schemaStringArray, + }), + not_after: schemaDate, + not_before: schemaDate, + public_key_algorithm: schemaString, + public_key_curve: schemaString, + public_key_exponent: schemaStringOrNumber, + public_key_size: schemaStringOrNumber, + serial_number: schemaString, + signature_algorithm: schemaString, + subject: rt.partial({ + common_name: schemaStringArray, + country: schemaStringArray, + distinguished_name: schemaString, + locality: schemaStringArray, + organization: schemaStringArray, + organizational_unit: schemaStringArray, + state_or_province: schemaStringArray, + }), + version_number: schemaString, + }), + }), + curve: schemaString, + established: schemaBoolean, + next_protocol: schemaString, + resumed: schemaBoolean, + server: rt.partial({ + certificate: schemaString, + certificate_chain: schemaStringArray, + hash: rt.partial({ + md5: schemaString, + sha1: schemaString, + sha256: schemaString, + }), + issuer: schemaString, + ja3s: schemaString, + not_after: schemaDate, + not_before: schemaDate, + subject: schemaString, + x509: rt.partial({ + alternative_names: schemaStringArray, + issuer: rt.partial({ + common_name: schemaStringArray, + country: schemaStringArray, + distinguished_name: schemaString, + locality: schemaStringArray, + organization: schemaStringArray, + organizational_unit: schemaStringArray, + state_or_province: schemaStringArray, + }), + not_after: schemaDate, + not_before: schemaDate, + public_key_algorithm: schemaString, + public_key_curve: schemaString, + public_key_exponent: schemaStringOrNumber, + public_key_size: schemaStringOrNumber, + 
serial_number: schemaString, + signature_algorithm: schemaString, + subject: rt.partial({ + common_name: schemaStringArray, + country: schemaStringArray, + distinguished_name: schemaString, + locality: schemaStringArray, + organization: schemaStringArray, + organizational_unit: schemaStringArray, + state_or_province: schemaStringArray, + }), + version_number: schemaString, + }), + }), + version: schemaString, + version_protocol: schemaString, + }), + trace: rt.partial({ + id: schemaString, + }), + transaction: rt.partial({ + id: schemaString, + }), + url: rt.partial({ + domain: schemaString, + extension: schemaString, + fragment: schemaString, + full: schemaString, + original: schemaString, + password: schemaString, + path: schemaString, + port: schemaStringOrNumber, + query: schemaString, + registered_domain: schemaString, + scheme: schemaString, + subdomain: schemaString, + top_level_domain: schemaString, + username: schemaString, + }), + user: rt.partial({ + changes: rt.partial({ + domain: schemaString, + email: schemaString, + full_name: schemaString, + group: rt.partial({ + domain: schemaString, + id: schemaString, + name: schemaString, + }), + hash: schemaString, + id: schemaString, + name: schemaString, + roles: schemaStringArray, + }), + domain: schemaString, + effective: rt.partial({ + domain: schemaString, + email: schemaString, + full_name: schemaString, + group: rt.partial({ + domain: schemaString, + id: schemaString, + name: schemaString, + }), + hash: schemaString, + id: schemaString, + name: schemaString, + roles: schemaStringArray, + }), + email: schemaString, + full_name: schemaString, + group: rt.partial({ + domain: schemaString, + id: schemaString, + name: schemaString, + }), + hash: schemaString, + id: schemaString, + name: schemaString, + risk: rt.partial({ + calculated_level: schemaString, + calculated_score: schemaNumber, + calculated_score_norm: schemaNumber, + static_level: schemaString, + static_score: schemaNumber, + static_score_norm: 
schemaNumber, + }), + roles: schemaStringArray, + target: rt.partial({ + domain: schemaString, + email: schemaString, + full_name: schemaString, + group: rt.partial({ + domain: schemaString, + id: schemaString, + name: schemaString, + }), + hash: schemaString, + id: schemaString, + name: schemaString, + roles: schemaStringArray, + }), + }), + user_agent: rt.partial({ + device: rt.partial({ + name: schemaString, + }), + name: schemaString, + original: schemaString, + os: rt.partial({ + family: schemaString, + full: schemaString, + kernel: schemaString, + name: schemaString, + platform: schemaString, + type: schemaString, + version: schemaString, + }), + version: schemaString, + }), + vulnerability: rt.partial({ + category: schemaStringArray, + classification: schemaString, + description: schemaString, + enumeration: schemaString, + id: schemaString, + reference: schemaString, + report_id: schemaString, + scanner: rt.partial({ + vendor: schemaString, + }), + score: rt.partial({ + base: schemaNumber, + environmental: schemaNumber, + temporal: schemaNumber, + version: schemaString, + }), + severity: schemaString, + }), +}); + +export const EcsSchema = rt.intersection([EcsRequiredSchema, EcsOptionalSchema]); + +export type Ecs = rt.TypeOf; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/merge_field_maps.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/merge_field_maps.ts deleted file mode 100644 index efd0a2e2cd1aef..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/merge_field_maps.ts +++ /dev/null 
@@ -1,49 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-// import { FieldMap } from './types';
-
-// export function mergeFieldMaps(
-//   first: T1,
-//   second: T2
-// ): T1 & T2 {
-//   const conflicts: Array> = [];
-
-//   Object.keys(second).forEach((name) => {
-//     const field = second[name];
-
-//     const parts = name.split('.');
-
-//     const parents = parts.slice(0, parts.length - 2).map((part, index, array) => {
-//       return [...array.slice(0, index - 1), part].join('.');
-//     });
-
-//     parents
-//       .filter((parent) => first[parent] !== undefined)
-//       .forEach((parent) => {
-//         conflicts.push({
-//           [parent]: [{ type: 'object' }, first[parent]!],
-//         });
-//       });
-
-//     if (first[name]) {
-//       conflicts.push({
-//         [name]: [field, first[name]],
-//       });
-//     }
-//   });
-
-//   if (conflicts.length) {
-//     const err = new Error(`Could not merge mapping due to conflicts`);
-//     Object.assign(err, { conflicts });
-//     throw err;
-//   }
-
-//   return {
-//     ...first,
-//     ...second,
-//   };
-// }
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts
deleted file mode 100644
index 79416a55600d0b..00000000000000
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.test.ts
+++ /dev/null
@@ -1,97 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -import { runtimeTypeFromFieldMap } from './runtime_type_from_fieldmap'; - -describe('runtimeTypeFromFieldMap', () => { - const fieldmapRt = runtimeTypeFromFieldMap({ - keywordField: { type: 'keyword' }, - longField: { type: 'long' }, - requiredKeywordField: { type: 'keyword', required: true }, - multiKeywordField: { type: 'keyword', array: true }, - } as const); - - console.log(typeof fieldmapRt); - - it('accepts both singular and array fields', () => { - expect( - fieldmapRt.is({ - requiredKeywordField: 'keyword', - }) - ).toBe(true); - - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - }) - ).toBe(true); - - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - multiKeywordField: 'keyword', - }) - ).toBe(true); - - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - multiKeywordField: ['keyword'], - }) - ).toBe(true); - }); - - it('fails on invalid data types', () => { - expect( - fieldmapRt.is({ - requiredKeywordField: 2, - }) - ).toBe(false); - - expect( - fieldmapRt.is({ - requiredKeywordField: [2], - }) - ).toBe(false); - - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - longField: ['keyword'], - }) - ).toBe(false); - - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - longField: [3], - }) - ).toBe(true); - - expect( - fieldmapRt.is({ - requiredKeywordField: ['keyword'], - longField: 3, - }) - ).toBe(true); - }); - - it('outputs to single or array values', () => { - expect( - fieldmapRt.encode({ - requiredKeywordField: ['required'], - keywordField: 'keyword', - longField: [3, 2], - multiKeywordField: ['keyword', 'foo'], - }) - ).toEqual({ - requiredKeywordField: 'required', - keywordField: 'keyword', - longField: 3, 
- multiKeywordField: ['keyword', 'foo'], - }); - }); -}); diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts deleted file mode 100644 index 55ffb1302f96d5..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/runtime_type_from_fieldmap.ts +++ /dev/null 
@@ -1,139 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -import { Optional } from 'utility-types'; -import { mapValues, pickBy } from 'lodash'; -import { either } from 'fp-ts/lib/Either'; -import * as t from 'io-ts'; -import { FieldMap } from './types'; - -const NumberFromString = new t.Type( - 'NumberFromString', - (u): u is number => typeof u === 'number', - (u, c) => - either.chain(t.string.validate(u, c), (s) => { - const d = Number(s); - return isNaN(d) ? t.failure(u, c) : t.success(d); - }), - (a) => a -); - -const BooleanFromString = new t.Type( - 'BooleanFromString', - (u): u is boolean => typeof u === 'boolean', - (u, c) => - either.chain(t.string.validate(u, c), (s) => { - switch (s.toLowerCase().trim()) { - case '1': - case 'true': - case 'yes': - return t.success(true); - case '0': - case 'false': - case 'no': - case null: - return t.success(false); - default: - return t.failure(u, c); - } - }), - (a) => a -); - -const esFieldTypeMap = { - keyword: t.string, - version: t.string, - text: t.string, - date: t.string, - boolean: t.union([t.number, BooleanFromString]), - byte: t.union([t.number, NumberFromString]), - long: t.union([t.number, NumberFromString]), - integer: t.union([t.number, NumberFromString]), - short: t.union([t.number, NumberFromString]), - double: t.union([t.number, NumberFromString]), - float: t.union([t.number, NumberFromString]), - scaled_float: t.union([t.number, NumberFromString]), - unsigned_long: t.union([t.number, NumberFromString]), - flattened: t.UnknownRecord, -}; - -type EsFieldTypeMap = typeof esFieldTypeMap; - -type EsFieldTypeOf = T extends keyof EsFieldTypeMap - ? 
EsFieldTypeMap[T] - : t.UnknownC; - -type CastArray> = t.Type< - t.TypeOf | Array>, - Array>, - unknown ->; -type CastSingle> = t.Type< - t.TypeOf | Array>, - t.TypeOf, - unknown ->; - -const createCastArrayRt = >(type: T): CastArray => { - const union = t.union([type, t.array(type)]); - - return new t.Type('castArray', union.is, union.validate, (a) => (Array.isArray(a) ? a : [a])); -}; - -const createCastSingleRt = >(type: T): CastSingle => { - const union = t.union([type, t.array(type)]); - - return new t.Type('castSingle', union.is, union.validate, (a) => (Array.isArray(a) ? a[0] : a)); -}; - -type SetOptional = Optional< - T, - { - [key in keyof T]: T[key]['required'] extends true ? never : key; - }[keyof T] ->; - -type OutputOfField = T['array'] extends true - ? Array>> - : t.OutputOf>; - -type TypeOfField = - | t.TypeOf> - | Array>>; - -type OutputOf = { - [key in keyof T]: OutputOfField>; -}; - -type TypeOf = { - [key in keyof T]: TypeOfField>; -}; - -export type TypeOfFieldMap = TypeOf>; -export type OutputOfFieldMap = OutputOf>; - -export type FieldMapType = t.Type, OutputOfFieldMap>; - -export function runtimeTypeFromFieldMap( - fieldMap: TFieldMap -): FieldMapType { - function mapToType(fields: FieldMap) { - return mapValues(fields, (field) => { - const type = - field.type in esFieldTypeMap - ? esFieldTypeMap[field.type as keyof EsFieldTypeMap] - : t.unknown; - - return field.array ? createCastArrayRt(type) : createCastSingleRt(type); - }); - } - - const required = pickBy(fieldMap, (field) => field.required); - return t.intersection([ - t.exact(t.partial(mapToType(fieldMap))), - t.type(mapToType(required)), - ]) as unknown as FieldMapType; -} diff --git a/x-pack/plugins/alerting/common/alert_schema/index.ts b/x-pack/plugins/alerting/common/alert_schema/index.ts index 097f2ef5e9961b..a36ef8a5205e11 100644 --- a/x-pack/plugins/alerting/common/alert_schema/index.ts +++ b/x-pack/plugins/alerting/common/alert_schema/index.ts 
@@ -5,5 +5,6 @@ * 2.0. */ -export { ecsComponentTemplate } from './component_templates/ecs_component_template'; -export { alertsComponentTemplate } from './component_templates/alerts_component_template'; +export { ecsFieldMap } from './field_maps/ecs_field_map'; +export { alertFieldMap } from './field_maps/alert_field_map'; +export { getComponentTemplateFromFieldMap } from './field_maps/component_template_from_field_map'; diff --git a/x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts b/x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts deleted file mode 100644 index 46adb33c865511..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/parse_technical_fields.ts +++ /dev/null 
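Review bot: The barrel drops the `ecsComponentTemplate` and `alertsComponentTemplate` exports while adding the three field-map exports, so any module that still imports the old constants from `alert_schema` will stop compiling; nothing visible in this patch updates such consumers, so it is worth confirming there are none left (the commit is marked wip, so this may be intentional). Since the replacement is a function, `getComponentTemplateFromFieldMap`, rather than a ready-made constant, former consumers presumably have to build the template themselves now; a one-line comment in the barrel, `// Component templates are derived from field maps via getComponentTemplateFromFieldMap`, would document that migration for them.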
@@ -1,37 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -// import { isLeft } from 'fp-ts/lib/Either'; -// import { PathReporter } from 'io-ts/lib/PathReporter'; -// import { pick } from 'lodash'; -// import { -// technicalRuleFieldMap, -// TechnicalRuleFieldMap, -// } from './assets/field_maps/technical_rule_field_map'; -// import { runtimeTypeFromFieldMap } from './field_map'; - -// const technicalFieldRuntimeType = -// runtimeTypeFromFieldMap(technicalRuleFieldMap); - -// export const parseTechnicalFields = (input: unknown, partial = false) => { -// const decodePartial = (alert: unknown) => { -// const limitedFields = pick(technicalRuleFieldMap, Object.keys(alert as object)); -// const partialTechnicalFieldRuntimeType = runtimeTypeFromFieldMap( -// limitedFields as unknown as TechnicalRuleFieldMap -// ); -// return partialTechnicalFieldRuntimeType.decode(alert); -// }; - -// const validate = partial ? decodePartial(input) : technicalFieldRuntimeType.decode(input); - -// if (isLeft(validate)) { -// throw new Error(PathReporter.report(validate).join('\n')); -// } -// return technicalFieldRuntimeType.encode(validate.right); -// }; - -// export type ParsedTechnicalFields = ReturnType; diff --git a/x-pack/plugins/alerting/common/alert_schema/runtime_types/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/runtime_types/alert_field_map.ts deleted file mode 100644 index f685c00cd11f61..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/runtime_types/alert_field_map.ts +++ /dev/null 
@@ -1,600 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as t from 'io-ts'; -import { either } from 'fp-ts/lib/Either'; - -const NumberFromString = new t.Type( - 'NumberFromString', - (u): u is number => typeof u === 'number', - (u, c) => - either.chain(t.string.validate(u, c), (s) => { - const d = Number(s); - return isNaN(d) ? t.failure(u, c) : t.success(d); - }), - (a) => a -); - -const BooleanFromString = new t.Type( - 'BooleanFromString', - (u): u is boolean => typeof u === 'boolean', - (u, c) => - either.chain(t.string.validate(u, c), (s) => { - switch (s.toLowerCase().trim()) { - case '1': - case 'true': - case 'yes': - return t.success(true); - case '0': - case 'false': - case 'no': - case null: - return t.success(false); - default: - return t.failure(u, c); - } - }), - (a) => a -); - -const esFieldTypeMap = { - keyword: t.string, - version: t.string, - text: t.string, - date: t.string, - boolean: t.union([t.number, BooleanFromString]), - byte: t.union([t.number, NumberFromString]), - long: t.union([t.number, NumberFromString]), - integer: t.union([t.number, NumberFromString]), - short: t.union([t.number, NumberFromString]), - double: t.union([t.number, NumberFromString]), - float: t.union([t.number, NumberFromString]), - scaled_float: t.union([t.number, NumberFromString]), - unsigned_long: t.union([t.number, NumberFromString]), - flattened: t.UnknownRecord, - object: t.UnknownRecord, -}; -const ecsDate = (array: boolean = false) => {}; -function ecsStringMulti() { - return schema.maybe(schema.arrayOf(schema.string())); -} - -function ecsString() { - return schema.maybe(schema.string()); -} - -function ecsNumber() { - return schema.maybe(schema.number()); -} - -function ecsStringOrNumber() { - return 
schema.maybe(schema.oneOf([schema.string(), schema.number()])); -} - -function ecsDate() { - return schema.maybe(schema.string({ validate: validateDate })); -} - -function ecsBoolean() { - return schema.maybe(schema.boolean()); -} - -const ISO_DATE_PATTERN = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/; - -function validateDate(isoDate: string) { - if (ISO_DATE_PATTERN.test(isoDate)) return; - return 'string is not a valid ISO date: ' + isoDate; -} - -function ecsVersion() { - return schema.maybe(schema.string({ validate: validateVersion })); -} - -function validateVersion(version: string) { - if (semver.valid(version)) return; - return 'string is not a valid version: ' + version; -} -// import { -// ALERT_ACTION_GROUP, -// ALERT_ANCESTORS, -// ALERT_ANCESTORS_DEPTH, -// ALERT_ANCESTORS_ID, -// ALERT_ANCESTORS_INDEX, -// ALERT_ANCESTORS_RULE, -// ALERT_ANCESTORS_TYPE, -// ALERT_DEPTH, -// ALERT_DURATION, -// ALERT_END, -// ALERT_EVALUATION_RESULTS, -// ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR, -// ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE, -// ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE, -// ALERT_EVALUATION_RESULTS_VALUE, -// ALERT_FLAPPING, -// ALERT_GROUP_ID, -// ALERT_GROUP_INDEX, -// ALERT_ID, -// ALERT_NEW_TERMS, -// ALERT_ORIGINAL_EVENT_ACTION, -// ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS, -// ALERT_ORIGINAL_EVENT_CATEGORY, -// ALERT_ORIGINAL_EVENT_CODE, -// ALERT_ORIGINAL_EVENT_CREATED, -// ALERT_ORIGINAL_EVENT_DATASET, -// ALERT_ORIGINAL_EVENT_DURATION, -// ALERT_ORIGINAL_EVENT_END, -// ALERT_ORIGINAL_EVENT_HASH, -// ALERT_ORIGINAL_EVENT_ID, -// ALERT_ORIGINAL_EVENT_INGESTED, -// ALERT_ORIGINAL_EVENT_KIND, -// ALERT_ORIGINAL_EVENT_MODULE, -// ALERT_ORIGINAL_EVENT_ORIGINAL, -// ALERT_ORIGINAL_EVENT_OUTCOME, -// ALERT_ORIGINAL_EVENT_PROVIDER, -// ALERT_ORIGINAL_EVENT_REASON, -// ALERT_ORIGINAL_EVENT_REFERENCE, -// ALERT_ORIGINAL_EVENT_RISK_SCORE, -// ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, -// ALERT_ORIGINAL_EVENT_SEQUENCE, -// ALERT_ORIGINAL_EVENT_SEVERITY, 
-// ALERT_ORIGINAL_EVENT_START, -// ALERT_ORIGINAL_EVENT_TIMEZONE, -// ALERT_ORIGINAL_EVENT_TYPE, -// ALERT_ORIGINAL_EVENT_URL, -// ALERT_ORIGINAL_TIME, -// ALERT_REASON, -// ALERT_RISK_SCORE, -// ALERT_RULE_CATEGORY, -// ALERT_RULE_CONSUMER, -// ALERT_RULE_EXECUTION_UUID, -// ALERT_RULE_NAME, -// ALERT_RULE_PARAMETERS, -// ALERT_RULE_PRODUCER, -// ALERT_RULE_TAGS, -// ALERT_RULE_TYPE_ID, -// ALERT_RULE_UUID, -// ALERT_SEVERITY, -// ALERT_START, -// ALERT_STATUS, -// ALERT_THRESHOLD_RESULT_CARDINALITY, -// ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD, -// ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE, -// ALERT_THRESHOLD_RESULT_COUNT, -// ALERT_THRESHOLD_RESULT_FROM, -// ALERT_THRESHOLD_RESULT_TERMS, -// ALERT_THRESHOLD_RESULT_TERMS_FIELD, -// ALERT_THRESHOLD_RESULT_TERMS_VALUE, -// ALERT_TIME_RANGE, -// ALERT_UUID, -// ALERT_WORKFLOW_STATUS, -// ANOMALY_BUCKET_SPAN_MINUTES, -// ANOMALY_START, -// MONITOR_ID, -// MONITOR_NAME, -// MONITOR_TYPE, -// PROCESSOR_EVENT, -// SPACE_IDS, -// TRANSACTION_TYPE, -// TRANSACTION_NAME, -// VERSION, -// } from '@kbn/rule-data-utils'; - -// export const alertFieldMap = { -// [ALERT_RULE_PARAMETERS]: { -// type: 'object', -// enabled: false, -// required: false, -// }, -// [ALERT_RULE_TYPE_ID]: { -// type: 'keyword', -// array: false, -// required: true, -// }, -// [ALERT_RULE_CONSUMER]: { -// type: 'keyword', -// array: false, -// required: true, -// }, -// [ALERT_RULE_PRODUCER]: { -// type: 'keyword', -// array: false, -// required: true, -// }, -// [SPACE_IDS]: { -// type: 'keyword', -// array: true, -// required: true, -// }, -// [ALERT_UUID]: { -// type: 'keyword', -// array: false, -// required: true, -// }, -// [ALERT_ID]: { -// type: 'keyword', -// array: false, -// required: true, -// }, -// [ALERT_START]: { -// type: 'date', -// array: false, -// required: false, -// }, -// [ALERT_TIME_RANGE]: { -// type: 'date_range', -// format: 'epoch_millis||strict_date_optional_time', -// array: false, -// required: false, -// }, -// 
[ALERT_END]: { -// type: 'date', -// array: false, -// required: false, -// }, -// [ALERT_DURATION]: { -// type: 'long', -// array: false, -// required: false, -// }, -// [ALERT_SEVERITY]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_STATUS]: { -// type: 'keyword', -// array: false, -// required: true, -// }, -// [VERSION]: { -// type: 'version', -// array: false, -// required: false, -// }, -// [ALERT_RISK_SCORE]: { -// type: 'float', -// array: false, -// required: false, -// }, -// [ALERT_WORKFLOW_STATUS]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ACTION_GROUP]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_REASON]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_RULE_CATEGORY]: { -// type: 'keyword', -// array: false, -// required: true, -// }, -// [ALERT_RULE_UUID]: { -// type: 'keyword', -// array: false, -// required: true, -// }, -// [ALERT_RULE_EXECUTION_UUID]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_RULE_NAME]: { -// type: 'keyword', -// array: false, -// required: true, -// }, -// [ALERT_RULE_TAGS]: { -// type: 'keyword', -// array: true, -// required: false, -// }, -// [ALERT_EVALUATION_RESULTS]: { -// type: 'object', -// array: true, -// required: false, -// }, -// [ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE]: { -// type: 'keyword', -// array: true, -// required: false, -// }, -// [ALERT_EVALUATION_RESULTS_VALUE]: { -// type: 'float', -// array: false, -// required: false, -// }, -// [ALERT_FLAPPING]: { -// type: 'boolean', -// array: false, -// required: false, -// }, -// [TRANSACTION_TYPE]: { -// type: 'keyword', -// array: false, -// 
required: false, -// }, -// [TRANSACTION_NAME]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [PROCESSOR_EVENT]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [MONITOR_ID]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [MONITOR_NAME]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [MONITOR_TYPE]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ANOMALY_START]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ANOMALY_BUCKET_SPAN_MINUTES]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ANCESTORS]: { -// type: 'object', -// array: true, -// required: false, -// }, -// [ALERT_ANCESTORS_DEPTH]: { -// type: 'long', -// array: false, -// required: false, -// }, -// [ALERT_ANCESTORS_ID]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ANCESTORS_INDEX]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ANCESTORS_RULE]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ANCESTORS_TYPE]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_DEPTH]: { -// type: 'long', -// array: false, -// required: false, -// }, -// [ALERT_GROUP_ID]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_GROUP_INDEX]: { -// type: 'integer', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_ACTION]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_CATEGORY]: { -// type: 'keyword', -// array: true, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_CODE]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_CREATED]: { -// type: 'date', -// 
array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_DATASET]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_DURATION]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_END]: { -// type: 'date', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_HASH]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_ID]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_INGESTED]: { -// type: 'date', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_KIND]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_MODULE]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_ORIGINAL]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_OUTCOME]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_PROVIDER]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_REASON]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_REFERENCE]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_RISK_SCORE]: { -// type: 'float', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM]: { -// type: 'float', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_SEQUENCE]: { -// type: 'long', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_SEVERITY]: { -// type: 'long', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_START]: { -// type: 'date', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_TIMEZONE]: { -// type: 'keyword', -// array: false, -// 
required: false, -// }, -// [ALERT_ORIGINAL_EVENT_TYPE]: { -// type: 'keyword', -// array: true, -// required: false, -// }, -// [ALERT_ORIGINAL_EVENT_URL]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_ORIGINAL_TIME]: { -// type: 'date', -// array: false, -// required: false, -// }, -// [ALERT_THRESHOLD_RESULT_CARDINALITY]: { -// type: 'object', -// array: false, -// required: false, -// }, -// [ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE]: { -// type: 'long', -// array: false, -// required: false, -// }, -// [ALERT_THRESHOLD_RESULT_COUNT]: { -// type: 'long', -// array: false, -// required: false, -// }, -// [ALERT_THRESHOLD_RESULT_FROM]: { -// type: 'date', -// array: false, -// required: false, -// }, -// [ALERT_THRESHOLD_RESULT_TERMS]: { -// type: 'object', -// array: true, -// required: false, -// }, -// [ALERT_THRESHOLD_RESULT_TERMS_FIELD]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_THRESHOLD_RESULT_TERMS_VALUE]: { -// type: 'keyword', -// array: false, -// required: false, -// }, -// [ALERT_NEW_TERMS]: { -// type: 'keyword', -// array: true, -// required: false, -// }, -// }; - -// export type AlertFieldMap = typeof alertFieldMap; diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js deleted file mode 100644 index a548390b5273c6..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.js +++ /dev/null 
@@ -1,56 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -const path = require('path'); -const fs = require('fs'); -const util = require('util'); -const yaml = require('js-yaml'); -const { exec: execCb } = require('child_process'); -const { reduce } = require('lodash'); -const LineWriter = require('./lib/line_writer'); - -const exists = util.promisify(fs.exists); -const readFile = util.promisify(fs.readFile); -const writeFile = util.promisify(fs.writeFile); -const exec = util.promisify(execCb); - -const ecsDir = path.resolve(__dirname, '../../../../../../ecs'); -const ecsYamlFilename = path.join(ecsDir, 'generated/ecs/ecs_flat.yml'); - -const outputDir = path.join(__dirname, '../assets/field_maps'); -const outputFieldMapFilename = path.join(outputDir, 'ecs_field_map.ts'); - -async function createSchema() { - if (process.argv.length < 3) { - logError(`Error no mapping file specified`); - } - - const mappingFile = process.argv[2]; - // eslint-disable-next-line import/no-dynamic-require - const template = require(mappingFile); - - // const lineWriter = LineWriter.createLineWriter(); - // generateSchemaLines(lineWriter, null, template.mappings); - // // last line will have an extraneous comma - // const schemaLines = lineWriter.getContent().replace(/,$/, ''); - - // const contents = getSchemaFileContents(ecsVersion, schemaLines); - // const schemaCode = `${contents}\n`; - - // writeGeneratedFile(EVENT_LOG_CONFIG_SCHEMA_FILE, schemaCode); - // console.log('generated:', EVENT_LOG_CONFIG_SCHEMA_FILE); -} - -function logError(message) { - console.log(`error: ${message}`); - process.exit(1); -} - -createSchema().catch((err) => { - console.log(err); - process.exit(1); -}); 
diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts new file mode 100644 index 00000000000000..e5d43700a44965 --- /dev/null +++ b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts 
@@ -0,0 +1,320 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import fs from 'fs'; +import path from 'path'; +import { get, set } from 'lodash'; +import { createLineWriter, LineWriter } from './lib/line_writer'; +import { alertFieldMap } from '../field_maps/alert_field_map'; +import { ecsFieldMap } from '../field_maps/ecs_field_map'; +import { FieldMap } from '../field_maps/types'; + +const PLUGIN_DIR = path.resolve(path.join(__dirname, '..')); +const ALERT_SCHEMA_FILE = 'field_maps/generated/schemas/alert_schema.ts'; +const ECS_SCHEMA_FILE = 'field_maps/generated/schemas/ecs_schema.ts'; + +const createSchema = (outputFile: string, fieldMap: FieldMap, schemaPrefix: string) => { + const lineWriters = { + REQUIRED_FIELDS: createLineWriter(), + OPTIONAL_FIELDS: createLineWriter(), + }; + + generateSchemaFromFieldMap({ lineWriters, fieldMap }); + + const contents = getSchemaFileContents(lineWriters, schemaPrefix); + + writeGeneratedFile(outputFile, `${contents}\n`); +}; + +interface GenerateSchemaFromFieldMapOpts { + lineWriters: Record; + fieldMap: FieldMap; +} +const generateSchemaFromFieldMap = ({ lineWriters, fieldMap }: GenerateSchemaFromFieldMapOpts) => { + const requiredFieldMap = { properties: {} }; + const optionalFieldMap = { properties: {} }; + + const getKeyWithProperties = (key: string) => key.split('.').join('.properties.'); + + // Generate required properties + Object.keys(fieldMap) + .filter((key: string) => fieldMap[key].required === true) + .map((key: string) => + set(requiredFieldMap.properties, getKeyWithProperties(key), fieldMap[key]) + ); + generateSchemaLines({ + lineWriter: lineWriters.REQUIRED_FIELDS, + propertyKey: null, + required: true, + fieldMap: requiredFieldMap, + }); + + // Generate optional properties + 
Object.keys(fieldMap) + .filter((key: string) => fieldMap[key].required !== true) + .map((key: string) => + set(optionalFieldMap.properties, getKeyWithProperties(key), fieldMap[key]) + ); + generateSchemaLines({ + lineWriter: lineWriters.OPTIONAL_FIELDS, + propertyKey: null, + required: false, + fieldMap: optionalFieldMap, + }); +}; + +interface FieldMapProperty { + properties: Record; +} + +interface GenerateSchemaLinesOpts { + lineWriter: LineWriter; + propertyKey: string | null; + required: boolean; + fieldMap: { + properties: Record; + }; +} + +const getSchemaDefinition = (schemaPrefix: string, isArray: boolean): string => { + if (isArray) { + schemaPrefix = `${schemaPrefix}Array`; + } + return schemaPrefix; +}; + +const generateSchemaLines = ({ + fieldMap, + propertyKey, + lineWriter, + required, +}: GenerateSchemaLinesOpts) => { + if (fieldMap == null) return; + + propertyKey = propertyKey === '@timestamp' ? `'@timestamp'` : propertyKey; + + const type = get(fieldMap, 'type'); + const isArray = get(fieldMap, 'array', false); + const isEnabled = get(fieldMap, 'enabled', true); + + if (null != type) { + switch (type) { + case 'flattened': + lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaUnknown', isArray)},`); + break; + case 'object': + case 'nested': + if (!isEnabled) { + lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaUnknown', isArray)},`); + } else if (isArray && null != fieldMap.properties) { + lineWriter.addLineAndIndent(`${propertyKey}: rt.array(`); + if (required) { + lineWriter.addLineAndIndent(`rt.type({`); + } else { + lineWriter.addLineAndIndent(`rt.partial({`); + } + for (const prop of Object.keys(fieldMap.properties).sort()) { + generateSchemaLines({ + lineWriter, + propertyKey: prop, + required, + fieldMap: fieldMap.properties[prop], + }); + } + lineWriter.dedentAndAddLine(`})`); + lineWriter.dedentAndAddLine(`),`); + } + break; + case 'keyword': + case 'ip': + case 'constant_keyword': + case 'match_only_text': 
+ case 'version': + case 'wildcard': + lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaString', isArray)},`); + break; + case 'date': + lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaDate', isArray)},`); + break; + case 'date_range': + lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaDateRange', isArray)},`); + break; + case 'geo_point': + lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaGeoPoint', isArray)},`); + break; + case 'long': + case 'scaled_float': + lineWriter.addLine( + `${propertyKey}: ${getSchemaDefinition('schemaStringOrNumber', isArray)},` + ); + break; + case 'float': + case 'integer': + lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaNumber', isArray)},`); + break; + case 'boolean': + lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaBoolean', isArray)},`); + break; + default: + logError(`unknown type ${type}: ${JSON.stringify(fieldMap)}`); + break; + } + + return; + } + + if (null == get(fieldMap, 'properties')) { + logError(`unknown properties ${propertyKey}: ${JSON.stringify(fieldMap)}`); + } + + if (null == propertyKey) { + if (required) { + lineWriter.addLineAndIndent(`rt.type({`); + } else { + lineWriter.addLineAndIndent(`rt.partial({`); + } + } else { + if (required) { + lineWriter.addLineAndIndent(`${propertyKey}: rt.type({`); + } else { + lineWriter.addLineAndIndent(`${propertyKey}: rt.partial({`); + } + } + + // write the object properties + for (const prop of Object.keys(fieldMap.properties).sort()) { + generateSchemaLines({ + lineWriter, + propertyKey: prop, + required, + fieldMap: fieldMap.properties[prop], + }); + } + lineWriter.dedentAndAddLine(`}),`); +}; + +const SchemaFileTemplate = ` +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. 
Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +// ---------------------------------- WARNING ---------------------------------- +// this file was generated, and should not be edited by hand +// ---------------------------------- WARNING ---------------------------------- + +import { Either } from 'fp-ts/lib/Either'; +import * as rt from 'io-ts'; + +const ISO_DATE_PATTERN = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/; + +export const IsoDateString = new rt.Type( + 'IsoDateString', + rt.string.is, + (input, context): Either => { + if (typeof input === 'string' && ISO_DATE_PATTERN.test(input)) { + return rt.success(input); + } else { + return rt.failure(input, context); + } + }, + rt.identity +); + +export type IsoDateStringC = typeof IsoDateString; + +export const schemaDate = IsoDateString; +export const schemaDateArray = rt.array(IsoDateString); +export const schemaDateRange = rt.partial({ + gte: schemaDate, + lte: schemaDate, +}); +export const schemaDateRangeArray = rt.array(schemaDateRange); +export const schemaUnknown = rt.unknown; +export const schemaUnknownArray = rt.array(rt.unknown); +export const schemaString = rt.string; +export const schemaStringArray = rt.array(schemaString); +export const schemaNumber = rt.number; +export const schemaNumberArray = rt.array(schemaNumber); +export const schemaStringOrNumber = rt.union([schemaString, schemaNumber]); +export const schemaStringOrNumberArray = rt.array(schemaStringOrNumber); +export const schemaBoolean = rt.boolean; +export const schemaBooleanArray = rt.array(schemaBoolean); +const schemaGeoPointCoords = rt.type({ + type: schemaString, + coordinates: schemaNumberArray, +}); +const schemaGeoPointString = schemaString; +const schemaGeoPointLatLon = rt.type({ + lat: schemaNumber, + lon: schemaNumber, +}); +const schemaGeoPointLocation = rt.type({ + location: schemaNumberArray, +}); +const schemaGeoPointLocationString = 
rt.type({ + location: schemaString, +}); +export const schemaGeoPoint = rt.union([ + schemaGeoPointCoords, + schemaGeoPointString, + schemaGeoPointLatLon, + schemaGeoPointLocation, + schemaGeoPointLocationString, +]); +export const schemaGeoPointArray = rt.array(schemaGeoPoint); + +const %%schemaPrefix%%RequiredSchema = %%REQUIRED_FIELDS%%; +const %%schemaPrefix%%OptionalSchema = %%OPTIONAL_FIELDS%%; + +export const %%schemaPrefix%%Schema = rt.intersection([%%schemaPrefix%%RequiredSchema, %%schemaPrefix%%OptionalSchema]); + +export type %%schemaPrefix%% = rt.TypeOf; +`.trim(); + +const getSchemaFileContents = (lineWriters: Record, schemaPrefix: string) => { + return Object.keys(lineWriters).reduce((currTemplate, key) => { + const schemaLines = lineWriters[key].getContent().replace(/,$/, ''); + return currTemplate + .replaceAll(`%%schemaPrefix%%`, schemaPrefix) + .replace(`%%${key}%%`, schemaLines); + }, SchemaFileTemplate); +}; + +const writeGeneratedFile = (fileName: string, contents: string) => { + const genFileName = path.join(PLUGIN_DIR, fileName); + try { + fs.writeFileSync(genFileName, contents); + } catch (err) { + logError(`error writing file: ${genFileName}: ${err.message}`); + } +}; + +const logError = (message: string) => { + // eslint-disable-next-line no-console + console.log(`error: ${message}`); + process.exit(1); +}; + +try { + // eslint-disable-next-line no-console + console.log(`Creating runtime schema for AlertFieldMap`); + createSchema(ALERT_SCHEMA_FILE, alertFieldMap, 'Alert'); + + // eslint-disable-next-line no-console + console.log(`Creating runtime schema for EcsFieldMap`); + createSchema(ECS_SCHEMA_FILE, ecsFieldMap, 'Ecs'); + + // eslint-disable-next-line no-console + console.log(`Finished creating schemas!`); +} catch (error) { + // eslint-disable-next-line no-console + console.log(`Error encountered creating schemas ${error.message}`); + throw error; +} 
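Review bot: In `generateSchemaLines`, an enabled `object`/`nested` field that is not an array emits nothing inside the `switch` and then hits the unconditional `return`, so that field — including any `properties` the `set` calls attached under it — silently disappears from the generated schema; add an `else` branch that emits `schemaUnknown` for a leaf object and lets a node that has `properties` continue into the `rt.type`/`rt.partial` walk below instead of returning. The `set(requiredFieldMap.properties, getKeyWithProperties(key), fieldMap[key])` calls also replace whatever already sits at that path, so a field map that declares a child key (`a.b.c`) before its parent (`a.b`) loses the child; sorting the keys before the `set` loop, or merging into the existing node, makes the output independent of declaration order. Both `catch (err)` blocks read `err.message` on an untyped catch variable, which does not compile under `useUnknownInCatchVariables` — narrow with `err instanceof Error ? err.message : String(err)`.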
diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh index 0bd6d1e59abb00..f4d2d251c41890 100755 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh +++ b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh @@ -5,20 +5,20 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -# echo --- Getting ECS template +echo --- Getting ECS template -# # Pin to a specific commit -# # ECS_VERSION=8.6 -# # git clone --depth 1 -b $ECS_VERSION https://github.com/elastic/ecs.git ./ecs +# Pin to a specific commit +ECS_VERSION=8.6 +git clone --depth 1 -b $ECS_VERSION https://github.com/elastic/ecs.git ./ecs -# # cp ./ecs/generated/elasticsearch/legacy/template.json ../component_templates/assets/ecs_legacy_template.json +cp ./ecs/generated/elasticsearch/legacy/template.json ../component_templates/assets/ecs_legacy_template.json -# # rm -rf ./ecs +rm -rf ./ecs -# echo --- Generating ECS schema from template +echo --- Generating ECS field map from template -# node create_schema_from_mapping.js ../component_templates/assets/ecs_legacy_template.json +node generate_ecs_fieldmap.js -echo --- Generating Alert schema from template +echo --- Generating Alert and ECS schemas from template -node create_schema_from_mapping.js ../field_maps/alert_field_map.ts +npx -q ts-node create_schema_from_mapping.js diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.js b/x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.ts similarity index 52% rename from x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.js rename to x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.ts index f61405e230215a..43855a31b66bc2 100644 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.js 
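Review bot: The comment `# Pin to a specific commit` does not describe what `git clone --depth 1 -b $ECS_VERSION` does — `8.6` is a branch, so its tip can move and `ecs_legacy_template.json` (and everything generated from it) is not reproducible between two runs; pin a release tag or full commit SHA, e.g. `git clone --depth 1 -b <tag> https://github.com/elastic/ecs.git ./ecs` or a post-clone `git checkout <sha>`, and quote `"$ECS_VERSION"`. The final step still runs `npx -q ts-node create_schema_from_mapping.js` while this same commit deletes that `.js` file and adds `create_schema_from_mapping.ts`, so the script cannot complete as committed (PATCH 10 in this series corrects the file name). The relative paths `../component_templates/assets/...` assume the script is executed from its own directory; the file header is outside the hunk, so I cannot tell whether it `cd`s there first.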
+++ b/x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.ts @@ -8,33 +8,40 @@ const INDENT_LENGTH = 2; const INDENT = ''.padStart(INDENT_LENGTH); -module.exports = { - createLineWriter, -}; +export class LineWriter { + private _indent: string = ''; + private _lines: string[] = []; -class LineWriter { constructor() { this._indent = ''; this._lines = []; } - addLine(line) { + public addLine(line: string) { this._lines.push(`${this._indent}${line}`); } - indent() { + public addLineAndIndent(line: string) { + this._lines.push(`${this._indent}${line}`); this._indent = `${this._indent}${INDENT}`; } - dedent() { + public dedentAndAddLine(line: string) { this._indent = this._indent.substr(INDENT_LENGTH); + this._lines.push(`${this._indent}${line}`); + } + + public indent() { + this._indent = `${this._indent}${INDENT}`; } - getContent() { + public dedent() { + this._indent = this._indent.substr(INDENT_LENGTH); + } + + public getContent() { return this._lines.join('\n'); } } -function createLineWriter() { - return new LineWriter(); -} +export const createLineWriter = () => new LineWriter(); diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 3bca94dc27cd80..54dee150be78b5 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
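Review bot: The `constructor()` kept in `LineWriter` only re-assigns `_indent` and `_lines`, which the two field initializers directly above it already set; it can be dropped. `String.prototype.substr` is deprecated — `dedentAndAddLine` and `dedent` should use `this._indent.slice(INDENT_LENGTH)`, and `addLineAndIndent`/`dedentAndAddLine` read more clearly as `this.addLine(line); this.indent();` and `this.dedent(); this.addLine(line);` so the indent arithmetic lives in one place. The `_` prefix on `private` members is the pre-TypeScript convention; with `private` (or `#`) it is redundant.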
@@ -7,8 +7,13 @@ import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types'; import { Logger, ElasticsearchClient } from '@kbn/core/server'; -import { alertsComponentTemplate, ecsComponentTemplate } from '../../common'; +import { + alertFieldMap, + ecsFieldMap, + getComponentTemplateFromFieldMap, +} from '../../common/alert_schema'; import { ILM_POLICY_NAME, DEFAULT_ILM_POLICY } from './default_lifecycle_policy'; +import { ALERTS_COMPONENT_TEMPLATE_NAME, ECS_COMPONENT_TEMPLATE_NAME } from './types'; interface AlertsServiceParams { logger: Logger; @@ -75,8 +80,22 @@ export class AlertsService implements IAlertsService { private async createOrUpdateComponentTemplates(esClient: ElasticsearchClient) { await Promise.all([ - this.createOrUpdateComponentTemplate(esClient, alertsComponentTemplate), - this.createOrUpdateComponentTemplate(esClient, ecsComponentTemplate), + this.createOrUpdateComponentTemplate( + esClient, + getComponentTemplateFromFieldMap({ + name: ALERTS_COMPONENT_TEMPLATE_NAME, + fieldMap: alertFieldMap, + fieldLimit: 100, + }) + ), + this.createOrUpdateComponentTemplate( + esClient, + getComponentTemplateFromFieldMap({ + name: ECS_COMPONENT_TEMPLATE_NAME, + fieldMap: ecsFieldMap, + fieldLimit: 2000, + }) + ), ]); } diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts index 1fec1c76430ebd..043bfe813eb07e 100644 --- a/x-pack/plugins/alerting/server/alerts_service/types.ts +++ b/x-pack/plugins/alerting/server/alerts_service/types.ts @@ -4,3 +4,6 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ + +export const ALERTS_COMPONENT_TEMPLATE_NAME = 'alerts-default-component-template'; +export const ECS_COMPONENT_TEMPLATE_NAME = 'alerts-ecs-component-template'; From 64faa6723622aa0ed63585b4dee742866dad9400 Mon Sep 17 00:00:00 2001 
From: Ying Mao Date: Tue, 6 Dec 2022 13:37:49 -0500 Subject: [PATCH 10/42] Cleaning up schema generation script and adding check to buildkite --- .buildkite/scripts/steps/checks.sh | 1 + .buildkite/scripts/steps/checks/alerts_as_data.sh | 11 +++++++++++ .../generated => }/schemas/alert_schema.ts | 0 .../generated => }/schemas/ecs_schema.ts | 0 .../scripts/create_schema_from_mapping.ts | 8 +++----- .../alert_schema/scripts/generate_ecs_fieldmap.js | 1 - .../alert_schema/scripts/generate_schemas.sh | 14 ++------------ 7 files changed, 17 insertions(+), 18 deletions(-) create mode 100755 .buildkite/scripts/steps/checks/alerts_as_data.sh rename x-pack/plugins/alerting/common/alert_schema/{field_maps/generated => }/schemas/alert_schema.ts (100%) rename x-pack/plugins/alerting/common/alert_schema/{field_maps/generated => }/schemas/ecs_schema.ts (100%) diff --git a/.buildkite/scripts/steps/checks.sh b/.buildkite/scripts/steps/checks.sh index 0e11ac04eea1d9..c76c8e7c5724a2 100755 --- a/.buildkite/scripts/steps/checks.sh +++ b/.buildkite/scripts/steps/checks.sh @@ -9,6 +9,7 @@ export DISABLE_BOOTSTRAP_VALIDATION=false .buildkite/scripts/steps/checks/ftr_configs.sh .buildkite/scripts/steps/checks/bazel_packages.sh .buildkite/scripts/steps/checks/event_log.sh +.buildkite/scripts/steps/checks/alerts_as_data.sh .buildkite/scripts/steps/checks/telemetry.sh .buildkite/scripts/steps/checks/ts_projects.sh .buildkite/scripts/steps/checks/jest_configs.sh diff --git a/.buildkite/scripts/steps/checks/alerts_as_data.sh b/.buildkite/scripts/steps/checks/alerts_as_data.sh new file mode 100755 index 00000000000000..99f62d8de29de6 --- /dev/null +++ b/.buildkite/scripts/steps/checks/alerts_as_data.sh 
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common/util.sh
+
+echo --- Check Framework Alerts as Data Schema
+
+./x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh
+
+check_for_changed_files 'node x-pack/plugins/event_log/scripts/create_schemas.js' false 'Follow the directions in x-pack/plugins/alerting/common/alert_schema/scripts/README.md to make schema changes to framework alerts as data.'
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/alert_schema.ts b/x-pack/plugins/alerting/common/alert_schema/schemas/alert_schema.ts
similarity index 100%
rename from x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/alert_schema.ts
rename to x-pack/plugins/alerting/common/alert_schema/schemas/alert_schema.ts
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/ecs_schema.ts b/x-pack/plugins/alerting/common/alert_schema/schemas/ecs_schema.ts
similarity index 100%
rename from x-pack/plugins/alerting/common/alert_schema/field_maps/generated/schemas/ecs_schema.ts
rename to x-pack/plugins/alerting/common/alert_schema/schemas/ecs_schema.ts
diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts
index e5d43700a44965..5ab3dcca3bbc8d 100644
--- a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts
+++ b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts
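Review bot: The first argument to `check_for_changed_files` is `node x-pack/plugins/event_log/scripts/create_schemas.js`, the event_log check's command rather than the `generate_schemas.sh` script this check just ran; if that argument is the command echoed in the failure output (`util.sh` is outside this diff, so I cannot confirm), users are pointed at the wrong script. The hint also references `x-pack/plugins/alerting/common/alert_schema/scripts/README.md`, which this commit does not add. Since `generate_schemas.sh` runs `generate_ecs_fieldmap.js`, which by its `ecsYmlUrlPrefix` constant appears to fetch `ecs_flat.yml` from raw.githubusercontent.com, this CI check now depends on outbound network access; a comment stating that, or a vendored copy of the file, would make the dependency explicit.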
@@ -14,8 +14,8 @@ import { ecsFieldMap } from '../field_maps/ecs_field_map'; import { FieldMap } from '../field_maps/types'; const PLUGIN_DIR = path.resolve(path.join(__dirname, '..')); -const ALERT_SCHEMA_FILE = 'field_maps/generated/schemas/alert_schema.ts'; -const ECS_SCHEMA_FILE = 'field_maps/generated/schemas/ecs_schema.ts'; +const ALERT_SCHEMA_FILE = 'schemas/alert_schema.ts'; +const ECS_SCHEMA_FILE = 'schemas/ecs_schema.ts'; const createSchema = (outputFile: string, fieldMap: FieldMap, schemaPrefix: string) => { const lineWriters = { @@ -314,7 +314,5 @@ try { // eslint-disable-next-line no-console console.log(`Finished creating schemas!`); } catch (error) { - // eslint-disable-next-line no-console - console.log(`Error encountered creating schemas ${error.message}`); - throw error; + logError(`Error encountered creating schemas ${error.message}`); } diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js index abd874f5fbbd2f..d0f296d005a4e8 100644 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js +++ b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js @@ -21,7 +21,6 @@ const ecsYmlUrlPrefix = `https://raw.githubusercontent.com/elastic/ecs/v8.5.2/ge const ecsYmlFilename = `ecs_flat.yml`; const outputDir = path.join(__dirname, '../../alert_schema/field_maps'); - const outputFieldMapFilename = path.join(outputDir, 'ecs_field_map.ts'); async function generate() { diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh index f4d2d251c41890..63a9bb6830c150 100755 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh +++ b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh 
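Review bot: The rewritten `catch (error)` passes only `error.message` to `logError`, which calls `process.exit(1)`, so the stack trace the removed `throw error` used to surface is gone — when the generator fails in CI there is no indication of which `set`/`generateSchemaLines` call raised; log `error instanceof Error ? error.stack ?? error.message : String(error)` instead (the `instanceof` check also keeps the access compiling under `useUnknownInCatchVariables`). The enclosing `try` block starts outside the hunk.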
@@ -5,20 +5,10 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -echo --- Getting ECS template - -# Pin to a specific commit -ECS_VERSION=8.6 -git clone --depth 1 -b $ECS_VERSION https://github.com/elastic/ecs.git ./ecs - -cp ./ecs/generated/elasticsearch/legacy/template.json ../component_templates/assets/ecs_legacy_template.json - -rm -rf ./ecs - echo --- Generating ECS field map from template -node generate_ecs_fieldmap.js +node x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js echo --- Generating Alert and ECS schemas from template -npx -q ts-node create_schema_from_mapping.js +npx -q ts-node x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts From 9bde6b3aa669d256656dcf66d4dfe91ebbd7572d Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Tue, 6 Dec 2022 14:38:41 -0500 Subject: [PATCH 11/42] Trying to reduce bundle size --- x-pack/plugins/alerting/common/alert_schema/index.ts | 4 ++++ x-pack/plugins/alerting/common/index.ts | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/alerting/common/alert_schema/index.ts b/x-pack/plugins/alerting/common/alert_schema/index.ts index a36ef8a5205e11..d7d5c33be0c2e8 100644 --- a/x-pack/plugins/alerting/common/alert_schema/index.ts +++ b/x-pack/plugins/alerting/common/alert_schema/index.ts @@ -7,4 +7,8 @@ export { ecsFieldMap } from './field_maps/ecs_field_map'; export { alertFieldMap } from './field_maps/alert_field_map'; +export { EcsSchema } from './schemas/ecs_schema'; +export type { Ecs } from './schemas/ecs_schema'; +export { AlertSchema } from './schemas/alert_schema'; +export type { Alert } from './schemas/alert_schema'; export { getComponentTemplateFromFieldMap } from './field_maps/component_template_from_field_map'; diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index 7037da93d48f6c..43b977cac4db70 100644 
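Review bot: `npx -q ts-node ...` downloads and executes the latest `ts-node` from the registry whenever the package is not resolvable from `node_modules`, which makes a CI check depend on an unpinned package; invoke the repository's own `ts-node` binary (or pass npx's no-install flag, whose spelling depends on the npm version) so the check only runs what the lockfile pins. The script now hard-codes repo-root-relative paths (`x-pack/plugins/alerting/...`) — consistent with `alerts_as_data.sh` calling it from the root — but the shebang and any `set -euo pipefail` are outside the hunk, so if they are absent a failing `generate_ecs_fieldmap.js` would still let the schema step run on stale input.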
--- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts @@ -22,7 +22,8 @@ export * from './rule_notify_when_type'; export * from './parse_duration'; export * from './execution_log_types'; export * from './rule_snooze_type'; -export * from './alert_schema'; + +export { AlertSchema, EcsSchema, type Alert, type Ecs } from './alert_schema'; export interface AlertingFrameworkHealth { isSufficientlySecure: boolean; From 5b95dd6b02924ff1c828c2a0480db2e9387f6077 Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Tue, 6 Dec 2022 16:09:32 -0500 Subject: [PATCH 12/42] Installing all the resources --- .../component_template_from_field_map.ts | 3 + .../server/alerts_service/alerts_service.ts | 393 ++++++++++++++---- .../alerting/server/alerts_service/types.ts | 4 + x-pack/plugins/alerting/server/plugin.ts | 7 +- 4 files changed, 331 insertions(+), 76 deletions(-) diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts index 64fa93b79ec428..25dc6e87518ad3 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts @@ -21,6 +21,9 @@ export const getComponentTemplateFromFieldMap = ({ }: GetComponentTemplateFromFieldMapOpts): ClusterPutComponentTemplateRequest => { return { name, + _meta: { + managed: true, + }, template: { settings: { number_of_shards: 1, diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 54dee150be78b5..27553067d27d4f 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -5,20 +5,55 @@ * 2.0. */ -import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types'; +import { + ClusterPutComponentTemplateRequest, + IndicesSimulateIndexTemplateResponse, + MappingTypeMapping, +} from '@elastic/elasticsearch/lib/api/types'; +import { get, isEmpty } from 'lodash'; import { Logger, ElasticsearchClient } from '@kbn/core/server'; +import { firstValueFrom, Observable } from 'rxjs'; import { alertFieldMap, ecsFieldMap, getComponentTemplateFromFieldMap, } from '../../common/alert_schema'; import { ILM_POLICY_NAME, DEFAULT_ILM_POLICY } from './default_lifecycle_policy'; -import { ALERTS_COMPONENT_TEMPLATE_NAME, ECS_COMPONENT_TEMPLATE_NAME } from './types'; +import { + ALERTS_COMPONENT_TEMPLATE_NAME, + DEFAULT_ALERTS_INDEX, + DEFAULT_ALERTS_INDEX_PATTERN, + ECS_COMPONENT_TEMPLATE_NAME, + INDEX_TEMPLATE_NAME, + INITIAL_ALERTS_INDEX_NAME, +} from './types'; + +const componentTemplatesToInstall = [ + { + name: ALERTS_COMPONENT_TEMPLATE_NAME, + fieldMap: alertFieldMap, + fieldLimit: 100, + }, + { + name: ECS_COMPONENT_TEMPLATE_NAME, + fieldMap: ecsFieldMap, + fieldLimit: 2000, + }, +]; +const TOTAL_FIELDS_LIMIT = 2500; +const INSTALLATION_TIMEOUT = 20 * 60 * 1000; // 20 minutes interface AlertsServiceParams { logger: Logger; + pluginStop$: Observable; elasticsearchClientPromise: Promise; } + +interface ConcreteIndexInfo { + index: string; + alias: string; + isWriteIndex: boolean; +} interface IAlertsService { /** * Initializes all the ES resources used by the alerts client 
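Review bot: `TOTAL_FIELDS_LIMIT = 2500` is an independent literal even though it presumably must stay at or above the sum of the `fieldLimit` values in `componentTemplatesToInstall` (100 + 2000 today), otherwise the composed index template's `index.mapping.total_fields.limit` could be exceeded by the mappings the component templates define; derive it, e.g. `const TOTAL_FIELDS_LIMIT = componentTemplatesToInstall.reduce((sum, t) => sum + t.fieldLimit, 0) + 400; // constructed example: headroom for fields outside the component templates`, or at least document the relationship next to the constant. `componentTemplatesToInstall` is a mutable module-level array; marking it `as const` (or typing it `readonly`) signals that it is configuration rather than state.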
@@ -51,13 +86,13 @@ export class AlertsService implements IAlertsService { setImmediate(async () => { const esClient = await this.options.elasticsearchClientPromise; - // todo wrap all calls in retry - await this.createOrUpdateIlmPolicy(esClient); - await this.createOrUpdateComponentTemplates(esClient); - // await this.createOrUpdateIndexTemplate(esClient); - - // TODO - check if it exists first - // await this.createConcreteWriteIndex(esClient); + await this.installWithTimeoutAndRetry(esClient, this.createOrUpdateIlmPolicy.bind(this)); + await this.installWithTimeoutAndRetry( + esClient, + this.createOrUpdateComponentTemplates.bind(this) + ); + await this.installWithTimeoutAndRetry(esClient, this.createOrUpdateIndexTemplate.bind(this)); + await this.installWithTimeoutAndRetry(esClient, this.createConcreteWriteIndex.bind(this)); }); } @@ -78,25 +113,24 @@ export class AlertsService implements IAlertsService { } } + /** + * Installs component templates if they don't already exist, updates them if + * they do. + */ private async createOrUpdateComponentTemplates(esClient: ElasticsearchClient) { - await Promise.all([ - this.createOrUpdateComponentTemplate( - esClient, - getComponentTemplateFromFieldMap({ - name: ALERTS_COMPONENT_TEMPLATE_NAME, - fieldMap: alertFieldMap, - fieldLimit: 100, - }) - ), - this.createOrUpdateComponentTemplate( - esClient, - getComponentTemplateFromFieldMap({ - name: ECS_COMPONENT_TEMPLATE_NAME, - fieldMap: ecsFieldMap, - fieldLimit: 2000, - }) - ), - ]); + this.options.logger.info( + `Installing ${componentTemplatesToInstall.length} component templates` + ); + + await Promise.all( + componentTemplatesToInstall.map((componentTemplateSpec) => + this.createOrUpdateComponentTemplate( + esClient, + // dynamically generate component template from field map specification + getComponentTemplateFromFieldMap(componentTemplateSpec) + ) + ) + ); } private async createOrUpdateComponentTemplate( 
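Review bot: The async callback handed to `setImmediate` has no `try`/`catch`, so if `installWithTimeoutAndRetry` rethrows after its retries (its body is outside the hunk) the rejection is unobserved and, on current Node defaults, terminates the process instead of leaving the alerts service uninitialised; wrap the four awaits in a `try`/`catch` that logs via `this.options.logger.error(...)` and records the failure so callers can tell the resources are missing. The four steps are strictly sequential, which looks deliberate since each depends on the previous one; a one-line comment saying so would stop a future refactor into `Promise.all`.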
@@ -115,52 +149,261 @@ export class AlertsService implements IAlertsService { } } - // private async createOrUpdateIndexTemplate(esClient: ElasticsearchClient) { - // this.options.logger.info(`Installing index template`); - - // try { - // await esClient.indices.putIndexTemplate({ - // name: INDEX_TEMPLATE_NAME, - // index_patterns: [`${DEFAULT_ALERTS_INDEX}*`], - // // composed_of: [], - // template: { - // settings: { - // hidden: true, - // index: { - // lifecycle: { - // name: ILM_POLICY_NAME, - // rollover_alias: DEFAULT_ALERTS_INDEX, - // }, - // }, - // }, - // mappings: { - // dynamic: true, - // }, - // }, - // }); - // } catch (err) { - // this.options.logger.error(`Error installing index template - ${err.message}`); - // throw err; - // } - // } - - // private async createConcreteWriteIndex(esClient: ElasticsearchClient) { - // this.options.logger.info(`Creating concrete write index`); - - // try { - // await esClient.indices.create({ - // index: `${DEFAULT_ALERTS_INDEX}-000001`, - // aliases: { - // [DEFAULT_ALERTS_INDEX]: { - // is_write_index: true, - // }, - // }, - // }); - // } catch (err) { - // this.options.logger.error(`Error creating concrete write index - ${err.message}`); - // // throw err; - // } - // } - - // private async installWithRetry() {} + /** + * Installs index template that uses installed component template + * Prior to installation, simulates the installation to check for possible + * conflicts. Simulate should return an empty mapping if a template + * conflicts with an already installed template. 
+ */ + private async createOrUpdateIndexTemplate(esClient: ElasticsearchClient) { + this.options.logger.info(`Installing index template ${INDEX_TEMPLATE_NAME}`); + + const indexTemplate = { + name: INDEX_TEMPLATE_NAME, + body: { + index_patterns: [DEFAULT_ALERTS_INDEX_PATTERN], + composed_of: [ALERTS_COMPONENT_TEMPLATE_NAME, ECS_COMPONENT_TEMPLATE_NAME], + template: { + settings: { + auto_expand_replicas: '0-1', + hidden: true, + 'index.lifecycle': { + name: ILM_POLICY_NAME, + rollover_alias: DEFAULT_ALERTS_INDEX, + }, + 'index.mapping.total_fields.limit': TOTAL_FIELDS_LIMIT, + }, + mappings: { + dynamic: false, + }, + }, + _meta: { + managed: true, + }, + // do we need metadata? like kibana version? doesn't that get updated every version? or just the first version its installed + }, + }; + + // Simulate the index template to proactively identify any issues with the mapping + const simulateResponse = await esClient.indices.simulateTemplate(indexTemplate); + const mappings: MappingTypeMapping = simulateResponse.template.mappings; + + if (isEmpty(mappings)) { + throw new Error( + 'No mappings would be generated for this index, possibly due to failed/misconfigured bootstrapping' + ); + } + try { + await esClient.indices.putIndexTemplate(indexTemplate); + } catch (err) { + this.options.logger.error(`Error installing index template - ${err.message}`); + throw err; + } + } + + /** + * Updates the underlying mapping for any existing concrete indices + */ + private async updateIndexMappings( + esClient: ElasticsearchClient, + concreteIndices: ConcreteIndexInfo[] + ) { + this.options.logger.info(`Updating underlying mappings for ${concreteIndices.length} indices.`); + + // Update total field limit setting of found indices + // Other index setting changes are not updated at this time + await Promise.all( + concreteIndices.map((index) => this.updateTotalFieldLimitSetting(esClient, index)) + ); + + // Update mappings of the found indices. 
+ await Promise.all( + concreteIndices.map((index) => this.updateUnderlyingMapping(esClient, index)) + ); + } + + private async updateTotalFieldLimitSetting( + esClient: ElasticsearchClient, + { index, alias }: ConcreteIndexInfo + ) { + try { + await esClient.indices.putSettings({ + index, + body: { + 'index.mapping.total_fields.limit': TOTAL_FIELDS_LIMIT, + }, + }); + return; + } catch (err) { + this.options.logger.error( + `Failed to PUT index.mapping.total_fields.limit settings for alias ${alias}: ${err.message}` + ); + throw err; + } + } + + private async updateUnderlyingMapping( + esClient: ElasticsearchClient, + { index, alias }: ConcreteIndexInfo + ) { + let simulatedIndexMapping: IndicesSimulateIndexTemplateResponse; + try { + simulatedIndexMapping = await esClient.indices.simulateIndexTemplate({ + name: index, + }); + } catch (err) { + this.options.logger.error( + `Ignored PUT mappings for alias ${alias}; error generating simulated mappings: ${err.message}` + ); + return; + } + + const simulatedMapping = get(simulatedIndexMapping, ['template', 'mappings']); + + if (simulatedMapping == null) { + this.options.logger.error( + `Ignored PUT mappings for alias ${alias}; simulated mappings were empty` + ); + return; + } + + try { + await esClient.indices.putMapping({ + index, + body: simulatedMapping, + }); + return; + } catch (err) { + this.options.logger.error(`Failed to PUT mapping for alias ${alias}: ${err.message}`); + throw err; + } + } + + private async createConcreteWriteIndex(esClient: ElasticsearchClient) { + this.options.logger.info(`Creating concrete write index`); + + // check if a concrete write index already exists + let concreteIndices: ConcreteIndexInfo[] = []; + try { + const response = await esClient.indices.getAlias({ + index: DEFAULT_ALERTS_INDEX_PATTERN, + }); + + concreteIndices = Object.entries(response).flatMap(([index, { aliases }]) => + Object.entries(aliases).map(([aliasName, aliasProperties]) => ({ + index, + alias: aliasName, + 
isWriteIndex: aliasProperties.is_write_index ?? false, + })) + ); + + this.options.logger.info( + `Found ${concreteIndices.length} concrete indices - ${JSON.stringify(concreteIndices)}` + ); + } catch (error) { + // 404 is expected if no concrete write indices have been created + if (error.statusCode !== 404) { + this.options.logger.error( + `Error fetching concrete indices for ${DEFAULT_ALERTS_INDEX_PATTERN} pattern - ${error.message}` + ); + throw error; + } + } + + let concreteWriteIndicesExist = false; + // if a concrete write index already exists, update the underlying mapping + if (concreteIndices.length > 0) { + await this.updateIndexMappings(esClient, concreteIndices); + + const concreteIndicesExist = concreteIndices.some( + (index) => index.alias === DEFAULT_ALERTS_INDEX + ); + concreteWriteIndicesExist = concreteIndices.some( + (index) => index.alias === DEFAULT_ALERTS_INDEX && index.isWriteIndex + ); + + // If there are some concrete indices but none of them are the write index, we'll throw an error + // because one of the existing indices should have been the write target. + if (concreteIndicesExist && !concreteWriteIndicesExist) { + throw new Error( + `Indices matching pattern ${DEFAULT_ALERTS_INDEX_PATTERN} exist but none are set as the write index for alias ${DEFAULT_ALERTS_INDEX}` + ); + } + } + + // check if a concrete write index already exists + if (!concreteWriteIndicesExist) { + try { + await esClient.indices.create({ + index: INITIAL_ALERTS_INDEX_NAME, + body: { + aliases: { + [DEFAULT_ALERTS_INDEX]: { + is_write_index: true, + }, + }, + }, + }); + } catch (error) { + this.options.logger.error(`Error creating concrete write index - ${error.message}`); + // If the index already exists and it's the write index for the alias, + // something else created it so suppress the error. If it's not the write + // index, that's bad, throw an error. 
+ if (error?.meta?.body?.error?.type === 'resource_already_exists_exception') { + const existingIndices = await esClient.indices.get({ + index: INITIAL_ALERTS_INDEX_NAME, + }); + if ( + !existingIndices[INITIAL_ALERTS_INDEX_NAME]?.aliases?.[DEFAULT_ALERTS_INDEX] + ?.is_write_index + ) { + throw Error( + `Attempted to create index: ${INITIAL_ALERTS_INDEX_NAME} as the write index for alias: ${DEFAULT_ALERTS_INDEX}, but the index already exists and is not the write index for the alias` + ); + } + } else { + throw error; + } + } + } + } + + private async installWithTimeoutAndRetry( + esClient: ElasticsearchClient, + installFn: (esClient: ElasticsearchClient) => Promise + ): Promise { + try { + let timeoutId: NodeJS.Timeout; + const install = async (): Promise => { + await installFn(esClient); + if (timeoutId) { + clearTimeout(timeoutId); + } + }; + + const throwTimeoutException = (): Promise => { + return new Promise((resolve, reject) => { + timeoutId = setTimeout(() => { + const msg = `Timeout: it took more than ${INSTALLATION_TIMEOUT}ms`; + reject(new Error(msg)); + }, INSTALLATION_TIMEOUT); + + firstValueFrom(this.options.pluginStop$).then(() => { + clearTimeout(timeoutId); + const msg = 'Server is stopping; must stop all async operations'; + reject(new Error(msg)); + }); + }); + }; + + await Promise.race([install(), throwTimeoutException()]); + } catch (e) { + this.options.logger.error(e); + + if (e?.message.indexOf('Server is stopping') < 0) { + const reason = e?.message || 'Unknown reason'; + throw new Error(`Failure during installation. ${reason}`); + } + } + } } diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts index 043bfe813eb07e..9a085fef9f57e3 100644 --- a/x-pack/plugins/alerting/server/alerts_service/types.ts +++ b/x-pack/plugins/alerting/server/alerts_service/types.ts 
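Review bot: In `installWithTimeoutAndRetry` the timer is only cleared after `installFn` succeeds, so a rejected install leaves the 20-minute `setTimeout` armed, and the error check `e?.message.indexOf('Server is stopping') < 0` itself throws a `TypeError` when `e` has no `message` (the optional chain stops at `e`, not at `message`). The method also performs no retry despite its name, so either the name or a comment should state that it only applies a timeout and a stop signal. Separately, in `createOrUpdateIndexTemplate` the `esClient.indices.simulateTemplate` call sits outside the try/catch, so its failures are thrown without the `Error installing index template` log context, and the `// do we need metadata? …` question inside `_meta` reads as a work-in-progress note that should be resolved before merge.

```typescript
  private async installWithTimeoutAndRetry(
    esClient: ElasticsearchClient,
    installFn: (esClient: ElasticsearchClient) => Promise<void>
  ): Promise<void> {
    try {
      let timeoutId: NodeJS.Timeout | undefined;
      const install = async (): Promise<void> => {
        try {
          await installFn(esClient);
        } finally {
          // clear on failure as well, otherwise a rejected install leaves the timer armed
          if (timeoutId) {
            clearTimeout(timeoutId);
          }
        }
      };
      // … unchanged: throwTimeoutException and Promise.race …
    } catch (e) {
      this.options.logger.error(e);
      // e is unknown here; do not assume it carries a message
      const reason = e instanceof Error && e.message ? e.message : 'Unknown reason';
      if (!reason.includes('Server is stopping')) {
        throw new Error(`Failure during installation. ${reason}`);
      }
    }
  }
```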
@@ -5,5 +5,9 @@ * 2.0. */ +export const INDEX_TEMPLATE_NAME = '.alerts-default-template'; +export const DEFAULT_ALERTS_INDEX = '.alerts-default'; +export const DEFAULT_ALERTS_INDEX_PATTERN = `${DEFAULT_ALERTS_INDEX}-*`; +export const INITIAL_ALERTS_INDEX_NAME = `${DEFAULT_ALERTS_INDEX}-000001`; export const ALERTS_COMPONENT_TEMPLATE_NAME = 'alerts-default-component-template'; export const ECS_COMPONENT_TEMPLATE_NAME = 'alerts-ecs-component-template'; diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts index 1f2c644bb582cb..781329280a1d69 100644 --- a/x-pack/plugins/alerting/server/plugin.ts +++ b/x-pack/plugins/alerting/server/plugin.ts @@ -6,7 +6,7 @@ */ import type { PublicMethodsOf } from '@kbn/utility-types'; -import { BehaviorSubject } from 'rxjs'; +import { BehaviorSubject, ReplaySubject, Subject } from 'rxjs'; import { pick } from 'lodash'; import { UsageCollectionSetup, UsageCounter } from '@kbn/usage-collection-plugin/server'; import { SecurityPluginSetup, SecurityPluginStart } from '@kbn/security-plugin/server'; @@ -177,6 +177,7 @@ export class AlertingPlugin { private usageCounter: UsageCounter | undefined; private inMemoryMetrics: InMemoryMetrics; private alertsService?: AlertsService; + private pluginStop$: Subject; constructor(initializerContext: PluginInitializerContext) { this.config = initializerContext.config.get(); @@ -187,6 +188,7 @@ export class AlertingPlugin { this.telemetryLogger = initializerContext.logger.get('usage'); this.kibanaVersion = initializerContext.env.packageInfo.version; this.inMemoryMetrics = new InMemoryMetrics(initializerContext.logger.get('in_memory_metrics')); + this.pluginStop$ = new ReplaySubject(1); } public setup( 
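Review bot: In the plugin.ts hunks `@@ -177,6 +177,7 @@` and `@@ -187,6 +188,7 @@`, `pluginStop$` is declared as a mutable `Subject` field and then assigned in the constructor, although it is never reassigned and is only ever used as a `ReplaySubject`. A field initializer states both facts directly: `private readonly pluginStop$ = new ReplaySubject<void>(1);`, which also makes the added `Subject` import unnecessary. The `void` parameter matches the `this.pluginStop$.next()` call in the stop hunk, which emits no value.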
@@ -236,6 +238,7 @@ export class AlertingPlugin { this.alertsService = new AlertsService({ logger: this.logger, + pluginStop$: this.pluginStop$, elasticsearchClientPromise: core .getStartServices() .then(([{ elasticsearch }]) => elasticsearch.client.asInternalUser), @@ -509,5 +512,7 @@ export class AlertingPlugin { if (this.licenseState) { this.licenseState.clean(); } + this.pluginStop$.next(); + this.pluginStop$.complete(); } } From 5e5f4b7a5edb27c4019dd5e3b62ef605557c4a7e Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Mon, 12 Dec 2022 14:02:47 -0500 Subject: [PATCH 13/42] wip --- .../src/default_alerts_as_data.ts | 194 +---------- .../src/technical_field_names.ts | 2 +- .../field_maps/alert_field_map.ts | 324 ------------------ .../field_maps/mapping_from_field_map.test.ts | 200 ----------- .../alert_schema/schemas/alert_schema.ts | 73 ---- .../alerts_service/alerts_service.mock.ts | 20 ++ .../alerts_service/alerts_service.test.ts | 206 +++++++++++ 7 files changed, 238 insertions(+), 781 deletions(-) create mode 100644 x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts create mode 100644 x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts diff --git a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts index f5f18cfcf3dbee..9a1939127bef3c 100644 --- a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts +++ b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts 
@@ -8,13 +8,11 @@ import { ValuesType } from 'utility-types'; -// TODO - add comments for all these dang fields const KIBANA_NAMESPACE = 'kibana' as const; -const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const; -const ALERT_ORIGINAL_EVENT_NAMESPACE = `${ALERT_NAMESPACE}.original_event` as const; -const ALERT_THRESHOLD_RESULT_NAMESPACE = `${ALERT_NAMESPACE}.threshold_result` as const; -const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const; +const SPACE_IDS = `${KIBANA_NAMESPACE}.space_ids` as const; +const VERSION = `${KIBANA_NAMESPACE}.version` as const; +const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const; const ALERT_ACTION_GROUP = `${ALERT_NAMESPACE}.action_group` as const; const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const; const ALERT_END = `${ALERT_NAMESPACE}.end` as const; @@ -29,7 +27,14 @@ const ALERT_EVALUATION_RESULTS_VALUE = `${ALERT_NAMESPACE}.evaluation_results.va const ALERT_FLAPPING = `${ALERT_NAMESPACE}.flapping` as const; const ALERT_ID = `${ALERT_NAMESPACE}.id` as const; const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const; -const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const; +const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const; +const ALERT_START = `${ALERT_NAMESPACE}.start` as const; +const ALERT_STATUS = `${ALERT_NAMESPACE}.status` as const; +const ALERT_TIME_RANGE = `${ALERT_NAMESPACE}.time_range` as const; +const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const; +const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const; + +const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const; const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const; const ALERT_RULE_CONSUMER = `${ALERT_RULE_NAMESPACE}.consumer` as const; const ALERT_RULE_EXECUTION_UUID = `${ALERT_RULE_NAMESPACE}.execution.uuid` as const; 
@@ -39,75 +44,6 @@ const ALERT_RULE_PRODUCER = `${ALERT_RULE_NAMESPACE}.producer` as const; const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const; const ALERT_RULE_TYPE_ID = `${ALERT_RULE_NAMESPACE}.rule_type_id` as const; const ALERT_RULE_UUID = `${ALERT_RULE_NAMESPACE}.uuid` as const; -const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const; -const ALERT_START = `${ALERT_NAMESPACE}.start` as const; -const ALERT_STATUS = `${ALERT_NAMESPACE}.status` as const; -const ALERT_TIME_RANGE = `${ALERT_NAMESPACE}.time_range` as const; -const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const; -const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const; -const ANOMALY_BUCKET_SPAN_MINUTES = `anomaly.bucket_span.minutes` as const; -const ANOMALY_START = `anomaly.start` as const; -const MONITOR_ID = `monitor.id` as const; -const MONITOR_NAME = `monitor.name` as const; -const MONITOR_TYPE = `monitor.type` as const; -const PROCESSOR_EVENT = `processor.event` as const; -const TRANSACTION_TYPE = `transaction.type` as const; -const TRANSACTION_NAME = `transaction.name` as const; -const SPACE_IDS = `${KIBANA_NAMESPACE}.space_ids` as const; -const VERSION = `${KIBANA_NAMESPACE}.version` as const; - -const ALERT_ANCESTORS = `${ALERT_NAMESPACE}.ancestors` as const; -const ALERT_ANCESTORS_DEPTH = `${ALERT_NAMESPACE}.ancestors.depth` as const; -const ALERT_ANCESTORS_ID = `${ALERT_NAMESPACE}.ancestors.id` as const; -const ALERT_ANCESTORS_INDEX = `${ALERT_NAMESPACE}.ancestors.index` as const; -const ALERT_ANCESTORS_RULE = `${ALERT_NAMESPACE}.ancestors.rule` as const; -const ALERT_ANCESTORS_TYPE = `${ALERT_NAMESPACE}.ancestors.type` as const; -const ALERT_DEPTH = `${ALERT_NAMESPACE}.depth` as const; -const ALERT_GROUP_ID = `${ALERT_NAMESPACE}.group.id` as const; -const ALERT_GROUP_INDEX = `${ALERT_NAMESPACE}.group.index` as const; -const ALERT_ORIGINAL_EVENT_ACTION = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.action` as const; -const ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS 
= - `${ALERT_ORIGINAL_EVENT_NAMESPACE}.agent_id_status` as const; -const ALERT_ORIGINAL_EVENT_CATEGORY = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.category` as const; -const ALERT_ORIGINAL_EVENT_CODE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.code` as const; -const ALERT_ORIGINAL_EVENT_CREATED = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.created` as const; -const ALERT_ORIGINAL_EVENT_DATASET = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.dataset` as const; -const ALERT_ORIGINAL_EVENT_DURATION = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.duration` as const; -const ALERT_ORIGINAL_EVENT_END = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.end` as const; -const ALERT_ORIGINAL_EVENT_HASH = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.hash` as const; -const ALERT_ORIGINAL_EVENT_ID = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.id` as const; -const ALERT_ORIGINAL_EVENT_INGESTED = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.ingested` as const; -const ALERT_ORIGINAL_EVENT_KIND = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.kind` as const; -const ALERT_ORIGINAL_EVENT_MODULE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.module` as const; -const ALERT_ORIGINAL_EVENT_ORIGINAL = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.original` as const; -const ALERT_ORIGINAL_EVENT_OUTCOME = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.outcome` as const; -const ALERT_ORIGINAL_EVENT_PROVIDER = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.provider` as const; -const ALERT_ORIGINAL_EVENT_REASON = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.reason` as const; -const ALERT_ORIGINAL_EVENT_REFERENCE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.reference` as const; -const ALERT_ORIGINAL_EVENT_RISK_SCORE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.risk_score` as const; -const ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM = - `${ALERT_ORIGINAL_EVENT_NAMESPACE}.risk_score_norm` as const; -const ALERT_ORIGINAL_EVENT_SEQUENCE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.sequence` as const; -const ALERT_ORIGINAL_EVENT_SEVERITY = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.severity` as const; -const ALERT_ORIGINAL_EVENT_START = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.start` as const; 
-const ALERT_ORIGINAL_EVENT_TIMEZONE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.timezone` as const; -const ALERT_ORIGINAL_EVENT_TYPE = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.type` as const; -const ALERT_ORIGINAL_EVENT_URL = `${ALERT_ORIGINAL_EVENT_NAMESPACE}.url` as const; -const ALERT_ORIGINAL_TIME = `${ALERT_NAMESPACE}.original_time` as const; -const ALERT_THRESHOLD_RESULT_CARDINALITY = - `${ALERT_THRESHOLD_RESULT_NAMESPACE}.cardinality` as const; -const ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD = - `${ALERT_THRESHOLD_RESULT_NAMESPACE}.cardinality.field` as const; -const ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE = - `${ALERT_THRESHOLD_RESULT_NAMESPACE}.cardinality.value` as const; -const ALERT_THRESHOLD_RESULT_COUNT = `${ALERT_THRESHOLD_RESULT_NAMESPACE}.count` as const; -const ALERT_THRESHOLD_RESULT_FROM = `${ALERT_THRESHOLD_RESULT_NAMESPACE}.from` as const; -const ALERT_THRESHOLD_RESULT_TERMS = `${ALERT_THRESHOLD_RESULT_NAMESPACE}.terms` as const; -const ALERT_THRESHOLD_RESULT_TERMS_FIELD = - `${ALERT_THRESHOLD_RESULT_NAMESPACE}.terms.field` as const; -const ALERT_THRESHOLD_RESULT_TERMS_VALUE = - `${ALERT_THRESHOLD_RESULT_NAMESPACE}.terms.value` as const; -const ALERT_NEW_TERMS = `${ALERT_NAMESPACE}.new_terms` as const; const namespaces = { KIBANA_NAMESPACE, @@ -117,13 +53,6 @@ const namespaces = { const fields = { ALERT_ACTION_GROUP, - ALERT_ANCESTORS, - ALERT_ANCESTORS_DEPTH, - ALERT_ANCESTORS_ID, - ALERT_ANCESTORS_INDEX, - ALERT_ANCESTORS_RULE, - ALERT_ANCESTORS_TYPE, - ALERT_DEPTH, ALERT_DURATION, ALERT_END, ALERT_EVALUATION_RESULTS, 
@@ -132,39 +61,8 @@ const fields = { ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE, ALERT_EVALUATION_RESULTS_VALUE, ALERT_FLAPPING, - ALERT_GROUP_ID, - ALERT_GROUP_INDEX, ALERT_ID, - ALERT_NEW_TERMS, - ALERT_ORIGINAL_EVENT_ACTION, - ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS, - ALERT_ORIGINAL_EVENT_CATEGORY, - ALERT_ORIGINAL_EVENT_CODE, - ALERT_ORIGINAL_EVENT_CREATED, - ALERT_ORIGINAL_EVENT_DATASET, - ALERT_ORIGINAL_EVENT_DURATION, - ALERT_ORIGINAL_EVENT_END, - ALERT_ORIGINAL_EVENT_HASH, - ALERT_ORIGINAL_EVENT_ID, - ALERT_ORIGINAL_EVENT_INGESTED, - ALERT_ORIGINAL_EVENT_KIND, - ALERT_ORIGINAL_EVENT_MODULE, - ALERT_ORIGINAL_EVENT_ORIGINAL, - ALERT_ORIGINAL_EVENT_OUTCOME, - ALERT_ORIGINAL_EVENT_PROVIDER, - ALERT_ORIGINAL_EVENT_REASON, - ALERT_ORIGINAL_EVENT_REFERENCE, - ALERT_ORIGINAL_EVENT_RISK_SCORE, - ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, - ALERT_ORIGINAL_EVENT_SEQUENCE, - ALERT_ORIGINAL_EVENT_SEVERITY, - ALERT_ORIGINAL_EVENT_START, - ALERT_ORIGINAL_EVENT_TIMEZONE, - ALERT_ORIGINAL_EVENT_TYPE, - ALERT_ORIGINAL_EVENT_URL, - ALERT_ORIGINAL_TIME, ALERT_REASON, - ALERT_RISK_SCORE, ALERT_RULE_CATEGORY, ALERT_RULE_CONSUMER, ALERT_RULE_EXECUTION_UUID, @@ -177,38 +75,15 @@ const fields = { ALERT_SEVERITY, ALERT_START, ALERT_STATUS, - ALERT_THRESHOLD_RESULT_CARDINALITY, - ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD, - ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE, - ALERT_THRESHOLD_RESULT_COUNT, - ALERT_THRESHOLD_RESULT_FROM, - ALERT_THRESHOLD_RESULT_TERMS, - ALERT_THRESHOLD_RESULT_TERMS_FIELD, - ALERT_THRESHOLD_RESULT_TERMS_VALUE, ALERT_TIME_RANGE, ALERT_UUID, ALERT_WORKFLOW_STATUS, - ANOMALY_BUCKET_SPAN_MINUTES, - ANOMALY_START, - MONITOR_ID, - MONITOR_NAME, - MONITOR_TYPE, - PROCESSOR_EVENT, SPACE_IDS, - TRANSACTION_TYPE, - TRANSACTION_NAME, VERSION, }; export { ALERT_ACTION_GROUP, - ALERT_ANCESTORS, - ALERT_ANCESTORS_DEPTH, - ALERT_ANCESTORS_ID, - ALERT_ANCESTORS_INDEX, - ALERT_ANCESTORS_RULE, - ALERT_ANCESTORS_TYPE, - ALERT_DEPTH, ALERT_DURATION, ALERT_END, ALERT_EVALUATION_RESULTS, 
@@ -217,39 +92,8 @@ export { ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE, ALERT_EVALUATION_RESULTS_VALUE, ALERT_FLAPPING, - ALERT_GROUP_ID, - ALERT_GROUP_INDEX, ALERT_ID, - ALERT_NEW_TERMS, - ALERT_ORIGINAL_EVENT_ACTION, - ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS, - ALERT_ORIGINAL_EVENT_CATEGORY, - ALERT_ORIGINAL_EVENT_CODE, - ALERT_ORIGINAL_EVENT_CREATED, - ALERT_ORIGINAL_EVENT_DATASET, - ALERT_ORIGINAL_EVENT_DURATION, - ALERT_ORIGINAL_EVENT_END, - ALERT_ORIGINAL_EVENT_HASH, - ALERT_ORIGINAL_EVENT_ID, - ALERT_ORIGINAL_EVENT_INGESTED, - ALERT_ORIGINAL_EVENT_KIND, - ALERT_ORIGINAL_EVENT_MODULE, - ALERT_ORIGINAL_EVENT_ORIGINAL, - ALERT_ORIGINAL_EVENT_OUTCOME, - ALERT_ORIGINAL_EVENT_PROVIDER, - ALERT_ORIGINAL_EVENT_REASON, - ALERT_ORIGINAL_EVENT_REFERENCE, - ALERT_ORIGINAL_EVENT_RISK_SCORE, - ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, - ALERT_ORIGINAL_EVENT_SEQUENCE, - ALERT_ORIGINAL_EVENT_SEVERITY, - ALERT_ORIGINAL_EVENT_START, - ALERT_ORIGINAL_EVENT_TIMEZONE, - ALERT_ORIGINAL_EVENT_TYPE, - ALERT_ORIGINAL_EVENT_URL, - ALERT_ORIGINAL_TIME, ALERT_REASON, - ALERT_RISK_SCORE, ALERT_RULE_CATEGORY, ALERT_RULE_CONSUMER, ALERT_RULE_EXECUTION_UUID, @@ -262,26 +106,10 @@ export { ALERT_SEVERITY, ALERT_START, ALERT_STATUS, - ALERT_THRESHOLD_RESULT_CARDINALITY, - ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD, - ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE, - ALERT_THRESHOLD_RESULT_COUNT, - ALERT_THRESHOLD_RESULT_FROM, - ALERT_THRESHOLD_RESULT_TERMS, - ALERT_THRESHOLD_RESULT_TERMS_FIELD, - ALERT_THRESHOLD_RESULT_TERMS_VALUE, ALERT_TIME_RANGE, ALERT_UUID, ALERT_WORKFLOW_STATUS, - ANOMALY_BUCKET_SPAN_MINUTES, - ANOMALY_START, - MONITOR_ID, - MONITOR_NAME, - MONITOR_TYPE, - PROCESSOR_EVENT, SPACE_IDS, - TRANSACTION_TYPE, - TRANSACTION_NAME, VERSION, ALERT_NAMESPACE, ALERT_RULE_NAMESPACE, diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts index b7313065abba56..f5d420f66983c4 100644 
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts +++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts @@ -14,7 +14,6 @@ import { ALERT_END, ALERT_FLAPPING, ALERT_REASON, - ALERT_RISK_SCORE, ALERT_RULE_CATEGORY, ALERT_RULE_CONSUMER, ALERT_RULE_EXECUTION_UUID, @@ -50,6 +49,7 @@ const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as co const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const; const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; const ALERT_INSTANCE_ID = `${ALERT_NAMESPACE}.instance.id` as const; +const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const; const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const; const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const; const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts index f6571708c9e8eb..87d64c0ebfc89a 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts @@ -7,13 +7,6 @@ import { ALERT_ACTION_GROUP, - ALERT_ANCESTORS, - ALERT_ANCESTORS_DEPTH, - ALERT_ANCESTORS_ID, - ALERT_ANCESTORS_INDEX, - ALERT_ANCESTORS_RULE, - ALERT_ANCESTORS_TYPE, - ALERT_DEPTH, ALERT_DURATION, ALERT_END, ALERT_EVALUATION_RESULTS, 
@@ -22,39 +15,8 @@ import { ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE, ALERT_EVALUATION_RESULTS_VALUE, ALERT_FLAPPING, - ALERT_GROUP_ID, - ALERT_GROUP_INDEX, ALERT_ID, - ALERT_NEW_TERMS, - ALERT_ORIGINAL_EVENT_ACTION, - ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS, - ALERT_ORIGINAL_EVENT_CATEGORY, - ALERT_ORIGINAL_EVENT_CODE, - ALERT_ORIGINAL_EVENT_CREATED, - ALERT_ORIGINAL_EVENT_DATASET, - ALERT_ORIGINAL_EVENT_DURATION, - ALERT_ORIGINAL_EVENT_END, - ALERT_ORIGINAL_EVENT_HASH, - ALERT_ORIGINAL_EVENT_ID, - ALERT_ORIGINAL_EVENT_INGESTED, - ALERT_ORIGINAL_EVENT_KIND, - ALERT_ORIGINAL_EVENT_MODULE, - ALERT_ORIGINAL_EVENT_ORIGINAL, - ALERT_ORIGINAL_EVENT_OUTCOME, - ALERT_ORIGINAL_EVENT_PROVIDER, - ALERT_ORIGINAL_EVENT_REASON, - ALERT_ORIGINAL_EVENT_REFERENCE, - ALERT_ORIGINAL_EVENT_RISK_SCORE, - ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, - ALERT_ORIGINAL_EVENT_SEQUENCE, - ALERT_ORIGINAL_EVENT_SEVERITY, - ALERT_ORIGINAL_EVENT_START, - ALERT_ORIGINAL_EVENT_TIMEZONE, - ALERT_ORIGINAL_EVENT_TYPE, - ALERT_ORIGINAL_EVENT_URL, - ALERT_ORIGINAL_TIME, ALERT_REASON, - ALERT_RISK_SCORE, ALERT_RULE_CATEGORY, ALERT_RULE_CONSUMER, ALERT_RULE_EXECUTION_UUID, @@ -67,26 +29,10 @@ import { ALERT_SEVERITY, ALERT_START, ALERT_STATUS, - ALERT_THRESHOLD_RESULT_CARDINALITY, - ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD, - ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE, - ALERT_THRESHOLD_RESULT_COUNT, - ALERT_THRESHOLD_RESULT_FROM, - ALERT_THRESHOLD_RESULT_TERMS, - ALERT_THRESHOLD_RESULT_TERMS_FIELD, - ALERT_THRESHOLD_RESULT_TERMS_VALUE, ALERT_TIME_RANGE, ALERT_UUID, ALERT_WORKFLOW_STATUS, - ANOMALY_BUCKET_SPAN_MINUTES, - ANOMALY_START, - MONITOR_ID, - MONITOR_NAME, - MONITOR_TYPE, - PROCESSOR_EVENT, SPACE_IDS, - TRANSACTION_TYPE, - TRANSACTION_NAME, VERSION, } from '@kbn/rule-data-utils'; @@ -162,11 +108,6 @@ export const alertFieldMap = { array: false, required: false, }, - [ALERT_RISK_SCORE]: { - type: 'float', - array: false, - required: false, - }, [ALERT_WORKFLOW_STATUS]: { type: 'keyword', array: false, 
@@ -237,271 +178,6 @@ export const alertFieldMap = { array: false, required: false, }, - [TRANSACTION_TYPE]: { - type: 'keyword', - array: false, - required: false, - }, - [TRANSACTION_NAME]: { - type: 'keyword', - array: false, - required: false, - }, - [PROCESSOR_EVENT]: { - type: 'keyword', - array: false, - required: false, - }, - [MONITOR_ID]: { - type: 'keyword', - array: false, - required: false, - }, - [MONITOR_NAME]: { - type: 'keyword', - array: false, - required: false, - }, - [MONITOR_TYPE]: { - type: 'keyword', - array: false, - required: false, - }, - [ANOMALY_START]: { - type: 'keyword', - array: false, - required: false, - }, - [ANOMALY_BUCKET_SPAN_MINUTES]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ANCESTORS]: { - type: 'object', - array: true, - required: false, - }, - [ALERT_ANCESTORS_DEPTH]: { - type: 'long', - array: false, - required: false, - }, - [ALERT_ANCESTORS_ID]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ANCESTORS_INDEX]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ANCESTORS_RULE]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ANCESTORS_TYPE]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_DEPTH]: { - type: 'long', - array: false, - required: false, - }, - [ALERT_GROUP_ID]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_GROUP_INDEX]: { - type: 'integer', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_ACTION]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_CATEGORY]: { - type: 'keyword', - array: true, - required: false, - }, - [ALERT_ORIGINAL_EVENT_CODE]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_CREATED]: { - type: 'date', - array: false, - required: false, - }, - 
[ALERT_ORIGINAL_EVENT_DATASET]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_DURATION]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_END]: { - type: 'date', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_HASH]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_ID]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_INGESTED]: { - type: 'date', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_KIND]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_MODULE]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_ORIGINAL]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_OUTCOME]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_PROVIDER]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_REASON]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_REFERENCE]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_RISK_SCORE]: { - type: 'float', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM]: { - type: 'float', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_SEQUENCE]: { - type: 'long', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_SEVERITY]: { - type: 'long', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_START]: { - type: 'date', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_TIMEZONE]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_EVENT_TYPE]: { - type: 'keyword', - array: true, - required: false, - }, - [ALERT_ORIGINAL_EVENT_URL]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_ORIGINAL_TIME]: { - 
type: 'date', - array: false, - required: false, - }, - [ALERT_THRESHOLD_RESULT_CARDINALITY]: { - type: 'object', - array: false, - required: false, - }, - [ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE]: { - type: 'long', - array: false, - required: false, - }, - [ALERT_THRESHOLD_RESULT_COUNT]: { - type: 'long', - array: false, - required: false, - }, - [ALERT_THRESHOLD_RESULT_FROM]: { - type: 'date', - array: false, - required: false, - }, - [ALERT_THRESHOLD_RESULT_TERMS]: { - type: 'object', - array: true, - required: false, - }, - [ALERT_THRESHOLD_RESULT_TERMS_FIELD]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_THRESHOLD_RESULT_TERMS_VALUE]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_NEW_TERMS]: { - type: 'keyword', - array: true, - required: false, - }, }; export type AlertFieldMap = typeof alertFieldMap; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index 87e0679b8bd6e7..04cd85d67869a1 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts @@ -184,20 +184,6 @@ describe('mappingFromFieldMap', () => { expect(mappingFromFieldMap(alertFieldMap)).toEqual({ dynamic: 'strict', properties: { - anomaly: { - properties: { - bucket_span: { - properties: { - minutes: { - type: 'keyword', - }, - }, - }, - start: { - type: 'keyword', - }, - }, - }, kibana: { properties: { alert: { 
@@ -205,29 +191,6 @@ describe('mappingFromFieldMap', () => { action_group: { type: 'keyword', }, - ancestors: { - type: 'object', - properties: { - depth: { - type: 'long', - }, - id: { - type: 'keyword', - }, - index: { - type: 'keyword', - }, - rule: { - type: 'keyword', - }, - type: { - type: 'keyword', - }, - }, - }, - depth: { - type: 'long', - }, duration: { properties: { us: { @@ -262,113 +225,12 @@ describe('mappingFromFieldMap', () => { flapping: { type: 'boolean', }, - group: { - properties: { - id: { - type: 'keyword', - }, - index: { - type: 'integer', - }, - }, - }, id: { type: 'keyword', }, - new_terms: { - type: 'keyword', - }, - original_event: { - properties: { - action: { - type: 'keyword', - }, - agent_id_status: { - type: 'keyword', - }, - category: { - type: 'keyword', - }, - code: { - type: 'keyword', - }, - created: { - type: 'date', - }, - dataset: { - type: 'keyword', - }, - duration: { - type: 'keyword', - }, - end: { - type: 'date', - }, - hash: { - type: 'keyword', - }, - id: { - type: 'keyword', - }, - ingested: { - type: 'date', - }, - kind: { - type: 'keyword', - }, - module: { - type: 'keyword', - }, - original: { - type: 'keyword', - }, - outcome: { - type: 'keyword', - }, - provider: { - type: 'keyword', - }, - reason: { - type: 'keyword', - }, - reference: { - type: 'keyword', - }, - risk_score: { - type: 'float', - }, - risk_score_norm: { - type: 'float', - }, - sequence: { - type: 'long', - }, - severity: { - type: 'long', - }, - start: { - type: 'date', - }, - timezone: { - type: 'keyword', - }, - type: { - type: 'keyword', - }, - url: { - type: 'keyword', - }, - }, - }, - original_time: { - type: 'date', - }, reason: { type: 'keyword', }, - risk_score: { - type: 'float', - }, rule: { properties: { category: { 
@@ -414,38 +276,6 @@ describe('mappingFromFieldMap', () => { status: { type: 'keyword', }, - threshold_result: { - properties: { - cardinality: { - type: 'object', - properties: { - field: { - type: 'keyword', - }, - value: { - type: 'long', - }, - }, - }, - count: { - type: 'long', - }, - from: { - type: 'date', - }, - terms: { - type: 'object', - properties: { - field: { - type: 'keyword', - }, - value: { - type: 'keyword', - }, - }, - }, - }, - }, time_range: { type: 'date_range', format: 'epoch_millis||strict_date_optional_time', @@ -466,36 +296,6 @@ describe('mappingFromFieldMap', () => { }, }, }, - monitor: { - properties: { - id: { - type: 'keyword', - }, - name: { - type: 'keyword', - }, - type: { - type: 'keyword', - }, - }, - }, - processor: { - properties: { - event: { - type: 'keyword', - }, - }, - }, - transaction: { - properties: { - name: { - type: 'keyword', - }, - type: { - type: 'keyword', - }, - }, - }, }, }); }); diff --git a/x-pack/plugins/alerting/common/alert_schema/schemas/alert_schema.ts b/x-pack/plugins/alerting/common/alert_schema/schemas/alert_schema.ts index 0e0d7d3e0ad9b6..a04824028c1c36 100644 --- a/x-pack/plugins/alerting/common/alert_schema/schemas/alert_schema.ts +++ b/x-pack/plugins/alerting/common/alert_schema/schemas/alert_schema.ts @@ -89,25 +89,9 @@ const AlertRequiredSchema = rt.type({ }), }); const AlertOptionalSchema = rt.partial({ - anomaly: rt.partial({ - bucket_span: rt.partial({ - minutes: schemaString, - }), - start: schemaString, - }), kibana: rt.partial({ alert: rt.partial({ action_group: schemaString, - ancestors: rt.array( - rt.partial({ - depth: schemaStringOrNumber, - id: schemaString, - index: schemaString, - rule: schemaString, - type: schemaString, - }) - ), - depth: schemaStringOrNumber, duration: rt.partial({ us: schemaStringOrNumber, }), 
@@ -123,42 +107,7 @@ const AlertOptionalSchema = rt.partial({ }) ), flapping: schemaBoolean, - group: rt.partial({ - id: schemaString, - index: schemaNumber, - }), - new_terms: schemaStringArray, - original_event: rt.partial({ - action: schemaString, - agent_id_status: schemaString, - category: schemaStringArray, - code: schemaString, - created: schemaDate, - dataset: schemaString, - duration: schemaString, - end: schemaDate, - hash: schemaString, - id: schemaString, - ingested: schemaDate, - kind: schemaString, - module: schemaString, - original: schemaString, - outcome: schemaString, - provider: schemaString, - reason: schemaString, - reference: schemaString, - risk_score: schemaNumber, - risk_score_norm: schemaNumber, - sequence: schemaStringOrNumber, - severity: schemaStringOrNumber, - start: schemaDate, - timezone: schemaString, - type: schemaStringArray, - url: schemaString, - }), - original_time: schemaDate, reason: schemaString, - risk_score: schemaNumber, rule: rt.partial({ execution: rt.partial({ uuid: schemaString, @@ -168,33 +117,11 @@ const AlertOptionalSchema = rt.partial({ }), severity: schemaString, start: schemaDate, - threshold_result: rt.partial({ - count: schemaStringOrNumber, - from: schemaDate, - terms: rt.array( - rt.partial({ - field: schemaString, - value: schemaString, - }) - ), - }), time_range: schemaDateRange, workflow_status: schemaString, }), version: schemaString, }), - monitor: rt.partial({ - id: schemaString, - name: schemaString, - type: schemaString, - }), - processor: rt.partial({ - event: schemaString, - }), - transaction: rt.partial({ - name: schemaString, - type: schemaString, - }), }); export const AlertSchema = rt.intersection([AlertRequiredSchema, AlertOptionalSchema]); diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts new file mode 100644 index 00000000000000..532bae4b255eb4 --- /dev/null 
+++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { PublicMethodsOf } from '@kbn/utility-types';
+import { AlertsService } from './alerts_service';
+
+const creatAlertsServiceMock = () => {
+ const mocked: jest.Mocked> = {
+ initialize: jest.fn(),
+ };
+ return mocked;
+};
+
+export const alertsServiceMock = {
+ create: creatAlertsServiceMock,
+};
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts
new file mode 100644
index 00000000000000..55c220b8ae011e
--- /dev/null
+++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts
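Review bot: The factory declared on the `const creatAlertsServiceMock = () => {` line is misspelled; rename it to `createAlertsServiceMock` (and the matching `create: createAlertsServiceMock,` entry) so it reads like the other `create*Mock` factories in this plugin. The annotation `jest.Mocked>` appears to have lost its type argument in this rendering — presumably `jest.Mocked<PublicMethodsOf<AlertsService>>`, which is what the `PublicMethodsOf` import is for — so confirm the committed file actually names the type, otherwise the mock is not checked against the service's public surface. If callers `await` `initialize()`, consider `initialize: jest.fn().mockResolvedValue(undefined),` so the mock returns a promise like the real method rather than `undefined`.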
@@ -0,0 +1,206 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { elasticsearchServiceMock, loggingSystemMock } from '@kbn/core/server/mocks'; +import { ReplaySubject, Subject } from 'rxjs'; +import { AlertsService } from './alerts_service'; + +const logger = loggingSystemMock.create().get(); +const clusterClient = elasticsearchServiceMock.createClusterClient().asInternalUser; + +const SimulateTemplateResponse = { + template: { + aliases: { + alias_name_1: { + is_hidden: true, + }, + alias_name_2: { + is_hidden: true, + }, + }, + mappings: { enabled: false }, + settings: {}, + }, +}; + +const GetAliasResponse = { + real_index: { + aliases: { + alias_1: { + is_hidden: true, + }, + alias_2: { + is_hidden: true, + }, + }, + }, +}; + +const IlmPutBody = { + body: { + policy: { + _meta: { + managed: true, + }, + phases: { + hot: { + actions: { + rollover: { + max_age: '30d', + max_primary_shard_size: '50gb', + }, + }, + }, + }, + }, + }, + name: 'alerts-default-ilm-policy', +}; + +const IndexTemplatePutBody = { + name: '.alerts-default-template', + body: { + index_patterns: ['.alerts-default-*'], + composed_of: ['alerts-default-component-template', 'alerts-ecs-component-template'], + template: { + settings: { + auto_expand_replicas: '0-1', + hidden: true, + 'index.lifecycle': { + name: 'alerts-default-ilm-policy', + rollover_alias: '.alerts-default', + }, + 'index.mapping.total_fields.limit': 2500, + }, + mappings: { + dynamic: false, + }, + }, + _meta: { + managed: true, + }, + }, +}; + +describe('Alerts Service', () => { + let pluginStop$: Subject; + + beforeEach(() => { + jest.resetAllMocks(); + pluginStop$ = new ReplaySubject(1); + + clusterClient.indices.simulateTemplate.mockImplementation(async () => SimulateTemplateResponse); + 
clusterClient.indices.simulateIndexTemplate.mockImplementation( + async () => SimulateTemplateResponse + ); + clusterClient.indices.getAlias.mockImplementation(async () => GetAliasResponse); + }); + + afterEach(() => { + pluginStop$.next(); + pluginStop$.complete(); + }); + describe('initialize()', () => { + test('should correctly initialize all resources', async () => { + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + alertsService.initialize(); + + // wait until the ILM policy call is made, all subsequent calls should come right after + await retryUntil('es client ILM putLifecycle called', () => { + return clusterClient.ilm.putLifecycle.mock.calls.length !== 0; + }); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + + const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; + expect(componentTemplate1.name).toEqual('alerts-default-component-template'); + const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; + expect(componentTemplate2.name).toEqual('alerts-ecs-component-template'); + + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith(IndexTemplatePutBody); + expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.create).toHaveBeenCalledWith({ + index: '.alerts-default-000001', + body: { + aliases: { + '.alerts-default': { + is_write_index: true, + }, + }, + }, + }); + }); + + test('should throw error if adding ILM policy throws error', async () => { + clusterClient.ilm.putLifecycle.mockImplementation(() => { + throw new Error('fail'); + }); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + 
}); + + expect(alertsService.initialize()).toThrowErrorMatchingInlineSnapshot(``); + + // wait until the ILM policy call is made, all subsequent calls should come right after + await retryUntil('es client ILM putLifecycle called', () => { + return clusterClient.ilm.putLifecycle.mock.calls.length !== 0; + }); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + + const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; + expect(componentTemplate1.name).toEqual('alerts-default-component-template'); + const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; + expect(componentTemplate2.name).toEqual('alerts-ecs-component-template'); + + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith(IndexTemplatePutBody); + expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.create).toHaveBeenCalledWith({ + index: '.alerts-default-000001', + body: { + aliases: { + '.alerts-default': { + is_write_index: true, + }, + }, + }, + }); + }); + }); +}); + +async function retryUntil( + label: string, + fn: () => boolean, + count: number = 20, + wait: number = 1000 +): Promise { + while (count > 0) { + count--; + + if (fn()) return true; + + // eslint-disable-next-line no-console + console.log(`attempt failed waiting for "${label}", attempts left: ${count}`); + + if (count === 0) return false; + await new Promise((resolve) => setTimeout(resolve, wait)); + } + + return false; +} From 8ec92b512c453e59e64d32d56b6e8e4f3f99097c Mon Sep 17 00:00:00 2001 
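Review bot: In the 'should throw error if adding ILM policy throws error' test, `expect(alertsService.initialize()).toThrowErrorMatchingInlineSnapshot(``)` cannot work as written: the toThrow matchers need a function (or `.rejects` on a promise), and here `initialize()` is invoked before the matcher runs, so a synchronous throw escapes the test and an async rejection is never observed. The test then asserts that every later Elasticsearch call (component templates, index template, `indices.create`) still happens after the ILM failure, which contradicts its own name — either the service aborts, in which case those should be `.not.toHaveBeenCalled()`, or it continues, in which case no error should be expected. Suggest `await expect(alertsService.initialize()).rejects.toThrow('fail');` and trimming the assertions to the calls that genuinely precede the failure. Separately, `retryUntil` sleeps 1 s between up to 20 polls; if `initialize()` returns a promise, awaiting it directly makes both tests deterministic instead of a unit test that can run for 20 s.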
From: Ying Date: Tue, 13 Dec 2022 12:11:25 -0500 Subject: [PATCH 14/42] Adding unit tests for alerts service --- .../alerts_service/alerts_service.test.ts | 483 ++++++++++++++++-- .../server/alerts_service/alerts_service.ts | 42 +- x-pack/plugins/alerting/server/plugin.ts | 4 +- 3 files changed, 469 insertions(+), 60 deletions(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index 55c220b8ae011e..2b7ca8cb10dca0 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts @@ -9,7 +9,7 @@ import { elasticsearchServiceMock, loggingSystemMock } from '@kbn/core/server/mo import { ReplaySubject, Subject } from 'rxjs'; import { AlertsService } from './alerts_service'; -const logger = loggingSystemMock.create().get(); +let logger: ReturnType; const clusterClient = elasticsearchServiceMock.createClusterClient().asInternalUser; const SimulateTemplateResponse = { @@ -26,6 +26,19 @@ const SimulateTemplateResponse = { settings: {}, }, }; +interface HTTPError extends Error { + statusCode: number; +} + +interface EsError extends Error { + meta: { + body: { + error: { + type: string; + }; + }; + }; +} const GetAliasResponse = { real_index: { @@ -91,6 +104,7 @@ describe('Alerts Service', () => { beforeEach(() => { jest.resetAllMocks(); + logger = loggingSystemMock.createLogger(); pluginStop$ = new ReplaySubject(1); clusterClient.indices.simulateTemplate.mockImplementation(async () => SimulateTemplateResponse); 
@@ -112,12 +126,7 @@ describe('Alerts Service', () => { pluginStop$, }); - alertsService.initialize(); - - // wait until the ILM policy call is made, all subsequent calls should come right after - await retryUntil('es client ILM putLifecycle called', () => { - return clusterClient.ilm.putLifecycle.mock.calls.length !== 0; - }); + await alertsService.initialize(); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); @@ -128,7 +137,9 @@ describe('Alerts Service', () => { expect(componentTemplate2.name).toEqual('alerts-ecs-component-template'); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith(IndexTemplatePutBody); + expect(clusterClient.indices.getAlias).toHaveBeenCalledWith({ index: '.alerts-default-*' }); expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(2); expect(clusterClient.indices.create).toHaveBeenCalledWith({ index: '.alerts-default-000001', 
@@ -143,64 +154,452 @@ describe('Alerts Service', () => { }); test('should throw error if adding ILM policy throws error', async () => { - clusterClient.ilm.putLifecycle.mockImplementation(() => { - throw new Error('fail'); + clusterClient.ilm.putLifecycle.mockRejectedValueOnce(new Error('fail')); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, }); + + await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. fail"` + ); + + expect(logger.error).toHaveBeenCalledWith( + `Error installing ILM policy alerts-default-ilm-policy - fail` + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.simulateTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).not.toHaveBeenCalled(); + expect(clusterClient.indices.create).not.toHaveBeenCalled(); + }); + + test('should throw error if updating component template throws error', async () => { + clusterClient.cluster.putComponentTemplate.mockRejectedValueOnce(new Error('fail')); const alertsService = new AlertsService({ logger, elasticsearchClientPromise: Promise.resolve(clusterClient), pluginStop$, }); - expect(alertsService.initialize()).toThrowErrorMatchingInlineSnapshot(``); + await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. 
fail"` + ); + + expect(logger.error).toHaveBeenCalledWith( + `Error installing component template alerts-default-component-template - fail` + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).not.toHaveBeenCalled(); + expect(clusterClient.indices.create).not.toHaveBeenCalled(); + }); - // wait until the ILM policy call is made, all subsequent calls should come right after - await retryUntil('es client ILM putLifecycle called', () => { - return clusterClient.ilm.putLifecycle.mock.calls.length !== 0; + test('should not update index template if simulating template throws error', async () => { + clusterClient.indices.simulateTemplate.mockRejectedValueOnce(new Error('fail')); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, }); - expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); + await alertsService.initialize(); + + expect(logger.error).toHaveBeenCalledWith( + `Failed to simulate index template mappings for .alerts-default-template; not applying mappings - fail` + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + // putIndexTemplate is skipped but other operations are called as expected + expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).toHaveBeenCalled(); 
+ expect(clusterClient.indices.putSettings).toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).toHaveBeenCalled(); + expect(clusterClient.indices.create).toHaveBeenCalled(); + }); - const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; - expect(componentTemplate1.name).toEqual('alerts-default-component-template'); - const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; - expect(componentTemplate2.name).toEqual('alerts-ecs-component-template'); + test('should throw error if simulating template returns empty mappings', async () => { + clusterClient.indices.simulateTemplate.mockImplementationOnce(async () => ({ + ...SimulateTemplateResponse, + template: { + ...SimulateTemplateResponse.template, + mappings: {}, + }, + })); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); - expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith(IndexTemplatePutBody); - expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(2); - expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(2); - expect(clusterClient.indices.create).toHaveBeenCalledWith({ - index: '.alerts-default-000001', - body: { + await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. 
No mappings would be generated for .alerts-default-template, possibly due to failed/misconfigured bootstrapping"` + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).not.toHaveBeenCalled(); + expect(clusterClient.indices.create).not.toHaveBeenCalled(); + }); + + test('should throw error if updating index template throws error', async () => { + clusterClient.indices.putIndexTemplate.mockRejectedValueOnce(new Error('fail')); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. 
fail"` + ); + + expect(logger.error).toHaveBeenCalledWith( + `Error installing index template .alerts-default-template - fail` + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).not.toHaveBeenCalled(); + expect(clusterClient.indices.create).not.toHaveBeenCalled(); + }); + + test('should throw error if checking for concrete write index throws error', async () => { + clusterClient.indices.getAlias.mockRejectedValueOnce(new Error('fail')); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. 
fail"` + ); + + expect(logger.error).toHaveBeenCalledWith( + `Error fetching concrete indices for .alerts-default-* pattern - fail` + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).not.toHaveBeenCalled(); + expect(clusterClient.indices.create).not.toHaveBeenCalled(); + }); + + test('should not throw error if checking for concrete write index throws 404', async () => { + const error = new Error(`index doesn't exist`) as HTTPError; + error.statusCode = 404; + clusterClient.indices.getAlias.mockRejectedValueOnce(error); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).not.toHaveBeenCalled(); + expect(clusterClient.indices.create).toHaveBeenCalled(); + }); + + test('should throw error if updating index settings for existing indices throws error', async () => { + clusterClient.indices.putSettings.mockRejectedValueOnce(new Error('fail')); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + 
}); + + await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. fail"` + ); + + expect(logger.error).toHaveBeenCalledWith( + `Failed to PUT index.mapping.total_fields.limit settings for alias alias_1: fail` + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).not.toHaveBeenCalled(); + expect(clusterClient.indices.create).not.toHaveBeenCalled(); + }); + + test('should skip updating index mapping for existing indices if simulate index template throws error', async () => { + clusterClient.indices.simulateIndexTemplate.mockRejectedValueOnce(new Error('fail')); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + + expect(logger.error).toHaveBeenCalledWith( + `Ignored PUT mappings for alias alias_1; error generating simulated mappings: fail` + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).toHaveBeenCalled(); + 
expect(clusterClient.indices.create).toHaveBeenCalled(); + }); + + test('should throw error if updating index mappings for existing indices throws error', async () => { + clusterClient.indices.putMapping.mockRejectedValueOnce(new Error('fail')); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. fail"` + ); + + expect(logger.error).toHaveBeenCalledWith(`Failed to PUT mapping for alias alias_1: fail`); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).toHaveBeenCalled(); + expect(clusterClient.indices.create).not.toHaveBeenCalled(); + }); + + test('does not updating settings or mappings if no existing concrete indices', async () => { + clusterClient.indices.getAlias.mockImplementationOnce(async () => ({})); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); + 
expect(clusterClient.indices.simulateIndexTemplate).not.toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).not.toHaveBeenCalled(); + expect(clusterClient.indices.create).toHaveBeenCalled(); + }); + + test('should throw error if concrete indices exist but none are write index', async () => { + clusterClient.indices.getAlias.mockImplementationOnce(async () => ({ + '.alerts-default-0001': { + aliases: { + '.alerts-default': { + is_write_index: false, + is_hidden: true, + }, + alias_2: { + is_write_index: false, + is_hidden: true, + }, + }, + }, + })); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. Indices matching pattern .alerts-default-* exist but none are set as the write index for alias .alerts-default"` + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).toHaveBeenCalled(); + expect(clusterClient.indices.create).not.toHaveBeenCalled(); + }); + + test('does not create new index if concrete write index exists', async () => { + clusterClient.indices.getAlias.mockImplementationOnce(async () => ({ + '.alerts-default-0001': { aliases: { '.alerts-default': { is_write_index: true, + is_hidden: true, + }, + alias_2: { + is_write_index: false, + is_hidden: true, }, }, }, + })); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: 
Promise.resolve(clusterClient), + pluginStop$, }); + + await alertsService.initialize(); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).toHaveBeenCalled(); + expect(clusterClient.indices.create).not.toHaveBeenCalled(); }); - }); -}); -async function retryUntil( - label: string, - fn: () => boolean, - count: number = 20, - wait: number = 1000 -): Promise { - while (count > 0) { - count--; + test('should throw error if create concrete index throws error', async () => { + clusterClient.indices.create.mockRejectedValueOnce(new Error('fail')); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); - if (fn()) return true; + await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. 
fail"` + ); - // eslint-disable-next-line no-console - console.log(`attempt failed waiting for "${label}", attempts left: ${count}`); + expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); - if (count === 0) return false; - await new Promise((resolve) => setTimeout(resolve, wait)); - } + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).toHaveBeenCalled(); + expect(clusterClient.indices.create).toHaveBeenCalled(); + }); - return false; -} + test('should not throw error if create concrete index throws resource_already_exists_exception error and write index already exists', async () => { + const error = new Error(`fail`) as EsError; + error.meta = { + body: { + error: { + type: 'resource_already_exists_exception', + }, + }, + }; + clusterClient.indices.create.mockRejectedValueOnce(error); + clusterClient.indices.get.mockImplementationOnce(async () => ({ + '.alerts-default-000001': { aliases: { '.alerts-default': { is_write_index: true } } }, + })); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + + expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + 
expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).toHaveBeenCalled(); + expect(clusterClient.indices.get).toHaveBeenCalled(); + expect(clusterClient.indices.create).toHaveBeenCalled(); + }); + + test('should throw error if create concrete index throws resource_already_exists_exception error and write index does not already exists', async () => { + const error = new Error(`fail`) as EsError; + error.meta = { + body: { + error: { + type: 'resource_already_exists_exception', + }, + }, + }; + clusterClient.indices.create.mockRejectedValueOnce(error); + clusterClient.indices.get.mockImplementationOnce(async () => ({ + '.alerts-default-000001': { aliases: { '.alerts-default': { is_write_index: false } } }, + })); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. 
Attempted to create index: .alerts-default-000001 as the write index for alias: .alerts-default, but the index already exists and is not the write index for the alias"` + ); + + expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.getAlias).toHaveBeenCalled(); + expect(clusterClient.indices.putSettings).toHaveBeenCalled(); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalled(); + expect(clusterClient.indices.putMapping).toHaveBeenCalled(); + expect(clusterClient.indices.get).toHaveBeenCalled(); + expect(clusterClient.indices.create).toHaveBeenCalled(); + }); + }); +}); diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 27553067d27d4f..19daa6a0d7690b 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -75,25 +75,22 @@ export class AlertsService implements IAlertsService { this.initialized = false; } - public initialize() { + public async initialize() { // Only initialize once if (this.initialized) return; this.initialized = true; this.options.logger.debug(`Initializing resources for AlertsService`); - // Using setImmediate to call async function but run it immediately - setImmediate(async () => { - const esClient = await this.options.elasticsearchClientPromise; + const esClient = await this.options.elasticsearchClientPromise; - await this.installWithTimeoutAndRetry(esClient, this.createOrUpdateIlmPolicy.bind(this)); - await this.installWithTimeoutAndRetry( - esClient, - this.createOrUpdateComponentTemplates.bind(this) - ); - await this.installWithTimeoutAndRetry(esClient, this.createOrUpdateIndexTemplate.bind(this)); - await this.installWithTimeoutAndRetry(esClient, this.createConcreteWriteIndex.bind(this)); - }); + await this.installWithTimeoutAndRetry(esClient, this.createOrUpdateIlmPolicy.bind(this)); + await this.installWithTimeoutAndRetry( + esClient, + this.createOrUpdateComponentTemplates.bind(this) + ); + await this.installWithTimeoutAndRetry(esClient, this.createOrUpdateIndexTemplate.bind(this)); + await this.installWithTimeoutAndRetry(esClient, this.createConcreteWriteIndex.bind(this)); } /** 
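Review bot: `this.initialized = true` is set before the first `await`, so when one of the install steps rejects, `initialize()` now propagates the error but the flag stays set and any later call returns immediately without retrying. Before this change the work ran detached inside `setImmediate` and the flag only served as a re-entrancy guard; now that callers observe the rejection (plugin.ts catches and logs it in the same commit), the flag also claims an installation that did not happen. Resetting it on failure keeps the guard and leaves a retry possible: wrap the four `await this.installWithTimeoutAndRetry(...)` calls in `try { … } catch (err) { this.initialized = false; throw err; }`. The enclosing class continues outside the hunk.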
@@ -184,19 +181,30 @@ export class AlertsService implements IAlertsService { }, }; - // Simulate the index template to proactively identify any issues with the mapping - const simulateResponse = await esClient.indices.simulateTemplate(indexTemplate); - const mappings: MappingTypeMapping = simulateResponse.template.mappings; + let mappings: MappingTypeMapping = {}; + try { + // Simulate the index template to proactively identify any issues with the mapping + const simulateResponse = await esClient.indices.simulateTemplate(indexTemplate); + mappings = simulateResponse.template.mappings; + } catch (err) { + this.options.logger.error( + `Failed to simulate index template mappings for ${INDEX_TEMPLATE_NAME}; not applying mappings - ${err.message}` + ); + return; + } if (isEmpty(mappings)) { throw new Error( - 'No mappings would be generated for this index, possibly due to failed/misconfigured bootstrapping' + `No mappings would be generated for ${INDEX_TEMPLATE_NAME}, possibly due to failed/misconfigured bootstrapping` ); } + try { await esClient.indices.putIndexTemplate(indexTemplate); } catch (err) { - this.options.logger.error(`Error installing index template - ${err.message}`); + this.options.logger.error( + `Error installing index template ${INDEX_TEMPLATE_NAME} - ${err.message}` + ); throw err; } } diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts index 781329280a1d69..c7ea8c6e8d0a4d 100644 --- a/x-pack/plugins/alerting/server/plugin.ts +++ b/x-pack/plugins/alerting/server/plugin.ts @@ -243,7 +243,9 @@ export class AlertingPlugin { .getStartServices() .then(([{ elasticsearch }]) => elasticsearch.client.asInternalUser), }); - this.alertsService!.initialize(); + this.alertsService!.initialize().catch((err) => { + this.logger.error(`Error initializing alert resources! - ${err.message}`); + }); const usageCollection = plugins.usageCollection; if (usageCollection) { 
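Review bot: The new `catch` around `esClient.indices.simulateTemplate` logs the failure and `return`s, so the method resolves normally while the `putIndexTemplate` call below it is never reached; `initialize()` cannot tell this from a successful install and goes on to create the concrete write index. The `catch` around `putIndexTemplate` a few lines later rethrows after logging, so the two failure paths in the same method disagree. If a simulate failure should abort installation, add `throw err;` after the `logger.error(...)` call; if skipping the template is intended, the message should say the index template was not installed rather than only that mappings were not applied. `err` in `catch (err)` is presumably `any` here (the tsconfig is not in view), which is why `err.message` compiles without narrowing. The enclosing method starts outside the hunk.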
From 60a750c3eab221aedfdbfe15b8b025472cbda6f1 Mon Sep 17 00:00:00 2001 From: Ying Date: Tue, 13 Dec 2022 14:17:31 -0500 Subject: [PATCH 15/42] Fixing types --- packages/kbn-rule-data-utils/src/technical_field_names.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts index f5d420f66983c4..422b63f8abe537 100644 --- a/packages/kbn-rule-data-utils/src/technical_field_names.ts +++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts @@ -183,6 +183,7 @@ export { ALERT_EVALUATION_THRESHOLD, ALERT_EVALUATION_VALUE, ALERT_INSTANCE_ID, + ALERT_RISK_SCORE, ALERT_WORKFLOW_REASON, ALERT_WORKFLOW_USER, ALERT_RULE_AUTHOR, From 32da96a9bfe913abdaf380f11a09501d438e1882 Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 15 Dec 2022 14:28:27 -0500 Subject: [PATCH 16/42] Adding retries for transient ES errors and tests for installation timeout --- .../alerts_service/alerts_service.test.ts | 128 +++++++++++++++++- .../server/alerts_service/alerts_service.ts | 100 +++++++++----- .../retry_transient_es_errors.test.ts | 95 +++++++++++++ .../retry_transient_es_errors.ts | 57 ++++++++ x-pack/plugins/alerting/server/config.test.ts | 1 + x-pack/plugins/alerting/server/config.ts | 1 + x-pack/plugins/alerting/server/plugin.ts | 25 ++-- 7 files changed, 361 insertions(+), 46 deletions(-) create mode 100644 x-pack/plugins/alerting/server/alerts_service/retry_transient_es_errors.test.ts create mode 100644 x-pack/plugins/alerting/server/alerts_service/retry_transient_es_errors.ts diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index 2b7ca8cb10dca0..b146158fe3f394 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts 
@@ -6,6 +6,7 @@ */ import { elasticsearchServiceMock, loggingSystemMock } from '@kbn/core/server/mocks'; +import { errors as EsErrors } from '@elastic/elasticsearch'; import { ReplaySubject, Subject } from 'rxjs'; import { AlertsService } from './alerts_service'; @@ -106,7 +107,7 @@ describe('Alerts Service', () => { jest.resetAllMocks(); logger = loggingSystemMock.createLogger(); pluginStop$ = new ReplaySubject(1); - + jest.spyOn(global.Math, 'random').mockReturnValue(0.01); clusterClient.indices.simulateTemplate.mockImplementation(async () => SimulateTemplateResponse); clusterClient.indices.simulateIndexTemplate.mockImplementation( async () => SimulateTemplateResponse 
@@ -602,4 +603,129 @@ describe('Alerts Service', () => { expect(clusterClient.indices.create).toHaveBeenCalled(); }); }); + + describe('retries', () => { + test('should retry adding ILM policy for transient ES errors', async () => { + clusterClient.ilm.putLifecycle + .mockRejectedValueOnce(new EsErrors.ConnectionError('foo')) + .mockRejectedValueOnce(new EsErrors.TimeoutError('timeout')) + .mockResolvedValue({ acknowledged: true }); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledTimes(3); + }); + + test('should retry adding component template for transient ES errors', async () => { + clusterClient.cluster.putComponentTemplate + .mockRejectedValueOnce(new EsErrors.ConnectionError('foo')) + .mockRejectedValueOnce(new EsErrors.TimeoutError('timeout')) + .mockResolvedValue({ acknowledged: true }); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4); + }); + + test('should retry updating index template for transient ES errors', async () => { + clusterClient.indices.putIndexTemplate + .mockRejectedValueOnce(new EsErrors.ConnectionError('foo')) + .mockRejectedValueOnce(new EsErrors.TimeoutError('timeout')) + .mockResolvedValue({ acknowledged: true }); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledTimes(3); + }); + + test('should retry updating index settings for existing indices for transient ES errors', async () => { + clusterClient.indices.putSettings + .mockRejectedValueOnce(new 
EsErrors.ConnectionError('foo')) + .mockRejectedValueOnce(new EsErrors.TimeoutError('timeout')) + .mockResolvedValue({ acknowledged: true }); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(4); + }); + + test('should retry updating index mappings for existing indices for transient ES errors', async () => { + clusterClient.indices.putMapping + .mockRejectedValueOnce(new EsErrors.ConnectionError('foo')) + .mockRejectedValueOnce(new EsErrors.TimeoutError('timeout')) + .mockResolvedValue({ acknowledged: true }); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(4); + }); + + test('should retry creating concrete index for transient ES errors', async () => { + clusterClient.indices.create + .mockRejectedValueOnce(new EsErrors.ConnectionError('foo')) + .mockRejectedValueOnce(new EsErrors.TimeoutError('timeout')) + .mockResolvedValue({ index: 'index', shards_acknowledged: true, acknowledged: true }); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + expect(clusterClient.indices.create).toHaveBeenCalledTimes(3); + }); + }); + + describe('timeout', () => { + test('should short circuit initialization if timeout exceeded', async () => { + clusterClient.ilm.putLifecycle.mockImplementationOnce(async () => { + await new Promise((resolve) => setTimeout(resolve, 20)); + return { acknowledged: true }; + }); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await 
expect(alertsService.initialize(10)).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. Timeout: it took more than 10ms"` + ); + }); + + test('should short circuit initialization if pluginStop$ signal received but not throw error', async () => { + pluginStop$.next(); + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + + expect(logger.error).toHaveBeenCalledWith( + new Error(`Server is stopping; must stop all async operations`) + ); + }); + }); }); diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 19daa6a0d7690b..ee847f329f7eed 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -27,6 +27,7 @@ import { INDEX_TEMPLATE_NAME, INITIAL_ALERTS_INDEX_NAME, } from './types'; +import { retryTransientEsErrors } from './retry_transient_es_errors'; const componentTemplatesToInstall = [ { @@ -75,7 +76,7 @@ export class AlertsService implements IAlertsService { this.initialized = false; } - public async initialize() { + public async initialize(timeoutMs?: number) { // Only initialize once if (this.initialized) return; this.initialized = true; 
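Review bot: The new `timeoutMs?: number` parameter on the public `initialize()` is undocumented, and judging from the test hunk earlier in this commit (`alertsService.initialize(10)`) it appears to exist mainly so tests can shorten the wait; a reader of the `IAlertsService` contract has no way to know that. A TSDoc line would settle it: `/** @param timeoutMs per-step installation timeout in ms; when omitted, installWithTimeout falls back to INSTALLATION_TIMEOUT */`. That fallback is visible in the `installWithTimeout` signature later in this commit. The enclosing class continues outside the hunk.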
@@ -84,13 +85,14 @@ export class AlertsService implements IAlertsService { const esClient = await this.options.elasticsearchClientPromise; - await this.installWithTimeoutAndRetry(esClient, this.createOrUpdateIlmPolicy.bind(this)); - await this.installWithTimeoutAndRetry( + await this.installWithTimeout(esClient, this.createOrUpdateIlmPolicy.bind(this), timeoutMs); + await this.installWithTimeout( esClient, - this.createOrUpdateComponentTemplates.bind(this) + this.createOrUpdateComponentTemplates.bind(this), + timeoutMs ); - await this.installWithTimeoutAndRetry(esClient, this.createOrUpdateIndexTemplate.bind(this)); - await this.installWithTimeoutAndRetry(esClient, this.createConcreteWriteIndex.bind(this)); + await this.installWithTimeout(esClient, this.createOrUpdateIndexTemplate.bind(this), timeoutMs); + await this.installWithTimeout(esClient, this.createConcreteWriteIndex.bind(this), timeoutMs); } /** @@ -100,10 +102,14 @@ export class AlertsService implements IAlertsService { this.options.logger.info(`Installing ILM policy ${ILM_POLICY_NAME}`); try { - await esClient.ilm.putLifecycle({ - name: ILM_POLICY_NAME, - body: DEFAULT_ILM_POLICY, - }); + await retryTransientEsErrors( + () => + esClient.ilm.putLifecycle({ + name: ILM_POLICY_NAME, + body: DEFAULT_ILM_POLICY, + }), + { logger: this.options.logger } + ); } catch (err) { this.options.logger.error(`Error installing ILM policy ${ILM_POLICY_NAME} - ${err.message}`); throw err; @@ -137,7 +143,9 @@ export class AlertsService implements IAlertsService { this.options.logger.info(`Installing component template ${template.name}`); try { - await esClient.cluster.putComponentTemplate(template); + await retryTransientEsErrors(() => esClient.cluster.putComponentTemplate(template), { + logger: this.options.logger, + }); } catch (err) { this.options.logger.error( `Error installing component template ${template.name} - ${err.message}` 
@@ -200,7 +208,9 @@ export class AlertsService implements IAlertsService { } try { - await esClient.indices.putIndexTemplate(indexTemplate); + await retryTransientEsErrors(() => esClient.indices.putIndexTemplate(indexTemplate), { + logger: this.options.logger, + }); } catch (err) { this.options.logger.error( `Error installing index template ${INDEX_TEMPLATE_NAME} - ${err.message}` @@ -235,12 +245,18 @@ export class AlertsService implements IAlertsService { { index, alias }: ConcreteIndexInfo ) { try { - await esClient.indices.putSettings({ - index, - body: { - 'index.mapping.total_fields.limit': TOTAL_FIELDS_LIMIT, - }, - }); + await retryTransientEsErrors( + () => + esClient.indices.putSettings({ + index, + body: { + 'index.mapping.total_fields.limit': TOTAL_FIELDS_LIMIT, + }, + }), + { + logger: this.options.logger, + } + ); return; } catch (err) { this.options.logger.error( @@ -276,10 +292,17 @@ export class AlertsService implements IAlertsService { } try { - await esClient.indices.putMapping({ - index, - body: simulatedMapping, - }); + await retryTransientEsErrors( + () => + esClient.indices.putMapping({ + index, + body: simulatedMapping, + }), + { + logger: this.options.logger, + } + ); + return; } catch (err) { this.options.logger.error(`Failed to PUT mapping for alias ${alias}: ${err.message}`); 
@@ -342,16 +365,22 @@ export class AlertsService implements IAlertsService { // check if a concrete write index already exists if (!concreteWriteIndicesExist) { try { - await esClient.indices.create({ - index: INITIAL_ALERTS_INDEX_NAME, - body: { - aliases: { - [DEFAULT_ALERTS_INDEX]: { - is_write_index: true, + await retryTransientEsErrors( + () => + esClient.indices.create({ + index: INITIAL_ALERTS_INDEX_NAME, + body: { + aliases: { + [DEFAULT_ALERTS_INDEX]: { + is_write_index: true, + }, + }, }, - }, - }, - }); + }), + { + logger: this.options.logger, + } + ); } catch (error) { this.options.logger.error(`Error creating concrete write index - ${error.message}`); // If the index already exists and it's the write index for the alias, @@ -376,9 +405,10 @@ export class AlertsService implements IAlertsService { } } - private async installWithTimeoutAndRetry( + private async installWithTimeout( esClient: ElasticsearchClient, - installFn: (esClient: ElasticsearchClient) => Promise + installFn: (esClient: ElasticsearchClient) => Promise, + timeoutMs: number = INSTALLATION_TIMEOUT ): Promise { try { let timeoutId: NodeJS.Timeout; @@ -392,9 +422,9 @@ export class AlertsService implements IAlertsService { const throwTimeoutException = (): Promise => { return new Promise((resolve, reject) => { timeoutId = setTimeout(() => { - const msg = `Timeout: it took more than ${INSTALLATION_TIMEOUT}ms`; + const msg = `Timeout: it took more than ${timeoutMs}ms`; reject(new Error(msg)); - }, INSTALLATION_TIMEOUT); + }, timeoutMs); firstValueFrom(this.options.pluginStop$).then(() => { clearTimeout(timeoutId); diff --git a/x-pack/plugins/alerting/server/alerts_service/retry_transient_es_errors.test.ts b/x-pack/plugins/alerting/server/alerts_service/retry_transient_es_errors.test.ts new file mode 100644 index 00000000000000..2501c57776d80c --- /dev/null +++ b/x-pack/plugins/alerting/server/alerts_service/retry_transient_es_errors.test.ts 
@@ -0,0 +1,95 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { loggerMock } from '@kbn/logging-mocks'; +import { errors as EsErrors } from '@elastic/elasticsearch'; + +import { retryTransientEsErrors } from './retry_transient_es_errors'; + +const logger = loggerMock.create(); +const randomDelayMultiplier = 0.01; + +describe('retryTransientErrors', () => { + beforeEach(() => { + jest.resetAllMocks(); + jest.spyOn(global.Math, 'random').mockReturnValue(randomDelayMultiplier); + }); + + it("doesn't retry if operation is successful", async () => { + const esCallMock = jest.fn().mockResolvedValue('success'); + expect(await retryTransientEsErrors(esCallMock, { logger })).toEqual('success'); + expect(esCallMock).toHaveBeenCalledTimes(1); + }); + + it('logs a warning message on retry', async () => { + const esCallMock = jest + .fn() + .mockRejectedValueOnce(new EsErrors.ConnectionError('foo')) + .mockResolvedValue('success'); + + await retryTransientEsErrors(esCallMock, { logger }); + expect(logger.warn).toHaveBeenCalledTimes(1); + expect(logger.warn.mock.calls[0][0]).toMatch( + `Retrying Elasticsearch operation after [2s] due to error: ConnectionError: foo ConnectionError: foo` + ); + }); + + it('retries with an exponential backoff', async () => { + let attempt = 0; + const esCallMock = jest.fn(async () => { + attempt++; + if (attempt < 4) { + throw new EsErrors.ConnectionError('foo'); + } else { + return 'success'; + } + }); + + expect(await retryTransientEsErrors(esCallMock, { logger })).toEqual('success'); + expect(esCallMock).toHaveBeenCalledTimes(4); + expect(logger.warn).toHaveBeenCalledTimes(3); + expect(logger.warn.mock.calls[0][0]).toMatch( + `Retrying Elasticsearch operation after [2s] due to error: ConnectionError: foo ConnectionError: foo` + 
); + expect(logger.warn.mock.calls[1][0]).toMatch( + `Retrying Elasticsearch operation after [4s] due to error: ConnectionError: foo ConnectionError: foo` + ); + expect(logger.warn.mock.calls[2][0]).toMatch( + `Retrying Elasticsearch operation after [8s] due to error: ConnectionError: foo ConnectionError: foo` + ); + }); + + it('retries each supported error type', async () => { + const errors = [ + new EsErrors.NoLivingConnectionsError('no living connection', { + warnings: [], + // eslint-disable-next-line @typescript-eslint/no-explicit-any + meta: {} as any, + }), + new EsErrors.ConnectionError('no connection'), + new EsErrors.TimeoutError('timeout'), + // eslint-disable-next-line @typescript-eslint/no-explicit-any + new EsErrors.ResponseError({ statusCode: 503, meta: {} as any, warnings: [] }), + // eslint-disable-next-line @typescript-eslint/no-explicit-any + new EsErrors.ResponseError({ statusCode: 408, meta: {} as any, warnings: [] }), + // eslint-disable-next-line @typescript-eslint/no-explicit-any + new EsErrors.ResponseError({ statusCode: 410, meta: {} as any, warnings: [] }), + ]; + + for (const error of errors) { + const esCallMock = jest.fn().mockRejectedValueOnce(error).mockResolvedValue('success'); + expect(await retryTransientEsErrors(esCallMock, { logger })).toEqual('success'); + expect(esCallMock).toHaveBeenCalledTimes(2); + } + }); + + it('does not retry unsupported errors', async () => { + const error = new Error('foo!'); + const esCallMock = jest.fn().mockRejectedValueOnce(error).mockResolvedValue('success'); + await expect(retryTransientEsErrors(esCallMock, { logger })).rejects.toThrow(error); + expect(esCallMock).toHaveBeenCalledTimes(1); + }); +}); diff --git a/x-pack/plugins/alerting/server/alerts_service/retry_transient_es_errors.ts b/x-pack/plugins/alerting/server/alerts_service/retry_transient_es_errors.ts new file mode 100644 index 00000000000000..2df03e65690f16 --- /dev/null 
+++ b/x-pack/plugins/alerting/server/alerts_service/retry_transient_es_errors.ts
@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Logger } from '@kbn/core/server';
+import { errors as EsErrors } from '@elastic/elasticsearch';
+
+const MAX_ATTEMPTS = 3;
+
+const retryResponseStatuses = [
+ 503, // ServiceUnavailable
+ 408, // RequestTimeout
+ 410, // Gone
+];
+
+const isRetryableError = (e: Error) =>
+ e instanceof EsErrors.NoLivingConnectionsError ||
+ e instanceof EsErrors.ConnectionError ||
+ e instanceof EsErrors.TimeoutError ||
+ (e instanceof EsErrors.ResponseError && retryResponseStatuses.includes(e?.statusCode!));
+
+const delay = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms));
+
+export const retryTransientEsErrors = async (
+ esCall: () => Promise,
+ {
+ logger,
+ attempt = 0,
+ }: {
+ logger: Logger;
+ attempt?: number;
+ }
+): Promise => {
+ try {
+ return await esCall();
+ } catch (e) {
+ if (attempt < MAX_ATTEMPTS && isRetryableError(e)) {
+ const retryCount = attempt + 1;
+ const retryDelaySec: number = Math.min(Math.pow(2, retryCount), 30); // 2s, 4s, 8s, 16s, 30s, 30s, 30s...
+
+ logger.warn(
+ `Retrying Elasticsearch operation after [${retryDelaySec}s] due to error: ${e.toString()} ${
+ e.stack
+ }`
+ );
+
+ // delay with some randomness
+ await delay(retryDelaySec * 1000 * Math.random());
+ return retryTransientEsErrors(esCall, { logger, attempt: retryCount });
+ }
+
+ throw e;
+ }
+};
diff --git a/x-pack/plugins/alerting/server/config.test.ts b/x-pack/plugins/alerting/server/config.test.ts
index ec6f2f6565d67f..26ea818719b7e7 100644
--- a/x-pack/plugins/alerting/server/config.test.ts
+++ b/x-pack/plugins/alerting/server/config.test.ts
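Review bot: In `retryTransientEsErrors` the warning announces `[${retryDelaySec}s]` but the sleep is `retryDelaySec * 1000 * Math.random()`, so the real delay is anywhere between 0 and that figure and the log overstates it; the comment `// 2s, 4s, 8s, 16s, 30s, 30s, 30s...` is likewise unreachable past 8s because `MAX_ATTEMPTS` is 3. Computing the jittered delay once and logging it keeps the message honest: `const delayMs = Math.round(retryDelaySec * 1000 * Math.random());`, then `after [${delayMs}ms]` in the warning and `await delay(delayMs);` (the companion test file matches the `[2s]` text and would need the same update). In `isRetryableError`, `e?.statusCode!` combines optional chaining with a non-null assertion on a value already narrowed by `instanceof`; `typeof e.statusCode === 'number' && retryResponseStatuses.includes(e.statusCode)` says the same without the assertion. Appending `e.stack` to every retry warning duplicates the `e.toString()` prefix (the tests expect `ConnectionError: foo ConnectionError: foo`) and is noisy for expected transient errors; `e.toString()` alone identifies the error class and message.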
@@ -13,6 +13,7 @@ describe('config validation', () => { expect(configSchema.validate(config)).toMatchInlineSnapshot(` Object { "cancelAlertsOnRuleTimeout": true, + "enableFrameworkAlerts": false, "healthCheck": Object { "interval": "60m", }, diff --git a/x-pack/plugins/alerting/server/config.ts b/x-pack/plugins/alerting/server/config.ts index f6becbf192b05e..f727cb98c02661 100644 --- a/x-pack/plugins/alerting/server/config.ts +++ b/x-pack/plugins/alerting/server/config.ts @@ -62,6 +62,7 @@ export const configSchema = schema.object({ maxEphemeralActionsPerAlert: schema.number({ defaultValue: DEFAULT_MAX_EPHEMERAL_ACTIONS_PER_ALERT, }), + enableFrameworkAlerts: schema.boolean({ defaultValue: false }), cancelAlertsOnRuleTimeout: schema.boolean({ defaultValue: true }), rules: rulesSchema, }); diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts index c7ea8c6e8d0a4d..141a435931fef9 100644 --- a/x-pack/plugins/alerting/server/plugin.ts +++ b/x-pack/plugins/alerting/server/plugin.ts 
@@ -236,16 +236,21 @@ export class AlertingPlugin { }); this.ruleTypeRegistry = ruleTypeRegistry; - this.alertsService = new AlertsService({ - logger: this.logger, - pluginStop$: this.pluginStop$, - elasticsearchClientPromise: core - .getStartServices() - .then(([{ elasticsearch }]) => elasticsearch.client.asInternalUser), - }); - this.alertsService!.initialize().catch((err) => { - this.logger.error(`Error initializing alert resources! - ${err.message}`); - }); + if (this.config.enableFrameworkAlerts) { + this.alertsService = new AlertsService({ + logger: this.logger, + pluginStop$: this.pluginStop$, + elasticsearchClientPromise: core + .getStartServices() + .then(([{ elasticsearch }]) => elasticsearch.client.asInternalUser), + }); + // TODO - should an initialization failure throw an error? + // we do retry all resource installation steps but if all the retries fail + // do we just disable alerts writing? + this.alertsService!.initialize().catch((err) => { + this.logger.error(`Error initializing alert resources! - ${err.message}`); + }); + } const usageCollection = plugins.usageCollection; if (usageCollection) { From 1d2e9d4bc8659874e50dd96e53a09128386e8ee4 Mon Sep 17 00:00:00 2001 From: Ying Date: Fri, 16 Dec 2022 11:16:42 -0500 Subject: [PATCH 17/42] Fixing types --- .../alerts_service/alerts_service.mock.ts | 2 +- x-pack/plugins/alerting/server/plugin.test.ts | 22 +++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts index 532bae4b255eb4..2bbca912d7322a 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts 
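Review bot: `this.alertsService!.initialize()` applies a non-null assertion to a field assigned two statements earlier; binding the instance to a local removes the need for it: `const alertsService = new AlertsService({ … }); this.alertsService = alertsService; alertsService.initialize().catch(…)`. The `// TODO` asks whether an initialization failure should throw, but does not record what happens today; a sentence such as `// currently: failure is logged and the plugin continues with the service left in place` would let the next reader see the chosen behaviour without tracing the `.catch`.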
@@ -10,7 +10,7 @@ import { AlertsService } from './alerts_service'; const creatAlertsServiceMock = () => { const mocked: jest.Mocked> = { - initialize: jest.fn(), + initialize: jest.fn(() => Promise.resolve()), }; return mocked; }; diff --git a/x-pack/plugins/alerting/server/plugin.test.ts b/x-pack/plugins/alerting/server/plugin.test.ts index 87ed23c66ba3cd..8ff6a46a07b624 100644 --- a/x-pack/plugins/alerting/server/plugin.test.ts +++ b/x-pack/plugins/alerting/server/plugin.test.ts @@ -23,11 +23,19 @@ import { dataPluginMock } from '@kbn/data-plugin/server/mocks'; import { monitoringCollectionMock } from '@kbn/monitoring-collection-plugin/server/mocks'; import { PluginSetup as DataPluginSetup } from '@kbn/data-plugin/server'; import { spacesMock } from '@kbn/spaces-plugin/server/mocks'; +import { AlertsService } from './alerts_service/alerts_service'; +import { alertsServiceMock } from './alerts_service/alerts_service.mock'; + +const mockAlertService = alertsServiceMock.create(); +jest.mock('./alerts_service/alerts_service', () => ({ + AlertsService: jest.fn().mockImplementation(() => mockAlertService), +})); const generateAlertingConfig = (): AlertingConfig => ({ healthCheck: { interval: '5m', }, + enableFrameworkAlerts: false, invalidateApiKeysTask: { interval: '5m', removalDelay: '1h', 
@@ -108,6 +116,20 @@ describe('Alerting Plugin', () => { expect(usageCollectionSetup.registerCollector).toHaveBeenCalled(); }); + it('should initialize AlertsService if enableFrameworkAlerts config is true', async () => { + const context = coreMock.createPluginInitializerContext({ + ...generateAlertingConfig(), + enableFrameworkAlerts: true, + }); + plugin = new AlertingPlugin(context); + + // need await to test number of calls of setupMocks.status.set, because it is under async function which awaiting core.getStartServices() + await plugin.setup(setupMocks, mockPlugins); + + expect(AlertsService).toHaveBeenCalled(); + expect(mockAlertService.initialize).toHaveBeenCalled(); + }); + it(`exposes configured minimumScheduleInterval()`, async () => { const context = coreMock.createPluginInitializerContext( generateAlertingConfig() From 463d428e5efb975728957e5339c8045caee91070 Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 21 Dec 2022 10:55:33 -0500 Subject: [PATCH 18/42] Removing ECS fields from component templates --- .../alert_schema/field_maps/ecs_field_map.ts | 9010 ----------------- .../alerting/common/alert_schema/index.ts | 3 - .../common/alert_schema/schemas/ecs_schema.ts | 1835 ---- .../scripts/create_schema_from_mapping.ts | 5 - .../alert_schema/scripts/generate_schemas.sh | 6 +- .../alerts_service/alerts_service.test.ts | 38 +- .../server/alerts_service/alerts_service.ts | 17 +- .../alerting/server/alerts_service/types.ts | 1 - 8 files changed, 23 insertions(+), 10892 deletions(-) delete mode 100644 x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/schemas/ecs_schema.ts diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts deleted file mode 100644 index df346c922b0e63..00000000000000 
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/ecs_field_map.ts +++ /dev/null 
@@ -1,9010 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -/* This file is generated by x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js, - do not manually edit - */ - -export const ecsFieldMap = { - '@timestamp': { - type: 'date', - array: false, - required: true, - }, - 'agent.build.original': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'agent.ephemeral_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'agent.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'agent.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'agent.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'agent.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.address': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.as.number': { - type: 'long', - array: false, - required: false, - }, - 'client.as.organization.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'client.as.organization.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'client.bytes': { - type: 'long', - array: false, - required: false, - }, - 'client.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.geo.city_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.geo.continent_name': { - type: 
'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.geo.country_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'client.geo.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.geo.region_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.geo.timezone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.ip': { - type: 'ip', - array: false, - required: false, - }, - 'client.mac': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.nat.ip': { - type: 'ip', - array: false, - required: false, - }, - 'client.nat.port': { - type: 'long', - array: false, - required: false, - }, - 'client.packets': { - type: 'long', - array: false, - required: false, - }, - 'client.port': { - type: 'long', - array: false, - required: false, - }, - 'client.registered_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.subdomain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.top_level_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.user.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.user.email': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.user.full_name': { - type: 
'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'client.user.full_name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'client.user.group.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.user.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.user.group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.user.hash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'client.user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'client.user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'client.user.roles': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'cloud.account.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.account.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.availability_zone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.instance.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.instance.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.machine.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.origin.account.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.origin.account.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.origin.availability_zone': { - type: 'keyword', - array: false, 
- required: false, - ignore_above: 1024, - }, - 'cloud.origin.instance.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.origin.instance.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.origin.machine.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.origin.project.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.origin.project.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.origin.provider': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.origin.region': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.origin.service.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.project.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.project.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.provider': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.region': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.service.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.target.account.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.target.account.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.target.availability_zone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.target.instance.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.target.instance.name': { - type: 'keyword', - array: false, - 
required: false, - ignore_above: 1024, - }, - 'cloud.target.machine.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.target.project.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.target.project.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.target.provider': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.target.region': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'cloud.target.service.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'container.cpu.usage': { - type: 'scaled_float', - array: false, - required: false, - scaling_factor: 1000, - }, - 'container.disk.read.bytes': { - type: 'long', - array: false, - required: false, - }, - 'container.disk.write.bytes': { - type: 'long', - array: false, - required: false, - }, - 'container.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'container.image.hash.all': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'container.image.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'container.image.tag': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'container.labels': { - type: 'object', - array: false, - required: false, - }, - 'container.memory.usage': { - type: 'scaled_float', - array: false, - required: false, - scaling_factor: 1000, - }, - 'container.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'container.network.egress.bytes': { - type: 'long', - array: false, - required: false, - }, - 'container.network.ingress.bytes': { - type: 'long', - array: false, - required: false, - }, - 'container.runtime': { - type: 'keyword', - array: false, - 
required: false, - ignore_above: 1024, - }, - 'data_stream.dataset': { - type: 'constant_keyword', - array: false, - required: false, - }, - 'data_stream.namespace': { - type: 'constant_keyword', - array: false, - required: false, - }, - 'data_stream.type': { - type: 'constant_keyword', - array: false, - required: false, - }, - 'destination.address': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.as.number': { - type: 'long', - array: false, - required: false, - }, - 'destination.as.organization.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'destination.as.organization.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'destination.bytes': { - type: 'long', - array: false, - required: false, - }, - 'destination.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.geo.city_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.geo.country_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'destination.geo.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 
'destination.geo.region_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.geo.timezone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.ip': { - type: 'ip', - array: false, - required: false, - }, - 'destination.mac': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.nat.ip': { - type: 'ip', - array: false, - required: false, - }, - 'destination.nat.port': { - type: 'long', - array: false, - required: false, - }, - 'destination.packets': { - type: 'long', - array: false, - required: false, - }, - 'destination.port': { - type: 'long', - array: false, - required: false, - }, - 'destination.registered_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.subdomain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.top_level_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.user.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.user.email': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.user.full_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'destination.user.full_name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'destination.user.group.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.user.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.user.group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.user.hash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 
'destination.user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'destination.user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'destination.user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'destination.user.roles': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'dll.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.code_signature.exists': { - type: 'boolean', - array: false, - required: false, - }, - 'dll.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.code_signature.status': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'dll.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'dll.code_signature.valid': { - type: 'boolean', - array: false, - required: false, - }, - 'dll.hash.md5': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.hash.sha1': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.hash.sha256': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.hash.sha384': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.hash.sha512': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - 
ignore_above: 1024, - }, - 'dll.hash.tlsh': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.pe.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.pe.company': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.pe.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.pe.file_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.pe.imphash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.pe.pehash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dll.pe.product': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.answers': { - type: 'object', - array: true, - required: false, - }, - 'dns.answers.class': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.answers.data': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.answers.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.answers.ttl': { - type: 'long', - array: false, - required: false, - }, - 'dns.answers.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.header_flags': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'dns.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.op_code': { - type: 'keyword', - array: false, - 
required: false, - ignore_above: 1024, - }, - 'dns.question.class': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.question.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.question.registered_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.question.subdomain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.question.top_level_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.question.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.resolved_ip': { - type: 'ip', - array: true, - required: false, - }, - 'dns.response_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'dns.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'ecs.version': { - type: 'keyword', - array: false, - required: true, - ignore_above: 1024, - }, - 'email.attachments': { - type: 'nested', - array: true, - required: false, - }, - 'email.attachments.file.extension': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.attachments.file.hash.md5': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.attachments.file.hash.sha1': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.attachments.file.hash.sha256': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.attachments.file.hash.sha384': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.attachments.file.hash.sha512': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.attachments.file.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - 
ignore_above: 1024, - }, - 'email.attachments.file.hash.tlsh': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.attachments.file.mime_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.attachments.file.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.attachments.file.size': { - type: 'long', - array: false, - required: false, - }, - 'email.bcc.address': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'email.cc.address': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'email.content_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.delivery_timestamp': { - type: 'date', - array: false, - required: false, - }, - 'email.direction': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.from.address': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'email.local_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.message_id': { - type: 'wildcard', - array: false, - required: false, - }, - 'email.origination_timestamp': { - type: 'date', - array: false, - required: false, - }, - 'email.reply_to.address': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'email.sender.address': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'email.subject': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'email.subject.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'email.to.address': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'email.x_mailer': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, 
- }, - 'error.code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'error.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'error.message': { - type: 'match_only_text', - array: false, - required: false, - }, - 'error.stack_trace': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'error.stack_trace.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'error.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.action': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.agent_id_status': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.category': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'event.code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.created': { - type: 'date', - array: false, - required: false, - }, - 'event.dataset': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.duration': { - type: 'long', - array: false, - required: false, - }, - 'event.end': { - type: 'date', - array: false, - required: false, - }, - 'event.hash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.ingested': { - type: 'date', - array: false, - required: false, - }, - 'event.kind': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.module': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.original': { - type: 'keyword', - array: false, - required: false, - doc_values: false, - index: false, - }, - 'event.outcome': { - type: 'keyword', - array: false, - required: false, - 
ignore_above: 1024, - }, - 'event.provider': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.reason': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.reference': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.risk_score': { - type: 'float', - array: false, - required: false, - }, - 'event.risk_score_norm': { - type: 'float', - array: false, - required: false, - }, - 'event.sequence': { - type: 'long', - array: false, - required: false, - }, - 'event.severity': { - type: 'long', - array: false, - required: false, - }, - 'event.start': { - type: 'date', - array: false, - required: false, - }, - 'event.timezone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'event.type': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'event.url': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'faas.coldstart': { - type: 'boolean', - array: false, - required: false, - }, - 'faas.execution': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'faas.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'faas.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'faas.trigger': { - type: 'nested', - array: false, - required: false, - }, - 'faas.trigger.request_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'faas.trigger.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'faas.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.accessed': { - type: 'date', - array: false, - required: false, - }, - 'file.attributes': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 
'file.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.code_signature.exists': { - type: 'boolean', - array: false, - required: false, - }, - 'file.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.code_signature.status': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'file.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'file.code_signature.valid': { - type: 'boolean', - array: false, - required: false, - }, - 'file.created': { - type: 'date', - array: false, - required: false, - }, - 'file.ctime': { - type: 'date', - array: false, - required: false, - }, - 'file.device': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.directory': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.drive_letter': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1, - }, - 'file.elf.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.byte_order': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.cpu_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.creation_date': { - type: 'date', - array: false, - required: false, - }, - 'file.elf.exports': { - type: 'flattened', - array: true, - required: false, - }, - 'file.elf.header.abi_version': { - type: 'keyword', - array: false, - required: 
false, - ignore_above: 1024, - }, - 'file.elf.header.class': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.header.data': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.header.entrypoint': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.header.object_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.header.os_abi': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.header.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.header.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.imports': { - type: 'flattened', - array: true, - required: false, - }, - 'file.elf.sections': { - type: 'nested', - array: true, - required: false, - }, - 'file.elf.sections.chi2': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.sections.entropy': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.sections.flags': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.sections.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.sections.physical_offset': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.sections.physical_size': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.sections.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.sections.virtual_address': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.sections.virtual_size': { - type: 'long', - array: false, - required: false, - }, - 'file.elf.segments': { - type: 'nested', - array: true, - required: false, - }, - 'file.elf.segments.sections': { - 
type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.segments.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.elf.shared_libraries': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.elf.telfhash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.extension': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.fork_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.gid': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.group': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.hash.md5': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.hash.sha1': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.hash.sha256': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.hash.sha384': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.hash.sha512': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.hash.tlsh': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.inode': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.mime_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.mode': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.mtime': { - type: 'date', - array: false, - required: false, - }, - 'file.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 
1024, - }, - 'file.owner': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'file.path.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'file.pe.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.pe.company': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.pe.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.pe.file_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.pe.imphash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.pe.pehash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.pe.product': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.size': { - type: 'long', - array: false, - required: false, - }, - 'file.target_path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'file.target_path.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'file.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.uid': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, 
- 'file.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'file.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'file.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - doc_values: false, - index: false, - }, - 'file.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'file.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'file.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.x509.subject.organization': { - type: 'keyword', - array: true, - 
required: false, - ignore_above: 1024, - }, - 'file.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'file.x509.version_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'group.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.boot.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.cpu.usage': { - type: 'scaled_float', - array: false, - required: false, - scaling_factor: 1000, - }, - 'host.disk.read.bytes': { - type: 'long', - array: false, - required: false, - }, - 'host.disk.write.bytes': { - type: 'long', - array: false, - required: false, - }, - 'host.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.geo.city_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.geo.country_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'host.geo.name': { - type: 'keyword', - array: false, - required: 
false, - ignore_above: 1024, - }, - 'host.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.geo.region_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.geo.timezone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.hostname': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.ip': { - type: 'ip', - array: true, - required: false, - }, - 'host.mac': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'host.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.network.egress.bytes': { - type: 'long', - array: false, - required: false, - }, - 'host.network.egress.packets': { - type: 'long', - array: false, - required: false, - }, - 'host.network.ingress.bytes': { - type: 'long', - array: false, - required: false, - }, - 'host.network.ingress.packets': { - type: 'long', - array: false, - required: false, - }, - 'host.os.family': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.os.full': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'host.os.full.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'host.os.kernel': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.os.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'host.os.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'host.os.platform': { - type: 'keyword', - array: false, - required: false, - 
ignore_above: 1024, - }, - 'host.os.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.os.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.pid_ns_ino': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.risk.calculated_level': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.risk.calculated_score': { - type: 'float', - array: false, - required: false, - }, - 'host.risk.calculated_score_norm': { - type: 'float', - array: false, - required: false, - }, - 'host.risk.static_level': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.risk.static_score': { - type: 'float', - array: false, - required: false, - }, - 'host.risk.static_score_norm': { - type: 'float', - array: false, - required: false, - }, - 'host.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'host.uptime': { - type: 'long', - array: false, - required: false, - }, - 'http.request.body.bytes': { - type: 'long', - array: false, - required: false, - }, - 'http.request.body.content': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'http.request.body.content.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'http.request.bytes': { - type: 'long', - array: false, - required: false, - }, - 'http.request.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'http.request.method': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'http.request.mime_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'http.request.referrer': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'http.response.body.bytes': { - type: 'long', - array: false, - required: false, 
- }, - 'http.response.body.content': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'http.response.body.content.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'http.response.bytes': { - type: 'long', - array: false, - required: false, - }, - 'http.response.mime_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'http.response.status_code': { - type: 'long', - array: false, - required: false, - }, - 'http.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - labels: { - type: 'object', - array: false, - required: false, - }, - 'log.file.path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'log.level': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'log.logger': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'log.origin.file.line': { - type: 'long', - array: false, - required: false, - }, - 'log.origin.file.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'log.origin.function': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'log.syslog': { - type: 'object', - array: false, - required: false, - }, - 'log.syslog.appname': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'log.syslog.facility.code': { - type: 'long', - array: false, - required: false, - }, - 'log.syslog.facility.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'log.syslog.hostname': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'log.syslog.msgid': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'log.syslog.priority': { - type: 'long', - array: false, - required: false, - }, - 'log.syslog.procid': { - type: 
'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'log.syslog.severity.code': { - type: 'long', - array: false, - required: false, - }, - 'log.syslog.severity.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'log.syslog.structured_data': { - type: 'flattened', - array: false, - required: false, - }, - 'log.syslog.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - message: { - type: 'match_only_text', - array: false, - required: false, - }, - 'network.application': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'network.bytes': { - type: 'long', - array: false, - required: false, - }, - 'network.community_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'network.direction': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'network.forwarded_ip': { - type: 'ip', - array: false, - required: false, - }, - 'network.iana_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'network.inner': { - type: 'object', - array: false, - required: false, - }, - 'network.inner.vlan.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'network.inner.vlan.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'network.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'network.packets': { - type: 'long', - array: false, - required: false, - }, - 'network.protocol': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'network.transport': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'network.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'network.vlan.id': { - type: 'keyword', - array: false, - 
required: false, - ignore_above: 1024, - }, - 'network.vlan.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.egress': { - type: 'object', - array: false, - required: false, - }, - 'observer.egress.interface.alias': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.egress.interface.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.egress.interface.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.egress.vlan.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.egress.vlan.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.egress.zone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.geo.city_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.geo.country_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'observer.geo.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.geo.region_name': { - type: 'keyword', - array: false, - 
required: false, - ignore_above: 1024, - }, - 'observer.geo.timezone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.hostname': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.ingress': { - type: 'object', - array: false, - required: false, - }, - 'observer.ingress.interface.alias': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.ingress.interface.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.ingress.interface.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.ingress.vlan.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.ingress.vlan.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.ingress.zone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.ip': { - type: 'ip', - array: true, - required: false, - }, - 'observer.mac': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'observer.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.os.family': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.os.full': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'observer.os.full.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'observer.os.kernel': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.os.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'observer.os.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'observer.os.platform': { - type: 
'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.os.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.os.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.product': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.serial_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.vendor': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'observer.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'orchestrator.api_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'orchestrator.cluster.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'orchestrator.cluster.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'orchestrator.cluster.url': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'orchestrator.cluster.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'orchestrator.namespace': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'orchestrator.organization': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'orchestrator.resource.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'orchestrator.resource.ip': { - type: 'ip', - array: true, - required: false, - }, - 'orchestrator.resource.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'orchestrator.resource.parent.type': { - type: 'keyword', - array: false, - 
required: false, - ignore_above: 1024, - }, - 'orchestrator.resource.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'orchestrator.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'organization.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'organization.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'organization.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'package.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'package.build_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'package.checksum': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'package.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'package.install_scope': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'package.installed': { - type: 'date', - array: false, - required: false, - }, - 'package.license': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'package.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'package.path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'package.reference': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'package.size': { - type: 'long', - array: false, - required: false, - }, - 'package.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'package.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.args': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, 
- }, - 'process.args_count': { - type: 'long', - array: false, - required: false, - }, - 'process.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.code_signature.exists': { - type: 'boolean', - array: false, - required: false, - }, - 'process.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.code_signature.status': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'process.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'process.code_signature.valid': { - type: 'boolean', - array: false, - required: false, - }, - 'process.command_line': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'process.command_line.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.elf.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.byte_order': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.cpu_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.creation_date': { - type: 'date', - array: false, - required: false, - }, - 'process.elf.exports': { - type: 'flattened', - array: true, - required: false, - }, - 'process.elf.header.abi_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.header.class': { - type: 'keyword', - array: false, - required: 
false, - ignore_above: 1024, - }, - 'process.elf.header.data': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.header.entrypoint': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.header.object_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.header.os_abi': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.header.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.header.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.imports': { - type: 'flattened', - array: true, - required: false, - }, - 'process.elf.sections': { - type: 'nested', - array: true, - required: false, - }, - 'process.elf.sections.chi2': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.sections.entropy': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.sections.flags': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.sections.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.sections.physical_offset': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.sections.physical_size': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.sections.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.sections.virtual_address': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.sections.virtual_size': { - type: 'long', - array: false, - required: false, - }, - 'process.elf.segments': { - type: 'nested', - array: true, - required: false, - }, - 'process.elf.segments.sections': { - type: 'keyword', - array: false, - required: false, - 
ignore_above: 1024, - }, - 'process.elf.segments.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.elf.shared_libraries': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'process.elf.telfhash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.end': { - type: 'date', - array: false, - required: false, - }, - 'process.entity_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.args': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.args_count': { - type: 'long', - array: false, - required: false, - }, - 'process.entry_leader.attested_groups.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.attested_user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.attested_user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.entry_leader.attested_user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.entry_leader.command_line': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'process.entry_leader.command_line.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.entry_leader.entity_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.entry_meta.source.ip': { - type: 'ip', - array: false, - required: false, - }, - 'process.entry_leader.entry_meta.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.executable': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - 
flat_name: 'process.entry_leader.executable.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.entry_leader.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.interactive': { - type: 'boolean', - array: false, - required: false, - }, - 'process.entry_leader.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.entry_leader.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.entry_leader.parent.entity_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.parent.pid': { - type: 'long', - array: false, - required: false, - }, - 'process.entry_leader.parent.session_leader.entity_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.parent.session_leader.pid': { - type: 'long', - array: false, - required: false, - }, - 'process.entry_leader.parent.session_leader.start': { - type: 'date', - array: false, - required: false, - }, - 'process.entry_leader.parent.start': { - type: 'date', - array: false, - required: false, - }, - 'process.entry_leader.pid': { - type: 'long', - array: false, - required: false, - }, - 'process.entry_leader.real_group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.real_group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.real_user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.real_user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 
'process.entry_leader.real_user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.entry_leader.same_as_process': { - type: 'boolean', - array: false, - required: false, - }, - 'process.entry_leader.saved_group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.saved_group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.saved_user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.saved_user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.entry_leader.saved_user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.entry_leader.start': { - type: 'date', - array: false, - required: false, - }, - 'process.entry_leader.supplemental_groups.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.supplemental_groups.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.tty': { - type: 'object', - array: false, - required: false, - }, - 'process.entry_leader.tty.char_device.major': { - type: 'long', - array: false, - required: false, - }, - 'process.entry_leader.tty.char_device.minor': { - type: 'long', - array: false, - required: false, - }, - 'process.entry_leader.user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.entry_leader.user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.entry_leader.user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.entry_leader.working_directory': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - 
{ - flat_name: 'process.entry_leader.working_directory.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.env_vars': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'process.executable': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.executable.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.exit_code': { - type: 'long', - array: false, - required: false, - }, - 'process.group_leader.args': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.args_count': { - type: 'long', - array: false, - required: false, - }, - 'process.group_leader.command_line': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'process.group_leader.command_line.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.group_leader.entity_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.executable': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.group_leader.executable.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.group_leader.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.interactive': { - type: 'boolean', - array: false, - required: false, - }, - 'process.group_leader.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.group_leader.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.group_leader.pid': { - type: 'long', - array: false, - required: false, - }, - 
'process.group_leader.real_group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.real_group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.real_user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.real_user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.group_leader.real_user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.group_leader.same_as_process': { - type: 'boolean', - array: false, - required: false, - }, - 'process.group_leader.saved_group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.saved_group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.saved_user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.saved_user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.group_leader.saved_user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.group_leader.start': { - type: 'date', - array: false, - required: false, - }, - 'process.group_leader.supplemental_groups.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.supplemental_groups.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.tty': { - type: 'object', - array: false, - required: false, - }, - 'process.group_leader.tty.char_device.major': { - type: 'long', - array: false, - required: false, - }, - 'process.group_leader.tty.char_device.minor': { - type: 'long', - array: false, - 
required: false, - }, - 'process.group_leader.user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.group_leader.user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.group_leader.user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.group_leader.working_directory': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.group_leader.working_directory.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.hash.md5': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.hash.sha1': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.hash.sha256': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.hash.sha384': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.hash.sha512': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.hash.tlsh': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.interactive': { - type: 'boolean', - array: false, - required: false, - }, - 'process.io': { - type: 'object', - array: false, - required: false, - }, - 'process.io.bytes_skipped': { - type: 'object', - array: true, - required: false, - }, - 'process.io.bytes_skipped.length': { - type: 'long', - array: false, - required: false, - }, - 'process.io.bytes_skipped.offset': { - type: 'long', - array: false, - required: false, - }, - 'process.io.max_bytes_per_process_exceeded': { - type: 'boolean', - array: false, - required: false, - }, - 'process.io.text': { - type: 'wildcard', - array: 
false, - required: false, - }, - 'process.io.total_bytes_captured': { - type: 'long', - array: false, - required: false, - }, - 'process.io.total_bytes_skipped': { - type: 'long', - array: false, - required: false, - }, - 'process.io.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.parent.args': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'process.parent.args_count': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.code_signature.exists': { - type: 'boolean', - array: false, - required: false, - }, - 'process.parent.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.code_signature.status': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'process.parent.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'process.parent.code_signature.valid': { - type: 'boolean', - array: false, - required: false, - }, - 'process.parent.command_line': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'process.parent.command_line.text', - name: 'text', - type: 'match_only_text', - }, - 
], - }, - 'process.parent.elf.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.byte_order': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.cpu_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.creation_date': { - type: 'date', - array: false, - required: false, - }, - 'process.parent.elf.exports': { - type: 'flattened', - array: true, - required: false, - }, - 'process.parent.elf.header.abi_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.header.class': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.header.data': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.header.entrypoint': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.header.object_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.header.os_abi': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.header.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.header.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.imports': { - type: 'flattened', - array: true, - required: false, - }, - 'process.parent.elf.sections': { - type: 'nested', - array: true, - required: false, - }, - 'process.parent.elf.sections.chi2': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.sections.entropy': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.sections.flags': { - type: 'keyword', - array: false, - required: false, - ignore_above: 
1024, - }, - 'process.parent.elf.sections.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.sections.physical_offset': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.sections.physical_size': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.sections.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.sections.virtual_address': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.sections.virtual_size': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.elf.segments': { - type: 'nested', - array: true, - required: false, - }, - 'process.parent.elf.segments.sections': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.segments.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.shared_libraries': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'process.parent.elf.telfhash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.end': { - type: 'date', - array: false, - required: false, - }, - 'process.parent.entity_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.executable': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.parent.executable.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.parent.exit_code': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.group.name': { - type: 'keyword', - array: false, - required: false, - 
ignore_above: 1024, - }, - 'process.parent.group_leader.entity_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.group_leader.pid': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.group_leader.start': { - type: 'date', - array: false, - required: false, - }, - 'process.parent.hash.md5': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.hash.sha1': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.hash.sha256': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.hash.sha384': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.hash.sha512': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.hash.tlsh': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.interactive': { - type: 'boolean', - array: false, - required: false, - }, - 'process.parent.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.parent.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.parent.pe.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.pe.company': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.pe.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.pe.file_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.pe.imphash': { - type: 'keyword', - array: false, - 
required: false, - ignore_above: 1024, - }, - 'process.parent.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.pe.pehash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.pe.product': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.pgid': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.pid': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.real_group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.real_group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.real_user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.real_user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.parent.real_user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.parent.saved_group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.saved_group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.saved_user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.saved_user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.parent.saved_user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.parent.start': { - type: 'date', - array: false, - required: false, - }, - 'process.parent.supplemental_groups.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 
'process.parent.supplemental_groups.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.thread.id': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.thread.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.title': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.parent.title.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.parent.tty': { - type: 'object', - array: false, - required: false, - }, - 'process.parent.tty.char_device.major': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.tty.char_device.minor': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.uptime': { - type: 'long', - array: false, - required: false, - }, - 'process.parent.user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.parent.user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.parent.user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.parent.working_directory': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.parent.working_directory.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.pe.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.pe.company': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.pe.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.pe.file_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.pe.imphash': { - type: 
'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.pe.pehash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.pe.product': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.pgid': { - type: 'long', - array: false, - required: false, - }, - 'process.pid': { - type: 'long', - array: false, - required: false, - }, - 'process.previous.args': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'process.previous.args_count': { - type: 'long', - array: false, - required: false, - }, - 'process.previous.executable': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.previous.executable.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.real_group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.real_group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.real_user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.real_user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.real_user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.saved_group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.saved_group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.saved_user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.saved_user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - 
multi_fields: [ - { - flat_name: 'process.saved_user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.session_leader.args': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.args_count': { - type: 'long', - array: false, - required: false, - }, - 'process.session_leader.command_line': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'process.session_leader.command_line.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.session_leader.entity_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.executable': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.session_leader.executable.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.session_leader.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.interactive': { - type: 'boolean', - array: false, - required: false, - }, - 'process.session_leader.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.session_leader.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.session_leader.parent.entity_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.parent.pid': { - type: 'long', - array: false, - required: false, - }, - 'process.session_leader.parent.session_leader.entity_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.parent.session_leader.pid': { - type: 'long', - array: false, - required: 
false, - }, - 'process.session_leader.parent.session_leader.start': { - type: 'date', - array: false, - required: false, - }, - 'process.session_leader.parent.start': { - type: 'date', - array: false, - required: false, - }, - 'process.session_leader.pid': { - type: 'long', - array: false, - required: false, - }, - 'process.session_leader.real_group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.real_group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.real_user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.real_user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.session_leader.real_user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.session_leader.same_as_process': { - type: 'boolean', - array: false, - required: false, - }, - 'process.session_leader.saved_group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.saved_group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.saved_user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.saved_user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.session_leader.saved_user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.session_leader.start': { - type: 'date', - array: false, - required: false, - }, - 'process.session_leader.supplemental_groups.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.supplemental_groups.name': { - type: 'keyword', - 
array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.tty': { - type: 'object', - array: false, - required: false, - }, - 'process.session_leader.tty.char_device.major': { - type: 'long', - array: false, - required: false, - }, - 'process.session_leader.tty.char_device.minor': { - type: 'long', - array: false, - required: false, - }, - 'process.session_leader.user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.session_leader.user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.session_leader.user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.session_leader.working_directory': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.session_leader.working_directory.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.start': { - type: 'date', - array: false, - required: false, - }, - 'process.supplemental_groups.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.supplemental_groups.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.thread.id': { - type: 'long', - array: false, - required: false, - }, - 'process.thread.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.title': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.title.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.tty': { - type: 'object', - array: false, - required: false, - }, - 'process.tty.char_device.major': { - type: 'long', - array: false, - required: false, - }, - 'process.tty.char_device.minor': { - type: 'long', - array: false, - required: false, - }, - 
'process.tty.columns': { - type: 'long', - array: false, - required: false, - }, - 'process.tty.rows': { - type: 'long', - array: false, - required: false, - }, - 'process.uptime': { - type: 'long', - array: false, - required: false, - }, - 'process.user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'process.user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'process.working_directory': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'process.working_directory.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'registry.data.bytes': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'registry.data.strings': { - type: 'wildcard', - array: true, - required: false, - }, - 'registry.data.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'registry.hive': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'registry.key': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'registry.path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'registry.value': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'related.hash': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'related.hosts': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'related.ip': { - type: 'ip', - array: true, - required: false, - }, - 'related.user': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'rule.author': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'rule.category': 
{ - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'rule.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'rule.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'rule.license': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'rule.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'rule.reference': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'rule.ruleset': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'rule.uuid': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'rule.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.address': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.as.number': { - type: 'long', - array: false, - required: false, - }, - 'server.as.organization.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'server.as.organization.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'server.bytes': { - type: 'long', - array: false, - required: false, - }, - 'server.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.geo.city_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.geo.country_name': { - type: 'keyword', - array: 
false, - required: false, - ignore_above: 1024, - }, - 'server.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'server.geo.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.geo.region_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.geo.timezone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.ip': { - type: 'ip', - array: false, - required: false, - }, - 'server.mac': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.nat.ip': { - type: 'ip', - array: false, - required: false, - }, - 'server.nat.port': { - type: 'long', - array: false, - required: false, - }, - 'server.packets': { - type: 'long', - array: false, - required: false, - }, - 'server.port': { - type: 'long', - array: false, - required: false, - }, - 'server.registered_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.subdomain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.top_level_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.user.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.user.email': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.user.full_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'server.user.full_name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'server.user.group.domain': { - type: 'keyword', - array: 
false, - required: false, - ignore_above: 1024, - }, - 'server.user.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.user.group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.user.hash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'server.user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'server.user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'server.user.roles': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'service.address': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.environment': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.ephemeral_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.node.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.node.role': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.node.roles': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'service.origin.address': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.origin.environment': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.origin.ephemeral_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 
'service.origin.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.origin.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.origin.node.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.origin.node.role': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.origin.node.roles': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'service.origin.state': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.origin.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.origin.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.state': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.target.address': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.target.environment': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.target.ephemeral_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.target.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.target.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.target.node.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.target.node.role': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.target.node.roles': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'service.target.state': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 
'service.target.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.target.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'service.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.address': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.as.number': { - type: 'long', - array: false, - required: false, - }, - 'source.as.organization.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'source.as.organization.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'source.bytes': { - type: 'long', - array: false, - required: false, - }, - 'source.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.geo.city_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.geo.country_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'source.geo.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 
1024, - }, - 'source.geo.region_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.geo.timezone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.ip': { - type: 'ip', - array: false, - required: false, - }, - 'source.mac': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.nat.ip': { - type: 'ip', - array: false, - required: false, - }, - 'source.nat.port': { - type: 'long', - array: false, - required: false, - }, - 'source.packets': { - type: 'long', - array: false, - required: false, - }, - 'source.port': { - type: 'long', - array: false, - required: false, - }, - 'source.registered_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.subdomain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.top_level_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.user.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.user.email': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.user.full_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'source.user.full_name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'source.user.group.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.user.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.user.group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.user.hash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'source.user.id': { - type: 'keyword', - array: false, - required: false, - 
ignore_above: 1024, - }, - 'source.user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'source.user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'source.user.roles': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'span.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - tags: { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments': { - type: 'nested', - array: true, - required: false, - }, - 'threat.enrichments.indicator': { - type: 'object', - array: false, - required: false, - }, - 'threat.enrichments.indicator.as.number': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.as.organization.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'threat.enrichments.indicator.as.organization.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'threat.enrichments.indicator.confidence': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.email.address': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.accessed': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.attributes': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.code_signature.exists': { - type: 'boolean', - array: false, - required: false, - }, 
- 'threat.enrichments.indicator.file.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.code_signature.status': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.code_signature.valid': { - type: 'boolean', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.created': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.ctime': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.device': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.directory': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.drive_letter': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1, - }, - 'threat.enrichments.indicator.file.elf.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.byte_order': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.cpu_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 
'threat.enrichments.indicator.file.elf.creation_date': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.exports': { - type: 'flattened', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.elf.header.abi_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.header.class': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.header.data': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.header.entrypoint': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.header.object_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.header.os_abi': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.header.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.header.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.imports': { - type: 'flattened', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections': { - type: 'nested', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.chi2': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.entropy': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.flags': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.sections.name': { - type: 
'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.sections.physical_offset': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.sections.physical_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.sections.virtual_address': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.sections.virtual_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.elf.segments': { - type: 'nested', - array: true, - required: false, - }, - 'threat.enrichments.indicator.file.elf.segments.sections': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.segments.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.shared_libraries': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.elf.telfhash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.extension': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.fork_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.gid': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.group': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.hash.md5': { - type: 'keyword', - 
array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.hash.sha1': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.hash.sha256': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.hash.sha384': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.hash.sha512': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.hash.tlsh': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.inode': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.mime_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.mode': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.mtime': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.owner': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'threat.enrichments.indicator.file.path.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'threat.enrichments.indicator.file.pe.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, 
- }, - 'threat.enrichments.indicator.file.pe.company': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.pe.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.pe.file_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.pe.imphash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.pe.pehash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.pe.product': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.size': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.target_path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'threat.enrichments.indicator.file.target_path.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'threat.enrichments.indicator.file.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.uid': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - 
ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - doc_values: false, - index: false, - }, - 'threat.enrichments.indicator.file.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.file.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 
'threat.enrichments.indicator.file.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.file.x509.version_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.first_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.city_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.geo.country_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'threat.enrichments.indicator.geo.name': { - type: 'keyword', - array: false, 
- required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.geo.region_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.geo.timezone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.ip': { - type: 'ip', - array: false, - required: false, - }, - 'threat.enrichments.indicator.last_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.marking.tlp': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.modified_at': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.port': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.provider': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.reference': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.registry.data.bytes': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.registry.data.strings': { - type: 'wildcard', - array: true, - required: false, - }, - 'threat.enrichments.indicator.registry.data.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.registry.hive': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.registry.key': { - type: 'keyword', - array: false, - required: false, - ignore_above: 
1024, - }, - 'threat.enrichments.indicator.registry.path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.registry.value': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.scanner_stats': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.sightings': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.url.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.url.extension': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.url.fragment': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.url.full': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'threat.enrichments.indicator.url.full.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'threat.enrichments.indicator.url.original': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'threat.enrichments.indicator.url.original.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'threat.enrichments.indicator.url.password': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.url.path': { - type: 'wildcard', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.port': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.url.query': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.url.registered_domain': { 
- type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.url.scheme': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.url.subdomain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.url.top_level_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.url.username': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 
'threat.enrichments.indicator.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - doc_values: false, - index: false, - }, - 'threat.enrichments.indicator.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.enrichments.indicator.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.indicator.x509.version_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 
'threat.enrichments.matched.atomic': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.matched.field': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.matched.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.matched.index': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.enrichments.matched.occurred': { - type: 'date', - array: false, - required: false, - }, - 'threat.enrichments.matched.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.feed.dashboard_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.feed.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.feed.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.feed.reference': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.framework': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.group.alias': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.group.reference': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.as.number': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.as.organization.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'threat.indicator.as.organization.name.text', - name: 'text', - type: 
'match_only_text', - }, - ], - }, - 'threat.indicator.confidence': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.email.address': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.accessed': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.attributes': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.code_signature.digest_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.code_signature.exists': { - type: 'boolean', - array: false, - required: false, - }, - 'threat.indicator.file.code_signature.signing_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.code_signature.status': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.code_signature.subject_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.code_signature.team_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.code_signature.timestamp': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.code_signature.trusted': { - type: 'boolean', - array: false, - required: false, - }, - 'threat.indicator.file.code_signature.valid': { - type: 'boolean', - array: false, - required: false, - }, - 'threat.indicator.file.created': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.ctime': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.device': { - type: 'keyword', - array: false, - required: false, - 
ignore_above: 1024, - }, - 'threat.indicator.file.directory': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.drive_letter': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1, - }, - 'threat.indicator.file.elf.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.byte_order': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.cpu_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.creation_date': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.elf.exports': { - type: 'flattened', - array: true, - required: false, - }, - 'threat.indicator.file.elf.header.abi_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.header.class': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.header.data': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.header.entrypoint': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.header.object_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.header.os_abi': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.header.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.header.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.imports': { - type: 'flattened', - array: true, - required: false, - }, - 'threat.indicator.file.elf.sections': { 
- type: 'nested', - array: true, - required: false, - }, - 'threat.indicator.file.elf.sections.chi2': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.sections.entropy': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.sections.flags': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.sections.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.sections.physical_offset': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.sections.physical_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.sections.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.sections.virtual_address': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.sections.virtual_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.elf.segments': { - type: 'nested', - array: true, - required: false, - }, - 'threat.indicator.file.elf.segments.sections': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.segments.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.shared_libraries': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.elf.telfhash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.extension': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.fork_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 
'threat.indicator.file.gid': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.group': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.hash.md5': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.hash.sha1': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.hash.sha256': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.hash.sha384': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.hash.sha512': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.hash.ssdeep': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.hash.tlsh': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.inode': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.mime_type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.mode': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.mtime': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.owner': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'threat.indicator.file.path.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 
'threat.indicator.file.pe.architecture': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.pe.company': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.pe.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.pe.file_version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.pe.imphash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.pe.original_file_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.pe.pehash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.pe.product': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.size': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.target_path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'threat.indicator.file.target_path.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'threat.indicator.file.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.uid': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 
'threat.indicator.file.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.file.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - doc_values: false, - index: false, - }, - 'threat.indicator.file.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.file.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.subject.distinguished_name': { - 
type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.file.x509.version_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.first_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.geo.city_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.geo.continent_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.geo.country_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'threat.indicator.geo.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.geo.postal_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.geo.region_name': { - type: 'keyword', - array: false, - 
required: false, - ignore_above: 1024, - }, - 'threat.indicator.geo.timezone': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.ip': { - type: 'ip', - array: false, - required: false, - }, - 'threat.indicator.last_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.marking.tlp': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.modified_at': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.port': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.provider': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.reference': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.registry.data.bytes': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.registry.data.strings': { - type: 'wildcard', - array: true, - required: false, - }, - 'threat.indicator.registry.data.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.registry.hive': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.registry.key': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.registry.path': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.registry.value': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.scanner_stats': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.sightings': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 
'threat.indicator.url.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.url.extension': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.url.fragment': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.url.full': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'threat.indicator.url.full.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'threat.indicator.url.original': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'threat.indicator.url.original.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'threat.indicator.url.password': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.url.path': { - type: 'wildcard', - array: false, - required: false, - }, - 'threat.indicator.url.port': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.url.query': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.url.registered_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.url.scheme': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.url.subdomain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.url.top_level_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.url.username': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.issuer.common_name': { - type: 
'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - doc_values: false, - index: false, - }, - 'threat.indicator.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.subject.country': { - type: 'keyword', - 
array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.indicator.x509.version_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.software.alias': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.software.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.software.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.software.platforms': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.software.reference': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.software.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'threat.tactic.id': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.tactic.name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.tactic.reference': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.technique.id': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.technique.name': { - type: 'keyword', - array: 
true, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'threat.technique.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'threat.technique.reference': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.technique.subtechnique.id': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'threat.technique.subtechnique.name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'threat.technique.subtechnique.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'threat.technique.subtechnique.reference': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.cipher': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.certificate': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.certificate_chain': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.hash.md5': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.hash.sha1': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.hash.sha256': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.issuer': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.ja3': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.not_after': { - type: 'date', - array: false, - required: false, - }, - 'tls.client.not_before': { - type: 'date', - array: false, - required: false, - }, - 'tls.client.server_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.subject': { - type: 'keyword', - array: false, - required: 
false, - ignore_above: 1024, - }, - 'tls.client.supported_ciphers': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'tls.client.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'tls.client.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - doc_values: false, - index: false, - }, - 'tls.client.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'tls.client.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.signature_algorithm': { - type: 'keyword', - array: false, - 
required: false, - ignore_above: 1024, - }, - 'tls.client.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.client.x509.version_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.curve': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.established': { - type: 'boolean', - array: false, - required: false, - }, - 'tls.next_protocol': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.resumed': { - type: 'boolean', - array: false, - required: false, - }, - 'tls.server.certificate': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.certificate_chain': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.hash.md5': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.hash.sha1': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.hash.sha256': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.issuer': { - type: 
'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.ja3s': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.not_after': { - type: 'date', - array: false, - required: false, - }, - 'tls.server.not_before': { - type: 'date', - array: false, - required: false, - }, - 'tls.server.subject': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.alternative_names': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.issuer.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.issuer.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.issuer.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.issuer.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.issuer.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.issuer.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.issuer.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.not_after': { - type: 'date', - array: false, - required: false, - }, - 'tls.server.x509.not_before': { - type: 'date', - array: false, - required: false, - }, - 'tls.server.x509.public_key_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.public_key_curve': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.public_key_exponent': { - type: 'long', - array: false, - required: false, - doc_values: false, - index: false, 
- }, - 'tls.server.x509.public_key_size': { - type: 'long', - array: false, - required: false, - }, - 'tls.server.x509.serial_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.signature_algorithm': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.subject.common_name': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.subject.country': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.subject.distinguished_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.subject.locality': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.subject.organization': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.subject.organizational_unit': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.subject.state_or_province': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'tls.server.x509.version_number': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'tls.version_protocol': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'trace.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'transaction.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'url.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'url.extension': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'url.fragment': { - type: 'keyword', - array: 
false, - required: false, - ignore_above: 1024, - }, - 'url.full': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'url.full.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'url.original': { - type: 'wildcard', - array: false, - required: false, - multi_fields: [ - { - flat_name: 'url.original.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'url.password': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'url.path': { - type: 'wildcard', - array: false, - required: false, - }, - 'url.port': { - type: 'long', - array: false, - required: false, - }, - 'url.query': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'url.registered_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'url.scheme': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'url.subdomain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'url.top_level_domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'url.username': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.changes.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.changes.email': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.changes.full_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'user.changes.full_name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'user.changes.group.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.changes.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.changes.group.name': { - type: 
'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.changes.hash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.changes.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.changes.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'user.changes.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'user.changes.roles': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'user.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.effective.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.effective.email': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.effective.full_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'user.effective.full_name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'user.effective.group.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.effective.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.effective.group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.effective.hash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.effective.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.effective.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'user.effective.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'user.effective.roles': { - type: 'keyword', - array: 
true, - required: false, - ignore_above: 1024, - }, - 'user.email': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.full_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'user.full_name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'user.group.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.hash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'user.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'user.risk.calculated_level': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.risk.calculated_score': { - type: 'float', - array: false, - required: false, - }, - 'user.risk.calculated_score_norm': { - type: 'float', - array: false, - required: false, - }, - 'user.risk.static_level': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.risk.static_score': { - type: 'float', - array: false, - required: false, - }, - 'user.risk.static_score_norm': { - type: 'float', - array: false, - required: false, - }, - 'user.roles': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'user.target.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.target.email': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 
'user.target.full_name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'user.target.full_name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'user.target.group.domain': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.target.group.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.target.group.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.target.hash': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.target.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user.target.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'user.target.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'user.target.roles': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'user_agent.device.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user_agent.name': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user_agent.original': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'user_agent.original.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'user_agent.os.family': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user_agent.os.full': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'user_agent.os.full.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'user_agent.os.kernel': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user_agent.os.name': { - 
type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'user_agent.os.name.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'user_agent.os.platform': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user_agent.os.type': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user_agent.os.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'user_agent.version': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'vulnerability.category': { - type: 'keyword', - array: true, - required: false, - ignore_above: 1024, - }, - 'vulnerability.classification': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'vulnerability.description': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - multi_fields: [ - { - flat_name: 'vulnerability.description.text', - name: 'text', - type: 'match_only_text', - }, - ], - }, - 'vulnerability.enumeration': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'vulnerability.id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'vulnerability.reference': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'vulnerability.report_id': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'vulnerability.scanner.vendor': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, - 'vulnerability.score.base': { - type: 'float', - array: false, - required: false, - }, - 'vulnerability.score.environmental': { - type: 'float', - array: false, - required: false, - }, - 'vulnerability.score.temporal': { - type: 'float', - array: false, - required: false, - }, - 'vulnerability.score.version': { - type: 'keyword', - array: 
false, - required: false, - ignore_above: 1024, - }, - 'vulnerability.severity': { - type: 'keyword', - array: false, - required: false, - ignore_above: 1024, - }, -}; - -export type EcsFieldMap = typeof ecsFieldMap; diff --git a/x-pack/plugins/alerting/common/alert_schema/index.ts b/x-pack/plugins/alerting/common/alert_schema/index.ts index d7d5c33be0c2e8..a2788e074ba298 100644 --- a/x-pack/plugins/alerting/common/alert_schema/index.ts +++ b/x-pack/plugins/alerting/common/alert_schema/index.ts @@ -5,10 +5,7 @@ * 2.0. */ -export { ecsFieldMap } from './field_maps/ecs_field_map'; export { alertFieldMap } from './field_maps/alert_field_map'; -export { EcsSchema } from './schemas/ecs_schema'; -export type { Ecs } from './schemas/ecs_schema'; export { AlertSchema } from './schemas/alert_schema'; export type { Alert } from './schemas/alert_schema'; export { getComponentTemplateFromFieldMap } from './field_maps/component_template_from_field_map'; diff --git a/x-pack/plugins/alerting/common/alert_schema/schemas/ecs_schema.ts b/x-pack/plugins/alerting/common/alert_schema/schemas/ecs_schema.ts deleted file mode 100644 index fe2aa0e382a144..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/schemas/ecs_schema.ts +++ /dev/null 
@@ -1,1835 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -// ---------------------------------- WARNING ---------------------------------- -// this file was generated, and should not be edited by hand -// ---------------------------------- WARNING ---------------------------------- - -import { Either } from 'fp-ts/lib/Either'; -import * as rt from 'io-ts'; - -const ISO_DATE_PATTERN = /^d{4}-d{2}-d{2}Td{2}:d{2}:d{2}.d{3}Z$/; - -export const IsoDateString = new rt.Type( - 'IsoDateString', - rt.string.is, - (input, context): Either => { - if (typeof input === 'string' && ISO_DATE_PATTERN.test(input)) { - return rt.success(input); - } else { - return rt.failure(input, context); - } - }, - rt.identity -); - -export type IsoDateStringC = typeof IsoDateString; - -export const schemaDate = IsoDateString; -export const schemaDateArray = rt.array(IsoDateString); -export const schemaDateRange = rt.partial({ - gte: schemaDate, - lte: schemaDate, -}); -export const schemaDateRangeArray = rt.array(schemaDateRange); -export const schemaUnknown = rt.unknown; -export const schemaUnknownArray = rt.array(rt.unknown); -export const schemaString = rt.string; -export const schemaStringArray = rt.array(schemaString); -export const schemaNumber = rt.number; -export const schemaNumberArray = rt.array(schemaNumber); -export const schemaStringOrNumber = rt.union([schemaString, schemaNumber]); -export const schemaStringOrNumberArray = rt.array(schemaStringOrNumber); -export const schemaBoolean = rt.boolean; -export const schemaBooleanArray = rt.array(schemaBoolean); -const schemaGeoPointCoords = rt.type({ - type: schemaString, - coordinates: schemaNumberArray, -}); -const schemaGeoPointString = schemaString; -const schemaGeoPointLatLon = rt.type({ - lat: schemaNumber, - 
lon: schemaNumber, -}); -const schemaGeoPointLocation = rt.type({ - location: schemaNumberArray, -}); -const schemaGeoPointLocationString = rt.type({ - location: schemaString, -}); -export const schemaGeoPoint = rt.union([ - schemaGeoPointCoords, - schemaGeoPointString, - schemaGeoPointLatLon, - schemaGeoPointLocation, - schemaGeoPointLocationString, -]); -export const schemaGeoPointArray = rt.array(schemaGeoPoint); - -const EcsRequiredSchema = rt.type({ - '@timestamp': schemaDate, - ecs: rt.type({ - version: schemaString, - }), -}); -const EcsOptionalSchema = rt.partial({ - agent: rt.partial({ - build: rt.partial({ - original: schemaString, - }), - ephemeral_id: schemaString, - id: schemaString, - name: schemaString, - type: schemaString, - version: schemaString, - }), - client: rt.partial({ - address: schemaString, - as: rt.partial({ - number: schemaStringOrNumber, - organization: rt.partial({ - name: schemaString, - }), - }), - bytes: schemaStringOrNumber, - domain: schemaString, - geo: rt.partial({ - city_name: schemaString, - continent_code: schemaString, - continent_name: schemaString, - country_iso_code: schemaString, - country_name: schemaString, - location: schemaGeoPoint, - name: schemaString, - postal_code: schemaString, - region_iso_code: schemaString, - region_name: schemaString, - timezone: schemaString, - }), - ip: schemaString, - mac: schemaString, - nat: rt.partial({ - ip: schemaString, - port: schemaStringOrNumber, - }), - packets: schemaStringOrNumber, - port: schemaStringOrNumber, - registered_domain: schemaString, - subdomain: schemaString, - top_level_domain: schemaString, - user: rt.partial({ - domain: schemaString, - email: schemaString, - full_name: schemaString, - group: rt.partial({ - domain: schemaString, - id: schemaString, - name: schemaString, - }), - hash: schemaString, - id: schemaString, - name: schemaString, - roles: schemaStringArray, - }), - }), - cloud: rt.partial({ - account: rt.partial({ - id: schemaString, - name: 
schemaString, - }), - availability_zone: schemaString, - instance: rt.partial({ - id: schemaString, - name: schemaString, - }), - machine: rt.partial({ - type: schemaString, - }), - origin: rt.partial({ - account: rt.partial({ - id: schemaString, - name: schemaString, - }), - availability_zone: schemaString, - instance: rt.partial({ - id: schemaString, - name: schemaString, - }), - machine: rt.partial({ - type: schemaString, - }), - project: rt.partial({ - id: schemaString, - name: schemaString, - }), - provider: schemaString, - region: schemaString, - service: rt.partial({ - name: schemaString, - }), - }), - project: rt.partial({ - id: schemaString, - name: schemaString, - }), - provider: schemaString, - region: schemaString, - service: rt.partial({ - name: schemaString, - }), - target: rt.partial({ - account: rt.partial({ - id: schemaString, - name: schemaString, - }), - availability_zone: schemaString, - instance: rt.partial({ - id: schemaString, - name: schemaString, - }), - machine: rt.partial({ - type: schemaString, - }), - project: rt.partial({ - id: schemaString, - name: schemaString, - }), - provider: schemaString, - region: schemaString, - service: rt.partial({ - name: schemaString, - }), - }), - }), - container: rt.partial({ - cpu: rt.partial({ - usage: schemaStringOrNumber, - }), - disk: rt.partial({ - read: rt.partial({ - bytes: schemaStringOrNumber, - }), - write: rt.partial({ - bytes: schemaStringOrNumber, - }), - }), - id: schemaString, - image: rt.partial({ - hash: rt.partial({ - all: schemaStringArray, - }), - name: schemaString, - tag: schemaStringArray, - }), - memory: rt.partial({ - usage: schemaStringOrNumber, - }), - name: schemaString, - network: rt.partial({ - egress: rt.partial({ - bytes: schemaStringOrNumber, - }), - ingress: rt.partial({ - bytes: schemaStringOrNumber, - }), - }), - runtime: schemaString, - }), - data_stream: rt.partial({ - dataset: schemaString, - namespace: schemaString, - type: schemaString, - }), - destination: 
rt.partial({ - address: schemaString, - as: rt.partial({ - number: schemaStringOrNumber, - organization: rt.partial({ - name: schemaString, - }), - }), - bytes: schemaStringOrNumber, - domain: schemaString, - geo: rt.partial({ - city_name: schemaString, - continent_code: schemaString, - continent_name: schemaString, - country_iso_code: schemaString, - country_name: schemaString, - location: schemaGeoPoint, - name: schemaString, - postal_code: schemaString, - region_iso_code: schemaString, - region_name: schemaString, - timezone: schemaString, - }), - ip: schemaString, - mac: schemaString, - nat: rt.partial({ - ip: schemaString, - port: schemaStringOrNumber, - }), - packets: schemaStringOrNumber, - port: schemaStringOrNumber, - registered_domain: schemaString, - subdomain: schemaString, - top_level_domain: schemaString, - user: rt.partial({ - domain: schemaString, - email: schemaString, - full_name: schemaString, - group: rt.partial({ - domain: schemaString, - id: schemaString, - name: schemaString, - }), - hash: schemaString, - id: schemaString, - name: schemaString, - roles: schemaStringArray, - }), - }), - dll: rt.partial({ - code_signature: rt.partial({ - digest_algorithm: schemaString, - exists: schemaBoolean, - signing_id: schemaString, - status: schemaString, - subject_name: schemaString, - team_id: schemaString, - timestamp: schemaDate, - trusted: schemaBoolean, - valid: schemaBoolean, - }), - hash: rt.partial({ - md5: schemaString, - sha1: schemaString, - sha256: schemaString, - sha384: schemaString, - sha512: schemaString, - ssdeep: schemaString, - tlsh: schemaString, - }), - name: schemaString, - path: schemaString, - pe: rt.partial({ - architecture: schemaString, - company: schemaString, - description: schemaString, - file_version: schemaString, - imphash: schemaString, - original_file_name: schemaString, - pehash: schemaString, - product: schemaString, - }), - }), - dns: rt.partial({ - answers: rt.array( - rt.partial({ - class: schemaString, - data: 
schemaString, - name: schemaString, - ttl: schemaStringOrNumber, - type: schemaString, - }) - ), - header_flags: schemaStringArray, - id: schemaString, - op_code: schemaString, - question: rt.partial({ - class: schemaString, - name: schemaString, - registered_domain: schemaString, - subdomain: schemaString, - top_level_domain: schemaString, - type: schemaString, - }), - resolved_ip: schemaStringArray, - response_code: schemaString, - type: schemaString, - }), - email: rt.partial({ - attachments: rt.array( - rt.partial({ - file: rt.partial({ - extension: schemaString, - hash: rt.partial({ - md5: schemaString, - sha1: schemaString, - sha256: schemaString, - sha384: schemaString, - sha512: schemaString, - ssdeep: schemaString, - tlsh: schemaString, - }), - mime_type: schemaString, - name: schemaString, - size: schemaStringOrNumber, - }), - }) - ), - bcc: rt.partial({ - address: schemaStringArray, - }), - cc: rt.partial({ - address: schemaStringArray, - }), - content_type: schemaString, - delivery_timestamp: schemaDate, - direction: schemaString, - from: rt.partial({ - address: schemaStringArray, - }), - local_id: schemaString, - message_id: schemaString, - origination_timestamp: schemaDate, - reply_to: rt.partial({ - address: schemaStringArray, - }), - sender: rt.partial({ - address: schemaString, - }), - subject: schemaString, - to: rt.partial({ - address: schemaStringArray, - }), - x_mailer: schemaString, - }), - error: rt.partial({ - code: schemaString, - id: schemaString, - message: schemaString, - stack_trace: schemaString, - type: schemaString, - }), - event: rt.partial({ - action: schemaString, - agent_id_status: schemaString, - category: schemaStringArray, - code: schemaString, - created: schemaDate, - dataset: schemaString, - duration: schemaStringOrNumber, - end: schemaDate, - hash: schemaString, - id: schemaString, - ingested: schemaDate, - kind: schemaString, - module: schemaString, - original: schemaString, - outcome: schemaString, - provider: 
schemaString, - reason: schemaString, - reference: schemaString, - risk_score: schemaNumber, - risk_score_norm: schemaNumber, - sequence: schemaStringOrNumber, - severity: schemaStringOrNumber, - start: schemaDate, - timezone: schemaString, - type: schemaStringArray, - url: schemaString, - }), - faas: rt.partial({ - coldstart: schemaBoolean, - execution: schemaString, - id: schemaString, - name: schemaString, - version: schemaString, - }), - file: rt.partial({ - accessed: schemaDate, - attributes: schemaStringArray, - code_signature: rt.partial({ - digest_algorithm: schemaString, - exists: schemaBoolean, - signing_id: schemaString, - status: schemaString, - subject_name: schemaString, - team_id: schemaString, - timestamp: schemaDate, - trusted: schemaBoolean, - valid: schemaBoolean, - }), - created: schemaDate, - ctime: schemaDate, - device: schemaString, - directory: schemaString, - drive_letter: schemaString, - elf: rt.partial({ - architecture: schemaString, - byte_order: schemaString, - cpu_type: schemaString, - creation_date: schemaDate, - exports: schemaUnknownArray, - header: rt.partial({ - abi_version: schemaString, - class: schemaString, - data: schemaString, - entrypoint: schemaStringOrNumber, - object_version: schemaString, - os_abi: schemaString, - type: schemaString, - version: schemaString, - }), - imports: schemaUnknownArray, - sections: rt.array( - rt.partial({ - chi2: schemaStringOrNumber, - entropy: schemaStringOrNumber, - flags: schemaString, - name: schemaString, - physical_offset: schemaString, - physical_size: schemaStringOrNumber, - type: schemaString, - virtual_address: schemaStringOrNumber, - virtual_size: schemaStringOrNumber, - }) - ), - segments: rt.array( - rt.partial({ - sections: schemaString, - type: schemaString, - }) - ), - shared_libraries: schemaStringArray, - telfhash: schemaString, - }), - extension: schemaString, - fork_name: schemaString, - gid: schemaString, - group: schemaString, - hash: rt.partial({ - md5: schemaString, - 
sha1: schemaString, - sha256: schemaString, - sha384: schemaString, - sha512: schemaString, - ssdeep: schemaString, - tlsh: schemaString, - }), - inode: schemaString, - mime_type: schemaString, - mode: schemaString, - mtime: schemaDate, - name: schemaString, - owner: schemaString, - path: schemaString, - pe: rt.partial({ - architecture: schemaString, - company: schemaString, - description: schemaString, - file_version: schemaString, - imphash: schemaString, - original_file_name: schemaString, - pehash: schemaString, - product: schemaString, - }), - size: schemaStringOrNumber, - target_path: schemaString, - type: schemaString, - uid: schemaString, - x509: rt.partial({ - alternative_names: schemaStringArray, - issuer: rt.partial({ - common_name: schemaStringArray, - country: schemaStringArray, - distinguished_name: schemaString, - locality: schemaStringArray, - organization: schemaStringArray, - organizational_unit: schemaStringArray, - state_or_province: schemaStringArray, - }), - not_after: schemaDate, - not_before: schemaDate, - public_key_algorithm: schemaString, - public_key_curve: schemaString, - public_key_exponent: schemaStringOrNumber, - public_key_size: schemaStringOrNumber, - serial_number: schemaString, - signature_algorithm: schemaString, - subject: rt.partial({ - common_name: schemaStringArray, - country: schemaStringArray, - distinguished_name: schemaString, - locality: schemaStringArray, - organization: schemaStringArray, - organizational_unit: schemaStringArray, - state_or_province: schemaStringArray, - }), - version_number: schemaString, - }), - }), - group: rt.partial({ - domain: schemaString, - id: schemaString, - name: schemaString, - }), - host: rt.partial({ - architecture: schemaString, - boot: rt.partial({ - id: schemaString, - }), - cpu: rt.partial({ - usage: schemaStringOrNumber, - }), - disk: rt.partial({ - read: rt.partial({ - bytes: schemaStringOrNumber, - }), - write: rt.partial({ - bytes: schemaStringOrNumber, - }), - }), - domain: 
schemaString, - geo: rt.partial({ - city_name: schemaString, - continent_code: schemaString, - continent_name: schemaString, - country_iso_code: schemaString, - country_name: schemaString, - location: schemaGeoPoint, - name: schemaString, - postal_code: schemaString, - region_iso_code: schemaString, - region_name: schemaString, - timezone: schemaString, - }), - hostname: schemaString, - id: schemaString, - ip: schemaStringArray, - mac: schemaStringArray, - name: schemaString, - network: rt.partial({ - egress: rt.partial({ - bytes: schemaStringOrNumber, - packets: schemaStringOrNumber, - }), - ingress: rt.partial({ - bytes: schemaStringOrNumber, - packets: schemaStringOrNumber, - }), - }), - os: rt.partial({ - family: schemaString, - full: schemaString, - kernel: schemaString, - name: schemaString, - platform: schemaString, - type: schemaString, - version: schemaString, - }), - pid_ns_ino: schemaString, - risk: rt.partial({ - calculated_level: schemaString, - calculated_score: schemaNumber, - calculated_score_norm: schemaNumber, - static_level: schemaString, - static_score: schemaNumber, - static_score_norm: schemaNumber, - }), - type: schemaString, - uptime: schemaStringOrNumber, - }), - http: rt.partial({ - request: rt.partial({ - body: rt.partial({ - bytes: schemaStringOrNumber, - content: schemaString, - }), - bytes: schemaStringOrNumber, - id: schemaString, - method: schemaString, - mime_type: schemaString, - referrer: schemaString, - }), - response: rt.partial({ - body: rt.partial({ - bytes: schemaStringOrNumber, - content: schemaString, - }), - bytes: schemaStringOrNumber, - mime_type: schemaString, - status_code: schemaStringOrNumber, - }), - version: schemaString, - }), - log: rt.partial({ - file: rt.partial({ - path: schemaString, - }), - level: schemaString, - logger: schemaString, - origin: rt.partial({ - file: rt.partial({ - line: schemaStringOrNumber, - name: schemaString, - }), - function: schemaString, - }), - }), - message: schemaString, - network: 
rt.partial({ - application: schemaString, - bytes: schemaStringOrNumber, - community_id: schemaString, - direction: schemaString, - forwarded_ip: schemaString, - iana_number: schemaString, - name: schemaString, - packets: schemaStringOrNumber, - protocol: schemaString, - transport: schemaString, - type: schemaString, - vlan: rt.partial({ - id: schemaString, - name: schemaString, - }), - }), - observer: rt.partial({ - geo: rt.partial({ - city_name: schemaString, - continent_code: schemaString, - continent_name: schemaString, - country_iso_code: schemaString, - country_name: schemaString, - location: schemaGeoPoint, - name: schemaString, - postal_code: schemaString, - region_iso_code: schemaString, - region_name: schemaString, - timezone: schemaString, - }), - hostname: schemaString, - ip: schemaStringArray, - mac: schemaStringArray, - name: schemaString, - os: rt.partial({ - family: schemaString, - full: schemaString, - kernel: schemaString, - name: schemaString, - platform: schemaString, - type: schemaString, - version: schemaString, - }), - product: schemaString, - serial_number: schemaString, - type: schemaString, - vendor: schemaString, - version: schemaString, - }), - orchestrator: rt.partial({ - api_version: schemaString, - cluster: rt.partial({ - id: schemaString, - name: schemaString, - url: schemaString, - version: schemaString, - }), - namespace: schemaString, - organization: schemaString, - resource: rt.partial({ - id: schemaString, - ip: schemaStringArray, - name: schemaString, - parent: rt.partial({ - type: schemaString, - }), - type: schemaString, - }), - type: schemaString, - }), - organization: rt.partial({ - id: schemaString, - name: schemaString, - }), - package: rt.partial({ - architecture: schemaString, - build_version: schemaString, - checksum: schemaString, - description: schemaString, - install_scope: schemaString, - installed: schemaDate, - license: schemaString, - name: schemaString, - path: schemaString, - reference: schemaString, - size: 
schemaStringOrNumber, - type: schemaString, - version: schemaString, - }), - process: rt.partial({ - args: schemaStringArray, - args_count: schemaStringOrNumber, - code_signature: rt.partial({ - digest_algorithm: schemaString, - exists: schemaBoolean, - signing_id: schemaString, - status: schemaString, - subject_name: schemaString, - team_id: schemaString, - timestamp: schemaDate, - trusted: schemaBoolean, - valid: schemaBoolean, - }), - command_line: schemaString, - elf: rt.partial({ - architecture: schemaString, - byte_order: schemaString, - cpu_type: schemaString, - creation_date: schemaDate, - exports: schemaUnknownArray, - header: rt.partial({ - abi_version: schemaString, - class: schemaString, - data: schemaString, - entrypoint: schemaStringOrNumber, - object_version: schemaString, - os_abi: schemaString, - type: schemaString, - version: schemaString, - }), - imports: schemaUnknownArray, - sections: rt.array( - rt.partial({ - chi2: schemaStringOrNumber, - entropy: schemaStringOrNumber, - flags: schemaString, - name: schemaString, - physical_offset: schemaString, - physical_size: schemaStringOrNumber, - type: schemaString, - virtual_address: schemaStringOrNumber, - virtual_size: schemaStringOrNumber, - }) - ), - segments: rt.array( - rt.partial({ - sections: schemaString, - type: schemaString, - }) - ), - shared_libraries: schemaStringArray, - telfhash: schemaString, - }), - end: schemaDate, - entity_id: schemaString, - entry_leader: rt.partial({ - args: schemaStringArray, - args_count: schemaStringOrNumber, - attested_groups: rt.partial({ - name: schemaString, - }), - attested_user: rt.partial({ - id: schemaString, - name: schemaString, - }), - command_line: schemaString, - entity_id: schemaString, - entry_meta: rt.partial({ - source: rt.partial({ - ip: schemaString, - }), - type: schemaString, - }), - executable: schemaString, - group: rt.partial({ - id: schemaString, - name: schemaString, - }), - interactive: schemaBoolean, - name: schemaString, - parent: 
rt.partial({ - entity_id: schemaString, - pid: schemaStringOrNumber, - session_leader: rt.partial({ - entity_id: schemaString, - pid: schemaStringOrNumber, - start: schemaDate, - }), - start: schemaDate, - }), - pid: schemaStringOrNumber, - real_group: rt.partial({ - id: schemaString, - name: schemaString, - }), - real_user: rt.partial({ - id: schemaString, - name: schemaString, - }), - same_as_process: schemaBoolean, - saved_group: rt.partial({ - id: schemaString, - name: schemaString, - }), - saved_user: rt.partial({ - id: schemaString, - name: schemaString, - }), - start: schemaDate, - supplemental_groups: rt.partial({ - id: schemaString, - name: schemaString, - }), - user: rt.partial({ - id: schemaString, - name: schemaString, - }), - working_directory: schemaString, - }), - env_vars: schemaStringArray, - executable: schemaString, - exit_code: schemaStringOrNumber, - group_leader: rt.partial({ - args: schemaStringArray, - args_count: schemaStringOrNumber, - command_line: schemaString, - entity_id: schemaString, - executable: schemaString, - group: rt.partial({ - id: schemaString, - name: schemaString, - }), - interactive: schemaBoolean, - name: schemaString, - pid: schemaStringOrNumber, - real_group: rt.partial({ - id: schemaString, - name: schemaString, - }), - real_user: rt.partial({ - id: schemaString, - name: schemaString, - }), - same_as_process: schemaBoolean, - saved_group: rt.partial({ - id: schemaString, - name: schemaString, - }), - saved_user: rt.partial({ - id: schemaString, - name: schemaString, - }), - start: schemaDate, - supplemental_groups: rt.partial({ - id: schemaString, - name: schemaString, - }), - user: rt.partial({ - id: schemaString, - name: schemaString, - }), - working_directory: schemaString, - }), - hash: rt.partial({ - md5: schemaString, - sha1: schemaString, - sha256: schemaString, - sha384: schemaString, - sha512: schemaString, - ssdeep: schemaString, - tlsh: schemaString, - }), - interactive: schemaBoolean, - name: schemaString, 
- parent: rt.partial({ - args: schemaStringArray, - args_count: schemaStringOrNumber, - code_signature: rt.partial({ - digest_algorithm: schemaString, - exists: schemaBoolean, - signing_id: schemaString, - status: schemaString, - subject_name: schemaString, - team_id: schemaString, - timestamp: schemaDate, - trusted: schemaBoolean, - valid: schemaBoolean, - }), - command_line: schemaString, - elf: rt.partial({ - architecture: schemaString, - byte_order: schemaString, - cpu_type: schemaString, - creation_date: schemaDate, - exports: schemaUnknownArray, - header: rt.partial({ - abi_version: schemaString, - class: schemaString, - data: schemaString, - entrypoint: schemaStringOrNumber, - object_version: schemaString, - os_abi: schemaString, - type: schemaString, - version: schemaString, - }), - imports: schemaUnknownArray, - sections: rt.array( - rt.partial({ - chi2: schemaStringOrNumber, - entropy: schemaStringOrNumber, - flags: schemaString, - name: schemaString, - physical_offset: schemaString, - physical_size: schemaStringOrNumber, - type: schemaString, - virtual_address: schemaStringOrNumber, - virtual_size: schemaStringOrNumber, - }) - ), - segments: rt.array( - rt.partial({ - sections: schemaString, - type: schemaString, - }) - ), - shared_libraries: schemaStringArray, - telfhash: schemaString, - }), - end: schemaDate, - entity_id: schemaString, - executable: schemaString, - exit_code: schemaStringOrNumber, - group: rt.partial({ - id: schemaString, - name: schemaString, - }), - group_leader: rt.partial({ - entity_id: schemaString, - pid: schemaStringOrNumber, - start: schemaDate, - }), - hash: rt.partial({ - md5: schemaString, - sha1: schemaString, - sha256: schemaString, - sha384: schemaString, - sha512: schemaString, - ssdeep: schemaString, - tlsh: schemaString, - }), - interactive: schemaBoolean, - name: schemaString, - pe: rt.partial({ - architecture: schemaString, - company: schemaString, - description: schemaString, - file_version: schemaString, - imphash: 
schemaString, - original_file_name: schemaString, - pehash: schemaString, - product: schemaString, - }), - pgid: schemaStringOrNumber, - pid: schemaStringOrNumber, - real_group: rt.partial({ - id: schemaString, - name: schemaString, - }), - real_user: rt.partial({ - id: schemaString, - name: schemaString, - }), - saved_group: rt.partial({ - id: schemaString, - name: schemaString, - }), - saved_user: rt.partial({ - id: schemaString, - name: schemaString, - }), - start: schemaDate, - supplemental_groups: rt.partial({ - id: schemaString, - name: schemaString, - }), - thread: rt.partial({ - id: schemaStringOrNumber, - name: schemaString, - }), - title: schemaString, - uptime: schemaStringOrNumber, - user: rt.partial({ - id: schemaString, - name: schemaString, - }), - working_directory: schemaString, - }), - pe: rt.partial({ - architecture: schemaString, - company: schemaString, - description: schemaString, - file_version: schemaString, - imphash: schemaString, - original_file_name: schemaString, - pehash: schemaString, - product: schemaString, - }), - pgid: schemaStringOrNumber, - pid: schemaStringOrNumber, - previous: rt.partial({ - args: schemaStringArray, - args_count: schemaStringOrNumber, - executable: schemaString, - }), - real_group: rt.partial({ - id: schemaString, - name: schemaString, - }), - real_user: rt.partial({ - id: schemaString, - name: schemaString, - }), - saved_group: rt.partial({ - id: schemaString, - name: schemaString, - }), - saved_user: rt.partial({ - id: schemaString, - name: schemaString, - }), - session_leader: rt.partial({ - args: schemaStringArray, - args_count: schemaStringOrNumber, - command_line: schemaString, - entity_id: schemaString, - executable: schemaString, - group: rt.partial({ - id: schemaString, - name: schemaString, - }), - interactive: schemaBoolean, - name: schemaString, - parent: rt.partial({ - entity_id: schemaString, - pid: schemaStringOrNumber, - session_leader: rt.partial({ - entity_id: schemaString, - pid: 
schemaStringOrNumber, - start: schemaDate, - }), - start: schemaDate, - }), - pid: schemaStringOrNumber, - real_group: rt.partial({ - id: schemaString, - name: schemaString, - }), - real_user: rt.partial({ - id: schemaString, - name: schemaString, - }), - same_as_process: schemaBoolean, - saved_group: rt.partial({ - id: schemaString, - name: schemaString, - }), - saved_user: rt.partial({ - id: schemaString, - name: schemaString, - }), - start: schemaDate, - supplemental_groups: rt.partial({ - id: schemaString, - name: schemaString, - }), - user: rt.partial({ - id: schemaString, - name: schemaString, - }), - working_directory: schemaString, - }), - start: schemaDate, - supplemental_groups: rt.partial({ - id: schemaString, - name: schemaString, - }), - thread: rt.partial({ - id: schemaStringOrNumber, - name: schemaString, - }), - title: schemaString, - uptime: schemaStringOrNumber, - user: rt.partial({ - id: schemaString, - name: schemaString, - }), - working_directory: schemaString, - }), - registry: rt.partial({ - data: rt.partial({ - bytes: schemaString, - strings: schemaStringArray, - type: schemaString, - }), - hive: schemaString, - key: schemaString, - path: schemaString, - value: schemaString, - }), - related: rt.partial({ - hash: schemaStringArray, - hosts: schemaStringArray, - ip: schemaStringArray, - user: schemaStringArray, - }), - rule: rt.partial({ - author: schemaStringArray, - category: schemaString, - description: schemaString, - id: schemaString, - license: schemaString, - name: schemaString, - reference: schemaString, - ruleset: schemaString, - uuid: schemaString, - version: schemaString, - }), - server: rt.partial({ - address: schemaString, - as: rt.partial({ - number: schemaStringOrNumber, - organization: rt.partial({ - name: schemaString, - }), - }), - bytes: schemaStringOrNumber, - domain: schemaString, - geo: rt.partial({ - city_name: schemaString, - continent_code: schemaString, - continent_name: schemaString, - country_iso_code: schemaString, 
- country_name: schemaString, - location: schemaGeoPoint, - name: schemaString, - postal_code: schemaString, - region_iso_code: schemaString, - region_name: schemaString, - timezone: schemaString, - }), - ip: schemaString, - mac: schemaString, - nat: rt.partial({ - ip: schemaString, - port: schemaStringOrNumber, - }), - packets: schemaStringOrNumber, - port: schemaStringOrNumber, - registered_domain: schemaString, - subdomain: schemaString, - top_level_domain: schemaString, - user: rt.partial({ - domain: schemaString, - email: schemaString, - full_name: schemaString, - group: rt.partial({ - domain: schemaString, - id: schemaString, - name: schemaString, - }), - hash: schemaString, - id: schemaString, - name: schemaString, - roles: schemaStringArray, - }), - }), - service: rt.partial({ - address: schemaString, - environment: schemaString, - ephemeral_id: schemaString, - id: schemaString, - name: schemaString, - node: rt.partial({ - name: schemaString, - role: schemaString, - roles: schemaStringArray, - }), - origin: rt.partial({ - address: schemaString, - environment: schemaString, - ephemeral_id: schemaString, - id: schemaString, - name: schemaString, - node: rt.partial({ - name: schemaString, - role: schemaString, - roles: schemaStringArray, - }), - state: schemaString, - type: schemaString, - version: schemaString, - }), - state: schemaString, - target: rt.partial({ - address: schemaString, - environment: schemaString, - ephemeral_id: schemaString, - id: schemaString, - name: schemaString, - node: rt.partial({ - name: schemaString, - role: schemaString, - roles: schemaStringArray, - }), - state: schemaString, - type: schemaString, - version: schemaString, - }), - type: schemaString, - version: schemaString, - }), - source: rt.partial({ - address: schemaString, - as: rt.partial({ - number: schemaStringOrNumber, - organization: rt.partial({ - name: schemaString, - }), - }), - bytes: schemaStringOrNumber, - domain: schemaString, - geo: rt.partial({ - city_name: 
schemaString, - continent_code: schemaString, - continent_name: schemaString, - country_iso_code: schemaString, - country_name: schemaString, - location: schemaGeoPoint, - name: schemaString, - postal_code: schemaString, - region_iso_code: schemaString, - region_name: schemaString, - timezone: schemaString, - }), - ip: schemaString, - mac: schemaString, - nat: rt.partial({ - ip: schemaString, - port: schemaStringOrNumber, - }), - packets: schemaStringOrNumber, - port: schemaStringOrNumber, - registered_domain: schemaString, - subdomain: schemaString, - top_level_domain: schemaString, - user: rt.partial({ - domain: schemaString, - email: schemaString, - full_name: schemaString, - group: rt.partial({ - domain: schemaString, - id: schemaString, - name: schemaString, - }), - hash: schemaString, - id: schemaString, - name: schemaString, - roles: schemaStringArray, - }), - }), - span: rt.partial({ - id: schemaString, - }), - tags: schemaStringArray, - threat: rt.partial({ - enrichments: rt.array( - rt.partial({ - matched: rt.partial({ - atomic: schemaString, - field: schemaString, - id: schemaString, - index: schemaString, - occurred: schemaDate, - type: schemaString, - }), - }) - ), - feed: rt.partial({ - dashboard_id: schemaString, - description: schemaString, - name: schemaString, - reference: schemaString, - }), - framework: schemaString, - group: rt.partial({ - alias: schemaStringArray, - id: schemaString, - name: schemaString, - reference: schemaString, - }), - indicator: rt.partial({ - as: rt.partial({ - number: schemaStringOrNumber, - organization: rt.partial({ - name: schemaString, - }), - }), - confidence: schemaString, - description: schemaString, - email: rt.partial({ - address: schemaString, - }), - file: rt.partial({ - accessed: schemaDate, - attributes: schemaStringArray, - code_signature: rt.partial({ - digest_algorithm: schemaString, - exists: schemaBoolean, - signing_id: schemaString, - status: schemaString, - subject_name: schemaString, - team_id: 
schemaString, - timestamp: schemaDate, - trusted: schemaBoolean, - valid: schemaBoolean, - }), - created: schemaDate, - ctime: schemaDate, - device: schemaString, - directory: schemaString, - drive_letter: schemaString, - elf: rt.partial({ - architecture: schemaString, - byte_order: schemaString, - cpu_type: schemaString, - creation_date: schemaDate, - exports: schemaUnknownArray, - header: rt.partial({ - abi_version: schemaString, - class: schemaString, - data: schemaString, - entrypoint: schemaStringOrNumber, - object_version: schemaString, - os_abi: schemaString, - type: schemaString, - version: schemaString, - }), - imports: schemaUnknownArray, - sections: rt.array( - rt.partial({ - chi2: schemaStringOrNumber, - entropy: schemaStringOrNumber, - flags: schemaString, - name: schemaString, - physical_offset: schemaString, - physical_size: schemaStringOrNumber, - type: schemaString, - virtual_address: schemaStringOrNumber, - virtual_size: schemaStringOrNumber, - }) - ), - segments: rt.array( - rt.partial({ - sections: schemaString, - type: schemaString, - }) - ), - shared_libraries: schemaStringArray, - telfhash: schemaString, - }), - extension: schemaString, - fork_name: schemaString, - gid: schemaString, - group: schemaString, - hash: rt.partial({ - md5: schemaString, - sha1: schemaString, - sha256: schemaString, - sha384: schemaString, - sha512: schemaString, - ssdeep: schemaString, - tlsh: schemaString, - }), - inode: schemaString, - mime_type: schemaString, - mode: schemaString, - mtime: schemaDate, - name: schemaString, - owner: schemaString, - path: schemaString, - pe: rt.partial({ - architecture: schemaString, - company: schemaString, - description: schemaString, - file_version: schemaString, - imphash: schemaString, - original_file_name: schemaString, - pehash: schemaString, - product: schemaString, - }), - size: schemaStringOrNumber, - target_path: schemaString, - type: schemaString, - uid: schemaString, - x509: rt.partial({ - alternative_names: 
schemaStringArray, - issuer: rt.partial({ - common_name: schemaStringArray, - country: schemaStringArray, - distinguished_name: schemaString, - locality: schemaStringArray, - organization: schemaStringArray, - organizational_unit: schemaStringArray, - state_or_province: schemaStringArray, - }), - not_after: schemaDate, - not_before: schemaDate, - public_key_algorithm: schemaString, - public_key_curve: schemaString, - public_key_exponent: schemaStringOrNumber, - public_key_size: schemaStringOrNumber, - serial_number: schemaString, - signature_algorithm: schemaString, - subject: rt.partial({ - common_name: schemaStringArray, - country: schemaStringArray, - distinguished_name: schemaString, - locality: schemaStringArray, - organization: schemaStringArray, - organizational_unit: schemaStringArray, - state_or_province: schemaStringArray, - }), - version_number: schemaString, - }), - }), - first_seen: schemaDate, - geo: rt.partial({ - city_name: schemaString, - continent_code: schemaString, - continent_name: schemaString, - country_iso_code: schemaString, - country_name: schemaString, - location: schemaGeoPoint, - name: schemaString, - postal_code: schemaString, - region_iso_code: schemaString, - region_name: schemaString, - timezone: schemaString, - }), - ip: schemaString, - last_seen: schemaDate, - marking: rt.partial({ - tlp: schemaString, - }), - modified_at: schemaDate, - port: schemaStringOrNumber, - provider: schemaString, - reference: schemaString, - registry: rt.partial({ - data: rt.partial({ - bytes: schemaString, - strings: schemaStringArray, - type: schemaString, - }), - hive: schemaString, - key: schemaString, - path: schemaString, - value: schemaString, - }), - scanner_stats: schemaStringOrNumber, - sightings: schemaStringOrNumber, - type: schemaString, - url: rt.partial({ - domain: schemaString, - extension: schemaString, - fragment: schemaString, - full: schemaString, - original: schemaString, - password: schemaString, - path: schemaString, - port: 
schemaStringOrNumber, - query: schemaString, - registered_domain: schemaString, - scheme: schemaString, - subdomain: schemaString, - top_level_domain: schemaString, - username: schemaString, - }), - x509: rt.partial({ - alternative_names: schemaStringArray, - issuer: rt.partial({ - common_name: schemaStringArray, - country: schemaStringArray, - distinguished_name: schemaString, - locality: schemaStringArray, - organization: schemaStringArray, - organizational_unit: schemaStringArray, - state_or_province: schemaStringArray, - }), - not_after: schemaDate, - not_before: schemaDate, - public_key_algorithm: schemaString, - public_key_curve: schemaString, - public_key_exponent: schemaStringOrNumber, - public_key_size: schemaStringOrNumber, - serial_number: schemaString, - signature_algorithm: schemaString, - subject: rt.partial({ - common_name: schemaStringArray, - country: schemaStringArray, - distinguished_name: schemaString, - locality: schemaStringArray, - organization: schemaStringArray, - organizational_unit: schemaStringArray, - state_or_province: schemaStringArray, - }), - version_number: schemaString, - }), - }), - software: rt.partial({ - alias: schemaStringArray, - id: schemaString, - name: schemaString, - platforms: schemaStringArray, - reference: schemaString, - type: schemaString, - }), - tactic: rt.partial({ - id: schemaStringArray, - name: schemaStringArray, - reference: schemaStringArray, - }), - technique: rt.partial({ - id: schemaStringArray, - name: schemaStringArray, - reference: schemaStringArray, - subtechnique: rt.partial({ - id: schemaStringArray, - name: schemaStringArray, - reference: schemaStringArray, - }), - }), - }), - tls: rt.partial({ - cipher: schemaString, - client: rt.partial({ - certificate: schemaString, - certificate_chain: schemaStringArray, - hash: rt.partial({ - md5: schemaString, - sha1: schemaString, - sha256: schemaString, - }), - issuer: schemaString, - ja3: schemaString, - not_after: schemaDate, - not_before: schemaDate, - 
server_name: schemaString, - subject: schemaString, - supported_ciphers: schemaStringArray, - x509: rt.partial({ - alternative_names: schemaStringArray, - issuer: rt.partial({ - common_name: schemaStringArray, - country: schemaStringArray, - distinguished_name: schemaString, - locality: schemaStringArray, - organization: schemaStringArray, - organizational_unit: schemaStringArray, - state_or_province: schemaStringArray, - }), - not_after: schemaDate, - not_before: schemaDate, - public_key_algorithm: schemaString, - public_key_curve: schemaString, - public_key_exponent: schemaStringOrNumber, - public_key_size: schemaStringOrNumber, - serial_number: schemaString, - signature_algorithm: schemaString, - subject: rt.partial({ - common_name: schemaStringArray, - country: schemaStringArray, - distinguished_name: schemaString, - locality: schemaStringArray, - organization: schemaStringArray, - organizational_unit: schemaStringArray, - state_or_province: schemaStringArray, - }), - version_number: schemaString, - }), - }), - curve: schemaString, - established: schemaBoolean, - next_protocol: schemaString, - resumed: schemaBoolean, - server: rt.partial({ - certificate: schemaString, - certificate_chain: schemaStringArray, - hash: rt.partial({ - md5: schemaString, - sha1: schemaString, - sha256: schemaString, - }), - issuer: schemaString, - ja3s: schemaString, - not_after: schemaDate, - not_before: schemaDate, - subject: schemaString, - x509: rt.partial({ - alternative_names: schemaStringArray, - issuer: rt.partial({ - common_name: schemaStringArray, - country: schemaStringArray, - distinguished_name: schemaString, - locality: schemaStringArray, - organization: schemaStringArray, - organizational_unit: schemaStringArray, - state_or_province: schemaStringArray, - }), - not_after: schemaDate, - not_before: schemaDate, - public_key_algorithm: schemaString, - public_key_curve: schemaString, - public_key_exponent: schemaStringOrNumber, - public_key_size: schemaStringOrNumber, - 
serial_number: schemaString, - signature_algorithm: schemaString, - subject: rt.partial({ - common_name: schemaStringArray, - country: schemaStringArray, - distinguished_name: schemaString, - locality: schemaStringArray, - organization: schemaStringArray, - organizational_unit: schemaStringArray, - state_or_province: schemaStringArray, - }), - version_number: schemaString, - }), - }), - version: schemaString, - version_protocol: schemaString, - }), - trace: rt.partial({ - id: schemaString, - }), - transaction: rt.partial({ - id: schemaString, - }), - url: rt.partial({ - domain: schemaString, - extension: schemaString, - fragment: schemaString, - full: schemaString, - original: schemaString, - password: schemaString, - path: schemaString, - port: schemaStringOrNumber, - query: schemaString, - registered_domain: schemaString, - scheme: schemaString, - subdomain: schemaString, - top_level_domain: schemaString, - username: schemaString, - }), - user: rt.partial({ - changes: rt.partial({ - domain: schemaString, - email: schemaString, - full_name: schemaString, - group: rt.partial({ - domain: schemaString, - id: schemaString, - name: schemaString, - }), - hash: schemaString, - id: schemaString, - name: schemaString, - roles: schemaStringArray, - }), - domain: schemaString, - effective: rt.partial({ - domain: schemaString, - email: schemaString, - full_name: schemaString, - group: rt.partial({ - domain: schemaString, - id: schemaString, - name: schemaString, - }), - hash: schemaString, - id: schemaString, - name: schemaString, - roles: schemaStringArray, - }), - email: schemaString, - full_name: schemaString, - group: rt.partial({ - domain: schemaString, - id: schemaString, - name: schemaString, - }), - hash: schemaString, - id: schemaString, - name: schemaString, - risk: rt.partial({ - calculated_level: schemaString, - calculated_score: schemaNumber, - calculated_score_norm: schemaNumber, - static_level: schemaString, - static_score: schemaNumber, - static_score_norm: 
schemaNumber, - }), - roles: schemaStringArray, - target: rt.partial({ - domain: schemaString, - email: schemaString, - full_name: schemaString, - group: rt.partial({ - domain: schemaString, - id: schemaString, - name: schemaString, - }), - hash: schemaString, - id: schemaString, - name: schemaString, - roles: schemaStringArray, - }), - }), - user_agent: rt.partial({ - device: rt.partial({ - name: schemaString, - }), - name: schemaString, - original: schemaString, - os: rt.partial({ - family: schemaString, - full: schemaString, - kernel: schemaString, - name: schemaString, - platform: schemaString, - type: schemaString, - version: schemaString, - }), - version: schemaString, - }), - vulnerability: rt.partial({ - category: schemaStringArray, - classification: schemaString, - description: schemaString, - enumeration: schemaString, - id: schemaString, - reference: schemaString, - report_id: schemaString, - scanner: rt.partial({ - vendor: schemaString, - }), - score: rt.partial({ - base: schemaNumber, - environmental: schemaNumber, - temporal: schemaNumber, - version: schemaString, - }), - severity: schemaString, - }), -}); - -export const EcsSchema = rt.intersection([EcsRequiredSchema, EcsOptionalSchema]); - -export type Ecs = rt.TypeOf; diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts index 5ab3dcca3bbc8d..ef31dcd1a5924f 100644 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts +++ b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts 
@@ -10,7 +10,6 @@ import path from 'path';
 import { get, set } from 'lodash';
 import { createLineWriter, LineWriter } from './lib/line_writer';
 import { alertFieldMap } from '../field_maps/alert_field_map';
-import { ecsFieldMap } from '../field_maps/ecs_field_map';
 import { FieldMap } from '../field_maps/types';
 
 const PLUGIN_DIR = path.resolve(path.join(__dirname, '..'));
@@ -307,10 +306,6 @@ try {
 console.log(`Creating runtime schema for AlertFieldMap`);
 createSchema(ALERT_SCHEMA_FILE, alertFieldMap, 'Alert');
 
- // eslint-disable-next-line no-console
- console.log(`Creating runtime schema for EcsFieldMap`);
- createSchema(ECS_SCHEMA_FILE, ecsFieldMap, 'Ecs');
-
 // eslint-disable-next-line no-console
 console.log(`Finished creating schemas!`);
 } catch (error) {
diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh
index 63a9bb6830c150..53ae905246a4a1 100755
--- a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh
+++ b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh
@@ -5,10 +5,6 @@
 # 2.0; you may not use this file except in compliance with the Elastic License
 # 2.0.
 
-echo --- Generating ECS field map from template
-
-node x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js
-
-echo --- Generating Alert and ECS schemas from template
+echo --- Generating Alert schemas from template
 
 npx -q ts-node x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts
index b146158fe3f394..806e67c918f034 100644
--- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts
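Review bot: After the second hunk removes `createSchema(ECS_SCHEMA_FILE, ecsFieldMap, 'Ecs')`, nothing visible in this file still uses `ECS_SCHEMA_FILE`; if its `const` declaration (above the hunk, not shown here) was not removed as well, it is now dead code that `@typescript-eslint/no-unused-vars` will flag, so either drop the constant or add a one-line comment explaining why it is retained. The shell hunk that follows drops the `generate_ecs_fieldmap.js` step the same way: if that script is still checked in it is no longer reachable from `generate_schemas.sh` and should be deleted or documented as a manual step. The enclosing `try` block of the second hunk and the surrounding script both extend outside the hunk.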
@@ -79,7 +79,7 @@ const IndexTemplatePutBody = {
 name: '.alerts-default-template',
 body: {
 index_patterns: ['.alerts-default-*'],
- composed_of: ['alerts-default-component-template', 'alerts-ecs-component-template'],
+ composed_of: ['alerts-default-component-template'],
 template: {
 settings: {
 auto_expand_replicas: '0-1',
@@ -130,12 +130,10 @@ describe('Alerts Service', () => {
 await alertsService.initialize();
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody);
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 
 const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0];
 expect(componentTemplate1.name).toEqual('alerts-default-component-template');
- const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0];
- expect(componentTemplate2.name).toEqual('alerts-ecs-component-template');
 
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith(IndexTemplatePutBody);
 expect(clusterClient.indices.getAlias).toHaveBeenCalledWith({ index: '.alerts-default-*' });
@@ -198,7 +196,7 @@ describe('Alerts Service', () => {
 );
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).not.toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).not.toHaveBeenCalled();
@@ -223,7 +221,7 @@ describe('Alerts Service', () => {
 );
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 // putIndexTemplate is skipped but other operations are called as expected
 expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled();
@@ -253,7 +251,7 @@ describe('Alerts Service', () => {
 );
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).not.toHaveBeenCalled();
@@ -280,7 +278,7 @@ describe('Alerts Service', () => {
 );
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).not.toHaveBeenCalled();
@@ -307,7 +305,7 @@ describe('Alerts Service', () => {
 );
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putSettings).not.toHaveBeenCalled();
@@ -329,7 +327,7 @@ describe('Alerts Service', () => {
 await alertsService.initialize();
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putSettings).not.toHaveBeenCalled();
@@ -355,7 +353,7 @@ describe('Alerts Service', () => {
 );
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).toHaveBeenCalled();
@@ -380,7 +378,7 @@ describe('Alerts Service', () => {
 );
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).toHaveBeenCalled();
@@ -405,7 +403,7 @@ describe('Alerts Service', () => {
 expect(logger.error).toHaveBeenCalledWith(`Failed to PUT mapping for alias alias_1: fail`);
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).toHaveBeenCalled();
@@ -426,7 +424,7 @@ describe('Alerts Service', () => {
 await alertsService.initialize();
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).toHaveBeenCalled();
@@ -462,7 +460,7 @@ describe('Alerts Service', () => {
 );
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).toHaveBeenCalled();
@@ -496,7 +494,7 @@ describe('Alerts Service', () => {
 await alertsService.initialize();
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).toHaveBeenCalled();
@@ -521,7 +519,7 @@ describe('Alerts Service', () => {
 expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`);
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).toHaveBeenCalled();
@@ -555,7 +553,7 @@ describe('Alerts Service', () => {
 expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`);
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).toHaveBeenCalled();
@@ -592,7 +590,7 @@ describe('Alerts Service', () => {
 expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`);
 
 expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled();
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1);
 expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled();
 expect(clusterClient.indices.getAlias).toHaveBeenCalled();
@@ -632,7 +630,7 @@ describe('Alerts Service', () => {
 });
 await alertsService.initialize();
 
- expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(4);
+ expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3);
 });
 
 test('should retry updating index template for transient ES errors', async () => {
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
index ee847f329f7eed..92f3a461ff4ad9 100644
--- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
@@ -13,17 +13,12 @@ import {
 import { get, isEmpty } from 'lodash';
 import { Logger, ElasticsearchClient } from '@kbn/core/server';
 import { firstValueFrom, Observable } from 'rxjs';
-import {
- alertFieldMap,
- ecsFieldMap,
- getComponentTemplateFromFieldMap,
-} from '../../common/alert_schema';
+import { alertFieldMap, getComponentTemplateFromFieldMap } from '../../common/alert_schema';
 import { ILM_POLICY_NAME, DEFAULT_ILM_POLICY } from './default_lifecycle_policy';
 import {
 ALERTS_COMPONENT_TEMPLATE_NAME,
 DEFAULT_ALERTS_INDEX,
 DEFAULT_ALERTS_INDEX_PATTERN,
- ECS_COMPONENT_TEMPLATE_NAME,
 INDEX_TEMPLATE_NAME,
 INITIAL_ALERTS_INDEX_NAME,
 } from './types';
@@ -35,11 +30,6 @@ const componentTemplatesToInstall = [
 fieldMap: alertFieldMap,
 fieldLimit: 100,
 },
- {
- name: ECS_COMPONENT_TEMPLATE_NAME,
- fieldMap: ecsFieldMap,
- fieldLimit: 2000,
- },
 ];
 const TOTAL_FIELDS_LIMIT = 2500;
 const INSTALLATION_TIMEOUT = 20 * 60 * 1000; // 20 minutes
@@ -79,7 +69,6 @@ export class AlertsService implements IAlertsService {
 public async initialize(timeoutMs?: number) {
 // Only initialize once
 if (this.initialized) return;
- this.initialized = true;
 
 this.options.logger.debug(`Initializing resources for AlertsService`);
 
@@ -93,6 +82,8 @@ export class AlertsService implements IAlertsService {
 );
 await this.installWithTimeout(esClient, this.createOrUpdateIndexTemplate.bind(this), timeoutMs);
 await this.installWithTimeout(esClient, this.createConcreteWriteIndex.bind(this), timeoutMs);
+
+ this.initialized = true;
 }
 
 /**
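Review bot: Moving `this.initialized = true` from the top of `initialize()` (hunk `@@ -79`) to after the last `installWithTimeout` await (hunk `@@ -93`) removes the re-entrancy guard: two callers that invoke `initialize()` before the first installation settles both pass `if (this.initialized) return;` and run the ILM-policy, component-template, index-template and write-index installation twice against the cluster, and a failed attempt leaves `initialized` false with nothing recording that an attempt is in flight. If the intent is to permit a retry after a failed install, track the in-flight promise rather than a boolean, e.g. a private `initializePromise` field set from the install sequence, returned on subsequent calls with `if (this.initializePromise) return this.initializePromise;`, and cleared in a `catch` so a later call can retry. The body of `initialize()` between the two hunks (the `esClient` lookup and the earlier `installWithTimeout` calls) is not visible here, so whether anything else already serialises callers cannot be confirmed from this diff.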
@@ -167,7 +158,7 @@ export class AlertsService implements IAlertsService {
 name: INDEX_TEMPLATE_NAME,
 body: {
 index_patterns: [DEFAULT_ALERTS_INDEX_PATTERN],
- composed_of: [ALERTS_COMPONENT_TEMPLATE_NAME, ECS_COMPONENT_TEMPLATE_NAME],
+ composed_of: [ALERTS_COMPONENT_TEMPLATE_NAME],
 template: {
 settings: {
 auto_expand_replicas: '0-1',
diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts
index 9a085fef9f57e3..9e83087f69a6e4 100644
--- a/x-pack/plugins/alerting/server/alerts_service/types.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/types.ts
@@ -10,4 +10,3 @@ export const DEFAULT_ALERTS_INDEX = '.alerts-default';
 export const DEFAULT_ALERTS_INDEX_PATTERN = `${DEFAULT_ALERTS_INDEX}-*`;
 export const INITIAL_ALERTS_INDEX_NAME = `${DEFAULT_ALERTS_INDEX}-000001`;
 export const ALERTS_COMPONENT_TEMPLATE_NAME = 'alerts-default-component-template';
-export const ECS_COMPONENT_TEMPLATE_NAME = 'alerts-ecs-component-template';
From 8a3176cae3beb5202de4d2a730700262fa6c9356 Mon Sep 17 00:00:00 2001
From: Ying Date: Thu, 22 Dec 2022 15:01:37 -0500 Subject: [PATCH 19/42] Installing resources for different registration contexts --- .../component_template_from_field_map.ts | 2 +- .../common/alert_schema/field_maps/types.ts | 1 + .../alerts_service/alerts_service.test.ts | 231 ++++++++++++------ .../server/alerts_service/alerts_service.ts | 164 ++++++++----- .../alerting/server/alerts_service/types.ts | 39 ++- x-pack/plugins/alerting/server/plugin.ts | 23 +- .../alerting/server/rule_type_registry.ts | 10 + x-pack/plugins/alerting/server/types.ts | 6 + .../anomaly/register_anomaly_rule_type.ts | 2 + .../register_error_count_rule_type.ts | 2 + .../rule_types/get_alert_registration.ts | 53 ++++ ...register_transaction_duration_rule_type.ts | 2 + ...gister_transaction_error_rate_rule_type.ts | 2 + .../lib/alerting/get_alert_registration.ts | 19 ++ ...er_inventory_metric_threshold_rule_type.ts | 2 + .../register_log_threshold_rule_type.ts | 2 + .../register_metric_anomaly_rule_type.ts | 2 + .../register_metric_threshold_rule_type.ts | 2 + .../lib/rules/get_alert_registration.ts | 15 ++ .../lib/rules/slo_burn_rate/register.ts | 2 + .../field_maps/experimental_rule_field_map.ts | 8 +- .../common/rules/uptime_rule_field_map.ts | 14 ++ .../lib/alerts/duration_anomaly.ts | 2 + .../lib/alerts/get_alert_registration.ts | 15 ++ .../legacy_uptime/lib/alerts/status_check.ts | 2 + .../server/legacy_uptime/lib/alerts/tls.ts | 2 + .../legacy_uptime/lib/alerts/tls_legacy.ts | 2 + 27 files changed, 460 insertions(+), 166 deletions(-) create mode 100644 x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts create mode 100644 x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts create mode 100644 x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts create mode 100644 x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts 
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts
index 25dc6e87518ad3..b4cd25a4f41260 100644
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts
@@ -9,7 +9,7 @@ import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/a
 import { mappingFromFieldMap } from './mapping_from_field_map';
 import { FieldMap } from './types';
 
-interface GetComponentTemplateFromFieldMapOpts {
+export interface GetComponentTemplateFromFieldMapOpts {
 name: string;
 fieldLimit?: number;
 fieldMap: FieldMap;
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts
index f43eb193c90707..b687cbfb0cf7de 100644
--- a/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts
@@ -24,5 +24,6 @@ export interface FieldMap {
 multi_fields?: MultiField[];
 path?: string;
 scaling_factor?: number;
+ dynamic?: boolean | string;
 };
 }
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts
index 806e67c918f034..490c41f4aa1b4d 100644
--- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts
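Review bot: `dynamic?: boolean | string;` in the `FieldMap` entry type (hunk `@@ -24`) is wider than the values Elasticsearch accepts for the `dynamic` mapping parameter (`true`, `false`, `'strict'`, `'runtime'`), so a misspelt value would type-check here and only be rejected when the component template is PUT to the cluster. Narrowing it to `dynamic?: boolean | 'strict' | 'runtime';` catches that at compile time, and a line comment such as `// true lets indexed documents add new fields to the alert mapping, bounded only by total_fields.limit` would make the trade-off visible to rule-type authors who set it, since alert documents are written by rule executors. The `FieldMap` interface itself starts outside the hunk.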
@@ -76,17 +76,17 @@ const IlmPutBody = {
 };
 
 const IndexTemplatePutBody = {
- name: '.alerts-default-template',
+ name: '.alerts-test-template',
 body: {
- index_patterns: ['.alerts-default-*'],
- composed_of: ['alerts-default-component-template'],
+ index_patterns: ['.alerts-test-*'],
+ composed_of: ['alerts-default-component-template', 'alerts-test-component-template'],
 template: {
 settings: {
 auto_expand_replicas: '0-1',
 hidden: true,
 'index.lifecycle': {
 name: 'alerts-default-ilm-policy',
- rollover_alias: '.alerts-default',
+ rollover_alias: '.alerts-test',
 },
 'index.mapping.total_fields.limit': 2500,
 },
@@ -100,6 +100,11 @@ const IndexTemplatePutBody = {
 },
 };
 
+const TestRegistrationContext = {
+ registrationContext: 'test',
+ fieldMap: { field: { type: 'keyword', required: false } },
+};
+
 describe('Alerts Service', () => {
 let pluginStop$: Subject;
 
@@ -120,7 +125,7 @@ describe('Alerts Service', () => {
 pluginStop$.complete();
 });
 describe('initialize()', () => {
- test('should correctly initialize all resources', async () => {
+ test('should correctly initialize common resources', async () => {
 const alertsService = new AlertsService({
 logger,
 elasticsearchClientPromise: Promise.resolve(clusterClient),
@@ -134,22 +139,6 @@ describe('Alerts Service', () => { const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; expect(componentTemplate1.name).toEqual('alerts-default-component-template'); - - expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith(IndexTemplatePutBody); - expect(clusterClient.indices.getAlias).toHaveBeenCalledWith({ index: '.alerts-default-*' }); - expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(2); - expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalledTimes(2); - expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(2); - expect(clusterClient.indices.create).toHaveBeenCalledWith({ - index: '.alerts-default-000001', - body: { - aliases: { - '.alerts-default': { - is_write_index: true, - }, - }, - }, - }); }); test('should throw error if adding ILM policy throws error', async () => { @@ -170,16 +159,9 @@ describe('Alerts Service', () => { expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); expect(clusterClient.cluster.putComponentTemplate).not.toHaveBeenCalled(); - expect(clusterClient.indices.simulateTemplate).not.toHaveBeenCalled(); - expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); - expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); - expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); - expect(clusterClient.indices.simulateIndexTemplate).not.toHaveBeenCalled(); - expect(clusterClient.indices.putMapping).not.toHaveBeenCalled(); - expect(clusterClient.indices.create).not.toHaveBeenCalled(); }); - test('should throw error if updating component template throws error', async () => { + test('should throw error if creating/updating common component template throws error', async () => { clusterClient.cluster.putComponentTemplate.mockRejectedValueOnce(new Error('fail')); const alertsService = new AlertsService({ logger, 
@@ -197,13 +179,78 @@ describe('Alerts Service', () => { expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); - expect(clusterClient.indices.simulateTemplate).not.toHaveBeenCalled(); - expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); - expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); - expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); - expect(clusterClient.indices.simulateIndexTemplate).not.toHaveBeenCalled(); - expect(clusterClient.indices.putMapping).not.toHaveBeenCalled(); - expect(clusterClient.indices.create).not.toHaveBeenCalled(); + }); + }); + + describe('initializeRegistrationContext()', () => { + test('should correctly initialize all resources for registration context', async () => { + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + + const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; + expect(componentTemplate1.name).toEqual('alerts-default-component-template'); + const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; + expect(componentTemplate2.name).toEqual('alerts-test-component-template'); + + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith(IndexTemplatePutBody); + expect(clusterClient.indices.getAlias).toHaveBeenCalledWith({ index: '.alerts-test-*' }); + expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(2); + 
expect(clusterClient.indices.create).toHaveBeenCalledWith({ + index: '.alerts-test-000001', + body: { + aliases: { + '.alerts-test': { + is_write_index: true, + }, + }, + }, + }); + }); + + test('should skip initialization if registration context already exists', async () => { + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); + await alertsService.initializeRegistrationContext(TestRegistrationContext); + + expect(logger.info).toHaveBeenCalledWith( + `Resources for registration context "test" have already been installed.` + ); + }); + + test('should throw error if registration context already exists and has been registered with a different field map', async () => { + const alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); + await expect( + alertsService.initializeRegistrationContext({ + ...TestRegistrationContext, + fieldMap: { anotherField: { type: 'keyword', required: false } }, + }) + ).rejects.toThrowErrorMatchingInlineSnapshot( + `"test has already been registered with a different mapping"` + ); }); test('should not update index template if simulating template throws error', async () => { 
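Review bot: The new 'should skip initialization if registration context already exists' test only checks the info log, so a regression that re-ran the install on the second call would still pass; asserting the mock call counts after the two calls, `expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2);` and `expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledTimes(1);`, pins the idempotence the log message claims. The same applies to the 'different field map' test, where asserting that the counts did not grow after the rejected call shows the conflicting map installed nothing.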
@@ -215,13 +262,14 @@ describe('Alerts Service', () => { }); await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); expect(logger.error).toHaveBeenCalledWith( - `Failed to simulate index template mappings for .alerts-default-template; not applying mappings - fail` + `Failed to simulate index template mappings for .alerts-test-template; not applying mappings - fail` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); // putIndexTemplate is skipped but other operations are called as expected expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); @@ -246,12 +294,15 @@ describe('Alerts Service', () => { pluginStop$, }); - await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. No mappings would be generated for .alerts-default-template, possibly due to failed/misconfigured bootstrapping"` + await alertsService.initialize(); + await expect( + alertsService.initializeRegistrationContext(TestRegistrationContext) + ).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. No mappings would be generated for .alerts-test-template, possibly due to failed/misconfigured bootstrapping"` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).not.toHaveBeenCalled(); expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); 
@@ -269,16 +320,17 @@ describe('Alerts Service', () => { pluginStop$, }); - await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. fail"` - ); + await alertsService.initialize(); + await expect( + alertsService.initializeRegistrationContext(TestRegistrationContext) + ).rejects.toThrowErrorMatchingInlineSnapshot(`"Failure during installation. fail"`); expect(logger.error).toHaveBeenCalledWith( - `Error installing index template .alerts-default-template - fail` + `Error installing index template .alerts-test-template - fail` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).not.toHaveBeenCalled(); 
@@ -296,16 +348,17 @@ describe('Alerts Service', () => { pluginStop$, }); - await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. fail"` - ); + await alertsService.initialize(); + await expect( + alertsService.initializeRegistrationContext(TestRegistrationContext) + ).rejects.toThrowErrorMatchingInlineSnapshot(`"Failure during installation. fail"`); expect(logger.error).toHaveBeenCalledWith( - `Error fetching concrete indices for .alerts-default-* pattern - fail` + `Error fetching concrete indices for .alerts-test-* pattern - fail` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); @@ -325,9 +378,10 @@ describe('Alerts Service', () => { }); await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putSettings).not.toHaveBeenCalled(); 
@@ -344,16 +398,17 @@ describe('Alerts Service', () => { pluginStop$, }); - await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. fail"` - ); + await alertsService.initialize(); + await expect( + alertsService.initializeRegistrationContext(TestRegistrationContext) + ).rejects.toThrowErrorMatchingInlineSnapshot(`"Failure during installation. fail"`); expect(logger.error).toHaveBeenCalledWith( `Failed to PUT index.mapping.total_fields.limit settings for alias alias_1: fail` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -372,13 +427,14 @@ describe('Alerts Service', () => { }); await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); expect(logger.error).toHaveBeenCalledWith( `Ignored PUT mappings for alias alias_1; error generating simulated mappings: fail` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); 
@@ -396,14 +452,15 @@ describe('Alerts Service', () => { pluginStop$, }); - await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. fail"` - ); + await alertsService.initialize(); + await expect( + alertsService.initializeRegistrationContext(TestRegistrationContext) + ).rejects.toThrowErrorMatchingInlineSnapshot(`"Failure during installation. fail"`); expect(logger.error).toHaveBeenCalledWith(`Failed to PUT mapping for alias alias_1: fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -422,9 +479,10 @@ describe('Alerts Service', () => { }); await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -436,9 +494,9 @@ describe('Alerts Service', () => { test('should throw error if concrete indices exist but none are write index', async () => { clusterClient.indices.getAlias.mockImplementationOnce(async () => ({ - '.alerts-default-0001': { + '.alerts-test-0001': { aliases: { - '.alerts-default': { + '.alerts-test': { is_write_index: false, is_hidden: true, }, 
@@ -455,12 +513,15 @@ describe('Alerts Service', () => { pluginStop$, }); - await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. Indices matching pattern .alerts-default-* exist but none are set as the write index for alias .alerts-default"` + await alertsService.initialize(); + await expect( + alertsService.initializeRegistrationContext(TestRegistrationContext) + ).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. Indices matching pattern .alerts-test-* exist but none are set as the write index for alias .alerts-test"` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -472,9 +533,9 @@ describe('Alerts Service', () => { test('does not create new index if concrete write index exists', async () => { clusterClient.indices.getAlias.mockImplementationOnce(async () => ({ - '.alerts-default-0001': { + '.alerts-test-0001': { aliases: { - '.alerts-default': { + '.alerts-test': { is_write_index: true, is_hidden: true, }, @@ -492,9 +553,10 @@ describe('Alerts Service', () => { }); await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); 
@@ -512,14 +574,15 @@ describe('Alerts Service', () => { pluginStop$, }); - await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. fail"` - ); + await alertsService.initialize(); + await expect( + alertsService.initializeRegistrationContext(TestRegistrationContext) + ).rejects.toThrowErrorMatchingInlineSnapshot(`"Failure during installation. fail"`); expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -540,7 +603,7 @@ describe('Alerts Service', () => { }; clusterClient.indices.create.mockRejectedValueOnce(error); clusterClient.indices.get.mockImplementationOnce(async () => ({ - '.alerts-default-000001': { aliases: { '.alerts-default': { is_write_index: true } } }, + '.alerts-test-000001': { aliases: { '.alerts-test': { is_write_index: true } } }, })); const alertsService = new AlertsService({ logger, @@ -549,11 +612,12 @@ describe('Alerts Service', () => { }); await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); 
@@ -575,7 +639,7 @@ describe('Alerts Service', () => { }; clusterClient.indices.create.mockRejectedValueOnce(error); clusterClient.indices.get.mockImplementationOnce(async () => ({ - '.alerts-default-000001': { aliases: { '.alerts-default': { is_write_index: false } } }, + '.alerts-test-000001': { aliases: { '.alerts-test': { is_write_index: false } } }, })); const alertsService = new AlertsService({ logger, @@ -583,14 +647,17 @@ describe('Alerts Service', () => { pluginStop$, }); - await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. Attempted to create index: .alerts-default-000001 as the write index for alias: .alerts-default, but the index already exists and is not the write index for the alias"` + await alertsService.initialize(); + await expect( + alertsService.initializeRegistrationContext(TestRegistrationContext) + ).rejects.toThrowErrorMatchingInlineSnapshot( + `"Failure during installation. Attempted to create index: .alerts-test-000001 as the write index for alias: .alerts-test, but the index already exists and is not the write index for the alias"` ); expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateTemplate).toHaveBeenCalled(); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalled(); expect(clusterClient.indices.getAlias).toHaveBeenCalled(); @@ -645,6 +712,7 @@ describe('Alerts Service', () => { }); await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledTimes(3); }); 
@@ -660,6 +728,7 @@ describe('Alerts Service', () => { }); await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(4); }); @@ -675,6 +744,7 @@ describe('Alerts Service', () => { }); await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(4); }); @@ -690,6 +760,7 @@ describe('Alerts Service', () => { }); await alertsService.initialize(); + await alertsService.initializeRegistrationContext(TestRegistrationContext); expect(clusterClient.indices.create).toHaveBeenCalledTimes(3); }); }); diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 92f3a461ff4ad9..da573c5e66dd0b 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -10,27 +10,21 @@ import {
   IndicesSimulateIndexTemplateResponse,
   MappingTypeMapping,
 } from '@elastic/elasticsearch/lib/api/types';
-import { get, isEmpty } from 'lodash';
+import { get, isEmpty, isEqual } from 'lodash';
 import { Logger, ElasticsearchClient } from '@kbn/core/server';
 import { firstValueFrom, Observable } from 'rxjs';
-import { alertFieldMap, getComponentTemplateFromFieldMap } from '../../common/alert_schema';
+import { FieldMap } from '../../common/alert_schema/field_maps/types';
+import { alertFieldMap } from '../../common/alert_schema';
 import { ILM_POLICY_NAME, DEFAULT_ILM_POLICY } from './default_lifecycle_policy';
 import {
-  ALERTS_COMPONENT_TEMPLATE_NAME,
-  DEFAULT_ALERTS_INDEX,
-  DEFAULT_ALERTS_INDEX_PATTERN,
-  INDEX_TEMPLATE_NAME,
-  INITIAL_ALERTS_INDEX_NAME,
+  getComponentTemplate,
+  getComponentTemplateName,
+  getIndexTemplateAndPattern,
+  IIndexPatternString,
 } from './types';
 import { retryTransientEsErrors } from './retry_transient_es_errors';
+import { IRuleTypeAlerts } from '../types';
 
-const componentTemplatesToInstall = [
-  {
-    name: ALERTS_COMPONENT_TEMPLATE_NAME,
-    fieldMap: alertFieldMap,
-    fieldLimit: 100,
-  },
-];
 
 const TOTAL_FIELDS_LIMIT = 2500;
 const INSTALLATION_TIMEOUT = 20 * 60 * 1000; // 20 minutes
@@ -56,16 +50,23 @@ interface IAlertsService {
    * Not using data streams because those are meant for append-only data
    * and we expect to mutate these documents
    */
-  initialize(): void;
+  initialize(timeoutMs?: number): Promise;
+  initializeRegistrationContext(opts: IRuleTypeAlerts, timeoutMs?: number): Promise;
+  isInitialized(): boolean;
 }
 
 export class AlertsService implements IAlertsService {
   private initialized: boolean;
+  private registrationContexts: Map = new Map();
 
   constructor(private readonly options: AlertsServiceParams) {
     this.initialized = false;
   }
 
+  public isInitialized(): boolean {
+    return this.initialized;
+  }
+
   public async initialize(timeoutMs?: number) {
     // Only initialize once
     if (this.initialized) return;
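Review bot: `private registrationContexts: Map = new Map();` and the two `Promise` return types added to IAlertsService appear without type arguments; if that is the source rather than an artifact of the listing, `new Map()` with no annotation infers `Map<any, any>`, so `registrationContexts.get()` yields `any` and the `isEqual` comparison in initializeRegistrationContext is unchecked. `Map<string, FieldMap>` (the `FieldMap` import added in the first hunk is otherwise unused in the visible hunks) and `Promise<void>` would make the contract explicit. The class body continues outside the hunk.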
@@ -74,18 +75,62 @@ export class AlertsService implements IAlertsService {
 
     const esClient = await this.options.elasticsearchClientPromise;
 
-    await this.installWithTimeout(esClient, this.createOrUpdateIlmPolicy.bind(this), timeoutMs);
-    await this.installWithTimeout(
-      esClient,
-      this.createOrUpdateComponentTemplates.bind(this),
-      timeoutMs
-    );
-    await this.installWithTimeout(esClient, this.createOrUpdateIndexTemplate.bind(this), timeoutMs);
-    await this.installWithTimeout(esClient, this.createConcreteWriteIndex.bind(this), timeoutMs);
+    const initFns = [
+      () => this.createOrUpdateIlmPolicy(esClient),
+      () => this.createOrUpdateComponentTemplate(esClient, getComponentTemplate(alertFieldMap)),
+    ];
+
+    for (let i = 0; i < initFns.length; ++i) {
+      await this.installWithTimeout(async () => await initFns[i](), timeoutMs);
+    }
 
     this.initialized = true;
   }
 
+  public async initializeRegistrationContext(
+    { registrationContext, fieldMap }: IRuleTypeAlerts,
+    timeoutMs?: number
+  ) {
+    // check that this registration context has not been registered before
+    if (this.registrationContexts.has(registrationContext)) {
+      const registeredFieldMap = this.registrationContexts.get(registrationContext);
+      if (!isEqual(fieldMap, registeredFieldMap)) {
+        throw new Error(
+          `${registrationContext} has already been registered with a different mapping`
+        );
+      }
+      this.options.logger.info(
+        `Resources for registration context "${registrationContext}" have already been installed.`
+      );
+      return;
+    }
+    this.options.logger.debug(
+      `Initializing resources for registrationContext ${registrationContext}`
+    );
+    const esClient = await this.options.elasticsearchClientPromise;
+    const indexTemplateAndPattern = getIndexTemplateAndPattern(registrationContext);
+
+    const initFns = [
+      async () =>
+        await this.createOrUpdateComponentTemplate(
+          esClient,
+          getComponentTemplate(fieldMap, registrationContext)
+        ),
+      async () =>
+        await this.createOrUpdateIndexTemplate(esClient, indexTemplateAndPattern, [
+          getComponentTemplateName(),
+          getComponentTemplateName(registrationContext),
+        ]),
+      async () => await this.createConcreteWriteIndex(esClient, indexTemplateAndPattern),
+    ];
+
+    for (let i = 0; i < initFns.length; ++i) {
+      await this.installWithTimeout(async () => await initFns[i](), timeoutMs);
+    }
+
+    this.registrationContexts.set(registrationContext, fieldMap);
+  }
+
   /**
    * Creates ILM policy if it doesn't already exist, updates it if it does
    */
@@ -107,26 +152,6 @@ export class AlertsService implements IAlertsService {
     }
   }
 
-  /**
-   * Installs component templates if they don't already exist, updates them if
-   * they do.
-   */
-  private async createOrUpdateComponentTemplates(esClient: ElasticsearchClient) {
-    this.options.logger.info(
-      `Installing ${componentTemplatesToInstall.length} component templates`
-    );
-
-    await Promise.all(
-      componentTemplatesToInstall.map((componentTemplateSpec) =>
-        this.createOrUpdateComponentTemplate(
-          esClient,
-          // dynamically generate component template from field map specification
-          getComponentTemplateFromFieldMap(componentTemplateSpec)
-        )
-      )
-    );
-  }
-
   private async createOrUpdateComponentTemplate(
     esClient: ElasticsearchClient,
     template: ClusterPutComponentTemplateRequest
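Review bot: In initializeRegistrationContext the `registrationContexts.has()` check runs before any `await` and `registrationContexts.set()` only after all three install steps complete, so two overlapping calls for the same registrationContext both run the full install and a conflicting fieldMap in the second call is never detected; recording the in-flight registration (for example storing the install promise alongside the fieldMap, or a `set` before the awaits with removal on failure) closes that window. The errors thrown here reach only callers that await the returned promise, which matters for the registry call site. Separately, `await this.installWithTimeout(async () => await initFns[i](), timeoutMs)` wraps an async function in another one for no effect; `for (const initFn of initFns) await this.installWithTimeout(initFn, timeoutMs);` does the same, and the identical loop appears in initialize() earlier in this hunk.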
@@ -151,21 +176,25 @@ export class AlertsService implements IAlertsService {
    * conflicts. Simulate should return an empty mapping if a template
    * conflicts with an already installed template.
    */
-  private async createOrUpdateIndexTemplate(esClient: ElasticsearchClient) {
-    this.options.logger.info(`Installing index template ${INDEX_TEMPLATE_NAME}`);
+  private async createOrUpdateIndexTemplate(
+    esClient: ElasticsearchClient,
+    indexPatterns: IIndexPatternString,
+    componentTemplateNames: string[]
+  ) {
+    this.options.logger.info(`Installing index template ${indexPatterns.template}`);
 
     const indexTemplate = {
-      name: INDEX_TEMPLATE_NAME,
+      name: indexPatterns.template,
       body: {
-        index_patterns: [DEFAULT_ALERTS_INDEX_PATTERN],
-        composed_of: [ALERTS_COMPONENT_TEMPLATE_NAME],
+        index_patterns: [indexPatterns.pattern],
+        composed_of: componentTemplateNames,
         template: {
           settings: {
             auto_expand_replicas: '0-1',
             hidden: true,
             'index.lifecycle': {
               name: ILM_POLICY_NAME,
-              rollover_alias: DEFAULT_ALERTS_INDEX,
+              rollover_alias: indexPatterns.alias,
             },
             'index.mapping.total_fields.limit': TOTAL_FIELDS_LIMIT,
           },
@@ -187,14 +216,14 @@ export class AlertsService implements IAlertsService {
       mappings = simulateResponse.template.mappings;
     } catch (err) {
       this.options.logger.error(
-        `Failed to simulate index template mappings for ${INDEX_TEMPLATE_NAME}; not applying mappings - ${err.message}`
+        `Failed to simulate index template mappings for ${indexPatterns.template}; not applying mappings - ${err.message}`
       );
       return;
     }
 
     if (isEmpty(mappings)) {
       throw new Error(
-        `No mappings would be generated for ${INDEX_TEMPLATE_NAME}, possibly due to failed/misconfigured bootstrapping`
+        `No mappings would be generated for ${indexPatterns.template}, possibly due to failed/misconfigured bootstrapping`
       );
     }
 
@@ -204,7 +233,7 @@ export class AlertsService implements IAlertsService {
       });
     } catch (err) {
       this.options.logger.error(
-        `Error installing index template ${INDEX_TEMPLATE_NAME} - ${err.message}`
+        `Error installing index template ${indexPatterns.template} - ${err.message}`
       );
       throw err;
     }
@@ -301,14 +330,17 @@ export class AlertsService implements IAlertsService {
     }
   }
 
-  private async createConcreteWriteIndex(esClient: ElasticsearchClient) {
+  private async createConcreteWriteIndex(
+    esClient: ElasticsearchClient,
+    indexPatterns: IIndexPatternString
+  ) {
     this.options.logger.info(`Creating concrete write index`);
 
     // check if a concrete write index already exists
     let concreteIndices: ConcreteIndexInfo[] = [];
     try {
       const response = await esClient.indices.getAlias({
-        index: DEFAULT_ALERTS_INDEX_PATTERN,
+        index: indexPatterns.pattern,
       });
 
       concreteIndices = Object.entries(response).flatMap(([index, { aliases }]) =>
@@ -326,7 +358,7 @@ export class AlertsService implements IAlertsService {
       // 404 is expected if no concrete write indices have been created
       if (error.statusCode !== 404) {
         this.options.logger.error(
-          `Error fetching concrete indices for ${DEFAULT_ALERTS_INDEX_PATTERN} pattern - ${error.message}`
+          `Error fetching concrete indices for ${indexPatterns.pattern} pattern - ${error.message}`
         );
         throw error;
       }
@@ -338,17 +370,17 @@ export class AlertsService implements IAlertsService {
       await this.updateIndexMappings(esClient, concreteIndices);
 
       const concreteIndicesExist = concreteIndices.some(
-        (index) => index.alias === DEFAULT_ALERTS_INDEX
+        (index) => index.alias === indexPatterns.alias
       );
       concreteWriteIndicesExist = concreteIndices.some(
-        (index) => index.alias === DEFAULT_ALERTS_INDEX && index.isWriteIndex
+        (index) => index.alias === indexPatterns.alias && index.isWriteIndex
       );
 
       // If there are some concrete indices but none of them are the write index, we'll throw an error
       // because one of the existing indices should have been the write target.
       if (concreteIndicesExist && !concreteWriteIndicesExist) {
         throw new Error(
-          `Indices matching pattern ${DEFAULT_ALERTS_INDEX_PATTERN} exist but none are set as the write index for alias ${DEFAULT_ALERTS_INDEX}`
+          `Indices matching pattern ${indexPatterns.pattern} exist but none are set as the write index for alias ${indexPatterns.alias}`
         );
       }
     }
@@ -359,10 +391,10 @@ export class AlertsService implements IAlertsService {
         await retryTransientEsErrors(
           () =>
             esClient.indices.create({
-              index: INITIAL_ALERTS_INDEX_NAME,
+              index: indexPatterns.name,
               body: {
                 aliases: {
-                  [DEFAULT_ALERTS_INDEX]: {
+                  [indexPatterns.alias]: {
                     is_write_index: true,
                   },
                 },
@@ -379,14 +411,13 @@ export class AlertsService implements IAlertsService {
         // index, that's bad, throw an error.
         if (error?.meta?.body?.error?.type === 'resource_already_exists_exception') {
           const existingIndices = await esClient.indices.get({
-            index: INITIAL_ALERTS_INDEX_NAME,
+            index: indexPatterns.name,
           });
           if (
-            !existingIndices[INITIAL_ALERTS_INDEX_NAME]?.aliases?.[DEFAULT_ALERTS_INDEX]
-              ?.is_write_index
+            !existingIndices[indexPatterns.name]?.aliases?.[indexPatterns.alias]?.is_write_index
           ) {
             throw Error(
-              `Attempted to create index: ${INITIAL_ALERTS_INDEX_NAME} as the write index for alias: ${DEFAULT_ALERTS_INDEX}, but the index already exists and is not the write index for the alias`
+              `Attempted to create index: ${indexPatterns.name} as the write index for alias: ${indexPatterns.alias}, but the index already exists and is not the write index for the alias`
             );
           }
         } else {
@@ -397,14 +428,13 @@ export class AlertsService implements IAlertsService {
   }
 
   private async installWithTimeout(
-    esClient: ElasticsearchClient,
-    installFn: (esClient: ElasticsearchClient) => Promise,
+    installFn: () => Promise,
     timeoutMs: number = INSTALLATION_TIMEOUT
   ): Promise {
     try {
       let timeoutId: NodeJS.Timeout;
       const install = async (): Promise => {
-        await installFn(esClient);
+        await installFn();
         if (timeoutId) {
           clearTimeout(timeoutId);
         }
diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts
index 9e83087f69a6e4..708f76c1671fec 100644
--- a/x-pack/plugins/alerting/server/alerts_service/types.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/types.ts
@@ -5,8 +5,37 @@
  * 2.0.
  */
 
-export const INDEX_TEMPLATE_NAME = '.alerts-default-template';
-export const DEFAULT_ALERTS_INDEX = '.alerts-default';
-export const DEFAULT_ALERTS_INDEX_PATTERN = `${DEFAULT_ALERTS_INDEX}-*`;
-export const INITIAL_ALERTS_INDEX_NAME = `${DEFAULT_ALERTS_INDEX}-000001`;
-export const ALERTS_COMPONENT_TEMPLATE_NAME = 'alerts-default-component-template';
+import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types';
+import { getComponentTemplateFromFieldMap } from '../../common/alert_schema';
+import { FieldMap } from '../../common/alert_schema/field_maps/types';
+
+export const getComponentTemplateName = (context?: string) =>
+  `alerts-${context ? context : 'default'}-component-template`;
+
+export interface IIndexPatternString {
+  template: string;
+  pattern: string;
+  alias: string;
+  name: string;
+}
+
+export const getIndexTemplateAndPattern = (context?: string): IIndexPatternString => {
+  const pattern = context ? context : 'default';
+  return {
+    template: `.alerts-${pattern}-template`,
+    pattern: `.alerts-${pattern}-*`,
+    alias: `.alerts-${pattern}`,
+    name: `.alerts-${pattern}-000001`,
+  };
+};
+
+export const getComponentTemplate = (
+  fieldMap: FieldMap,
+  context?: string
+): ClusterPutComponentTemplateRequest =>
+  getComponentTemplateFromFieldMap({
+    name: getComponentTemplateName(context),
+    fieldMap,
+    // set field limit slightly higher than actual number of fields
+    fieldLimit: Math.round(Object.keys(fieldMap).length * 1.5),
+  });
diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts
index 141a435931fef9..de72aeb88a9781 100644
--- a/x-pack/plugins/alerting/server/plugin.ts
+++ b/x-pack/plugins/alerting/server/plugin.ts
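Review bot: getIndexTemplateAndPattern interpolates the caller-supplied `context` straight into the index template name, alias, `index_patterns` glob and concrete index name without validating it, and Elasticsearch index names must be lowercase and cannot contain characters such as `*`, `?`, `,`, `#`, `"` or whitespace, so a registration context like `Security` or one containing `*` would either fail at install time or widen the template's pattern beyond the intended alias; a guard at the top of the function such as `if (context && !/^[a-z0-9][a-z0-9_-]*$/.test(context)) throw new Error(`invalid registration context: ${context}`);` makes the constraint explicit and keeps getComponentTemplateName in step. In getComponentTemplate, `Math.round(Object.keys(fieldMap).length * 1.5)` yields a field limit of 0 for an empty fieldMap, and since the limit Elasticsearch enforces counts every mapped field produced from the map (presumably including the object parents of dotted keys and any multi_fields), the 1.5x margin over top-level keys may be thinner than the comment suggests, so a `Math.max` floor or a comment stating the assumption is worth adding.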
@@ -225,17 +225,6 @@ export class AlertingPlugin { this.eventLogService = plugins.eventLog; plugins.eventLog.registerProviderActions(EVENT_LOG_PROVIDER, Object.values(EVENT_LOG_ACTIONS)); - const ruleTypeRegistry = new RuleTypeRegistry({ - logger: this.logger, - taskManager: plugins.taskManager, - taskRunnerFactory: this.taskRunnerFactory, - licenseState: this.licenseState, - licensing: plugins.licensing, - minimumScheduleInterval: this.config.rules.minimumScheduleInterval, - inMemoryMetrics: this.inMemoryMetrics, - }); - this.ruleTypeRegistry = ruleTypeRegistry; - if (this.config.enableFrameworkAlerts) { this.alertsService = new AlertsService({ logger: this.logger, @@ -252,6 +241,18 @@ export class AlertingPlugin { }); } + const ruleTypeRegistry = new RuleTypeRegistry({ + logger: this.logger, + taskManager: plugins.taskManager, + taskRunnerFactory: this.taskRunnerFactory, + licenseState: this.licenseState, + licensing: plugins.licensing, + alertsService: this.alertsService, + minimumScheduleInterval: this.config.rules.minimumScheduleInterval, + inMemoryMetrics: this.inMemoryMetrics, + }); + this.ruleTypeRegistry = ruleTypeRegistry; + const usageCollection = plugins.usageCollection; if (usageCollection) { registerAlertingUsageCollector( diff --git a/x-pack/plugins/alerting/server/rule_type_registry.ts b/x-pack/plugins/alerting/server/rule_type_registry.ts index b908f7cb67b877..63145f2da1b68c 100644 --- a/x-pack/plugins/alerting/server/rule_type_registry.ts +++ b/x-pack/plugins/alerting/server/rule_type_registry.ts @@ -33,6 +33,7 @@ import { ILicenseState } from './lib/license_state'; import { getRuleTypeFeatureUsageName } from './lib/get_rule_type_feature_usage_name'; import { InMemoryMetrics } from './monitoring'; import { AlertingRulesConfig } from '.'; +import { AlertsService } from './alerts_service/alerts_service'; export interface ConstructorOptions { logger: Logger; 
@@ -42,6 +43,7 @@ export interface ConstructorOptions { licensing: LicensingPluginSetup; minimumScheduleInterval: AlertingRulesConfig['minimumScheduleInterval']; inMemoryMetrics: InMemoryMetrics; + alertsService?: AlertsService; } export interface RegistryRuleType @@ -139,6 +141,7 @@ export class RuleTypeRegistry { private readonly minimumScheduleInterval: AlertingRulesConfig['minimumScheduleInterval']; private readonly licensing: LicensingPluginSetup; private readonly inMemoryMetrics: InMemoryMetrics; + private readonly alertsService?: AlertsService; constructor({ logger, @@ -148,6 +151,7 @@ export class RuleTypeRegistry { licensing, minimumScheduleInterval, inMemoryMetrics, + alertsService, }: ConstructorOptions) { this.logger = logger; this.taskManager = taskManager; @@ -156,6 +160,7 @@ export class RuleTypeRegistry { this.licensing = licensing; this.minimumScheduleInterval = minimumScheduleInterval; this.inMemoryMetrics = inMemoryMetrics; + this.alertsService = alertsService; } public has(id: string) { @@ -277,6 +282,11 @@ export class RuleTypeRegistry { >(normalizedRuleType, context, this.inMemoryMetrics), }, }); + + if (this.alertsService && this.alertsService.isInitialized() && ruleType.alerts) { + this.alertsService.initializeRegistrationContext(ruleType.alerts); + } + // No need to notify usage on basic alert types if (ruleType.minimumLicenseRequired !== 'basic') { this.licensing.featureUsage.register( diff --git a/x-pack/plugins/alerting/server/types.ts b/x-pack/plugins/alerting/server/types.ts index 3cd3807649f2ec..1fce7a9e99c71f 100644 --- a/x-pack/plugins/alerting/server/types.ts +++ b/x-pack/plugins/alerting/server/types.ts 
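Review bot: The call `this.alertsService.initializeRegistrationContext(ruleType.alerts)` in `register()` discards its result, so if that method performs asynchronous Elasticsearch installs (its revision later in this series does) a failure becomes an unhandled promise rejection that neither the registry nor the registering plugin can observe. If it returns a promise, attach a handler that logs through the registry's own logger, e.g. `.catch((err) => this.logger.error('Failed to initialize alert resources for context ' + ruleType.alerts.registrationContext + ': ' + err.message))`, or wrap the call in `try`/`catch` if it is synchronous. With the `isInitialized()` gate a rule type registered before `initialize()` completes is silently skipped, so the outcome depends on plugin start order; a `this.logger.debug` line in that branch would at least make the skip visible. The enclosing `register` method starts and ends outside the hunk.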
@@ -47,6 +47,7 @@ import { RuleLastRun, } from '../common'; import { PublicAlertFactory } from './alert/create_alert_factory'; +import { FieldMap } from '../common/alert_schema/field_maps/types'; export type WithoutQueryAndParams = Pick>; export type SpaceIdToNamespaceFunction = (spaceId?: string) => string | undefined; export type { RuleTypeParams }; @@ -151,6 +152,10 @@ export interface SummarizedAlerts { }; } export type GetSummarizedAlertsFn = (opts: GetSummarizedAlertsFnOpts) => Promise; +export interface IRuleTypeAlerts { + registrationContext: string; + fieldMap: FieldMap; +} export interface RuleType< Params extends RuleTypeParams = never, @@ -197,6 +202,7 @@ export interface RuleType< cancelAlertsOnRuleTimeout?: boolean; doesSetRecoveryContext?: boolean; getSummarizedAlerts?: GetSummarizedAlertsFn; + alerts?: IRuleTypeAlerts; } export type UntypedRuleType = RuleType< RuleTypeParams, diff --git a/x-pack/plugins/apm/server/routes/alerts/rule_types/anomaly/register_anomaly_rule_type.ts b/x-pack/plugins/apm/server/routes/alerts/rule_types/anomaly/register_anomaly_rule_type.ts index 889b249ceca3b9..0a21c965a3e550 100644 --- a/x-pack/plugins/apm/server/routes/alerts/rule_types/anomaly/register_anomaly_rule_type.ts +++ b/x-pack/plugins/apm/server/routes/alerts/rule_types/anomaly/register_anomaly_rule_type.ts @@ -49,6 +49,7 @@ import { getMLJobs } from '../../../service_map/get_service_anomalies'; import { apmActionVariables } from '../../action_variables'; import { RegisterRuleDependencies } from '../../register_apm_rule_types'; import { getServiceGroupFieldsForAnomaly } from './get_service_group_fields_for_anomaly'; +import { alertRegistration } from '../get_alert_registration'; const paramsSchema = schema.object({ serviceName: schema.maybe(schema.string()), 
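Review bot: `IRuleTypeAlerts` is the contract every registering plugin has to satisfy, yet neither field carries documentation, and `registrationContext` is spliced into Elasticsearch index, alias and template names by `getIndexTemplateAndPattern`, so its constraints belong on the type rather than in the alerts service. A TSDoc block on the interface should state that `registrationContext` becomes part of the `.alerts-<context>` index, alias and template names (so it must be unique per registering plugin and a valid lowercase index-name fragment with no wildcards) and that `fieldMap` holds the context-specific fields merged into that index's mapping. The import hunk and the `alerts?: IRuleTypeAlerts;` addition on `RuleType` are fine as they are.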
@@ -106,6 +107,7 @@ export function registerAnomalyRuleType({ producer: 'apm', minimumLicenseRequired: 'basic', isExportable: true, + alerts: alertRegistration, executor: async ({ params, services, spaceId }) => { if (!ml) { return {}; diff --git a/x-pack/plugins/apm/server/routes/alerts/rule_types/error_count/register_error_count_rule_type.ts b/x-pack/plugins/apm/server/routes/alerts/rule_types/error_count/register_error_count_rule_type.ts index 276e817093f404..3340b2502ae777 100644 --- a/x-pack/plugins/apm/server/routes/alerts/rule_types/error_count/register_error_count_rule_type.ts +++ b/x-pack/plugins/apm/server/routes/alerts/rule_types/error_count/register_error_count_rule_type.ts @@ -44,6 +44,7 @@ import { getServiceGroupFieldsAgg, getServiceGroupFields, } from '../get_service_group_fields'; +import { alertRegistration } from '../get_alert_registration'; const paramsSchema = schema.object({ windowSize: schema.number(), @@ -94,6 +95,7 @@ export function registerErrorCountRuleType({ producer: APM_SERVER_FEATURE_ID, minimumLicenseRequired: 'basic', isExportable: true, + alerts: alertRegistration, executor: async ({ params: ruleParams, services, spaceId }) => { const config = await firstValueFrom(config$); diff --git a/x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts b/x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts new file mode 100644 index 00000000000000..86be88e82b5f32 --- /dev/null +++ b/x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts 
@@ -0,0 +1,53 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { IRuleTypeAlerts } from '@kbn/alerting-plugin/server/types';
+import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map';
+import {
+ AGENT_NAME,
+ PROCESSOR_EVENT,
+ SERVICE_ENVIRONMENT,
+ SERVICE_LANGUAGE_NAME,
+ SERVICE_NAME,
+ TRANSACTION_TYPE,
+} from '../../../../common/es_fields/apm';
+
+export const alertRegistration: IRuleTypeAlerts = {
+ registrationContext: 'observability.apm',
+ fieldMap: {
+ ...experimentalRuleFieldMap,
+ [SERVICE_NAME]: {
+ type: 'keyword',
+ required: false,
+ },
+ [SERVICE_ENVIRONMENT]: {
+ type: 'keyword',
+ required: false,
+ },
+ [TRANSACTION_TYPE]: {
+ type: 'keyword',
+ required: false,
+ },
+ [PROCESSOR_EVENT]: {
+ type: 'keyword',
+ required: false,
+ },
+ [AGENT_NAME]: {
+ type: 'keyword',
+ required: false,
+ },
+ [SERVICE_LANGUAGE_NAME]: {
+ type: 'keyword',
+ required: false,
+ },
+ labels: {
+ type: 'object',
+ dynamic: true,
+ required: false,
+ },
+ },
+};
diff --git a/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_duration/register_transaction_duration_rule_type.ts b/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_duration/register_transaction_duration_rule_type.ts
index 56cf1fc466584a..da6bc5954f794b 100644
--- a/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_duration/register_transaction_duration_rule_type.ts
+++ b/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_duration/register_transaction_duration_rule_type.ts
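Review bot: `labels: { type: 'object', dynamic: true }` lets every distinct label key written to an alert document add a field to the shared `.alerts-observability.apm` mapping, and the component template's field limit is derived from the number of declared keys in `getComponentTemplate`, so a rule that emits many distinct labels can push the index past its `total_fields.limit` and have alert writes rejected; dynamically detected value types can also diverge between documents. If labels only need to be stored and returned, `dynamic: false` (kept in `_source`, not mapped) avoids unbounded mapping growth, assuming the alerting `FieldMap` type accepts it; if they must be searchable, the limit should account for them and the trade-off deserves a comment on this entry. Style: the six identical `{ type: 'keyword', required: false }` entries could be built from a list of field names with `Object.fromEntries`, which keeps the declared set in one place.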
@@ -57,6 +57,7 @@ import { getServiceGroupFields, getServiceGroupFieldsAgg, } from '../get_service_group_fields'; +import { alertRegistration } from '../get_alert_registration'; const paramsSchema = schema.object({ serviceName: schema.string(), @@ -113,6 +114,7 @@ export function registerTransactionDurationRuleType({ producer: APM_SERVER_FEATURE_ID, minimumLicenseRequired: 'basic', isExportable: true, + alerts: alertRegistration, executor: async ({ params: ruleParams, services, spaceId }) => { const config = await firstValueFrom(config$); diff --git a/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_error_rate/register_transaction_error_rate_rule_type.ts b/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_error_rate/register_transaction_error_rate_rule_type.ts index cda1c0a9f2f880..cf1e9702b0e517 100644 --- a/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_error_rate/register_transaction_error_rate_rule_type.ts +++ b/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_error_rate/register_transaction_error_rate_rule_type.ts @@ -50,6 +50,7 @@ import { getServiceGroupFields, getServiceGroupFieldsAgg, } from '../get_service_group_fields'; +import { alertRegistration } from '../get_alert_registration'; const paramsSchema = schema.object({ windowSize: schema.number(), @@ -102,6 +103,7 @@ export function registerTransactionErrorRateRuleType({ producer: APM_SERVER_FEATURE_ID, minimumLicenseRequired: 'basic', isExportable: true, + alerts: alertRegistration, executor: async ({ services, spaceId, params: ruleParams }) => { const config = await firstValueFrom(config$); diff --git a/x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts b/x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts new file mode 100644 index 00000000000000..42650987022927 --- /dev/null +++ b/x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts 
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { IRuleTypeAlerts } from '@kbn/alerting-plugin/server/types';
+import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map';
+
+export const logAlertRegistration: IRuleTypeAlerts = {
+ registrationContext: 'observability.logs',
+ fieldMap: experimentalRuleFieldMap,
+};
+
+export const metricAlertRegistration: IRuleTypeAlerts = {
+ registrationContext: 'observability.metrics',
+ fieldMap: experimentalRuleFieldMap,
+};
diff --git a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts
index a5ba2c32ada6e4..e5135cb54f834c 100644
--- a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts
+++ b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts
@@ -51,6 +51,7 @@ import {
 FIRED_ACTIONS_ID,
 WARNING_ACTIONS,
 } from './inventory_metric_threshold_executor';
+import { metricAlertRegistration } from '../get_alert_registration';
 
 const condition = schema.object({
 threshold: schema.arrayOf(schema.number()),
@@ -126,6 +127,7 @@ export async function registerMetricInventoryThresholdRuleType(
 { name: 'tags', description: tagsActionVariableDescription },
 ],
 },
+ alerts: metricAlertRegistration,
 getSummarizedAlerts: libs.metricsRules.createGetSummarizedAlerts(),
 });
 }
diff --git a/x-pack/plugins/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts b/x-pack/plugins/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts index ce04dd70361133..db24b28aaa1b1c 100644 --- a/x-pack/plugins/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts +++ b/x-pack/plugins/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts @@ -19,6 +19,7 @@ import { alertDetailUrlActionVariableDescription, groupByKeysActionVariableDescription, } from '../common/messages'; +import { logAlertRegistration } from '../get_alert_registration'; const timestampActionVariableDescription = i18n.translate( 'xpack.infra.logs.alerting.threshold.timestampActionVariableDescription', @@ -145,6 +146,7 @@ export async function registerLogThresholdRuleType( ], }, producer: 'logs', + alerts: logAlertRegistration, getSummarizedAlerts: libs.logsRules.createGetSummarizedAlerts(), }); } diff --git a/x-pack/plugins/infra/server/lib/alerting/metric_anomaly/register_metric_anomaly_rule_type.ts b/x-pack/plugins/infra/server/lib/alerting/metric_anomaly/register_metric_anomaly_rule_type.ts index b27ae6889fd284..608ee9890e6621 100644 --- a/x-pack/plugins/infra/server/lib/alerting/metric_anomaly/register_metric_anomaly_rule_type.ts +++ b/x-pack/plugins/infra/server/lib/alerting/metric_anomaly/register_metric_anomaly_rule_type.ts @@ -23,6 +23,7 @@ import { METRIC_ANOMALY_ALERT_TYPE_ID } from '../../../../common/alerting/metric import { InfraBackendLibs } from '../../infra_types'; import { oneOfLiterals, validateIsStringElasticsearchJSONFilter } from '../common/utils'; import { alertStateActionVariableDescription } from '../common/messages'; +import { metricAlertRegistration } from '../get_alert_registration'; export type MetricAnomalyAllowedActionGroups = typeof FIRED_ACTIONS_ID; @@ -114,4 +115,5 @@ export const registerMetricAnomalyRuleType = ( }, ], }, + alerts: metricAlertRegistration, }); 
diff --git a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts
index 55e2379bcf19a6..981877a4c5cae5 100644
--- a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts
+++ b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts
@@ -41,6 +41,7 @@ import {
 WARNING_ACTIONS,
 NO_DATA_ACTIONS,
 } from './metric_threshold_executor';
+import { metricAlertRegistration } from '../get_alert_registration';
 
 type MetricThresholdAllowedActionGroups = ActionGroupIdsOf<
 typeof FIRED_ACTIONS | typeof WARNING_ACTIONS | typeof NO_DATA_ACTIONS
@@ -127,6 +128,7 @@ export async function registerMetricThresholdRuleType(
 ],
 },
 producer: 'infrastructure',
+ alerts: metricAlertRegistration,
 getSummarizedAlerts: libs.metricsRules.createGetSummarizedAlerts(),
 });
 }
diff --git a/x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts b/x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts
new file mode 100644
index 00000000000000..7bbfc00eebe4b0
--- /dev/null
+++ b/x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { IRuleTypeAlerts } from '@kbn/alerting-plugin/server/types';
+import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map';
+import { RULE_REGISTRATION_CONTEXT } from '../../common/constants';
+
+export const alertRegistration: IRuleTypeAlerts = {
+ registrationContext: RULE_REGISTRATION_CONTEXT,
+ fieldMap: experimentalRuleFieldMap,
+};
diff --git a/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/register.ts b/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/register.ts index b85f70413e3cbb..f6271b75a8085e 100644 --- a/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/register.ts +++ b/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/register.ts @@ -11,6 +11,7 @@ import { LicenseType } from '@kbn/licensing-plugin/server'; import { createLifecycleExecutor } from '@kbn/rule-registry-plugin/server'; import { SLO_BURN_RATE_RULE_ID } from '../../../../common/constants'; +import { alertRegistration } from '../get_alert_registration'; import { FIRED_ACTION, getRuleExecutor } from './executor'; const durationSchema = schema.object({ @@ -51,6 +52,7 @@ export function sloBurnRateRuleType(createLifecycleRuleExecutor: CreateLifecycle { name: 'shortWindow', description: windowActionVariableDescription }, ], }, + alert: alertRegistration, }; } diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts index 92f93015309c0b..3859ebe6df9b6b 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts @@ -8,8 +8,12 @@ import * as Fields from '../../technical_rule_data_field_names'; export const experimentalRuleFieldMap = { - [Fields.ALERT_EVALUATION_THRESHOLD]: { type: 'scaled_float', scaling_factor: 100 }, - [Fields.ALERT_EVALUATION_VALUE]: { type: 'scaled_float', scaling_factor: 100 }, + [Fields.ALERT_EVALUATION_THRESHOLD]: { + type: 'scaled_float', + scaling_factor: 100, + required: false, + }, + [Fields.ALERT_EVALUATION_VALUE]: { type: 'scaled_float', scaling_factor: 100, required: false }, } as const; export type ExperimentalRuleFieldMap = typeof experimentalRuleFieldMap; 
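Review bot: The property added to the SLO burn-rate rule type object is `alert: alertRegistration`, but the field this series introduces on `RuleType` is `alerts` (every other registration in the patch uses `alerts:`), so this rule either fails excess-property checking if the function's return type is annotated or, if it is not, silently registers without any alerts-as-data resources being created for it. Change the line to `alerts: alertRegistration,`. The enclosing `sloBurnRateRuleType` function starts outside the hunk.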
diff --git a/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts b/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts index ff69d3a5e6e7fa..be097ed8d8268c 100644 --- a/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts +++ b/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts @@ -9,48 +9,62 @@ export const uptimeRuleFieldMap = { // common fields 'monitor.id': { type: 'keyword', + required: false, }, 'url.full': { type: 'keyword', + required: false, }, 'observer.geo.name': { type: 'keyword', + required: false, }, // monitor status alert fields 'error.message': { type: 'text', + required: false, }, 'agent.name': { type: 'keyword', + required: false, }, 'monitor.name': { type: 'keyword', + required: false, }, 'monitor.type': { type: 'keyword', + required: false, }, // tls alert fields 'tls.server.x509.issuer.common_name': { type: 'keyword', + required: false, }, 'tls.server.x509.subject.common_name': { type: 'keyword', + required: false, }, 'tls.server.x509.not_after': { type: 'date', + required: false, }, 'tls.server.x509.not_before': { type: 'date', + required: false, }, 'tls.server.hash.sha256': { type: 'keyword', + required: false, }, // anomaly alert fields 'anomaly.start': { type: 'date', + required: false, }, 'anomaly.bucket_span.minutes': { type: 'keyword', + required: false, }, } as const; diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/duration_anomaly.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/duration_anomaly.ts index d54f5fddc696b5..c31270a88fc78f 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/duration_anomaly.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/duration_anomaly.ts 
@@ -33,6 +33,7 @@ import { getMonitorRouteFromMonitorId } from '../../../../common/utils/get_monit import { createUptimeESClient } from '../lib'; import { ALERT_REASON_MSG, ACTION_VARIABLES, VIEW_IN_APP_URL } from './action_variables'; +import { alertRegistration } from './get_alert_registration'; export type ActionGroupIds = ActionGroupIdsOf; @@ -109,6 +110,7 @@ export const durationAnomalyAlertFactory: UptimeAlertTypeFactory ], state: [...durationAnomalyTranslations.actionVariables, ...commonStateTranslations], }, + alerts: alertRegistration, isExportable: true, minimumLicenseRequired: 'platinum', doesSetRecoveryContext: true, diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts new file mode 100644 index 00000000000000..42539d21d4c227 --- /dev/null +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts @@ -0,0 +1,15 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { IRuleTypeAlerts } from '@kbn/alerting-plugin/server/types'; +import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; +import { uptimeRuleFieldMap } from '../../../../common/rules/uptime_rule_field_map'; + +export const alertRegistration: IRuleTypeAlerts = { + registrationContext: 'observability.uptime', + fieldMap: { ...uptimeRuleFieldMap, ...experimentalRuleFieldMap }, +}; diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/status_check.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/status_check.ts index 42b46b869ff960..a26f64b6ae4fc8 100644 
--- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/status_check.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/status_check.ts @@ -51,6 +51,7 @@ import { VIEW_IN_APP_URL, } from './action_variables'; import { getMonitorRouteFromMonitorId } from '../../../../common/utils/get_monitor_url'; +import { alertRegistration } from './get_alert_registration'; export type ActionGroupIds = ActionGroupIdsOf; @@ -299,6 +300,7 @@ export const statusCheckAlertFactory: UptimeAlertTypeFactory = ( ], state: [...commonMonitorStateI18, ...commonStateTranslations], }, + alerts: alertRegistration, isExportable: true, minimumLicenseRequired: 'basic', doesSetRecoveryContext: true, diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts index 217f40acc4603a..bc4d5c36232a33 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts @@ -24,6 +24,7 @@ import { TlsTranslations } from '../../../../common/translations'; import { savedObjectsAdapter } from '../saved_objects/saved_objects'; import { createUptimeESClient } from '../lib'; import { ACTION_VARIABLES, ALERT_DETAILS_URL } from './action_variables'; +import { alertRegistration } from './get_alert_registration'; export type ActionGroupIds = ActionGroupIdsOf; @@ -128,6 +129,7 @@ export const tlsAlertFactory: UptimeAlertTypeFactory = ( state: [...tlsTranslations.actionVariables, ...commonStateTranslations], }, isExportable: true, + alerts: alertRegistration, minimumLicenseRequired: 'basic', doesSetRecoveryContext: true, async executor({ diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls_legacy.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls_legacy.ts index 13a27e3048445a..cfb63e45838e21 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls_legacy.ts 
+++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls_legacy.ts @@ -24,6 +24,7 @@ import { DEFAULT_SIZE, DEFAULT_TO, } from '../../../../common/requests/get_certs_request_body'; +import { alertRegistration } from './get_alert_registration'; export type ActionGroupIds = ActionGroupIdsOf; @@ -112,6 +113,7 @@ export const tlsLegacyAlertFactory: UptimeAlertTypeFactory = (_s }, isExportable: true, minimumLicenseRequired: 'basic', + alerts: alertRegistration, async executor({ services: { alertFactory, scopedClusterClient, savedObjectsClient }, state }) { const dynamicSettings = await savedObjectsAdapter.getUptimeDynamicSettings(savedObjectsClient); From 5cdc21ff58d3650ca8cade2428781e51d8f87b7c Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 22 Dec 2022 15:43:13 -0500 Subject: [PATCH 20/42] Fixing checks --- .../common/alert_schema/scripts/create_schema_from_mapping.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts index ef31dcd1a5924f..4f3c34e78e3f63 100644 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts +++ b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts @@ -14,7 +14,6 @@ import { FieldMap } from '../field_maps/types'; const PLUGIN_DIR = path.resolve(path.join(__dirname, '..')); const ALERT_SCHEMA_FILE = 'schemas/alert_schema.ts'; -const ECS_SCHEMA_FILE = 'schemas/ecs_schema.ts'; const createSchema = (outputFile: string, fieldMap: FieldMap, schemaPrefix: string) => { const lineWriters = { From 6a05a0a2318eaf48131d64e7ccc04c24c5829b10 Mon Sep 17 00:00:00 2001 
From: Ying Date: Thu, 22 Dec 2022 16:13:29 -0500 Subject: [PATCH 21/42] wip fixing timing of installations --- .../server/alerts_service/alerts_service.ts | 33 +++++++++++++++++-- .../alerting/server/alerts_service/types.ts | 2 +- .../alerting/server/rule_type_registry.ts | 3 +- 3 files changed, 33 insertions(+), 5 deletions(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index da573c5e66dd0b..14c1c35fd13486 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -58,6 +58,7 @@ interface IAlertsService { export class AlertsService implements IAlertsService { private initialized: boolean; private registrationContexts: Map = new Map(); + private initializedContexts: Map = new Map(); constructor(private readonly options: AlertsServiceParams) { this.initialized = false; @@ -84,6 +85,17 @@ export class AlertsService implements IAlertsService { await this.installWithTimeout(async () => await initFns[i](), timeoutMs); } + // if any contexts were registered, initialize resources for them + const uninitializedContexts = [...this.initializedContexts.keys()].filter( + (context: string) => this.initializedContexts.get(context) === false + ); + for (let i = 0; i < uninitializedContexts.length; ++i) { + await this.initializeContext({ + registrationContext: uninitializedContexts[i], + fieldMap: this.registrationContexts.get(uninitializedContexts[i])!, + }); + } + this.initialized = true; } 
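Review bot: The drain loop snapshots `uninitializedContexts` before it starts awaiting, and `this.initialized` is only set after the loop, so a context registered while one of the `await this.initializeContext(...)` calls is in flight takes the `!this.initialized` branch in `initializeRegistrationContext`, is recorded as `false`, and is never initialized because nothing re-reads the map afterwards. Re-evaluating the pending set until it is empty closes that window, and iterating `registrationContexts` entries directly also removes the `!` non-null assertion on `this.registrationContexts.get(...)`. The `initialize` method starts outside the hunk.
```typescript
    // … unchanged: common resource installation loop …

    // Re-check after every batch: a context can be registered while an
    // earlier one is still installing, and `initialized` is still false then.
    const pending = () =>
      [...this.registrationContexts.entries()].filter(
        ([context]) => this.initializedContexts.get(context) === false
      );
    for (let batch = pending(); batch.length > 0; batch = pending()) {
      for (const [registrationContext, fieldMap] of batch) {
        await this.initializeContext({ registrationContext, fieldMap });
      }
    }

    this.initialized = true;
```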
@@ -104,9 +116,24 @@ export class AlertsService implements IAlertsService { ); return; } - this.options.logger.debug( + + this.registrationContexts.set(registrationContext, fieldMap); + + // Don't do anything yet if common resource initialization is not done + if (!this.initialized) { + console.log('hi'); + this.initializedContexts.set(registrationContext, false); + return; + } + + this.initializeContext({ registrationContext, fieldMap }); + } + + private async initializeContext({ registrationContext, fieldMap }: IRuleTypeAlerts) { + this.options.logger.info( `Initializing resources for registrationContext ${registrationContext}` ); + console.log(JSON.stringify(fieldMap)); const esClient = await this.options.elasticsearchClientPromise; const indexTemplateAndPattern = getIndexTemplateAndPattern(registrationContext); @@ -125,10 +152,10 @@ export class AlertsService implements IAlertsService { ]; for (let i = 0; i < initFns.length; ++i) { - await this.installWithTimeout(async () => await initFns[i](), timeoutMs); + await this.installWithTimeout(async () => await initFns[i]()); } - this.registrationContexts.set(registrationContext, fieldMap); + this.initializedContexts.set(registrationContext, true); } /** diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts index 708f76c1671fec..cba7a9c13fdad0 100644 --- a/x-pack/plugins/alerting/server/alerts_service/types.ts +++ b/x-pack/plugins/alerting/server/alerts_service/types.ts @@ -37,5 +37,5 @@ export const getComponentTemplate = ( name: getComponentTemplateName(context), fieldMap, // set field limit slightly higher than actual number of fields - fieldLimit: Math.round(Object.keys(fieldMap).length * 1.5), + fieldLimit: 100, // Math.round(Object.keys(fieldMap).length * 1.5), }); diff --git a/x-pack/plugins/alerting/server/rule_type_registry.ts b/x-pack/plugins/alerting/server/rule_type_registry.ts index 63145f2da1b68c..b92cda9d3f767e 100644 
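Review bot: `this.initializeContext({ registrationContext, fieldMap })` at the end of `initializeRegistrationContext` is neither awaited nor given a rejection handler, so when one of the Elasticsearch installs fails the error surfaces as an unhandled promise rejection and `initializedContexts` keeps the context at `false` with nothing left to retry it; at minimum prefix the call with `void` and attach `.catch((err) => this.options.logger.error('Failed to initialize resources for registrationContext ' + registrationContext + ': ' + err.message))`. The `console.log('hi')` and `console.log(JSON.stringify(fieldMap))` calls bypass the plugin logger and, in the second case, dump the entire field map to stdout on every registration; they read as leftover debugging and should be removed or turned into `this.options.logger.debug` calls. The enclosing method starts outside the hunk.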
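Review bot: `fieldLimit: 100` replaces the computed value with a bare constant while leaving the old expression in a trailing comment, so the reason for 100 is not recorded and a context whose field map (plus any `dynamic: true` objects) exceeds it fails at index creation or ingest rather than at registration. If a fixed limit is the intent, name it (`const CONTEXT_FIELD_LIMIT = 100;`) with a comment explaining how it relates to the index-level `total_fields.limit` set by the index template, and delete the commented-out expression; otherwise restore the computed value.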
--- a/x-pack/plugins/alerting/server/rule_type_registry.ts +++ b/x-pack/plugins/alerting/server/rule_type_registry.ts @@ -283,7 +283,8 @@ export class RuleTypeRegistry { }, }); - if (this.alertsService && this.alertsService.isInitialized() && ruleType.alerts) { + if (this.alertsService && ruleType.alerts) { + console.log('here'); this.alertsService.initializeRegistrationContext(ruleType.alerts); } From 447dd1310c646fd960931a2d53e9c7ea0965e0f2 Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 4 Jan 2023 10:56:31 -0500 Subject: [PATCH 22/42] Registering all the things --- .../scripts/steps/checks/alerts_as_data.sh | 2 +- .../alerts_service/alerts_service.mock.ts | 17 +- .../alerts_service/alerts_service.test.ts | 442 ++++++++++-------- .../server/alerts_service/alerts_service.ts | 151 +++--- .../default_lifecycle_policy.ts | 2 + .../alerting/server/alerts_service/types.ts | 13 +- x-pack/plugins/alerting/server/plugin.ts | 4 +- .../server/rule_type_registry.test.ts | 51 ++ .../alerting/server/rule_type_registry.ts | 3 +- x-pack/plugins/alerting/server/types.ts | 3 +- .../rule_types/get_alert_registration.ts | 2 +- .../lib/alerting/get_alert_registration.ts | 4 +- .../lib/rules/get_alert_registration.ts | 2 +- .../lib/alerts/get_alert_registration.ts | 2 +- 14 files changed, 414 insertions(+), 284 deletions(-) diff --git a/.buildkite/scripts/steps/checks/alerts_as_data.sh b/.buildkite/scripts/steps/checks/alerts_as_data.sh index 99f62d8de29de6..b2ee45d3addf9f 100755 --- a/.buildkite/scripts/steps/checks/alerts_as_data.sh +++ b/.buildkite/scripts/steps/checks/alerts_as_data.sh 
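Review bot: `console.log('here')` in `register()` writes straight to stdout on every rule-type registration and bypasses the structured logger the class already holds in `this.logger`; it reads as leftover debugging and should be removed, or replaced with `this.logger.debug('Registering alerts-as-data context ' + ruleType.alerts.registrationContext)` if the trace is wanted. Dropping the `isInitialized()` gate is consistent with the deferral this commit adds to `initializeRegistrationContext`, so that part is fine. The enclosing `register` method starts and ends outside the hunk.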
@@ -8,4 +8,4 @@ echo --- Check Framework Alerts as Data Schema ./x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh -check_for_changed_files 'node x-pack/plugins/event_log/scripts/create_schemas.js' false 'Follow the directions in x-pack/plugins/alerting/common/alert_schema/scripts/README.md to make schema changes to framework alerts as data.' +check_for_changed_files './x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh' false 'Follow the directions in x-pack/plugins/alerting/common/alert_schema/scripts/README.md to make schema changes to framework alerts as data.' diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts index 2bbca912d7322a..d11e95f909c199 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.mock.ts @@ -5,16 +5,17 @@ * 2.0. */ -import type { PublicMethodsOf } from '@kbn/utility-types'; -import { AlertsService } from './alerts_service'; - const creatAlertsServiceMock = () => { - const mocked: jest.Mocked> = { - initialize: jest.fn(() => Promise.resolve()), - }; - return mocked; + return jest.fn().mockImplementation(() => { + return { + initialize: jest.fn(), + register: jest.fn(), + isInitialized: jest.fn(), + isContextInitialized: jest.fn(), + }; + }); }; export const alertsServiceMock = { - create: creatAlertsServiceMock, + create: creatAlertsServiceMock(), }; diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index 490c41f4aa1b4d..914b0ef2f6e693 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts 
@@ -75,18 +75,21 @@ const IlmPutBody = { name: 'alerts-default-ilm-policy', }; -const IndexTemplatePutBody = { - name: '.alerts-test-template', +const getIndexTemplatePutBody = (context?: string) => ({ + name: `.alerts-${context ? context : 'test'}-template`, body: { - index_patterns: ['.alerts-test-*'], - composed_of: ['alerts-default-component-template', 'alerts-test-component-template'], + index_patterns: [`.alerts-${context ? context : 'test'}-*`], + composed_of: [ + 'alerts-common-component-template', + `alerts-${context ? context : 'test'}-component-template`, + ], template: { settings: { auto_expand_replicas: '0-1', hidden: true, 'index.lifecycle': { name: 'alerts-default-ilm-policy', - rollover_alias: '.alerts-test', + rollover_alias: `.alerts-${context ? context : 'test'}-default`, }, 'index.mapping.total_fields.limit': 2500, }, @@ -98,10 +101,15 @@ const IndexTemplatePutBody = { managed: true, }, }, -}; +}); const TestRegistrationContext = { - registrationContext: 'test', + context: 'test', + fieldMap: { field: { type: 'keyword', required: false } }, +}; + +const AnotherRegistrationContext = { + context: 'another', fieldMap: { field: { type: 'keyword', required: false } }, }; @@ -109,7 +117,7 @@ describe('Alerts Service', () => { let pluginStop$: Subject; beforeEach(() => { - jest.resetAllMocks(); + jest.clearAllMocks(); logger = loggingSystemMock.createLogger(); pluginStop$ = new ReplaySubject(1); jest.spyOn(global.Math, 'random').mockReturnValue(0.01); 
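Review bot: Switching `beforeEach` from `jest.resetAllMocks()` to `jest.clearAllMocks()` clears call records but keeps mock implementations, so a `mockRejectedValueOnce`/`mockImplementationOnce` queued by one test and not consumed (for instance when the sleep-based wait elapses before the call is reached) carries over into the next test and produces a confusing failure there. If the reset was dropped because `clusterClient`'s default implementations are installed once outside `beforeEach`, consider re-installing them per test and keeping `resetAllMocks`, or add a comment stating why clearing is sufficient. Separately, `getIndexTemplatePutBody` repeats `context ? context : 'test'` four times; a default parameter, `const getIndexTemplatePutBody = (context = 'test') => ({`, expresses it once.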
@@ -132,16 +140,18 @@ describe('Alerts Service', () => { pluginStop$, }); - await alertsService.initialize(); + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isInitialized()).toEqual(true); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; - expect(componentTemplate1.name).toEqual('alerts-default-component-template'); + expect(componentTemplate1.name).toEqual('alerts-common-component-template'); }); - test('should throw error if adding ILM policy throws error', async () => { + test('should log error and set initialized to false if adding ILM policy throws error', async () => { clusterClient.ilm.putLifecycle.mockRejectedValueOnce(new Error('fail')); const alertsService = new AlertsService({ logger, @@ -149,9 +159,10 @@ describe('Alerts Service', () => { pluginStop$, }); - await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. fail"` - ); + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 50)); + + expect(alertsService.isInitialized()).toEqual(false); expect(logger.error).toHaveBeenCalledWith( `Error installing ILM policy alerts-default-ilm-policy - fail` @@ -161,7 +172,7 @@ describe('Alerts Service', () => { expect(clusterClient.cluster.putComponentTemplate).not.toHaveBeenCalled(); }); - test('should throw error if creating/updating common component template throws error', async () => { + test('should log error and set initialized to false if creating/updating common component template throws error', async () => { clusterClient.cluster.putComponentTemplate.mockRejectedValueOnce(new Error('fail')); const alertsService = new AlertsService({ logger, 
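Review bot: The tests now follow `alertsService.initialize()` with `await new Promise((r) => setTimeout(r, 50))` because initialization became fire-and-forget, which makes every assertion depend on wall-clock timing: on a slow CI worker the ILM and component-template calls may not have completed within 50 ms, so `isInitialized()` is asserted `false` for the wrong reason, and the failure-path tests cannot distinguish "failed" from "not finished yet". A deterministic alternative is to have the service keep the in-flight promise (the async callback handed to `setImmediate`) so tests can await it, or to drive the work with fake timers. If sleeping is kept, factor it into one bounded helper such as `const waitForInit = async (s: AlertsService) => { for (let i = 0; i < 100 && !s.isInitialized(); i++) await new Promise((r) => setImmediate(r)); };` so the wait ends as soon as the state flips and the bound is explicit; the surrounding `describe` setup is outside this hunk.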
@@ -169,48 +180,129 @@ describe('Alerts Service', () => { pluginStop$, }); - await expect(alertsService.initialize()).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. fail"` - ); + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isInitialized()).toEqual(false); expect(logger.error).toHaveBeenCalledWith( - `Error installing component template alerts-default-component-template - fail` + `Error installing component template alerts-common-component-template - fail` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); }); - }); - describe('initializeRegistrationContext()', () => { - test('should correctly initialize all resources for registration context', async () => { + test('should install resources for contexts awaiting initialization when common resources are initialized', async () => { const alertsService = new AlertsService({ logger, elasticsearchClientPromise: Promise.resolve(clusterClient), pluginStop$, }); - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + // pre-register contexts so they get installed right after initialization + alertsService.register(TestRegistrationContext); + alertsService.register(AnotherRegistrationContext); + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 50)); + + expect(alertsService.isInitialized()).toEqual(true); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(alertsService.isContextInitialized(AnotherRegistrationContext.context)).toEqual(true); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); - expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + // 1x for common component template, 2x for context specific + 
expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; - expect(componentTemplate1.name).toEqual('alerts-default-component-template'); + expect(componentTemplate1.name).toEqual('alerts-common-component-template'); + const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; + expect(componentTemplate2.name).toEqual('alerts-another-component-template'); + const componentTemplate3 = clusterClient.cluster.putComponentTemplate.mock.calls[2][0]; + expect(componentTemplate3.name).toEqual('alerts-test-component-template'); + + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenNthCalledWith( + 1, + getIndexTemplatePutBody('another') + ); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenNthCalledWith( + 2, + getIndexTemplatePutBody() + ); + + expect(clusterClient.indices.getAlias).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.getAlias).toHaveBeenNthCalledWith(1, { + index: '.alerts-another-*', + }); + expect(clusterClient.indices.getAlias).toHaveBeenNthCalledWith(2, { + index: '.alerts-test-*', + }); + expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(4); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalledTimes(4); + expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(4); + expect(clusterClient.indices.create).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.create).toHaveBeenNthCalledWith(1, { + index: '.alerts-another-default-000001', + body: { + aliases: { + '.alerts-another-default': { + is_write_index: true, + }, + }, + }, + }); + expect(clusterClient.indices.create).toHaveBeenNthCalledWith(2, { + index: '.alerts-test-default-000001', + body: { + aliases: { + '.alerts-test-default': { + is_write_index: true, + }, + }, + }, + }); + }); + }); + + describe('register()', () => { + let 
alertsService: AlertsService; + beforeEach(async () => { + alertsService = new AlertsService({ + logger, + elasticsearchClientPromise: Promise.resolve(clusterClient), + pluginStop$, + }); + + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isInitialized()).toEqual(true); + }); + + test('should correctly install resources for context when common initialization is complete', async () => { + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); + + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); + const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; + expect(componentTemplate1.name).toEqual('alerts-common-component-template'); const componentTemplate2 = clusterClient.cluster.putComponentTemplate.mock.calls[1][0]; expect(componentTemplate2.name).toEqual('alerts-test-component-template'); - expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith(IndexTemplatePutBody); + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith( + getIndexTemplatePutBody() + ); expect(clusterClient.indices.getAlias).toHaveBeenCalledWith({ index: '.alerts-test-*' }); expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(2); expect(clusterClient.indices.create).toHaveBeenCalledWith({ - index: '.alerts-test-000001', + index: '.alerts-test-default-000001', body: { aliases: { - '.alerts-test': { + '.alerts-test-default': { is_write_index: true, }, }, 
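Review bot: The new "contexts awaiting initialization" test pins the install order as `another` before `test` (second component template, first `putIndexTemplate`, first `indices.create`) even though `TestRegistrationContext` was registered first, which encodes the `contextsToInitialize.pop()` LIFO drain visible in the service hunk rather than any documented contract. If order does not matter, compare the set of template names instead of `toHaveBeenNthCalledWith(1, …)`; if FIFO is intended, drain with `shift()` in the service and flip the expectations here. The `AnotherRegistrationContext` and `TestRegistrationContext` fixtures also share the identical `fieldMap`, so the test cannot tell whether each context's component template carried its own mappings — giving the second fixture a distinct field, e.g. `fieldMap: { anotherField: { type: 'keyword', required: false } }`, and asserting on `putComponentTemplate.mock.calls[1][0].template.mappings` would make that visible.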
@@ -218,51 +310,34 @@ describe('Alerts Service', () => { }); }); - test('should skip initialization if registration context already exists', async () => { - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + test('should skip initialization if context already exists', async () => { + alertsService.register(TestRegistrationContext); + alertsService.register(TestRegistrationContext); expect(logger.info).toHaveBeenCalledWith( - `Resources for registration context "test" have already been installed.` + `Resources for context "test" have already been registered.` ); }); - test('should throw error if registration context already exists and has been registered with a different field map', async () => { - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); - await expect( - alertsService.initializeRegistrationContext({ + test('should throw error if context already exists and has been registered with a different field map', async () => { + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(() => { + alertsService.register({ ...TestRegistrationContext, fieldMap: { anotherField: { type: 'keyword', required: false } }, - }) - ).rejects.toThrowErrorMatchingInlineSnapshot( + }); + }).toThrowErrorMatchingInlineSnapshot( `"test has already been registered with a different mapping"` ); }); test('should not update index template if simulating template throws error', async () => { clusterClient.indices.simulateTemplate.mockRejectedValueOnce(new Error('fail')); 
- const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); expect(logger.error).toHaveBeenCalledWith( `Failed to simulate index template mappings for .alerts-test-template; not applying mappings - fail` @@ -280,7 +355,7 @@ describe('Alerts Service', () => { expect(clusterClient.indices.create).toHaveBeenCalled(); }); - test('should throw error if simulating template returns empty mappings', async () => { + test('should log error and set initialized to false if simulating template returns empty mappings', async () => { clusterClient.indices.simulateTemplate.mockImplementationOnce(async () => ({ ...SimulateTemplateResponse, template: { @@ -288,17 +363,15 @@ describe('Alerts Service', () => { mappings: {}, }, })); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await expect( - alertsService.initializeRegistrationContext(TestRegistrationContext) - ).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. No mappings would be generated for .alerts-test-template, possibly due to failed/misconfigured bootstrapping"` + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); + + expect(logger.error).toHaveBeenCalledWith( + new Error( + `No mappings would be generated for .alerts-test-template, possibly due to failed/misconfigured bootstrapping` + ) ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); 
@@ -312,18 +385,12 @@ describe('Alerts Service', () => { expect(clusterClient.indices.create).not.toHaveBeenCalled(); }); - test('should throw error if updating index template throws error', async () => { + test('should log error and set initialized to false if updating index template throws error', async () => { clusterClient.indices.putIndexTemplate.mockRejectedValueOnce(new Error('fail')); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await expect( - alertsService.initializeRegistrationContext(TestRegistrationContext) - ).rejects.toThrowErrorMatchingInlineSnapshot(`"Failure during installation. fail"`); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); expect(logger.error).toHaveBeenCalledWith( `Error installing index template .alerts-test-template - fail` 
@@ -340,18 +407,12 @@ describe('Alerts Service', () => { expect(clusterClient.indices.create).not.toHaveBeenCalled(); }); - test('should throw error if checking for concrete write index throws error', async () => { + test('should log error and set initialized to false if checking for concrete write index throws error', async () => { clusterClient.indices.getAlias.mockRejectedValueOnce(new Error('fail')); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await expect( - alertsService.initializeRegistrationContext(TestRegistrationContext) - ).rejects.toThrowErrorMatchingInlineSnapshot(`"Failure during installation. fail"`); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); expect(logger.error).toHaveBeenCalledWith( `Error fetching concrete indices for .alerts-test-* pattern - fail` @@ -371,14 +432,10 @@ describe('Alerts Service', () => { const error = new Error(`index doesn't exist`) as HTTPError; error.statusCode = 404; clusterClient.indices.getAlias.mockRejectedValueOnce(error); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); 
@@ -390,18 +447,12 @@ describe('Alerts Service', () => { expect(clusterClient.indices.create).toHaveBeenCalled(); }); - test('should throw error if updating index settings for existing indices throws error', async () => { + test('should log error and set initialized to false if updating index settings for existing indices throws error', async () => { clusterClient.indices.putSettings.mockRejectedValueOnce(new Error('fail')); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await expect( - alertsService.initializeRegistrationContext(TestRegistrationContext) - ).rejects.toThrowErrorMatchingInlineSnapshot(`"Failure during installation. fail"`); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); expect(logger.error).toHaveBeenCalledWith( `Failed to PUT index.mapping.total_fields.limit settings for alias alias_1: fail` @@ -420,14 +471,10 @@ describe('Alerts Service', () => { test('should skip updating index mapping for existing indices if simulate index template throws error', async () => { clusterClient.indices.simulateIndexTemplate.mockRejectedValueOnce(new Error('fail')); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); expect(logger.error).toHaveBeenCalledWith( `Ignored PUT mappings for alias alias_1; error generating simulated mappings: fail` 
@@ -444,18 +491,12 @@ describe('Alerts Service', () => { expect(clusterClient.indices.create).toHaveBeenCalled(); }); - test('should throw error if updating index mappings for existing indices throws error', async () => { + test('should log error and set initialized to false if updating index mappings for existing indices throws error', async () => { clusterClient.indices.putMapping.mockRejectedValueOnce(new Error('fail')); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await expect( - alertsService.initializeRegistrationContext(TestRegistrationContext) - ).rejects.toThrowErrorMatchingInlineSnapshot(`"Failure during installation. fail"`); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); expect(logger.error).toHaveBeenCalledWith(`Failed to PUT mapping for alias alias_1: fail`); @@ -472,14 +513,10 @@ describe('Alerts Service', () => { test('does not updating settings or mappings if no existing concrete indices', async () => { clusterClient.indices.getAlias.mockImplementationOnce(async () => ({})); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); 
@@ -492,11 +529,11 @@ describe('Alerts Service', () => { expect(clusterClient.indices.create).toHaveBeenCalled(); }); - test('should throw error if concrete indices exist but none are write index', async () => { + test('should log error and set initialized to false if concrete indices exist but none are write index', async () => { clusterClient.indices.getAlias.mockImplementationOnce(async () => ({ - '.alerts-test-0001': { + '.alerts-test-default-0001': { aliases: { - '.alerts-test': { + '.alerts-test-default': { is_write_index: false, is_hidden: true, }, @@ -507,17 +544,15 @@ describe('Alerts Service', () => { }, }, })); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await expect( - alertsService.initializeRegistrationContext(TestRegistrationContext) - ).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. Indices matching pattern .alerts-test-* exist but none are set as the write index for alias .alerts-test"` + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); + + expect(logger.error).toHaveBeenCalledWith( + new Error( + `Indices matching pattern .alerts-test-* exist but none are set as the write index for alias .alerts-test-default` + ) ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); @@ -533,9 +568,9 @@ describe('Alerts Service', () => { test('does not create new index if concrete write index exists', async () => { clusterClient.indices.getAlias.mockImplementationOnce(async () => ({ - '.alerts-test-0001': { + '.alerts-test-default-0001': { aliases: { - '.alerts-test': { + '.alerts-test-default': { is_write_index: true, is_hidden: true, }, 
@@ -546,14 +581,10 @@ describe('Alerts Service', () => { }, }, })); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); @@ -566,18 +597,12 @@ describe('Alerts Service', () => { expect(clusterClient.indices.create).not.toHaveBeenCalled(); }); - test('should throw error if create concrete index throws error', async () => { + test('should log error and set initialized to false if create concrete index throws error', async () => { clusterClient.indices.create.mockRejectedValueOnce(new Error('fail')); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await expect( - alertsService.initializeRegistrationContext(TestRegistrationContext) - ).rejects.toThrowErrorMatchingInlineSnapshot(`"Failure during installation. fail"`); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); 
@@ -603,16 +628,14 @@ describe('Alerts Service', () => { }; clusterClient.indices.create.mockRejectedValueOnce(error); clusterClient.indices.get.mockImplementationOnce(async () => ({ - '.alerts-test-000001': { aliases: { '.alerts-test': { is_write_index: true } } }, + '.alerts-test-default-000001': { + aliases: { '.alerts-test-default': { is_write_index: true } }, + }, })); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); @@ -628,7 +651,7 @@ describe('Alerts Service', () => { expect(clusterClient.indices.create).toHaveBeenCalled(); }); - test('should throw error if create concrete index throws resource_already_exists_exception error and write index does not already exists', async () => { + test('should log error and set initialized to false if create concrete index throws resource_already_exists_exception error and write index does not already exists', async () => { const error = new Error(`fail`) as EsError; error.meta = { body: { 
@@ -639,20 +662,14 @@ describe('Alerts Service', () => { }; clusterClient.indices.create.mockRejectedValueOnce(error); clusterClient.indices.get.mockImplementationOnce(async () => ({ - '.alerts-test-000001': { aliases: { '.alerts-test': { is_write_index: false } } }, + '.alerts-test-default-000001': { + aliases: { '.alerts-test-default': { is_write_index: false } }, + }, })); - const alertsService = new AlertsService({ - logger, - elasticsearchClientPromise: Promise.resolve(clusterClient), - pluginStop$, - }); - await alertsService.initialize(); - await expect( - alertsService.initializeRegistrationContext(TestRegistrationContext) - ).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. Attempted to create index: .alerts-test-000001 as the write index for alias: .alerts-test, but the index already exists and is not the write index for the alias"` - ); + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 50)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); @@ -681,7 +698,9 @@ describe('Alerts Service', () => { pluginStop$, }); - await alertsService.initialize(); + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 150)); + expect(alertsService.isInitialized()).toEqual(true); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledTimes(3); }); @@ -696,7 +715,9 @@ describe('Alerts Service', () => { pluginStop$, }); - await alertsService.initialize(); + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 150)); + expect(alertsService.isInitialized()).toEqual(true); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(3); }); 
@@ -711,8 +732,13 @@ describe('Alerts Service', () => { pluginStop$, }); - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 150)); + expect(alertsService.isInitialized()).toEqual(true); + + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 150)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledTimes(3); }); @@ -727,8 +753,13 @@ describe('Alerts Service', () => { pluginStop$, }); - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 150)); + expect(alertsService.isInitialized()).toEqual(true); + + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 150)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(4); }); @@ -743,8 +774,13 @@ describe('Alerts Service', () => { pluginStop$, }); - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 150)); + expect(alertsService.isInitialized()).toEqual(true); + + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 150)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(4); }); 
@@ -759,8 +795,13 @@ describe('Alerts Service', () => { pluginStop$, }); - await alertsService.initialize(); - await alertsService.initializeRegistrationContext(TestRegistrationContext); + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 150)); + expect(alertsService.isInitialized()).toEqual(true); + + alertsService.register(TestRegistrationContext); + await new Promise((r) => setTimeout(r, 150)); + expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); expect(clusterClient.indices.create).toHaveBeenCalledTimes(3); }); }); @@ -777,9 +818,11 @@ describe('Alerts Service', () => { pluginStop$, }); - await expect(alertsService.initialize(10)).rejects.toThrowErrorMatchingInlineSnapshot( - `"Failure during installation. Timeout: it took more than 10ms"` - ); + alertsService.initialize(10); + await new Promise((r) => setTimeout(r, 150)); + expect(alertsService.isInitialized()).toEqual(false); + + expect(logger.error).toHaveBeenCalledWith(new Error(`Timeout: it took more than 10ms`)); }); test('should short circuit initialization if pluginStop$ signal received but not throw error', async () => { @@ -790,7 +833,8 @@ describe('Alerts Service', () => { pluginStop$, }); - await alertsService.initialize(); + alertsService.initialize(); + await new Promise((r) => setTimeout(r, 50)); expect(logger.error).toHaveBeenCalledWith( new Error(`Server is stopping; must stop all async operations`) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 14c1c35fd13486..937e3e2e0de17c 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -41,121 +41,152 @@ interface ConcreteIndexInfo { } interface IAlertsService { /** - * Initializes all the ES resources used by the alerts client - * - ILM policy - * - Component templates - * - Index templates - * - Concrete write index + * Initializes the common ES resources needed for framework alerts as data + * - ILM policy - common policy shared by all AAD indices + * - Component template - common mappings for fields populated and used by the framework * - * Not using data streams because those are meant for append-only data - * and we expect to mutate these documents + * Once common resource initialization is complete, look for any solution-specific + * resources that have been registered and are awaiting initialization. */ - initialize(timeoutMs?: number): Promise; - initializeRegistrationContext(opts: IRuleTypeAlerts, timeoutMs?: number): Promise; + initialize(timeoutMs?: number): void; + + /** + * Register solution specific resources. If common resource initialization is + * complete, go ahead and install those resources, otherwise add to queue to + * await initialization + * + * Solution specific resources include: + * - Component template - solution specific mappings for fields used only by solution rule types + * - Index templates - solution specific template that combines common and solution specific component templates + * - Concrete write index - solution specific write index + */ + register(opts: IRuleTypeAlerts, timeoutMs?: number): void; + isInitialized(): boolean; } export class AlertsService implements IAlertsService { private initialized: boolean; - private registrationContexts: Map = new Map(); + private registeredContexts: Map = new Map(); private initializedContexts: Map = new Map(); + private contextsToInitialize: IRuleTypeAlerts[] = []; constructor(private readonly options: AlertsServiceParams) { this.initialized = false; } - public isInitialized(): boolean { + public isInitialized() { return this.initialized; } - public async 
initialize(timeoutMs?: number) { + public isContextInitialized(context: string) { + return this.initializedContexts.get(context) ?? false; + } + + public initialize(timeoutMs?: number) { // Only initialize once if (this.initialized) return; this.options.logger.debug(`Initializing resources for AlertsService`); - const esClient = await this.options.elasticsearchClientPromise; + // Use setImmediate to execute async fns as soon as possible + setImmediate(async () => { + try { + const esClient = await this.options.elasticsearchClientPromise; - const initFns = [ - () => this.createOrUpdateIlmPolicy(esClient), - () => this.createOrUpdateComponentTemplate(esClient, getComponentTemplate(alertFieldMap)), - ]; + // Common initialization installs ILM policy and shared component template + const initFns = [ + () => this.createOrUpdateIlmPolicy(esClient), + () => this.createOrUpdateComponentTemplate(esClient, getComponentTemplate(alertFieldMap)), + ]; - for (let i = 0; i < initFns.length; ++i) { - await this.installWithTimeout(async () => await initFns[i](), timeoutMs); - } + for (const fn of initFns) { + await this.installWithTimeout(async () => await fn(), timeoutMs); + } - // if any contexts were registered, initialize resources for them - const uninitializedContexts = [...this.initializedContexts.keys()].filter( - (context: string) => this.initializedContexts.get(context) === false - ); - for (let i = 0; i < uninitializedContexts.length; ++i) { - await this.initializeContext({ - registrationContext: uninitializedContexts[i], - fieldMap: this.registrationContexts.get(uninitializedContexts[i])!, - }); - } + this.initialized = true; + } catch (err) { + this.initialized = false; + } + + if (!this.initialized) { + return; + } - this.initialized = true; + // Look for any registered contexts awaiting initialization and install + while (this.contextsToInitialize.length > 0) { + const context = this.contextsToInitialize.pop(); + if (context) { + try { + await 
this.initializeContext(context, timeoutMs); + this.initializedContexts.set(context.context, true); + } catch (err) { + this.initializedContexts.set(context.context, false); + } + } + } + }); } - public async initializeRegistrationContext( - { registrationContext, fieldMap }: IRuleTypeAlerts, - timeoutMs?: number - ) { - // check that this registration context has not been registered before - if (this.registrationContexts.has(registrationContext)) { - const registeredFieldMap = this.registrationContexts.get(registrationContext); + public register({ context, fieldMap }: IRuleTypeAlerts, timeoutMs?: number) { + // check whether this context has been registered before + if (this.registeredContexts.has(context)) { + const registeredFieldMap = this.registeredContexts.get(context); if (!isEqual(fieldMap, registeredFieldMap)) { - throw new Error( - `${registrationContext} has already been registered with a different mapping` - ); + throw new Error(`${context} has already been registered with a different mapping`); } - this.options.logger.info( - `Resources for registration context "${registrationContext}" have already been installed.` - ); + this.options.logger.info(`Resources for context "${context}" have already been registered.`); return; } - this.registrationContexts.set(registrationContext, fieldMap); + this.registeredContexts.set(context, fieldMap); // Don't do anything yet if common resource initialization is not done if (!this.initialized) { - console.log('hi'); - this.initializedContexts.set(registrationContext, false); + this.options.logger.info(`Resources for context "${context}" are awaiting initialization.`); + this.contextsToInitialize.push({ context, fieldMap }); return; } - this.initializeContext({ registrationContext, fieldMap }); + // Common resources are ready so we can initialize this context immediately + // Use setImmediate to execute async fns as soon as possible + setImmediate(async () => { + try { + await this.initializeContext({ context, fieldMap 
}, timeoutMs); + this.initializedContexts.set(context, true); + } catch (err) { + this.initializedContexts.set(context, false); + } + }); } - private async initializeContext({ registrationContext, fieldMap }: IRuleTypeAlerts) { + private async initializeContext({ context, fieldMap }: IRuleTypeAlerts, timeoutMs?: number) { this.options.logger.info( - `Initializing resources for registrationContext ${registrationContext}` + `Initializing resources for context ${context} - ${JSON.stringify(fieldMap)}` ); - console.log(JSON.stringify(fieldMap)); + const esClient = await this.options.elasticsearchClientPromise; - const indexTemplateAndPattern = getIndexTemplateAndPattern(registrationContext); + const indexTemplateAndPattern = getIndexTemplateAndPattern(context); + + // Context specific initialization installs component template, index template and write index const initFns = [ async () => await this.createOrUpdateComponentTemplate( esClient, - getComponentTemplate(fieldMap, registrationContext) + getComponentTemplate(fieldMap, context) ), async () => await this.createOrUpdateIndexTemplate(esClient, indexTemplateAndPattern, [ getComponentTemplateName(), - getComponentTemplateName(registrationContext), + getComponentTemplateName(context), ]), async () => await this.createConcreteWriteIndex(esClient, indexTemplateAndPattern), ]; - for (let i = 0; i < initFns.length; ++i) { - await this.installWithTimeout(async () => await initFns[i]()); + for (const fn of initFns) { + await this.installWithTimeout(async () => await fn(), timeoutMs); } - - this.initializedContexts.set(registrationContext, true); } /** 
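Review bot: Both new `catch (err)` blocks in `initialize()` — the one around the common install and the one around `initializeContext` in the queue loop — discard `err` and only flip a boolean, and the `setImmediate` catch in `register()` does the same; with plugin.ts in this patch dropping its `.catch((err) => this.logger.error(...))`, an initialization failure now leaves no diagnostic unless `installWithTimeout` (outside the hunk) logs it. I'd log at each site, e.g. `this.options.logger.error(`Error initializing common alert resources - ${err.message}`);` before `this.initialized = false;`, and `this.options.logger.error(`Error initializing resources for context "${context.context}" - ${err.message}`);` in the two context catches. Separately, the `info`-level log in `initializeContext` now embeds `JSON.stringify(fieldMap)`, which prints every registered field map at startup; `debug` is the usual level for that payload.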
@@ -361,7 +392,7 @@ export class AlertsService implements IAlertsService { esClient: ElasticsearchClient, indexPatterns: IIndexPatternString ) { - this.options.logger.info(`Creating concrete write index`); + this.options.logger.info(`Creating concrete write index - ${indexPatterns.name}`); // check if a concrete write index already exists let concreteIndices: ConcreteIndexInfo[] = []; @@ -468,7 +499,7 @@ export class AlertsService implements IAlertsService { }; const throwTimeoutException = (): Promise => { - return new Promise((resolve, reject) => { + return new Promise((_, reject) => { timeoutId = setTimeout(() => { const msg = `Timeout: it took more than ${timeoutMs}ms`; reject(new Error(msg)); diff --git a/x-pack/plugins/alerting/server/alerts_service/default_lifecycle_policy.ts b/x-pack/plugins/alerting/server/alerts_service/default_lifecycle_policy.ts index d1195d3c129145..f5d11c6214ee61 100644 --- a/x-pack/plugins/alerting/server/alerts_service/default_lifecycle_policy.ts +++ b/x-pack/plugins/alerting/server/alerts_service/default_lifecycle_policy.ts @@ -10,6 +10,8 @@ * - _meta.managed: notify users this is a managed policy and should be modified * at their own risk * - no delete phase as we want to keep these indices around indefinitely + * + * This should be used by all alerts-as-data indices */ export const ILM_POLICY_NAME = 'alerts-default-ilm-policy'; diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts index cba7a9c13fdad0..514116e152867c 100644 --- a/x-pack/plugins/alerting/server/alerts_service/types.ts +++ b/x-pack/plugins/alerting/server/alerts_service/types.ts 
@@ -10,7 +10,7 @@ import { getComponentTemplateFromFieldMap } from '../../common/alert_schema'; import { FieldMap } from '../../common/alert_schema/field_maps/types'; export const getComponentTemplateName = (context?: string) => - `alerts-${context ? context : 'default'}-component-template`; + `alerts-${context ? context : 'common'}-component-template`; export interface IIndexPatternString { template: string; @@ -19,11 +19,14 @@ export interface IIndexPatternString { name: string; } -export const getIndexTemplateAndPattern = (context?: string): IIndexPatternString => { - const pattern = context ? context : 'default'; +export const getIndexTemplateAndPattern = ( + context: string, + namespace?: string +): IIndexPatternString => { + const pattern = `${context}-${namespace ? namespace : 'default'}`; return { - template: `.alerts-${pattern}-template`, - pattern: `.alerts-${pattern}-*`, + template: `.alerts-${context}-template`, + pattern: `.alerts-${context}-*`, alias: `.alerts-${pattern}`, name: `.alerts-${pattern}-000001`, }; diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts index de72aeb88a9781..4f349de25d3b28 100644 --- a/x-pack/plugins/alerting/server/plugin.ts +++ b/x-pack/plugins/alerting/server/plugin.ts @@ -236,9 +236,7 @@ export class AlertingPlugin { // TODO - should an initialization failure throw an error? // we do retry all resource installation steps but if all the retries fail // do we just disable alerts writing? - this.alertsService!.initialize().catch((err) => { - this.logger.error(`Error initializing alert resources! - ${err.message}`); - }); + this.alertsService!.initialize(); } const ruleTypeRegistry = new RuleTypeRegistry({ diff --git a/x-pack/plugins/alerting/server/rule_type_registry.test.ts b/x-pack/plugins/alerting/server/rule_type_registry.test.ts index 5ca22edaa9e04b..d1dc7ffe45f4db 100644 --- a/x-pack/plugins/alerting/server/rule_type_registry.test.ts 
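Review bot: The `namespace` parameter added to `getIndexTemplateAndPattern` is never supplied in this patch — `initializeContext` in the alerts_service.ts hunk still calls `getIndexTemplateAndPattern(context)`, `register()` destructures only `{ context, fieldMap }`, and the `namespace?: string` added to `IRuleTypeAlerts` in the types.ts hunk is not read anywhere — so every alias and write index collapses to `.alerts-${context}-default` while the template pattern `.alerts-${context}-*` matches all namespaces. Either thread `namespace` through `register` → `initializeContext` → this call or leave it off `IRuleTypeAlerts` until it is used. The `context` string is also interpolated into an index name and a wildcard pattern without validation; since each registering plugin supplies it, a guard rejecting characters Elasticsearch does not accept in index names (and `*`/`?`, which would widen the pattern) fails fast at registration rather than at template install, for example an allowlist check such as `if (!/^[a-z0-9._-]+$/.test(context)) throw new Error(`Invalid alerts context: ${context}`);` (constructed pattern; align it with the ES index-name rules).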
+++ b/x-pack/plugins/alerting/server/rule_type_registry.test.ts @@ -14,6 +14,7 @@ import { licenseStateMock } from './lib/license_state.mock'; import { licensingMock } from '@kbn/licensing-plugin/server/mocks'; import { loggingSystemMock } from '@kbn/core/server/mocks'; import { inMemoryMetricsMock } from './monitoring/in_memory_metrics.mock'; +import { alertsServiceMock } from './alerts_service/alerts_service.mock'; const logger = loggingSystemMock.create().get(); let mockedLicenseState: jest.Mocked; @@ -21,6 +22,7 @@ let ruleTypeRegistryParams: ConstructorOptions; const taskManager = taskManagerMock.createSetup(); const inMemoryMetrics = inMemoryMetricsMock.create(); +const alertsService = alertsServiceMock.create(); beforeEach(() => { jest.resetAllMocks(); 
@@ -451,6 +453,55 @@ describe('Create Lifecycle', () => { }) ).toThrowErrorMatchingInlineSnapshot(`"Rule type \\"test\\" is already registered."`); }); + + test('should initialize alerts as data resources if AlertsService is defined and alert definition is registered', () => { + const registry = new RuleTypeRegistry({ ...ruleTypeRegistryParams, alertsService }); + registry.register({ + id: 'test', + name: 'Test', + actionGroups: [ + { + id: 'default', + name: 'Default', + }, + ], + defaultActionGroupId: 'default', + minimumLicenseRequired: 'basic', + isExportable: true, + executor: jest.fn(), + producer: 'alerts', + alerts: { + context: 'test', + fieldMap: { field: { type: 'keyword', required: false } }, + }, + }); + + expect(alertsService.register).toHaveBeenCalledWith({ + context: 'test', + fieldMap: { field: { type: 'keyword', required: false } }, + }); + }); + + test('should not initialize alerts as data resources if no alert definition is registered', () => { + const registry = new RuleTypeRegistry({ ...ruleTypeRegistryParams, alertsService }); + registry.register({ + id: 'test', + name: 'Test', + actionGroups: [ + { + id: 'default', + name: 'Default', + }, + ], + defaultActionGroupId: 'default', + minimumLicenseRequired: 'basic', + isExportable: true, + executor: jest.fn(), + producer: 'alerts', + }); + + expect(alertsService.register).not.toHaveBeenCalled(); + }); }); describe('get()', () => { diff --git a/x-pack/plugins/alerting/server/rule_type_registry.ts b/x-pack/plugins/alerting/server/rule_type_registry.ts index b92cda9d3f767e..b4be0957f11af5 100644 --- a/x-pack/plugins/alerting/server/rule_type_registry.ts +++ b/x-pack/plugins/alerting/server/rule_type_registry.ts @@ -284,8 +284,7 @@ export class RuleTypeRegistry { }); if (this.alertsService && ruleType.alerts) { - console.log('here'); - this.alertsService.initializeRegistrationContext(ruleType.alerts); + this.alertsService.register(ruleType.alerts); } // No need to notify usage on basic alert types 
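Review bot: `this.alertsService.register(ruleType.alerts)` can throw synchronously — `register()` in the alerts_service.ts hunk raises when a context is re-registered with a different field map — and that exception now propagates out of `RuleTypeRegistry.register`; if the rule type has already been stored in the registry at this point (the preceding lines are outside the hunk), a failed call leaves a registered rule type whose alert resources will never be installed. The new tests in rule_type_registry.test.ts only exercise the mocked happy path and the no-`alerts` path; I'd add a case where `alertsService.register` throws and pin the intended outcome (rule type rolled back, or the error logged and the registration kept).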
diff --git a/x-pack/plugins/alerting/server/types.ts b/x-pack/plugins/alerting/server/types.ts index eb4f8ae6343c4e..eda1bd1d67ba34 100644 --- a/x-pack/plugins/alerting/server/types.ts +++ b/x-pack/plugins/alerting/server/types.ts @@ -154,7 +154,8 @@ export interface SummarizedAlerts { } export type GetSummarizedAlertsFn = (opts: GetSummarizedAlertsFnOpts) => Promise; export interface IRuleTypeAlerts { - registrationContext: string; + context: string; + namespace?: string; fieldMap: FieldMap; } diff --git a/x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts b/x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts index 86be88e82b5f32..4e2350a341dce9 100644 --- a/x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts +++ b/x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts @@ -17,7 +17,7 @@ import { } from '../../../../common/es_fields/apm'; export const alertRegistration: IRuleTypeAlerts = { - registrationContext: 'observability.apm', + context: 'observability.apm', fieldMap: { ...experimentalRuleFieldMap, [SERVICE_NAME]: { diff --git a/x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts b/x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts index 42650987022927..24e9750e50293f 100644 --- a/x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts +++ b/x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts 
@@ -9,11 +9,11 @@ import { IRuleTypeAlerts } from '@kbn/alerting-plugin/server/types'; import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; export const logAlertRegistration: IRuleTypeAlerts = { - registrationContext: 'observability.logs', + context: 'observability.logs', fieldMap: experimentalRuleFieldMap, }; export const metricAlertRegistration: IRuleTypeAlerts = { - registrationContext: 'observability.metrics', + context: 'observability.metrics', fieldMap: experimentalRuleFieldMap, }; diff --git a/x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts b/x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts index 7bbfc00eebe4b0..2097c78e7c20fc 100644 --- a/x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts +++ b/x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts @@ -10,6 +10,6 @@ import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/asset import { RULE_REGISTRATION_CONTEXT } from '../../common/constants'; export const alertRegistration: IRuleTypeAlerts = { - registrationContext: RULE_REGISTRATION_CONTEXT, + context: RULE_REGISTRATION_CONTEXT, fieldMap: experimentalRuleFieldMap, }; diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts index 42539d21d4c227..7f299af2a2db2f 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts 
@@ -10,6 +10,6 @@ import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/asset import { uptimeRuleFieldMap } from '../../../../common/rules/uptime_rule_field_map'; export const alertRegistration: IRuleTypeAlerts = { - registrationContext: 'observability.uptime', + context: 'observability.uptime', fieldMap: { ...uptimeRuleFieldMap, ...experimentalRuleFieldMap }, }; From 4d70369f7f6b2af44ba207982964ac18c5b9168a Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 4 Jan 2023 16:03:08 +0000 Subject: [PATCH 23/42] [CI] Auto-commit changed files from 'node scripts/ts_project_linter --fix' --- x-pack/plugins/alerting/tsconfig.json | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/plugins/alerting/tsconfig.json b/x-pack/plugins/alerting/tsconfig.json index 6892544ea27278..852fbeaf7cfcaa 100644 --- a/x-pack/plugins/alerting/tsconfig.json +++ b/x-pack/plugins/alerting/tsconfig.json @@ -38,6 +38,7 @@ "@kbn/securitysolution-rules", "@kbn/data-views-plugin", "@kbn/share-plugin", + "@kbn/safer-lodash-set", ], "exclude": [ "target/**/*", From 4b42f6928c320c8cf4d4b670f6cebc2a75713e6a Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 4 Jan 2023 11:05:48 -0500 Subject: [PATCH 24/42] Merging in main --- x-pack/plugins/alerting/server/plugin.test.ts | 3 --- 1 file changed, 3 deletions(-) diff --git a/x-pack/plugins/alerting/server/plugin.test.ts b/x-pack/plugins/alerting/server/plugin.test.ts index 9c403b37d44221..fbc6cc383b3d3a 100644 --- a/x-pack/plugins/alerting/server/plugin.test.ts +++ b/x-pack/plugins/alerting/server/plugin.test.ts @@ -26,7 +26,6 @@ import { PluginSetup as DataPluginSetup, } from '@kbn/data-plugin/server'; import { spacesMock } from '@kbn/spaces-plugin/server/mocks'; -<<<<<<< HEAD import { AlertsService } from './alerts_service/alerts_service'; import { alertsServiceMock } from './alerts_service/alerts_service.mock'; 
@@ -34,10 +33,8 @@ const mockAlertService = alertsServiceMock.create(); jest.mock('./alerts_service/alerts_service', () => ({ AlertsService: jest.fn().mockImplementation(() => mockAlertService), })); -======= import { SharePluginStart } from '@kbn/share-plugin/server'; import { dataViewPluginMocks } from '@kbn/data-views-plugin/public/mocks'; ->>>>>>> bc19656c3c1caa4e940e51342ffb3c1e57fe4f33 const generateAlertingConfig = (): AlertingConfig => ({ healthCheck: { From 02e8067ae01ddb1991b83e3d16639e10b3dc75d8 Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 4 Jan 2023 12:03:55 -0500 Subject: [PATCH 25/42] Fixing types --- x-pack/plugins/alerting/common/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index 8a654cc3ce14f8..4b206588668710 100644 --- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts @@ -24,7 +24,7 @@ export * from './parse_duration'; export * from './execution_log_types'; export * from './rule_snooze_type'; -export { AlertSchema, EcsSchema, type Alert, type Ecs } from './alert_schema'; +export { AlertSchema, type Alert } from './alert_schema'; export interface AlertingFrameworkHealth { isSufficientlySecure: boolean; From 52b41c0649e0bcf8bbf8e75f3ef67bf8f8e16f6a Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 4 Jan 2023 13:19:35 -0500 Subject: [PATCH 26/42] Fixing unit test --- .../assets/field_maps/experimental_rule_field_map.test.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts index 4e2d591bf88bd0..3a6dbc4f209827 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts 
@@ -13,10 +13,12 @@ it('matches snapshot', () => { expect(experimentalRuleFieldMap).toMatchInlineSnapshot(` Object { "kibana.alert.evaluation.threshold": Object { + "required": false, "scaling_factor": 100, "type": "scaled_float", }, "kibana.alert.evaluation.value": Object { + "required": false, "scaling_factor": 100, "type": "scaled_float", }, From 9626e0c5f528967c7f8323cb3d215d965012118b Mon Sep 17 00:00:00 2001 From: Ying Date: Wed, 4 Jan 2023 16:46:20 -0500 Subject: [PATCH 27/42] Helper function for resource installation --- .../server/alerts_service/alerts_service.ts | 48 ++---- ...reate_resource_installation_helper.test.ts | 137 ++++++++++++++++++ .../create_resource_installation_helper.ts | 79 ++++++++++ 3 files changed, 228 insertions(+), 36 deletions(-) create mode 100644 x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.test.ts create mode 100644 x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.ts diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 937e3e2e0de17c..79f1f1f43fd514 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -24,6 +24,10 @@ import { } from './types'; import { retryTransientEsErrors } from './retry_transient_es_errors'; import { IRuleTypeAlerts } from '../types'; +import { + createResourceInstallationHelper, + ResourceInstallationHelper, +} from './create_resource_installation_helper'; const TOTAL_FIELDS_LIMIT = 2500; const INSTALLATION_TIMEOUT = 20 * 60 * 1000; // 20 minutes 
@@ -67,12 +71,14 @@ interface IAlertsService { export class AlertsService implements IAlertsService { private initialized: boolean; + private resourceInitializationHelper: ResourceInstallationHelper; private registeredContexts: Map = new Map(); - private initializedContexts: Map = new Map(); - private contextsToInitialize: IRuleTypeAlerts[] = []; constructor(private readonly options: AlertsServiceParams) { this.initialized = false; + this.resourceInitializationHelper = createResourceInstallationHelper( + this.initializeContext.bind(this) + ); } public isInitialized() { @@ -80,7 +86,7 @@ export class AlertsService implements IAlertsService { } public isContextInitialized(context: string) { - return this.initializedContexts.get(context) ?? false; + return this.resourceInitializationHelper.getInitializedContexts().get(context) ?? false; } public initialize(timeoutMs?: number) { @@ -109,21 +115,8 @@ export class AlertsService implements IAlertsService { this.initialized = false; } - if (!this.initialized) { - return; - } - - // Look for any registered contexts awaiting initialization and install - while (this.contextsToInitialize.length > 0) { - const context = this.contextsToInitialize.pop(); - if (context) { - try { - await this.initializeContext(context, timeoutMs); - this.initializedContexts.set(context.context, true); - } catch (err) { - this.initializedContexts.set(context.context, false); - } - } + if (this.initialized) { + this.resourceInitializationHelper.setReadyToInitialize(timeoutMs); } }); } 
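Review bot: When the common install fails, `initialize()` still ends in `catch (err) { this.initialized = false; }` and never calls `setReadyToInitialize`, so every context queued through `resourceInitializationHelper.add` waits indefinitely and `isContextInitialized` reports `false` with nothing distinguishing "still installing" from "never going to install". No retry is scheduled on that branch either, and the `if (this.initialized) return;` guard at the top of `initialize()` is outside this hunk, so I cannot tell whether a second call is expected. A comment on the failure branch stating that queued contexts are abandoned — or a log line there listing them — would make the state observable to operators.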
@@ -140,24 +133,7 @@ export class AlertsService implements IAlertsService { } this.registeredContexts.set(context, fieldMap); - - // Don't do anything yet if common resource initialization is not done - if (!this.initialized) { - this.options.logger.info(`Resources for context "${context}" are awaiting initialization.`); - this.contextsToInitialize.push({ context, fieldMap }); - return; - } - - // Common resources are ready so we can initialize this context immediately - // Use setImmediate to execute async fns as soon as possible - setImmediate(async () => { - try { - await this.initializeContext({ context, fieldMap }, timeoutMs); - this.initializedContexts.set(context, true); - } catch (err) { - this.initializedContexts.set(context, false); - } - }); + this.resourceInitializationHelper.add({ context, fieldMap }, timeoutMs); } private async initializeContext({ context, fieldMap }: IRuleTypeAlerts, timeoutMs?: number) { diff --git a/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.test.ts b/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.test.ts new file mode 100644 index 00000000000000..257592791ca02a --- /dev/null +++ b/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.test.ts 
@@ -0,0 +1,137 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { loggingSystemMock } from '@kbn/core/server/mocks'; +import { IRuleTypeAlerts } from '../types'; +import { createResourceInstallationHelper } from './create_resource_installation_helper'; + +const logger: ReturnType = + loggingSystemMock.createLogger(); + +const initFn = async (context: IRuleTypeAlerts, timeoutMs?: number) => { + logger.info(context.context); +}; + +const initFnWithDelay = async (context: IRuleTypeAlerts, timeoutMs?: number) => { + logger.info(context.context); + await new Promise((r) => setTimeout(r, 50)); +}; + +const initFnWithError = async (context: IRuleTypeAlerts, timeoutMs?: number) => { + throw new Error('fail'); +}; + +describe('createResourceInstallationHelper', () => { + beforeEach(() => { + jest.clearAllMocks(); + }); + + test(`should not call init function if readyToInitialize is false`, () => { + const helper = createResourceInstallationHelper(initFn); + + // Add two contexts that need to be initialized but don't call helper.setReadyToInitialize() + helper.add({ context: 'test1', fieldMap: { field: { type: 'keyword', required: false } } }); + helper.add({ context: 'test2', fieldMap: { field: { type: 'keyword', required: false } } }); + + expect(logger.info).not.toHaveBeenCalled(); + const initializedContexts = helper.getInitializedContexts(); + expect([...initializedContexts.keys()].length).toEqual(0); + }); + + test(`should call init function if readyToInitialize is set to true`, async () => { + const helper = createResourceInstallationHelper(initFn); + + // Add two contexts that need to be initialized and then call helper.setReadyToInitialize() + helper.add({ context: 'test1', fieldMap: { field: { type: 'keyword', required: false } } }); + 
helper.add({ context: 'test2', fieldMap: { field: { type: 'keyword', required: false } } }); + + helper.setReadyToInitialize(); + + // for the setImmediate + await new Promise((r) => setTimeout(r, 10)); + + expect(logger.info).toHaveBeenCalledTimes(2); + const initializedContexts = helper.getInitializedContexts(); + expect([...initializedContexts.keys()].length).toEqual(2); + + expect(initializedContexts.get('test1')).toEqual(true); + expect(initializedContexts.get('test2')).toEqual(true); + }); + + test(`should install resources for contexts added after readyToInitialize is called`, async () => { + const helper = createResourceInstallationHelper(initFnWithDelay); + + // Add two contexts that need to be initialized + helper.add({ context: 'test1', fieldMap: { field: { type: 'keyword', required: false } } }); + helper.add({ context: 'test2', fieldMap: { field: { type: 'keyword', required: false } } }); + + // Start processing the queued contexts; Each initFn will take 50 ms since we're adding an artificial delay + helper.setReadyToInitialize(); + + // for the setImmediate + await new Promise((r) => setTimeout(r, 10)); + + // Add another context to process + helper.add({ context: 'test3', fieldMap: { field: { type: 'keyword', required: false } } }); + + // 3 contexts with delay will take 150 + await new Promise((r) => setTimeout(r, 200)); + + expect(logger.info).toHaveBeenCalledTimes(3); + const initializedContexts = helper.getInitializedContexts(); + expect([...initializedContexts.keys()].length).toEqual(3); + + expect(initializedContexts.get('test1')).toEqual(true); + expect(initializedContexts.get('test2')).toEqual(true); + expect(initializedContexts.get('test3')).toEqual(true); + }); + + test(`should install resources for contexts added after initial processing loop has run`, async () => { + const helper = createResourceInstallationHelper(initFn); + + // No contexts queued so this should finish quickly + helper.setReadyToInitialize(); + + // for the setImmediate 
+ await new Promise((r) => setTimeout(r, 10)); + + expect(logger.info).not.toHaveBeenCalled(); + let initializedContexts = helper.getInitializedContexts(); + expect([...initializedContexts.keys()].length).toEqual(0); + + // Add a context to process + helper.add({ context: 'test1', fieldMap: { field: { type: 'keyword', required: false } } }); + + // for the setImmediate + await new Promise((r) => setTimeout(r, 10)); + + expect(logger.info).toHaveBeenCalledTimes(1); + initializedContexts = helper.getInitializedContexts(); + expect([...initializedContexts.keys()].length).toEqual(1); + + expect(initializedContexts.get('test1')).toEqual(true); + }); + + test(`should gracefully handle errors during initialization and set initialized flag to false`, async () => { + const helper = createResourceInstallationHelper(initFnWithError); + + helper.setReadyToInitialize(); + + // for the setImmediate + await new Promise((r) => setTimeout(r, 10)); + + // Add a context to process + helper.add({ context: 'test1', fieldMap: { field: { type: 'keyword', required: false } } }); + + // for the setImmediate + await new Promise((r) => setTimeout(r, 10)); + + const initializedContexts = helper.getInitializedContexts(); + expect([...initializedContexts.keys()].length).toEqual(1); + expect(initializedContexts.get('test1')).toEqual(false); + }); +}); diff --git a/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.ts b/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.ts new file mode 100644 index 00000000000000..e8bf18f630940f --- /dev/null +++ b/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.ts 
@@ -0,0 +1,79 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { IRuleTypeAlerts } from '../types';
+
+export interface ResourceInstallationHelper {
+ add: (context: IRuleTypeAlerts, timeoutMs?: number) => void;
+ setReadyToInitialize: (timeoutMs?: number) => void;
+ getInitializedContexts: () => Map;
+}
+
+/**
+ * Helper function that queues up resources to initialize until we are
+ * ready to begin initialization. Once we're ready, we start taking from
+ * the queue and kicking off initialization.
+ *
+ * If a resource is added after we begin initialization, we push it onto
+ * the queue and the running loop will handle it
+ *
+ * If a resource is added to the queue when the processing loop is not
+ * running, kick off the processing loop
+ */
+export function createResourceInstallationHelper(
+ initFn: (context: IRuleTypeAlerts, timeoutMs?: number) => Promise
+): ResourceInstallationHelper {
+ let readyToInitialize = false;
+ let isInitializing: boolean = false;
+ const contextsToInitialize: IRuleTypeAlerts[] = [];
+ const initializedContexts: Map = new Map();
+
+ const waitUntilContextResourcesInstalled = async (
+ context: IRuleTypeAlerts,
+ timeoutMs?: number
+ ): Promise => {
+ try {
+ await initFn(context, timeoutMs);
+ return true;
+ } catch (err) {
+ return false;
+ }
+ };
+
+ const startInitialization = (timeoutMs?: number) => {
+ if (!readyToInitialize) {
+ return;
+ }
+
+ setImmediate(async () => {
+ isInitializing = true;
+ while (contextsToInitialize.length > 0) {
+ const context = contextsToInitialize.pop()!;
+ initializedContexts.set(
+ context.context,
+ await waitUntilContextResourcesInstalled(context, timeoutMs)
+ );
+ }
+ isInitializing = false;
+ });
+ };
+ return {
+ add: (context: IRuleTypeAlerts, timeoutMs?: number) => {
+ contextsToInitialize.push(context); + if (!isInitializing) { + startInitialization(timeoutMs); + } + }, + setReadyToInitialize: (timeoutMs?: number) => { + readyToInitialize = true; + startInitialization(timeoutMs); + }, + getInitializedContexts: () => { + return initializedContexts; + }, + }; +} From 77afe725bdf109d223b72fd92a11ca77c264444c Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 5 Jan 2023 07:54:41 -0500 Subject: [PATCH 28/42] Returning promise instead of waiting --- .../alerts_service/alerts_service.test.ts | 84 ++++++++++++++----- .../server/alerts_service/alerts_service.ts | 12 ++- ...reate_resource_installation_helper.test.ts | 18 ++-- .../create_resource_installation_helper.ts | 8 +- 4 files changed, 87 insertions(+), 35 deletions(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index 914b0ef2f6e693..7f1d34c5afc90d 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts @@ -206,8 +206,12 @@ describe('Alerts Service', () => { await new Promise((r) => setTimeout(r, 50)); expect(alertsService.isInitialized()).toEqual(true); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); - expect(alertsService.isContextInitialized(AnotherRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); + expect(await alertsService.isContextInitialized(AnotherRegistrationContext.context)).toEqual( + true + ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); // 1x for common component template, 2x for context specific 
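Review bot: The `timeoutMs` passed to `add()` is dropped whenever a processing loop is already running: only `context` is pushed onto `contextsToInitialize`, and the running loop keeps using the `timeoutMs` it was started with, so a per-context timeout is silently ignored. Queueing `{ context, timeoutMs }` pairs and handing the queued value to `waitUntilContextResourcesInstalled` keeps it. Separately, `isInitializing` is only set inside the `setImmediate` callback, so two `add()` calls in the same tick after `setReadyToInitialize()` each schedule their own loop; setting the flag synchronously in `startInitialization` closes that window. A short comment on the `catch` in `waitUntilContextResourcesInstalled` would also help, since the error is discarded there, e.g. `// initFn is expected to log its own failure; only the outcome is recorded here`.
```typescript
const contextsToInitialize: Array<{ context: IRuleTypeAlerts; timeoutMs?: number }> = [];
// … unchanged: initializedContexts, waitUntilContextResourcesInstalled …
const startInitialization = (timeoutMs?: number) => {
  if (!readyToInitialize) {
    return;
  }
  // Mark the loop as scheduled synchronously so a second add() in the same tick
  // does not schedule a parallel loop before setImmediate fires.
  isInitializing = true;
  setImmediate(async () => {
    while (contextsToInitialize.length > 0) {
      const { context, timeoutMs: contextTimeoutMs } = contextsToInitialize.pop()!;
      initializedContexts.set(
        context.context,
        await waitUntilContextResourcesInstalled(context, contextTimeoutMs ?? timeoutMs)
      );
    }
    isInitializing = false;
  });
};
// … unchanged: returned object, except add() pushes { context, timeoutMs } …
```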
@@ -281,7 +285,9 @@ describe('Alerts Service', () => { test('should correctly install resources for context when common initialization is complete', async () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); @@ -337,7 +343,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); expect(logger.error).toHaveBeenCalledWith( `Failed to simulate index template mappings for .alerts-test-template; not applying mappings - fail` @@ -366,7 +374,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + false + ); expect(logger.error).toHaveBeenCalledWith( new Error( @@ -390,7 +400,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + false + ); expect(logger.error).toHaveBeenCalledWith( `Error installing index template .alerts-test-template - fail` 
@@ -412,7 +424,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + false + ); expect(logger.error).toHaveBeenCalledWith( `Error fetching concrete indices for .alerts-test-* pattern - fail` @@ -435,7 +449,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); @@ -452,7 +468,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + false + ); expect(logger.error).toHaveBeenCalledWith( `Failed to PUT index.mapping.total_fields.limit settings for alias alias_1: fail` @@ -474,7 +492,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); expect(logger.error).toHaveBeenCalledWith( `Ignored PUT mappings for alias alias_1; error generating simulated mappings: fail` 
@@ -496,7 +516,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + false + ); expect(logger.error).toHaveBeenCalledWith(`Failed to PUT mapping for alias alias_1: fail`); @@ -516,7 +538,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); @@ -547,7 +571,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + false + ); expect(logger.error).toHaveBeenCalledWith( new Error( @@ -584,7 +610,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(2); 
@@ -602,7 +630,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + false + ); expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); @@ -635,7 +665,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); @@ -669,7 +701,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 50)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(false); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + false + ); expect(logger.error).toHaveBeenCalledWith(`Error creating concrete write index - fail`); @@ -738,7 +772,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 150)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledTimes(3); }); 
@@ -759,7 +795,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 150)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(4); }); @@ -780,7 +818,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 150)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(4); }); @@ -801,7 +841,9 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); await new Promise((r) => setTimeout(r, 150)); - expect(alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual(true); + expect(await alertsService.isContextInitialized(TestRegistrationContext.context)).toEqual( + true + ); expect(clusterClient.indices.create).toHaveBeenCalledTimes(3); }); }); diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 79f1f1f43fd514..1e927a3cd5909f 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -85,8 +85,8 @@ export class AlertsService implements IAlertsService { return this.initialized; } - public isContextInitialized(context: string) { - return this.resourceInitializationHelper.getInitializedContexts().get(context) ?? false; + public async isContextInitialized(context: string) { + return (await this.resourceInitializationHelper.getInitializedContexts().get(context)) ?? false; } public initialize(timeoutMs?: number) { @@ -180,6 +180,8 @@ export class AlertsService implements IAlertsService { }), { logger: this.options.logger } ); + // await new Promise((r) => setTimeout(r, 15000)); + this.options.logger.info(`DONE Installing ILM policy ${ILM_POLICY_NAME}`); } catch (err) { this.options.logger.error(`Error installing ILM policy ${ILM_POLICY_NAME} - ${err.message}`); throw err; @@ -196,6 +198,8 @@ export class AlertsService implements IAlertsService { await retryTransientEsErrors(() => esClient.cluster.putComponentTemplate(template), { logger: this.options.logger, }); + // await new Promise((r) => setTimeout(r, 15000)); + this.options.logger.info(`DONE Installing component template ${template.name}`); } catch (err) { this.options.logger.error( `Error installing component template ${template.name} - ${err.message}` @@ -265,6 +269,8 @@ export class AlertsService implements IAlertsService { await retryTransientEsErrors(() => esClient.indices.putIndexTemplate(indexTemplate), { logger: this.options.logger, }); + // await new Promise((r) => setTimeout(r, 15000)); + this.options.logger.info(`DONE Installing index template ${indexPatterns.template}`); } catch (err) { this.options.logger.error( `Error installing index template ${indexPatterns.template} - ${err.message}` 
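Review bot: `isContextInitialized` changes from a synchronous boolean to a Promise, which breaks any caller that uses the result directly — a pending Promise is truthy, so `if (alertsService.isContextInitialized(ctx))` would now always take the true branch. This patch only touches the two test files and the helper, so if `IAlertsService` (which this class implements) or any other consumer declares the old signature it needs updating as well; that is not visible from the hunk. The method should also carry an explicit return type so the new contract is visible at the declaration: `public async isContextInitialized(context: string): Promise<boolean> {`.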
@@ -438,6 +444,8 @@ export class AlertsService implements IAlertsService { logger: this.options.logger, } ); + // await new Promise((r) => setTimeout(r, 15000)); + this.options.logger.info(`DONE Creating concrete write index - ${indexPatterns.name}`); } catch (error) { this.options.logger.error(`Error creating concrete write index - ${error.message}`); // If the index already exists and it's the write index for the alias, diff --git a/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.test.ts b/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.test.ts index 257592791ca02a..f9ce460d040931 100644 --- a/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.test.ts @@ -58,8 +58,8 @@ describe('createResourceInstallationHelper', () => { const initializedContexts = helper.getInitializedContexts(); expect([...initializedContexts.keys()].length).toEqual(2); - expect(initializedContexts.get('test1')).toEqual(true); - expect(initializedContexts.get('test2')).toEqual(true); + expect(await initializedContexts.get('test1')).toEqual(true); + expect(await initializedContexts.get('test2')).toEqual(true); }); test(`should install resources for contexts added after readyToInitialize is called`, async () => { @@ -69,7 +69,7 @@ describe('createResourceInstallationHelper', () => { helper.add({ context: 'test1', fieldMap: { field: { type: 'keyword', required: false } } }); helper.add({ context: 'test2', fieldMap: { field: { type: 'keyword', required: false } } }); - // Start processing the queued contexts; Each initFn will take 50 ms since we're adding an artificial delay + // Start processing the queued contexts helper.setReadyToInitialize(); // for the setImmediate 
@@ -79,15 +79,15 @@ describe('createResourceInstallationHelper', () => { helper.add({ context: 'test3', fieldMap: { field: { type: 'keyword', required: false } } }); // 3 contexts with delay will take 150 - await new Promise((r) => setTimeout(r, 200)); + await new Promise((r) => setTimeout(r, 10)); expect(logger.info).toHaveBeenCalledTimes(3); const initializedContexts = helper.getInitializedContexts(); expect([...initializedContexts.keys()].length).toEqual(3); - expect(initializedContexts.get('test1')).toEqual(true); - expect(initializedContexts.get('test2')).toEqual(true); - expect(initializedContexts.get('test3')).toEqual(true); + expect(await initializedContexts.get('test1')).toEqual(true); + expect(await initializedContexts.get('test2')).toEqual(true); + expect(await initializedContexts.get('test3')).toEqual(true); }); test(`should install resources for contexts added after initial processing loop has run`, async () => { @@ -113,7 +113,7 @@ describe('createResourceInstallationHelper', () => { initializedContexts = helper.getInitializedContexts(); expect([...initializedContexts.keys()].length).toEqual(1); - expect(initializedContexts.get('test1')).toEqual(true); + expect(await initializedContexts.get('test1')).toEqual(true); }); test(`should gracefully handle errors during initialization and set initialized flag to false`, async () => { @@ -132,6 +132,6 @@ describe('createResourceInstallationHelper', () => { const initializedContexts = helper.getInitializedContexts(); expect([...initializedContexts.keys()].length).toEqual(1); - expect(initializedContexts.get('test1')).toEqual(false); + expect(await initializedContexts.get('test1')).toEqual(false); }); }); diff --git a/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.ts b/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.ts index e8bf18f630940f..0e3cbe0f87a9a1 100644 
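Review bot: The comment `// 3 contexts with delay will take 150` directly above the changed wait is now stale: the wait drops from 200 ms to 10 ms because the helper no longer awaits each `initFn`, so the timing the comment describes no longer applies. Replace it with something like `// the loop now stores promises instead of awaiting them, so a short wait is enough for the queue to drain`. The previous hunk already removed the matching "50 ms" remark, so this appears to be the only stale reference left in the file.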
--- a/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.ts +++ b/x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.ts @@ -10,7 +10,7 @@ import { IRuleTypeAlerts } from '../types'; export interface ResourceInstallationHelper { add: (context: IRuleTypeAlerts, timeoutMs?: number) => void; setReadyToInitialize: (timeoutMs?: number) => void; - getInitializedContexts: () => Map; + getInitializedContexts: () => Map>; } /** @@ -30,7 +30,7 @@ export function createResourceInstallationHelper( let readyToInitialize = false; let isInitializing: boolean = false; const contextsToInitialize: IRuleTypeAlerts[] = []; - const initializedContexts: Map = new Map(); + const initializedContexts: Map> = new Map(); const waitUntilContextResourcesInstalled = async ( context: IRuleTypeAlerts, @@ -55,7 +55,9 @@ export function createResourceInstallationHelper( const context = contextsToInitialize.pop()!; initializedContexts.set( context.context, - await waitUntilContextResourcesInstalled(context, timeoutMs) + + // Return a promise than can be checked when needed + waitUntilContextResourcesInstalled(context, timeoutMs) ); } isInitializing = false; From 88af3a3aacb1ae91e8c75f4dc4623d9a9dc92dce Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 5 Jan 2023 10:33:22 -0500 Subject: [PATCH 29/42] Adding functional test --- .../server/alerts_service/alerts_service.ts | 4 - .../alerting_api_integration/common/config.ts | 1 + .../plugins/alerts/server/alert_types.ts | 21 +++ .../tests/alerting/alerts_as_data.ts | 168 ++++++++++++++++++ .../spaces_only/tests/alerting/index.ts | 1 + 5 files changed, 191 insertions(+), 4 deletions(-) create mode 100644 x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 1e927a3cd5909f..487f7375948591 100644 
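Review bot: Dropping the `await` means the `while` loop now drains the queue synchronously and starts every `waitUntilContextResourcesInstalled` call at once, and `isInitializing` is reset to false before any of them has finished, so contexts are no longer initialized one at a time as the original loop did. That is only safe if `initFn` can run for several contexts concurrently, which I cannot tell from the hunk; the doc comment on `createResourceInstallationHelper` (outside this hunk) should state that initializations run in parallel and that `getInitializedContexts()` now returns pending promises rather than settled booleans. The added comment also has a typo: `// Return a promise than can be checked when needed` should read `// Store a promise that can be awaited when the result is needed`.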
--- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -180,7 +180,6 @@ export class AlertsService implements IAlertsService { }), { logger: this.options.logger } ); - // await new Promise((r) => setTimeout(r, 15000)); this.options.logger.info(`DONE Installing ILM policy ${ILM_POLICY_NAME}`); } catch (err) { this.options.logger.error(`Error installing ILM policy ${ILM_POLICY_NAME} - ${err.message}`); @@ -198,7 +197,6 @@ export class AlertsService implements IAlertsService { await retryTransientEsErrors(() => esClient.cluster.putComponentTemplate(template), { logger: this.options.logger, }); - // await new Promise((r) => setTimeout(r, 15000)); this.options.logger.info(`DONE Installing component template ${template.name}`); } catch (err) { this.options.logger.error( @@ -269,7 +267,6 @@ export class AlertsService implements IAlertsService { await retryTransientEsErrors(() => esClient.indices.putIndexTemplate(indexTemplate), { logger: this.options.logger, }); - // await new Promise((r) => setTimeout(r, 15000)); this.options.logger.info(`DONE Installing index template ${indexPatterns.template}`); } catch (err) { this.options.logger.error( @@ -444,7 +441,6 @@ export class AlertsService implements IAlertsService { logger: this.options.logger, } ); - // await new Promise((r) => setTimeout(r, 15000)); this.options.logger.info(`DONE Creating concrete write index - ${indexPatterns.name}`); } catch (error) { this.options.logger.error(`Error creating concrete write index - ${error.message}`); diff --git a/x-pack/test/alerting_api_integration/common/config.ts b/x-pack/test/alerting_api_integration/common/config.ts index 81784f9fa9e5b6..4095a9626488d4 100644 --- a/x-pack/test/alerting_api_integration/common/config.ts +++ b/x-pack/test/alerting_api_integration/common/config.ts 
@@ -184,6 +184,7 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions) `--xpack.alerting.rules.run.actions.connectorTypeOverrides=${JSON.stringify([ { id: 'test.capped', max: '1' }, ])}`, + `--xpack.alerting.enableFrameworkAlerts=true`, `--xpack.actions.enabledActionTypes=${JSON.stringify(enabledActionTypes)}`, `--xpack.actions.rejectUnauthorized=${rejectUnauthorized}`, `--xpack.actions.microsoftGraphApiUrl=${servers.kibana.protocol}://${servers.kibana.hostname}:${servers.kibana.port}/api/_actions-FTS-external-service-simulators/exchange/users/test@/sendMail`, diff --git a/x-pack/test/alerting_api_integration/common/fixtures/plugins/alerts/server/alert_types.ts b/x-pack/test/alerting_api_integration/common/fixtures/plugins/alerts/server/alert_types.ts index 93d2b200c3fde4..538d0a529f4cc3 100644 --- a/x-pack/test/alerting_api_integration/common/fixtures/plugins/alerts/server/alert_types.ts +++ b/x-pack/test/alerting_api_integration/common/fixtures/plugins/alerts/server/alert_types.ts @@ -92,6 +92,27 @@ function getAlwaysFiringAlertType() { context: [{ name: 'instanceContextValue', description: 'the instance context value' }], }, executor: curry(alwaysFiringExecutor)(), + alerts: { + context: 'test.always-firing', + fieldMap: { + instance_state_value: { + required: false, + type: 'boolean', + }, + instance_params_value: { + required: false, + type: 'boolean', + }, + instance_context_value: { + required: false, + type: 'boolean', + }, + group_in_series_index: { + required: false, + type: 'long', + }, + }, + }, }; return result; } diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts new file mode 100644 index 00000000000000..b7e3b40da283cf --- /dev/null +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts 
@@ -0,0 +1,168 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { alertFieldMap } from '@kbn/alerting-plugin/common/alert_schema';
+import { mappingFromFieldMap } from '@kbn/alerting-plugin/common/alert_schema/field_maps/mapping_from_field_map';
+import expect from '@kbn/expect';
+import { FtrProviderContext } from '../../../common/ftr_provider_context';
+
+// eslint-disable-next-line import/no-default-export
+export default function createAlertsAsDataTest({ getService }: FtrProviderContext) {
+ const es = getService('es');
+ const commonFrameworkMappings = mappingFromFieldMap(alertFieldMap, 'strict');
+
+ describe('alerts as data', () => {
+ it('should install common alerts as data resources on startup', async () => {
+ const ilmPolicyName = 'alerts-default-ilm-policy';
+ const componentTemplateName = 'alerts-common-component-template';
+
+ const commonIlmPolicy = await es.ilm.getLifecycle({
+ name: ilmPolicyName,
+ });
+
+ expect(commonIlmPolicy[ilmPolicyName].policy).to.eql({
+ _meta: {
+ managed: true,
+ },
+ phases: {
+ hot: {
+ min_age: '0ms',
+ actions: {
+ rollover: {
+ max_age: '30d',
+ max_primary_shard_size: '50gb',
+ },
+ },
+ },
+ },
+ });
+
+ const { component_templates: componentTemplates } = await es.cluster.getComponentTemplate({
+ name: componentTemplateName,
+ });
+
+ expect(componentTemplates.length).to.eql(1);
+ const commonComponentTemplate = componentTemplates[0];
+
+ expect(commonComponentTemplate.name).to.eql(componentTemplateName);
+ expect(commonComponentTemplate.component_template.template.mappings).to.eql(
+ commonFrameworkMappings
+ );
+ expect(commonComponentTemplate.component_template.template.settings).to.eql({
+ index: {
+ number_of_shards: 1,
+ mapping: {
+ total_fields: {
+ limit: 100,
+ },
+ },
+ },
+ });
+
});
+
+ it('should install context specific alerts as data resources on startup', async () => {
+ const componentTemplateName = 'alerts-test.always-firing-component-template';
+ const indexTemplateName = '.alerts-test.always-firing-template';
+ const indexName = '.alerts-test.always-firing-default-000001';
+ const contextSpecificMappings = {
+ instance_params_value: {
+ type: 'boolean',
+ },
+ instance_state_value: {
+ type: 'boolean',
+ },
+ instance_context_value: {
+ type: 'boolean',
+ },
+ group_in_series_index: {
+ type: 'long',
+ },
+ };
+
+ const { component_templates: componentTemplates } = await es.cluster.getComponentTemplate({
+ name: componentTemplateName,
+ });
+ expect(componentTemplates.length).to.eql(1);
+ const contextComponentTemplate = componentTemplates[0];
+ expect(contextComponentTemplate.name).to.eql(componentTemplateName);
+ expect(contextComponentTemplate.component_template.template.mappings).to.eql({
+ dynamic: 'strict',
+ properties: contextSpecificMappings,
+ });
+ expect(contextComponentTemplate.component_template.template.settings).to.eql({
+ index: {
+ number_of_shards: 1,
+ mapping: {
+ total_fields: {
+ limit: 100,
+ },
+ },
+ },
+ });
+
+ const { index_templates: indexTemplates } = await es.indices.getIndexTemplate({
+ name: indexTemplateName,
+ });
+ expect(indexTemplates.length).to.eql(1);
+ const contextIndexTemplate = indexTemplates[0];
+ expect(contextIndexTemplate.name).to.eql(indexTemplateName);
+ expect(contextIndexTemplate.index_template.index_patterns).to.eql([
+ '.alerts-test.always-firing-*',
+ ]);
+ expect(contextIndexTemplate.index_template.composed_of).to.eql([
+ 'alerts-common-component-template',
+ 'alerts-test.always-firing-component-template',
+ ]);
+ expect(contextIndexTemplate.index_template.template!.mappings).to.eql({
+ dynamic: false,
+ });
+ expect(contextIndexTemplate.index_template.template!.settings).to.eql({
+ index: {
+ lifecycle: {
+ name: 'alerts-default-ilm-policy',
+ rollover_alias:
'.alerts-test.always-firing-default', + }, + mapping: { + total_fields: { + limit: '2500', + }, + }, + hidden: 'true', + auto_expand_replicas: '0-1', + }, + }); + + const contextIndex = await es.indices.get({ + index: indexName, + }); + + expect(contextIndex[indexName].aliases).to.eql({ + '.alerts-test.always-firing-default': { + is_write_index: true, + }, + }); + + expect(contextIndex[indexName].settings?.index?.lifecycle).to.eql({ + name: 'alerts-default-ilm-policy', + rollover_alias: '.alerts-test.always-firing-default', + }); + + expect(contextIndex[indexName].settings?.index?.mapping).to.eql({ + total_fields: { + limit: '2500', + }, + }); + + expect(contextIndex[indexName].settings?.index?.hidden).to.eql('true'); + expect(contextIndex[indexName].settings?.index?.number_of_shards).to.eql(1); + expect(contextIndex[indexName].settings?.index?.auto_expand_replicas).to.eql('0-1'); + expect(contextIndex[indexName].settings?.index?.provided_name).to.eql( + '.alerts-test.always-firing-default-000001' + ); + }); + }); +} diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/index.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/index.ts index c887a10aa14aa8..e11cc2e4422a72 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/index.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/index.ts @@ -52,6 +52,7 @@ export default function alertingTests({ loadTestFile, getService }: FtrProviderC loadTestFile(require.resolve('./run_soon')); loadTestFile(require.resolve('./flapping_history')); loadTestFile(require.resolve('./check_registered_rule_types')); + loadTestFile(require.resolve('./alerts_as_data')); // Do not place test files here, due to https://github.com/elastic/kibana/issues/123059 // note that this test will destroy existing spaces From d9596a715d42016a46cd373f5a8dda6f43f9ba59 Mon Sep 17 00:00:00 2001 
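Review bot: Both `it` blocks read the ILM policy, component/index templates and the concrete index immediately, but those resources are installed asynchronously at plugin start (the `setImmediate` loop in `create_resource_installation_helper.ts`), so nothing here guarantees they exist when the first test runs; if installation is still in flight the `es.ilm.getLifecycle` / `getComponentTemplate` / `getIndexTemplate` / `indices.get` calls fail with a 404 and the suite fails spuriously. If the FTR `retry` service is available to this suite, wrapping each lookup in `await retry.try(async () => { ... })` (with `const retry = getService('retry');`) would make the checks deterministic. The `contextIndexTemplate.index_template.template!.mappings` and `.settings` non-null assertions would also be better replaced by an explicit check that `template` is defined, so a missing template produces a clear assertion failure rather than a TypeError.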
From: Ying Date: Thu, 5 Jan 2023 11:13:10 -0500 Subject: [PATCH 30/42] Space aware index template --- .../alerts_service/alerts_service.test.ts | 22 ++++++++++--------- .../alerting/server/alerts_service/types.ts | 4 ++-- .../tests/alerting/alerts_as_data.ts | 6 ++--- 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index 7f1d34c5afc90d..2b521234a1cebd 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts @@ -76,9 +76,9 @@ const IlmPutBody = { }; const getIndexTemplatePutBody = (context?: string) => ({ - name: `.alerts-${context ? context : 'test'}-template`, + name: `.alerts-${context ? context : 'test'}-default-template`, body: { - index_patterns: [`.alerts-${context ? context : 'test'}-*`], + index_patterns: [`.alerts-${context ? context : 'test'}-default-*`], composed_of: [ 'alerts-common-component-template', `alerts-${context ? context : 'test'}-component-template`, @@ -236,10 +236,10 @@ describe('Alerts Service', () => { expect(clusterClient.indices.getAlias).toHaveBeenCalledTimes(2); expect(clusterClient.indices.getAlias).toHaveBeenNthCalledWith(1, { - index: '.alerts-another-*', + index: '.alerts-another-default-*', }); expect(clusterClient.indices.getAlias).toHaveBeenNthCalledWith(2, { - index: '.alerts-test-*', + index: '.alerts-test-default-*', }); expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(4); expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalledTimes(4); 
@@ -300,7 +300,9 @@ describe('Alerts Service', () => { expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith( getIndexTemplatePutBody() ); - expect(clusterClient.indices.getAlias).toHaveBeenCalledWith({ index: '.alerts-test-*' }); + expect(clusterClient.indices.getAlias).toHaveBeenCalledWith({ + index: '.alerts-test-default-*', + }); expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(2); expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalledTimes(2); expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(2); @@ -348,7 +350,7 @@ describe('Alerts Service', () => { ); expect(logger.error).toHaveBeenCalledWith( - `Failed to simulate index template mappings for .alerts-test-template; not applying mappings - fail` + `Failed to simulate index template mappings for .alerts-test-default-template; not applying mappings - fail` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); @@ -380,7 +382,7 @@ describe('Alerts Service', () => { expect(logger.error).toHaveBeenCalledWith( new Error( - `No mappings would be generated for .alerts-test-template, possibly due to failed/misconfigured bootstrapping` + `No mappings would be generated for .alerts-test-default-template, possibly due to failed/misconfigured bootstrapping` ) ); @@ -405,7 +407,7 @@ describe('Alerts Service', () => { ); expect(logger.error).toHaveBeenCalledWith( - `Error installing index template .alerts-test-template - fail` + `Error installing index template .alerts-test-default-template - fail` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); @@ -429,7 +431,7 @@ describe('Alerts Service', () => { ); expect(logger.error).toHaveBeenCalledWith( - `Error fetching concrete indices for .alerts-test-* pattern - fail` + `Error fetching concrete indices for .alerts-test-default-* pattern - fail` ); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalled(); 
@@ -577,7 +579,7 @@ describe('Alerts Service', () => { expect(logger.error).toHaveBeenCalledWith( new Error( - `Indices matching pattern .alerts-test-* exist but none are set as the write index for alias .alerts-test-default` + `Indices matching pattern .alerts-test-default-* exist but none are set as the write index for alias .alerts-test-default` ) ); diff --git a/x-pack/plugins/alerting/server/alerts_service/types.ts b/x-pack/plugins/alerting/server/alerts_service/types.ts index 514116e152867c..db47a9a8e00150 100644 --- a/x-pack/plugins/alerting/server/alerts_service/types.ts +++ b/x-pack/plugins/alerting/server/alerts_service/types.ts @@ -25,8 +25,8 @@ export const getIndexTemplateAndPattern = ( ): IIndexPatternString => { const pattern = `${context}-${namespace ? namespace : 'default'}`; return { - template: `.alerts-${context}-template`, - pattern: `.alerts-${context}-*`, + template: `.alerts-${pattern}-template`, + pattern: `.alerts-${pattern}-*`, alias: `.alerts-${pattern}`, name: `.alerts-${pattern}-000001`, }; diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts index b7e3b40da283cf..d0c2c43e6bacc9 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts @@ -66,7 +66,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex it('should install context specific alerts as data resources on startup', async () => { const componentTemplateName = 'alerts-test.always-firing-component-template'; - const indexTemplateName = '.alerts-test.always-firing-template'; + const indexTemplateName = '.alerts-test.always-firing-default-template'; const indexName = '.alerts-test.always-firing-default-000001'; const contextSpecificMappings = { instance_params_value: { 
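Review bot: `pattern` joins `context` and `namespace` with a bare `-`, and now that `pattern: `.alerts-${pattern}-*`` embeds it, the wildcard for namespace `default` also matches indices of any namespace named `default-…`, and a `-` inside `context` can make two different context/namespace pairs yield the same template, pattern and alias. If concrete indices are looked up through this wildcard (the test message `Indices matching pattern .alerts-test-default-* exist but none are set as the write index` in the hunk above suggests they are), one namespace's bootstrap could pick up another's indices. Worth recording the assumption above the return, e.g. `// context and namespace are joined with '-'; the derived '*' pattern assumes neither contains a '-' that makes the prefix ambiguous`, or validating the two inputs before building the names. Minor: `namespace ? namespace : 'default'` also maps an empty string to `default`; if only null/undefined should default, `namespace ?? 'default'` says that more precisely. The `getIndexTemplateAndPattern` signature starts outside the hunk.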
@@ -111,11 +111,11 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex const contextIndexTemplate = indexTemplates[0]; expect(contextIndexTemplate.name).to.eql(indexTemplateName); expect(contextIndexTemplate.index_template.index_patterns).to.eql([ - '.alerts-test.always-firing-*', + '.alerts-test.always-firing-default-*', ]); expect(contextIndexTemplate.index_template.composed_of).to.eql([ 'alerts-common-component-template', - 'alerts-test.always-firing-component-template', + 'alerts-test.always-firing-component-default-template', ]); expect(contextIndexTemplate.index_template.template!.mappings).to.eql({ dynamic: false, From 05c69e7e3d3dac084006b247869961d8ba0eb7be Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 5 Jan 2023 13:55:51 -0500 Subject: [PATCH 31/42] Fixing test and updating log messages --- .../alerts_service/alerts_service.test.ts | 2 +- .../server/alerts_service/alerts_service.ts | 21 ++++++++----------- .../tests/alerting/alerts_as_data.ts | 2 +- 3 files changed, 11 insertions(+), 14 deletions(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index 2b521234a1cebd..a62310d2c01eb5 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts @@ -322,7 +322,7 @@ describe('Alerts Service', () => { alertsService.register(TestRegistrationContext); alertsService.register(TestRegistrationContext); - expect(logger.info).toHaveBeenCalledWith( + expect(logger.debug).toHaveBeenCalledWith( `Resources for context "test" have already been registered.` ); }); diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 487f7375948591..a0544e480c4a39 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
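Review bot: The new `composed_of` expectation `'alerts-test.always-firing-component-default-template'` disagrees with the `componentTemplateName` constant declared earlier in the same test (`'alerts-test.always-firing-component-template'` in the `@@ -66,7 +66,7 @@` hunk, which this patch leaves unchanged), so the two assertions cannot both hold against a single installed component template. Rather than a second literal, reference the constant, `componentTemplateName,`, so the expected name cannot drift between the two assertions. The enclosing `it(...)` callback starts outside the hunk.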
+++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -128,19 +128,16 @@ export class AlertsService implements IAlertsService { if (!isEqual(fieldMap, registeredFieldMap)) { throw new Error(`${context} has already been registered with a different mapping`); } - this.options.logger.info(`Resources for context "${context}" have already been registered.`); + this.options.logger.debug(`Resources for context "${context}" have already been registered.`); return; } + this.options.logger.info(`Registering resources for context "${context}".`); this.registeredContexts.set(context, fieldMap); this.resourceInitializationHelper.add({ context, fieldMap }, timeoutMs); } private async initializeContext({ context, fieldMap }: IRuleTypeAlerts, timeoutMs?: number) { - this.options.logger.info( - `Initializing resources for context ${context} - ${JSON.stringify(fieldMap)}` - ); - const esClient = await this.options.elasticsearchClientPromise; const indexTemplateAndPattern = getIndexTemplateAndPattern(context); @@ -180,7 +177,6 @@ export class AlertsService implements IAlertsService { }), { logger: this.options.logger } ); - this.options.logger.info(`DONE Installing ILM policy ${ILM_POLICY_NAME}`); } catch (err) { this.options.logger.error(`Error installing ILM policy ${ILM_POLICY_NAME} - ${err.message}`); throw err; @@ -197,7 +193,6 @@ export class AlertsService implements IAlertsService { await retryTransientEsErrors(() => esClient.cluster.putComponentTemplate(template), { logger: this.options.logger, }); - this.options.logger.info(`DONE Installing component template ${template.name}`); } catch (err) { this.options.logger.error( `Error installing component template ${template.name} - ${err.message}` 
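Review bot: `initializeContext` still calls `getIndexTemplateAndPattern(context)` with no namespace argument, so after the previous patch made the template and pattern namespace-qualified every context is installed under the `default` namespace regardless of space. If that is the intended interim state, say so at the call, e.g. `// TODO: pass the space-specific namespace once per-space resources are installed`; otherwise the namespace needs to flow in through `IRuleTypeAlerts` or a parameter. Both `register` and `initializeContext` extend beyond the hunk.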
@@ -267,7 +262,6 @@ export class AlertsService implements IAlertsService { await retryTransientEsErrors(() => esClient.indices.putIndexTemplate(indexTemplate), { logger: this.options.logger, }); - this.options.logger.info(`DONE Installing index template ${indexPatterns.template}`); } catch (err) { this.options.logger.error( `Error installing index template ${indexPatterns.template} - ${err.message}` @@ -283,7 +277,9 @@ export class AlertsService implements IAlertsService { esClient: ElasticsearchClient, concreteIndices: ConcreteIndexInfo[] ) { - this.options.logger.info(`Updating underlying mappings for ${concreteIndices.length} indices.`); + this.options.logger.debug( + `Updating underlying mappings for ${concreteIndices.length} indices.` + ); // Update total field limit setting of found indices // Other index setting changes are not updated at this time @@ -388,8 +384,10 @@ export class AlertsService implements IAlertsService { })) ); - this.options.logger.info( - `Found ${concreteIndices.length} concrete indices - ${JSON.stringify(concreteIndices)}` + this.options.logger.debug( + `Found ${concreteIndices.length} concrete indices for ${ + indexPatterns.name + } - ${JSON.stringify(concreteIndices)}` ); } catch (error) { // 404 is expected if no concrete write indices have been created @@ -441,7 +439,6 @@ export class AlertsService implements IAlertsService { logger: this.options.logger, } ); - this.options.logger.info(`DONE Creating concrete write index - ${indexPatterns.name}`); } catch (error) { this.options.logger.error(`Error creating concrete write index - ${error.message}`); // If the index already exists and it's the write index for the alias, diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts index d0c2c43e6bacc9..9173546024e672 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts 
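Review bot: In the `@@ -388,8 +384,10 @@` hunk the new debug message labels the result with `indexPatterns.name`, which per `getIndexTemplateAndPattern` is the initial concrete index name (`.alerts-${pattern}-000001`), while the indices appear to be fetched by the wildcard (the test in this series expects `Error fetching concrete indices for .alerts-test-default-* pattern`), so the log reads as if a single index had been queried. Use the value that was actually searched, e.g. ``Found ${concreteIndices.length} concrete indices for ${indexPatterns.pattern} - ${JSON.stringify(concreteIndices)}``. The enclosing method starts and ends outside the hunk; the `@@ -267` and `@@ -283` hunks sharing this line only remove or demote log statements.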
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts @@ -65,7 +65,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex }); it('should install context specific alerts as data resources on startup', async () => { - const componentTemplateName = 'alerts-test.always-firing-component-template'; + const componentTemplateName = 'alerts-test.always-firing-default-component-template'; const indexTemplateName = '.alerts-test.always-firing-default-template'; const indexName = '.alerts-test.always-firing-default-000001'; const contextSpecificMappings = { From 3a81c84b2d34faa2ab2fdabe8ac0be4c8b773fbd Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 5 Jan 2023 14:11:25 -0500 Subject: [PATCH 32/42] Removing schema generation as not currently needed --- .buildkite/scripts/steps/checks.sh | 1 - .../scripts/steps/checks/alerts_as_data.sh | 11 - .../alerting/common/alert_schema/index.ts | 2 - .../alert_schema/schemas/alert_schema.ts | 129 -------- .../scripts/create_schema_from_mapping.ts | 312 ------------------ .../scripts/generate_ecs_fieldmap.js | 107 ------ .../alert_schema/scripts/generate_schemas.sh | 10 - .../alert_schema/scripts/lib/line_writer.ts | 47 --- x-pack/plugins/alerting/common/index.ts | 2 - 9 files changed, 621 deletions(-) delete mode 100755 .buildkite/scripts/steps/checks/alerts_as_data.sh delete mode 100644 x-pack/plugins/alerting/common/alert_schema/schemas/alert_schema.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts delete mode 100644 x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js delete mode 100755 x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh delete mode 100644 x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.ts diff --git a/.buildkite/scripts/steps/checks.sh b/.buildkite/scripts/steps/checks.sh index c5cfc8e98b8ac6..c7c22d7958edc6 100755 
--- a/.buildkite/scripts/steps/checks.sh +++ b/.buildkite/scripts/steps/checks.sh @@ -11,7 +11,6 @@ export DISABLE_BOOTSTRAP_VALIDATION=false .buildkite/scripts/steps/checks/verify_notice.sh .buildkite/scripts/steps/checks/plugin_list_docs.sh .buildkite/scripts/steps/checks/event_log.sh -.buildkite/scripts/steps/checks/alerts_as_data.sh .buildkite/scripts/steps/checks/telemetry.sh .buildkite/scripts/steps/checks/jest_configs.sh .buildkite/scripts/steps/checks/bundle_limits.sh diff --git a/.buildkite/scripts/steps/checks/alerts_as_data.sh b/.buildkite/scripts/steps/checks/alerts_as_data.sh deleted file mode 100755 index b2ee45d3addf9f..00000000000000 --- a/.buildkite/scripts/steps/checks/alerts_as_data.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -source .buildkite/scripts/common/util.sh - -echo --- Check Framework Alerts as Data Schema - -./x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh - -check_for_changed_files './x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh' false 'Follow the directions in x-pack/plugins/alerting/common/alert_schema/scripts/README.md to make schema changes to framework alerts as data.' diff --git a/x-pack/plugins/alerting/common/alert_schema/index.ts b/x-pack/plugins/alerting/common/alert_schema/index.ts index a2788e074ba298..acca43450fe347 100644 --- a/x-pack/plugins/alerting/common/alert_schema/index.ts +++ b/x-pack/plugins/alerting/common/alert_schema/index.ts @@ -6,6 +6,4 @@ */ export { alertFieldMap } from './field_maps/alert_field_map'; -export { AlertSchema } from './schemas/alert_schema'; -export type { Alert } from './schemas/alert_schema'; export { getComponentTemplateFromFieldMap } from './field_maps/component_template_from_field_map'; diff --git a/x-pack/plugins/alerting/common/alert_schema/schemas/alert_schema.ts b/x-pack/plugins/alerting/common/alert_schema/schemas/alert_schema.ts deleted file mode 100644 index a04824028c1c36..00000000000000 
--- a/x-pack/plugins/alerting/common/alert_schema/schemas/alert_schema.ts +++ /dev/null 
@@ -1,129 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -// ---------------------------------- WARNING ---------------------------------- -// this file was generated, and should not be edited by hand -// ---------------------------------- WARNING ---------------------------------- - -import { Either } from 'fp-ts/lib/Either'; -import * as rt from 'io-ts'; - -const ISO_DATE_PATTERN = /^d{4}-d{2}-d{2}Td{2}:d{2}:d{2}.d{3}Z$/; - -export const IsoDateString = new rt.Type( - 'IsoDateString', - rt.string.is, - (input, context): Either => { - if (typeof input === 'string' && ISO_DATE_PATTERN.test(input)) { - return rt.success(input); - } else { - return rt.failure(input, context); - } - }, - rt.identity -); - -export type IsoDateStringC = typeof IsoDateString; - -export const schemaDate = IsoDateString; -export const schemaDateArray = rt.array(IsoDateString); -export const schemaDateRange = rt.partial({ - gte: schemaDate, - lte: schemaDate, -}); -export const schemaDateRangeArray = rt.array(schemaDateRange); -export const schemaUnknown = rt.unknown; -export const schemaUnknownArray = rt.array(rt.unknown); -export const schemaString = rt.string; -export const schemaStringArray = rt.array(schemaString); -export const schemaNumber = rt.number; -export const schemaNumberArray = rt.array(schemaNumber); -export const schemaStringOrNumber = rt.union([schemaString, schemaNumber]); -export const schemaStringOrNumberArray = rt.array(schemaStringOrNumber); -export const schemaBoolean = rt.boolean; -export const schemaBooleanArray = rt.array(schemaBoolean); -const schemaGeoPointCoords = rt.type({ - type: schemaString, - coordinates: schemaNumberArray, -}); -const schemaGeoPointString = schemaString; -const schemaGeoPointLatLon = rt.type({ - lat: schemaNumber, - lon: 
schemaNumber, -}); -const schemaGeoPointLocation = rt.type({ - location: schemaNumberArray, -}); -const schemaGeoPointLocationString = rt.type({ - location: schemaString, -}); -export const schemaGeoPoint = rt.union([ - schemaGeoPointCoords, - schemaGeoPointString, - schemaGeoPointLatLon, - schemaGeoPointLocation, - schemaGeoPointLocationString, -]); -export const schemaGeoPointArray = rt.array(schemaGeoPoint); - -const AlertRequiredSchema = rt.type({ - kibana: rt.type({ - alert: rt.type({ - id: schemaString, - rule: rt.type({ - category: schemaString, - consumer: schemaString, - name: schemaString, - producer: schemaString, - rule_type_id: schemaString, - uuid: schemaString, - }), - status: schemaString, - uuid: schemaString, - }), - space_ids: schemaStringArray, - }), -}); -const AlertOptionalSchema = rt.partial({ - kibana: rt.partial({ - alert: rt.partial({ - action_group: schemaString, - duration: rt.partial({ - us: schemaStringOrNumber, - }), - end: schemaDate, - evaluation_results: rt.array( - rt.partial({ - thresholds: rt.partial({ - comparator: schemaString, - type: schemaString, - value: schemaStringArray, - }), - value: schemaNumber, - }) - ), - flapping: schemaBoolean, - reason: schemaString, - rule: rt.partial({ - execution: rt.partial({ - uuid: schemaString, - }), - parameters: schemaUnknown, - tags: schemaStringArray, - }), - severity: schemaString, - start: schemaDate, - time_range: schemaDateRange, - workflow_status: schemaString, - }), - version: schemaString, - }), -}); - -export const AlertSchema = rt.intersection([AlertRequiredSchema, AlertOptionalSchema]); - -export type Alert = rt.TypeOf; diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts b/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts deleted file mode 100644 index 4f3c34e78e3f63..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts +++ /dev/null 
@@ -1,312 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import fs from 'fs'; -import path from 'path'; -import { get, set } from 'lodash'; -import { createLineWriter, LineWriter } from './lib/line_writer'; -import { alertFieldMap } from '../field_maps/alert_field_map'; -import { FieldMap } from '../field_maps/types'; - -const PLUGIN_DIR = path.resolve(path.join(__dirname, '..')); -const ALERT_SCHEMA_FILE = 'schemas/alert_schema.ts'; - -const createSchema = (outputFile: string, fieldMap: FieldMap, schemaPrefix: string) => { - const lineWriters = { - REQUIRED_FIELDS: createLineWriter(), - OPTIONAL_FIELDS: createLineWriter(), - }; - - generateSchemaFromFieldMap({ lineWriters, fieldMap }); - - const contents = getSchemaFileContents(lineWriters, schemaPrefix); - - writeGeneratedFile(outputFile, `${contents}\n`); -}; - -interface GenerateSchemaFromFieldMapOpts { - lineWriters: Record; - fieldMap: FieldMap; -} -const generateSchemaFromFieldMap = ({ lineWriters, fieldMap }: GenerateSchemaFromFieldMapOpts) => { - const requiredFieldMap = { properties: {} }; - const optionalFieldMap = { properties: {} }; - - const getKeyWithProperties = (key: string) => key.split('.').join('.properties.'); - - // Generate required properties - Object.keys(fieldMap) - .filter((key: string) => fieldMap[key].required === true) - .map((key: string) => - set(requiredFieldMap.properties, getKeyWithProperties(key), fieldMap[key]) - ); - generateSchemaLines({ - lineWriter: lineWriters.REQUIRED_FIELDS, - propertyKey: null, - required: true, - fieldMap: requiredFieldMap, - }); - - // Generate optional properties - Object.keys(fieldMap) - .filter((key: string) => fieldMap[key].required !== true) - .map((key: string) => - set(optionalFieldMap.properties, getKeyWithProperties(key), 
fieldMap[key]) - ); - generateSchemaLines({ - lineWriter: lineWriters.OPTIONAL_FIELDS, - propertyKey: null, - required: false, - fieldMap: optionalFieldMap, - }); -}; - -interface FieldMapProperty { - properties: Record; -} - -interface GenerateSchemaLinesOpts { - lineWriter: LineWriter; - propertyKey: string | null; - required: boolean; - fieldMap: { - properties: Record; - }; -} - -const getSchemaDefinition = (schemaPrefix: string, isArray: boolean): string => { - if (isArray) { - schemaPrefix = `${schemaPrefix}Array`; - } - return schemaPrefix; -}; - -const generateSchemaLines = ({ - fieldMap, - propertyKey, - lineWriter, - required, -}: GenerateSchemaLinesOpts) => { - if (fieldMap == null) return; - - propertyKey = propertyKey === '@timestamp' ? `'@timestamp'` : propertyKey; - - const type = get(fieldMap, 'type'); - const isArray = get(fieldMap, 'array', false); - const isEnabled = get(fieldMap, 'enabled', true); - - if (null != type) { - switch (type) { - case 'flattened': - lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaUnknown', isArray)},`); - break; - case 'object': - case 'nested': - if (!isEnabled) { - lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaUnknown', isArray)},`); - } else if (isArray && null != fieldMap.properties) { - lineWriter.addLineAndIndent(`${propertyKey}: rt.array(`); - if (required) { - lineWriter.addLineAndIndent(`rt.type({`); - } else { - lineWriter.addLineAndIndent(`rt.partial({`); - } - for (const prop of Object.keys(fieldMap.properties).sort()) { - generateSchemaLines({ - lineWriter, - propertyKey: prop, - required, - fieldMap: fieldMap.properties[prop], - }); - } - lineWriter.dedentAndAddLine(`})`); - lineWriter.dedentAndAddLine(`),`); - } - break; - case 'keyword': - case 'ip': - case 'constant_keyword': - case 'match_only_text': - case 'version': - case 'wildcard': - lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaString', isArray)},`); - break; - case 'date': - 
lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaDate', isArray)},`); - break; - case 'date_range': - lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaDateRange', isArray)},`); - break; - case 'geo_point': - lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaGeoPoint', isArray)},`); - break; - case 'long': - case 'scaled_float': - lineWriter.addLine( - `${propertyKey}: ${getSchemaDefinition('schemaStringOrNumber', isArray)},` - ); - break; - case 'float': - case 'integer': - lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaNumber', isArray)},`); - break; - case 'boolean': - lineWriter.addLine(`${propertyKey}: ${getSchemaDefinition('schemaBoolean', isArray)},`); - break; - default: - logError(`unknown type ${type}: ${JSON.stringify(fieldMap)}`); - break; - } - - return; - } - - if (null == get(fieldMap, 'properties')) { - logError(`unknown properties ${propertyKey}: ${JSON.stringify(fieldMap)}`); - } - - if (null == propertyKey) { - if (required) { - lineWriter.addLineAndIndent(`rt.type({`); - } else { - lineWriter.addLineAndIndent(`rt.partial({`); - } - } else { - if (required) { - lineWriter.addLineAndIndent(`${propertyKey}: rt.type({`); - } else { - lineWriter.addLineAndIndent(`${propertyKey}: rt.partial({`); - } - } - - // write the object properties - for (const prop of Object.keys(fieldMap.properties).sort()) { - generateSchemaLines({ - lineWriter, - propertyKey: prop, - required, - fieldMap: fieldMap.properties[prop], - }); - } - lineWriter.dedentAndAddLine(`}),`); -}; - -const SchemaFileTemplate = ` -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. 
- */ - -// ---------------------------------- WARNING ---------------------------------- -// this file was generated, and should not be edited by hand -// ---------------------------------- WARNING ---------------------------------- - -import { Either } from 'fp-ts/lib/Either'; -import * as rt from 'io-ts'; - -const ISO_DATE_PATTERN = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/; - -export const IsoDateString = new rt.Type( - 'IsoDateString', - rt.string.is, - (input, context): Either => { - if (typeof input === 'string' && ISO_DATE_PATTERN.test(input)) { - return rt.success(input); - } else { - return rt.failure(input, context); - } - }, - rt.identity -); - -export type IsoDateStringC = typeof IsoDateString; - -export const schemaDate = IsoDateString; -export const schemaDateArray = rt.array(IsoDateString); -export const schemaDateRange = rt.partial({ - gte: schemaDate, - lte: schemaDate, -}); -export const schemaDateRangeArray = rt.array(schemaDateRange); -export const schemaUnknown = rt.unknown; -export const schemaUnknownArray = rt.array(rt.unknown); -export const schemaString = rt.string; -export const schemaStringArray = rt.array(schemaString); -export const schemaNumber = rt.number; -export const schemaNumberArray = rt.array(schemaNumber); -export const schemaStringOrNumber = rt.union([schemaString, schemaNumber]); -export const schemaStringOrNumberArray = rt.array(schemaStringOrNumber); -export const schemaBoolean = rt.boolean; -export const schemaBooleanArray = rt.array(schemaBoolean); -const schemaGeoPointCoords = rt.type({ - type: schemaString, - coordinates: schemaNumberArray, -}); -const schemaGeoPointString = schemaString; -const schemaGeoPointLatLon = rt.type({ - lat: schemaNumber, - lon: schemaNumber, -}); -const schemaGeoPointLocation = rt.type({ - location: schemaNumberArray, -}); -const schemaGeoPointLocationString = rt.type({ - location: schemaString, -}); -export const schemaGeoPoint = rt.union([ - schemaGeoPointCoords, - 
schemaGeoPointString, - schemaGeoPointLatLon, - schemaGeoPointLocation, - schemaGeoPointLocationString, -]); -export const schemaGeoPointArray = rt.array(schemaGeoPoint); - -const %%schemaPrefix%%RequiredSchema = %%REQUIRED_FIELDS%%; -const %%schemaPrefix%%OptionalSchema = %%OPTIONAL_FIELDS%%; - -export const %%schemaPrefix%%Schema = rt.intersection([%%schemaPrefix%%RequiredSchema, %%schemaPrefix%%OptionalSchema]); - -export type %%schemaPrefix%% = rt.TypeOf; -`.trim(); - -const getSchemaFileContents = (lineWriters: Record, schemaPrefix: string) => { - return Object.keys(lineWriters).reduce((currTemplate, key) => { - const schemaLines = lineWriters[key].getContent().replace(/,$/, ''); - return currTemplate - .replaceAll(`%%schemaPrefix%%`, schemaPrefix) - .replace(`%%${key}%%`, schemaLines); - }, SchemaFileTemplate); -}; - -const writeGeneratedFile = (fileName: string, contents: string) => { - const genFileName = path.join(PLUGIN_DIR, fileName); - try { - fs.writeFileSync(genFileName, contents); - } catch (err) { - logError(`error writing file: ${genFileName}: ${err.message}`); - } -}; - -const logError = (message: string) => { - // eslint-disable-next-line no-console - console.log(`error: ${message}`); - process.exit(1); -}; - -try { - // eslint-disable-next-line no-console - console.log(`Creating runtime schema for AlertFieldMap`); - createSchema(ALERT_SCHEMA_FILE, alertFieldMap, 'Alert'); - - // eslint-disable-next-line no-console - console.log(`Finished creating schemas!`); -} catch (error) { - logError(`Error encountered creating schemas ${error.message}`); -} diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js deleted file mode 100644 index d0f296d005a4e8..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js +++ /dev/null 
@@ -1,107 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -const path = require('path'); -const fs = require('fs'); -const util = require('util'); -const https = require('https'); -const yaml = require('js-yaml'); -const { exec: execCb } = require('child_process'); -const { reduce } = require('lodash'); - -const readFile = util.promisify(fs.readFile); -const writeFile = util.promisify(fs.writeFile); -const deleteFile = util.promisify(fs.unlink); -const exec = util.promisify(execCb); - -const ecsYmlUrlPrefix = `https://raw.githubusercontent.com/elastic/ecs/v8.5.2/generated/ecs/`; -const ecsYmlFilename = `ecs_flat.yml`; - -const outputDir = path.join(__dirname, '../../alert_schema/field_maps'); -const outputFieldMapFilename = path.join(outputDir, 'ecs_field_map.ts'); - -async function generate() { - https.get( - `${ecsYmlUrlPrefix}${ecsYmlFilename}`, - (response) => { - const filePath = fs.createWriteStream(ecsYmlFilename); - response.pipe(filePath); - filePath.on('finish', async () => { - filePath.close(); - console.log(`Successfully downloaded ${ecsYmlUrlPrefix}${ecsYmlFilename}`); - - const flatYaml = await yaml.safeLoad(await readFile(ecsYmlFilename)); - - const fields = reduce( - flatYaml, - (fieldsObj, value, key) => { - const field = { - type: value.type, - array: value.normalize.includes('array'), - required: !!value.required, - }; - - if (value.scaling_factor) { - field.scaling_factor = value.scaling_factor; - } - - if (value.ignore_above) { - field.ignore_above = value.ignore_above; - } - - if (null != value.doc_values) { - field.doc_values = value.doc_values; - } - - if (null != value.index) { - field.index = value.index; - } - - if (value.multi_fields) { - field.multi_fields = value.multi_fields; - } - - fieldsObj[key] = field; - - return 
fieldsObj; - }, - {} - ); - - await Promise.all([ - writeFile( - outputFieldMapFilename, - ` - /* This file is generated by x-pack/plugins/alerting/common/alert_schema/scripts/generate_ecs_fieldmap.js, - do not manually edit - */ - - export const ecsFieldMap = ${JSON.stringify(fields, null, 2)} - - export type EcsFieldMap = typeof ecsFieldMap; - `, - { encoding: 'utf-8' } - ).then(() => { - return exec(`node scripts/eslint --fix ${outputFieldMapFilename}`); - }), - ]); - - console.log(`Successfully generated fieldmap at ${outputFieldMapFilename}`); - - await deleteFile(ecsYmlFilename); - }); - }, - (err) => { - console.log(`Error downloading ${ecsYmlUrlPrefix}${ecsYmlFilename} - ${err.message}`); - process.exit(1); - } - ); -} - -generate().catch((err) => { - console.log(err); - process.exit(1); -}); diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh b/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh deleted file mode 100755 index 53ae905246a4a1..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/generate_schemas.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/env bash - -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. - -echo --- Generating Alert schemas from template - -npx -q ts-node x-pack/plugins/alerting/common/alert_schema/scripts/create_schema_from_mapping.ts diff --git a/x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.ts b/x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.ts deleted file mode 100644 index 43855a31b66bc2..00000000000000 --- a/x-pack/plugins/alerting/common/alert_schema/scripts/lib/line_writer.ts +++ /dev/null 
@@ -1,47 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -const INDENT_LENGTH = 2; -const INDENT = ''.padStart(INDENT_LENGTH); - -export class LineWriter { - private _indent: string = ''; - private _lines: string[] = []; - - constructor() { - this._indent = ''; - this._lines = []; - } - - public addLine(line: string) { - this._lines.push(`${this._indent}${line}`); - } - - public addLineAndIndent(line: string) { - this._lines.push(`${this._indent}${line}`); - this._indent = `${this._indent}${INDENT}`; - } - - public dedentAndAddLine(line: string) { - this._indent = this._indent.substr(INDENT_LENGTH); - this._lines.push(`${this._indent}${line}`); - } - - public indent() { - this._indent = `${this._indent}${INDENT}`; - } - - public dedent() { - this._indent = this._indent.substr(INDENT_LENGTH); - } - - public getContent() { - return this._lines.join('\n'); - } -} - -export const createLineWriter = () => new LineWriter(); diff --git a/x-pack/plugins/alerting/common/index.ts b/x-pack/plugins/alerting/common/index.ts index 4b206588668710..795a05dcb802c2 100644 --- a/x-pack/plugins/alerting/common/index.ts +++ b/x-pack/plugins/alerting/common/index.ts @@ -24,8 +24,6 @@ export * from './parse_duration'; export * from './execution_log_types'; export * from './rule_snooze_type'; -export { AlertSchema, type Alert } from './alert_schema'; - export interface AlertingFrameworkHealth { isSufficientlySecure: boolean; hasPermanentEncryptionKey: boolean; From 3edfdcb7eb8716b6821a4dfc6d52c4519a6d9b3e Mon Sep 17 00:00:00 2001 
From: Ying Date: Thu, 5 Jan 2023 14:26:49 -0500 Subject: [PATCH 33/42] Removing solution specific context --- .../server/alerts_service/alerts_service.ts | 1 + x-pack/plugins/alerting/server/plugin.ts | 3 -- .../anomaly/register_anomaly_rule_type.ts | 2 - .../register_error_count_rule_type.ts | 2 - .../rule_types/get_alert_registration.ts | 53 ------------------- ...register_transaction_duration_rule_type.ts | 2 - ...gister_transaction_error_rate_rule_type.ts | 2 - .../lib/alerting/get_alert_registration.ts | 19 ------- ...er_inventory_metric_threshold_rule_type.ts | 2 - .../register_log_threshold_rule_type.ts | 2 - .../register_metric_anomaly_rule_type.ts | 2 - .../register_metric_threshold_rule_type.ts | 2 - .../lib/rules/get_alert_registration.ts | 15 ------ .../lib/rules/slo_burn_rate/register.ts | 2 - .../experimental_rule_field_map.test.ts | 2 - .../field_maps/experimental_rule_field_map.ts | 8 +-- .../common/rules/uptime_rule_field_map.ts | 14 ----- .../lib/alerts/duration_anomaly.ts | 2 - .../lib/alerts/get_alert_registration.ts | 15 ------ .../legacy_uptime/lib/alerts/status_check.ts | 2 - .../server/legacy_uptime/lib/alerts/tls.ts | 2 - .../legacy_uptime/lib/alerts/tls_legacy.ts | 2 - 22 files changed, 3 insertions(+), 153 deletions(-) delete mode 100644 x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts delete mode 100644 x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts delete mode 100644 x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts delete mode 100644 x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index a0544e480c4a39..8ad880a562c8cc 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -112,6 +112,7 @@ export class AlertsService implements IAlertsService { this.initialized = true; } catch (err) { + this.options.logger.error(`Error installing common resources for AlertsService. No additional resources will be installed and rule execution may be impacted.`); this.initialized = false; } diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts index 3159e350eda3d8..c16d41248ca6a3 100644 --- a/x-pack/plugins/alerting/server/plugin.ts +++ b/x-pack/plugins/alerting/server/plugin.ts @@ -237,9 +237,6 @@ export class AlertingPlugin { .getStartServices() .then(([{ elasticsearch }]) => elasticsearch.client.asInternalUser), }); - // TODO - should an initialization failure throw an error? - // we do retry all resource installation steps but if all the retries fail - // do we just disable alerts writing? this.alertsService!.initialize(); } diff --git a/x-pack/plugins/apm/server/routes/alerts/rule_types/anomaly/register_anomaly_rule_type.ts b/x-pack/plugins/apm/server/routes/alerts/rule_types/anomaly/register_anomaly_rule_type.ts index 0a21c965a3e550..889b249ceca3b9 100644 --- a/x-pack/plugins/apm/server/routes/alerts/rule_types/anomaly/register_anomaly_rule_type.ts +++ b/x-pack/plugins/apm/server/routes/alerts/rule_types/anomaly/register_anomaly_rule_type.ts @@ -49,7 +49,6 @@ import { getMLJobs } from '../../../service_map/get_service_anomalies'; import { apmActionVariables } from '../../action_variables'; import { RegisterRuleDependencies } from '../../register_apm_rule_types'; import { getServiceGroupFieldsForAnomaly } from './get_service_group_fields_for_anomaly'; -import { alertRegistration } from '../get_alert_registration'; const paramsSchema = schema.object({ serviceName: schema.maybe(schema.string()), 
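Review bot: The new `logger.error` call in the catch block drops the caught `err`, so the log records that common-resource installation failed but not why, which leaves an operator diagnosing a cluster where alerts stop being written with nothing to go on. Include the cause in the message, e.g. `this.options.logger.error(\`Error installing common resources for AlertsService. No additional resources will be installed and rule execution may be impacted. ${err instanceof Error ? err.message : String(err)}\`);` — under `useUnknownInCatchVariables` `err` is `unknown`, hence the guard. The follow-up hunks to this file in [PATCH 34/42] and [PATCH 35/42] only re-wrap the same call for the formatter, so the fix applies there too. The enclosing method starts and ends outside the hunk.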
@@ -107,7 +106,6 @@ export function registerAnomalyRuleType({ producer: 'apm', minimumLicenseRequired: 'basic', isExportable: true, - alerts: alertRegistration, executor: async ({ params, services, spaceId }) => { if (!ml) { return {}; diff --git a/x-pack/plugins/apm/server/routes/alerts/rule_types/error_count/register_error_count_rule_type.ts b/x-pack/plugins/apm/server/routes/alerts/rule_types/error_count/register_error_count_rule_type.ts index 3340b2502ae777..276e817093f404 100644 --- a/x-pack/plugins/apm/server/routes/alerts/rule_types/error_count/register_error_count_rule_type.ts +++ b/x-pack/plugins/apm/server/routes/alerts/rule_types/error_count/register_error_count_rule_type.ts @@ -44,7 +44,6 @@ import { getServiceGroupFieldsAgg, getServiceGroupFields, } from '../get_service_group_fields'; -import { alertRegistration } from '../get_alert_registration'; const paramsSchema = schema.object({ windowSize: schema.number(), @@ -95,7 +94,6 @@ export function registerErrorCountRuleType({ producer: APM_SERVER_FEATURE_ID, minimumLicenseRequired: 'basic', isExportable: true, - alerts: alertRegistration, executor: async ({ params: ruleParams, services, spaceId }) => { const config = await firstValueFrom(config$); diff --git a/x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts b/x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts deleted file mode 100644 index 4e2350a341dce9..00000000000000 --- a/x-pack/plugins/apm/server/routes/alerts/rule_types/get_alert_registration.ts +++ /dev/null 
@@ -1,53 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { IRuleTypeAlerts } from '@kbn/alerting-plugin/server/types'; -import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; -import { - AGENT_NAME, - PROCESSOR_EVENT, - SERVICE_ENVIRONMENT, - SERVICE_LANGUAGE_NAME, - SERVICE_NAME, - TRANSACTION_TYPE, -} from '../../../../common/es_fields/apm'; - -export const alertRegistration: IRuleTypeAlerts = { - context: 'observability.apm', - fieldMap: { - ...experimentalRuleFieldMap, - [SERVICE_NAME]: { - type: 'keyword', - required: false, - }, - [SERVICE_ENVIRONMENT]: { - type: 'keyword', - required: false, - }, - [TRANSACTION_TYPE]: { - type: 'keyword', - required: false, - }, - [PROCESSOR_EVENT]: { - type: 'keyword', - required: false, - }, - [AGENT_NAME]: { - type: 'keyword', - required: false, - }, - [SERVICE_LANGUAGE_NAME]: { - type: 'keyword', - required: false, - }, - labels: { - type: 'object', - dynamic: true, - required: false, - }, - }, -}; diff --git a/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_duration/register_transaction_duration_rule_type.ts b/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_duration/register_transaction_duration_rule_type.ts index da6bc5954f794b..56cf1fc466584a 100644 --- a/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_duration/register_transaction_duration_rule_type.ts +++ b/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_duration/register_transaction_duration_rule_type.ts 
@@ -57,7 +57,6 @@ import { getServiceGroupFields, getServiceGroupFieldsAgg, } from '../get_service_group_fields'; -import { alertRegistration } from '../get_alert_registration'; const paramsSchema = schema.object({ serviceName: schema.string(), @@ -114,7 +113,6 @@ export function registerTransactionDurationRuleType({ producer: APM_SERVER_FEATURE_ID, minimumLicenseRequired: 'basic', isExportable: true, - alerts: alertRegistration, executor: async ({ params: ruleParams, services, spaceId }) => { const config = await firstValueFrom(config$); diff --git a/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_error_rate/register_transaction_error_rate_rule_type.ts b/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_error_rate/register_transaction_error_rate_rule_type.ts index cf1e9702b0e517..cda1c0a9f2f880 100644 --- a/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_error_rate/register_transaction_error_rate_rule_type.ts +++ b/x-pack/plugins/apm/server/routes/alerts/rule_types/transaction_error_rate/register_transaction_error_rate_rule_type.ts @@ -50,7 +50,6 @@ import { getServiceGroupFields, getServiceGroupFieldsAgg, } from '../get_service_group_fields'; -import { alertRegistration } from '../get_alert_registration'; const paramsSchema = schema.object({ windowSize: schema.number(), @@ -103,7 +102,6 @@ export function registerTransactionErrorRateRuleType({ producer: APM_SERVER_FEATURE_ID, minimumLicenseRequired: 'basic', isExportable: true, - alerts: alertRegistration, executor: async ({ services, spaceId, params: ruleParams }) => { const config = await firstValueFrom(config$); diff --git a/x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts b/x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts deleted file mode 100644 index 24e9750e50293f..00000000000000 --- a/x-pack/plugins/infra/server/lib/alerting/get_alert_registration.ts +++ /dev/null 
@@ -1,19 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { IRuleTypeAlerts } from '@kbn/alerting-plugin/server/types'; -import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; - -export const logAlertRegistration: IRuleTypeAlerts = { - context: 'observability.logs', - fieldMap: experimentalRuleFieldMap, -}; - -export const metricAlertRegistration: IRuleTypeAlerts = { - context: 'observability.metrics', - fieldMap: experimentalRuleFieldMap, -}; diff --git a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts index e5135cb54f834c..a5ba2c32ada6e4 100644 --- a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts +++ b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts @@ -51,7 +51,6 @@ import { FIRED_ACTIONS_ID, WARNING_ACTIONS, } from './inventory_metric_threshold_executor'; -import { metricAlertRegistration } from '../get_alert_registration'; const condition = schema.object({ threshold: schema.arrayOf(schema.number()), @@ -127,7 +126,6 @@ export async function registerMetricInventoryThresholdRuleType( { name: 'tags', description: tagsActionVariableDescription }, ], }, - alerts: metricAlertRegistration, getSummarizedAlerts: libs.metricsRules.createGetSummarizedAlerts(), }); } 
diff --git a/x-pack/plugins/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts b/x-pack/plugins/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts index db24b28aaa1b1c..ce04dd70361133 100644 --- a/x-pack/plugins/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts +++ b/x-pack/plugins/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts @@ -19,7 +19,6 @@ import { alertDetailUrlActionVariableDescription, groupByKeysActionVariableDescription, } from '../common/messages'; -import { logAlertRegistration } from '../get_alert_registration'; const timestampActionVariableDescription = i18n.translate( 'xpack.infra.logs.alerting.threshold.timestampActionVariableDescription', @@ -146,7 +145,6 @@ export async function registerLogThresholdRuleType( ], }, producer: 'logs', - alerts: logAlertRegistration, getSummarizedAlerts: libs.logsRules.createGetSummarizedAlerts(), }); } diff --git a/x-pack/plugins/infra/server/lib/alerting/metric_anomaly/register_metric_anomaly_rule_type.ts b/x-pack/plugins/infra/server/lib/alerting/metric_anomaly/register_metric_anomaly_rule_type.ts index 608ee9890e6621..b27ae6889fd284 100644 --- a/x-pack/plugins/infra/server/lib/alerting/metric_anomaly/register_metric_anomaly_rule_type.ts +++ b/x-pack/plugins/infra/server/lib/alerting/metric_anomaly/register_metric_anomaly_rule_type.ts @@ -23,7 +23,6 @@ import { METRIC_ANOMALY_ALERT_TYPE_ID } from '../../../../common/alerting/metric import { InfraBackendLibs } from '../../infra_types'; import { oneOfLiterals, validateIsStringElasticsearchJSONFilter } from '../common/utils'; import { alertStateActionVariableDescription } from '../common/messages'; -import { metricAlertRegistration } from '../get_alert_registration'; export type MetricAnomalyAllowedActionGroups = typeof FIRED_ACTIONS_ID; @@ -115,5 +114,4 @@ export const registerMetricAnomalyRuleType = ( }, ], }, - alerts: metricAlertRegistration, }); 
diff --git a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts index 981877a4c5cae5..55e2379bcf19a6 100644 --- a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts +++ b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts @@ -41,7 +41,6 @@ import { WARNING_ACTIONS, NO_DATA_ACTIONS, } from './metric_threshold_executor'; -import { metricAlertRegistration } from '../get_alert_registration'; type MetricThresholdAllowedActionGroups = ActionGroupIdsOf< typeof FIRED_ACTIONS | typeof WARNING_ACTIONS | typeof NO_DATA_ACTIONS @@ -128,7 +127,6 @@ export async function registerMetricThresholdRuleType( ], }, producer: 'infrastructure', - alerts: metricAlertRegistration, getSummarizedAlerts: libs.metricsRules.createGetSummarizedAlerts(), }); } diff --git a/x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts b/x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts deleted file mode 100644 index 2097c78e7c20fc..00000000000000 --- a/x-pack/plugins/observability/server/lib/rules/get_alert_registration.ts +++ /dev/null @@ -1,15 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { IRuleTypeAlerts } from '@kbn/alerting-plugin/server/types'; -import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; -import { RULE_REGISTRATION_CONTEXT } from '../../common/constants'; - -export const alertRegistration: IRuleTypeAlerts = { - context: RULE_REGISTRATION_CONTEXT, - fieldMap: experimentalRuleFieldMap, -}; 
diff --git a/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/register.ts b/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/register.ts index f6271b75a8085e..b85f70413e3cbb 100644 --- a/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/register.ts +++ b/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/register.ts @@ -11,7 +11,6 @@ import { LicenseType } from '@kbn/licensing-plugin/server'; import { createLifecycleExecutor } from '@kbn/rule-registry-plugin/server'; import { SLO_BURN_RATE_RULE_ID } from '../../../../common/constants'; -import { alertRegistration } from '../get_alert_registration'; import { FIRED_ACTION, getRuleExecutor } from './executor'; const durationSchema = schema.object({ @@ -52,7 +51,6 @@ export function sloBurnRateRuleType(createLifecycleRuleExecutor: CreateLifecycle { name: 'shortWindow', description: windowActionVariableDescription }, ], }, - alert: alertRegistration, }; } diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts index 3a6dbc4f209827..4e2d591bf88bd0 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.test.ts @@ -13,12 +13,10 @@ it('matches snapshot', () => { expect(experimentalRuleFieldMap).toMatchInlineSnapshot(` Object { "kibana.alert.evaluation.threshold": Object { - "required": false, "scaling_factor": 100, "type": "scaled_float", }, "kibana.alert.evaluation.value": Object { - "required": false, "scaling_factor": 100, "type": "scaled_float", }, diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts index 3859ebe6df9b6b..92f93015309c0b 100644 
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts @@ -8,12 +8,8 @@ import * as Fields from '../../technical_rule_data_field_names'; export const experimentalRuleFieldMap = { - [Fields.ALERT_EVALUATION_THRESHOLD]: { - type: 'scaled_float', - scaling_factor: 100, - required: false, - }, - [Fields.ALERT_EVALUATION_VALUE]: { type: 'scaled_float', scaling_factor: 100, required: false }, + [Fields.ALERT_EVALUATION_THRESHOLD]: { type: 'scaled_float', scaling_factor: 100 }, + [Fields.ALERT_EVALUATION_VALUE]: { type: 'scaled_float', scaling_factor: 100 }, } as const; export type ExperimentalRuleFieldMap = typeof experimentalRuleFieldMap; diff --git a/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts b/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts index be097ed8d8268c..ff69d3a5e6e7fa 100644 --- a/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts +++ b/x-pack/plugins/synthetics/common/rules/uptime_rule_field_map.ts 
@@ -9,62 +9,48 @@ export const uptimeRuleFieldMap = { // common fields 'monitor.id': { type: 'keyword', - required: false, }, 'url.full': { type: 'keyword', - required: false, }, 'observer.geo.name': { type: 'keyword', - required: false, }, // monitor status alert fields 'error.message': { type: 'text', - required: false, }, 'agent.name': { type: 'keyword', - required: false, }, 'monitor.name': { type: 'keyword', - required: false, }, 'monitor.type': { type: 'keyword', - required: false, }, // tls alert fields 'tls.server.x509.issuer.common_name': { type: 'keyword', - required: false, }, 'tls.server.x509.subject.common_name': { type: 'keyword', - required: false, }, 'tls.server.x509.not_after': { type: 'date', - required: false, }, 'tls.server.x509.not_before': { type: 'date', - required: false, }, 'tls.server.hash.sha256': { type: 'keyword', - required: false, }, // anomaly alert fields 'anomaly.start': { type: 'date', - required: false, }, 'anomaly.bucket_span.minutes': { type: 'keyword', - required: false, }, } as const; diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/duration_anomaly.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/duration_anomaly.ts index 14509b3d852368..dc780a4d2ec3aa 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/duration_anomaly.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/duration_anomaly.ts @@ -33,7 +33,6 @@ import { DurationAnomalyTranslations as CommonDurationAnomalyTranslations } from import { getMonitorRouteFromMonitorId } from '../../../../common/utils/get_monitor_url'; import { ALERT_REASON_MSG, ACTION_VARIABLES, VIEW_IN_APP_URL } from './action_variables'; -import { alertRegistration } from './get_alert_registration'; export type ActionGroupIds = ActionGroupIdsOf; 
@@ -110,7 +109,6 @@ export const durationAnomalyAlertFactory: UptimeAlertTypeFactory ], state: [...durationAnomalyTranslations.actionVariables, ...commonStateTranslations], }, - alerts: alertRegistration, isExportable: true, minimumLicenseRequired: 'platinum', doesSetRecoveryContext: true, diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts deleted file mode 100644 index 7f299af2a2db2f..00000000000000 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/get_alert_registration.ts +++ /dev/null @@ -1,15 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { IRuleTypeAlerts } from '@kbn/alerting-plugin/server/types'; -import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map'; -import { uptimeRuleFieldMap } from '../../../../common/rules/uptime_rule_field_map'; - -export const alertRegistration: IRuleTypeAlerts = { - context: 'observability.uptime', - fieldMap: { ...uptimeRuleFieldMap, ...experimentalRuleFieldMap }, -}; diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/status_check.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/status_check.ts index e613086adb2768..49593c95727a5c 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/status_check.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/status_check.ts @@ -51,7 +51,6 @@ import { VIEW_IN_APP_URL, } from './action_variables'; import { getMonitorRouteFromMonitorId } from '../../../../common/utils/get_monitor_url'; -import { alertRegistration } from './get_alert_registration'; export type ActionGroupIds = ActionGroupIdsOf; 
@@ -334,7 +333,6 @@ export const statusCheckAlertFactory: UptimeAlertTypeFactory = ( ], state: [...commonMonitorStateI18, ...commonStateTranslations], }, - alerts: alertRegistration, isExportable: true, minimumLicenseRequired: 'basic', doesSetRecoveryContext: true, diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts index 5af15c24028a02..44b191e7202381 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts @@ -24,7 +24,6 @@ import { TlsTranslations } from '../../../../common/translations'; import { savedObjectsAdapter } from '../saved_objects/saved_objects'; import { UptimeEsClient } from '../lib'; import { ACTION_VARIABLES, ALERT_DETAILS_URL } from './action_variables'; -import { alertRegistration } from './get_alert_registration'; export type ActionGroupIds = ActionGroupIdsOf; @@ -129,7 +128,6 @@ export const tlsAlertFactory: UptimeAlertTypeFactory = ( state: [...tlsTranslations.actionVariables, ...commonStateTranslations], }, isExportable: true, - alerts: alertRegistration, minimumLicenseRequired: 'basic', doesSetRecoveryContext: true, async executor({ diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls_legacy.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls_legacy.ts index 41514765bb262e..732b6ca45bc95a 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls_legacy.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls_legacy.ts @@ -24,7 +24,6 @@ import { DEFAULT_SIZE, DEFAULT_TO, } from '../../../../common/requests/get_certs_request_body'; -import { alertRegistration } from './get_alert_registration'; export type ActionGroupIds = ActionGroupIdsOf; 
@@ -113,7 +112,6 @@ export const tlsLegacyAlertFactory: UptimeAlertTypeFactory = (_s }, isExportable: true, minimumLicenseRequired: 'basic', - alerts: alertRegistration, async executor({ services: { alertFactory, scopedClusterClient, savedObjectsClient }, state }) { const dynamicSettings = await savedObjectsAdapter.getUptimeDynamicSettings(savedObjectsClient); From 87488e2a41edb725ce9890b6d37aece7458a52d0 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 5 Jan 2023 19:33:11 +0000 Subject: [PATCH 34/42] [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix' --- .../plugins/alerting/server/alerts_service/alerts_service.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 8ad880a562c8cc..5fe0fc5c18b8a7 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -112,7 +112,9 @@ export class AlertsService implements IAlertsService { this.initialized = true; } catch (err) { - this.options.logger.error(`Error installing common resources for AlertsService. No additional resources will be installed and rule execution may be impacted.`); + this.options.logger.error( + `Error installing common resources for AlertsService. No additional resources will be installed and rule execution may be impacted.` + ); this.initialized = false; } From ea470cfd7687468ce7281feeb86c2ddf0406720f Mon Sep 17 00:00:00 2001 
From: Ying Date: Thu, 5 Jan 2023 15:46:15 -0500 Subject: [PATCH 35/42] Allowing empty fieldMap to just use common component template --- .../alerts_service/alerts_service.test.ts | 62 +++++++++++++++++++ .../server/alerts_service/alerts_service.ts | 39 +++++++----- .../server/rule_types/es_query/rule_type.ts | 4 ++ 3 files changed, 91 insertions(+), 14 deletions(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index a62310d2c01eb5..222c05d6132121 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts 
@@ -318,6 +318,68 @@ describe('Alerts Service', () => { }); }); + test('should not install component template for context fieldMap is empty', async () => { + alertsService.register({ + context: 'empty', + fieldMap: { }, + }); + await new Promise((r) => setTimeout(r, 50)); + expect(await alertsService.isContextInitialized('empty')).toEqual( + true + ); + + expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); + + expect(clusterClient.cluster.putComponentTemplate).toHaveBeenCalledTimes(1); + const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; + expect(componentTemplate1.name).toEqual('alerts-common-component-template'); + + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith( + { + name: `.alerts-empty-default-template`, + body: { + index_patterns: [`.alerts-empty-default-*`], + composed_of: [ + 'alerts-common-component-template', + ], + template: { + settings: { + auto_expand_replicas: '0-1', + hidden: true, + 'index.lifecycle': { + name: 'alerts-default-ilm-policy', + rollover_alias: `.alerts-empty-default`, + }, + 'index.mapping.total_fields.limit': 2500, + }, + mappings: { + dynamic: false, + }, + }, + _meta: { + managed: true, + }, + }, + } + ); + expect(clusterClient.indices.getAlias).toHaveBeenCalledWith({ + index: '.alerts-empty-default-*', + }); + expect(clusterClient.indices.putSettings).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.simulateIndexTemplate).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.putMapping).toHaveBeenCalledTimes(2); + expect(clusterClient.indices.create).toHaveBeenCalledWith({ + index: '.alerts-empty-default-000001', + body: { + aliases: { + '.alerts-empty-default': { + is_write_index: true, + }, + }, + }, + }); + }); + test('should skip initialization if context already exists', async () => { alertsService.register(TestRegistrationContext); alertsService.register(TestRegistrationContext); 
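Review bot: The test title `should not install component template for context fieldMap is empty` reads as a grammatical slip; `should not install component template when context fieldMap is empty` states what is asserted. The fixed `await new Promise((r) => setTimeout(r, 50))` before checking `isContextInitialized('empty')` makes the outcome depend on scheduling; if the neighbouring tests in this file already use the same delay this is at least consistent, but awaiting the initialization promise or polling `isContextInitialized` until it resolves would be less fragile. The `describe` block that encloses this test starts and ends outside the hunk.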
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 8ad880a562c8cc..880387b0c673e5 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -112,7 +112,9 @@ export class AlertsService implements IAlertsService { this.initialized = true; } catch (err) { - this.options.logger.error(`Error installing common resources for AlertsService. No additional resources will be installed and rule execution may be impacted.`); + this.options.logger.error( + `Error installing common resources for AlertsService. No additional resources will be installed and rule execution may be impacted.` + ); this.initialized = false; } 
@@ -144,19 +146,28 @@ export class AlertsService implements IAlertsService { const indexTemplateAndPattern = getIndexTemplateAndPattern(context); // Context specific initialization installs component template, index template and write index - const initFns = [ - async () => - await this.createOrUpdateComponentTemplate( - esClient, - getComponentTemplate(fieldMap, context) - ), - async () => - await this.createOrUpdateIndexTemplate(esClient, indexTemplateAndPattern, [ - getComponentTemplateName(), - getComponentTemplateName(context), - ]), - async () => await this.createConcreteWriteIndex(esClient, indexTemplateAndPattern), - ]; + // If fieldMap is empty, don't create context specific component template + const initFns = isEmpty(fieldMap) + ? [ + async () => + await this.createOrUpdateIndexTemplate(esClient, indexTemplateAndPattern, [ + getComponentTemplateName(), + ]), + async () => await this.createConcreteWriteIndex(esClient, indexTemplateAndPattern), + ] + : [ + async () => + await this.createOrUpdateComponentTemplate( + esClient, + getComponentTemplate(fieldMap, context) + ), + async () => + await this.createOrUpdateIndexTemplate(esClient, indexTemplateAndPattern, [ + getComponentTemplateName(), + getComponentTemplateName(context), + ]), + async () => await this.createConcreteWriteIndex(esClient, indexTemplateAndPattern), + ]; for (const fn of initFns) { await this.installWithTimeout(async () => await fn(), timeoutMs); diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.ts index c56f691cc2580d..f8196712cd932e 100644 --- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.ts +++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.ts @@ -187,5 +187,9 @@ export function getRuleType( }, producer: STACK_ALERTS_FEATURE_ID, doesSetRecoveryContext: true, + alerts: { + context: 'stack', + fieldMap: {}, + }, }; } 
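Review bot: The two branches of the new `isEmpty(fieldMap)` ternary duplicate the index-template and write-index steps and differ only in whether the context component template is created and listed in `composed_of`; the list can be built once from a single `hasContextFields` flag so the two code paths cannot drift apart. `isEmpty` is not imported anywhere in this hunk — presumably it comes from lodash higher up in the file; confirm the import exists. The enclosing method starts and ends outside the hunk.
```typescript
      const indexTemplateAndPattern = getIndexTemplateAndPattern(context);

      // Context specific initialization installs component template, index template and write index.
      // An empty fieldMap means no context specific component template is created or composed in.
      const hasContextFields = !isEmpty(fieldMap);
      const initFns = [
        ...(hasContextFields
          ? [
              async () =>
                await this.createOrUpdateComponentTemplate(
                  esClient,
                  getComponentTemplate(fieldMap, context)
                ),
            ]
          : []),
        async () =>
          await this.createOrUpdateIndexTemplate(esClient, indexTemplateAndPattern, [
            getComponentTemplateName(),
            ...(hasContextFields ? [getComponentTemplateName(context)] : []),
          ]),
        async () => await this.createConcreteWriteIndex(esClient, indexTemplateAndPattern),
      ];
      // … unchanged: installWithTimeout loop over initFns …
```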
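Review bot: The new `alerts: { context: 'stack', fieldMap: {} }` registration carries no comment saying what an empty `fieldMap` means, and the consequence is only discoverable from the companion `alerts_service.ts` change in this patch: no context-specific component template is installed and the index template is composed of the common template alone, with `dynamic: false` mappings as the accompanying test expects. A one-line comment above the property would save the next reader that trip, e.g. `// Empty fieldMap: no context-specific component template; alerts for this rule type are indexed with the common alert mappings only`. The `getRuleType` function starts outside the hunk.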
From 2f039429753745a5cd4ff4892c0e4b81af8f7715 Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 5 Jan 2023 16:02:28 -0500 Subject: [PATCH 36/42] Cleanup --- .../src/default_alerts_as_data.ts | 18 ------- .../field_maps/alert_field_map.ts | 30 ----------- .../alerts_service/alerts_service.test.ts | 50 ++++++++----------- .../tests/alerting/alerts_as_data.ts | 12 ++++- 4 files changed, 32 insertions(+), 78 deletions(-) diff --git a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts index 9a1939127bef3c..aca216b68da650 100644 --- a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts +++ b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts @@ -16,14 +16,6 @@ const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const; const ALERT_ACTION_GROUP = `${ALERT_NAMESPACE}.action_group` as const; const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const; const ALERT_END = `${ALERT_NAMESPACE}.end` as const; -const ALERT_EVALUATION_RESULTS = `${ALERT_NAMESPACE}.evaluation_results` as const; -const ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR = - `${ALERT_NAMESPACE}.evaluation_results.thresholds.comparator` as const; -const ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE = - `${ALERT_NAMESPACE}.evaluation_results.thresholds.type` as const; -const ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE = - `${ALERT_NAMESPACE}.evaluation_results.thresholds.value` as const; -const ALERT_EVALUATION_RESULTS_VALUE = `${ALERT_NAMESPACE}.evaluation_results.value` as const; const ALERT_FLAPPING = `${ALERT_NAMESPACE}.flapping` as const; const ALERT_ID = `${ALERT_NAMESPACE}.id` as const; const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const; 
@@ -55,11 +47,6 @@ const fields = { ALERT_ACTION_GROUP, ALERT_DURATION, ALERT_END, - ALERT_EVALUATION_RESULTS, - ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR, - ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE, - ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE, - ALERT_EVALUATION_RESULTS_VALUE, ALERT_FLAPPING, ALERT_ID, ALERT_REASON, @@ -86,11 +73,6 @@ export { ALERT_ACTION_GROUP, ALERT_DURATION, ALERT_END, - ALERT_EVALUATION_RESULTS, - ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR, - ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE, - ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE, - ALERT_EVALUATION_RESULTS_VALUE, ALERT_FLAPPING, ALERT_ID, ALERT_REASON, diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts index 87d64c0ebfc89a..438131810807ec 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts @@ -9,11 +9,6 @@ import { ALERT_ACTION_GROUP, ALERT_DURATION, ALERT_END, - ALERT_EVALUATION_RESULTS, - ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR, - ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE, - ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE, - ALERT_EVALUATION_RESULTS_VALUE, ALERT_FLAPPING, ALERT_ID, ALERT_REASON, @@ -148,31 +143,6 @@ export const alertFieldMap = { array: true, required: false, }, - [ALERT_EVALUATION_RESULTS]: { - type: 'object', - array: true, - required: false, - }, - [ALERT_EVALUATION_RESULTS_THRESHOLDS_COMPARATOR]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_EVALUATION_RESULTS_THRESHOLDS_TYPE]: { - type: 'keyword', - array: false, - required: false, - }, - [ALERT_EVALUATION_RESULTS_THRESHOLDS_VALUE]: { - type: 'keyword', - array: true, - required: false, - }, - [ALERT_EVALUATION_RESULTS_VALUE]: { - type: 'float', - array: false, - required: false, - }, [ALERT_FLAPPING]: { type: 'boolean', array: false, 
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts index 222c05d6132121..ba3623526591f7 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.test.ts @@ -321,12 +321,10 @@ describe('Alerts Service', () => { test('should not install component template for context fieldMap is empty', async () => { alertsService.register({ context: 'empty', - fieldMap: { }, + fieldMap: {}, }); await new Promise((r) => setTimeout(r, 50)); - expect(await alertsService.isContextInitialized('empty')).toEqual( - true - ); + expect(await alertsService.isContextInitialized('empty')).toEqual(true); expect(clusterClient.ilm.putLifecycle).toHaveBeenCalledWith(IlmPutBody); 
@@ -334,34 +332,30 @@ describe('Alerts Service', () => { const componentTemplate1 = clusterClient.cluster.putComponentTemplate.mock.calls[0][0]; expect(componentTemplate1.name).toEqual('alerts-common-component-template'); - expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith( - { - name: `.alerts-empty-default-template`, - body: { - index_patterns: [`.alerts-empty-default-*`], - composed_of: [ - 'alerts-common-component-template', - ], - template: { - settings: { - auto_expand_replicas: '0-1', - hidden: true, - 'index.lifecycle': { - name: 'alerts-default-ilm-policy', - rollover_alias: `.alerts-empty-default`, - }, - 'index.mapping.total_fields.limit': 2500, - }, - mappings: { - dynamic: false, + expect(clusterClient.indices.putIndexTemplate).toHaveBeenCalledWith({ + name: `.alerts-empty-default-template`, + body: { + index_patterns: [`.alerts-empty-default-*`], + composed_of: ['alerts-common-component-template'], + template: { + settings: { + auto_expand_replicas: '0-1', + hidden: true, + 'index.lifecycle': { + name: 'alerts-default-ilm-policy', + rollover_alias: `.alerts-empty-default`, }, + 'index.mapping.total_fields.limit': 2500, }, - _meta: { - managed: true, + mappings: { + dynamic: false, }, }, - } - ); + _meta: { + managed: true, + }, + }, + }); expect(clusterClient.indices.getAlias).toHaveBeenCalledWith({ index: '.alerts-empty-default-*', }); diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts index 9173546024e672..13cb9bcd337f97 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/alerts_as_data.ts 
@@ -65,7 +65,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex }); it('should install context specific alerts as data resources on startup', async () => { - const componentTemplateName = 'alerts-test.always-firing-default-component-template'; + const componentTemplateName = 'alerts-test.always-firing-component-template'; const indexTemplateName = '.alerts-test.always-firing-default-template'; const indexName = '.alerts-test.always-firing-default-000001'; const contextSpecificMappings = { @@ -115,7 +115,7 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex ]); expect(contextIndexTemplate.index_template.composed_of).to.eql([ 'alerts-common-component-template', - 'alerts-test.always-firing-component-default-template', + 'alerts-test.always-firing-component-template', ]); expect(contextIndexTemplate.index_template.template!.mappings).to.eql({ dynamic: false, @@ -146,6 +146,14 @@ export default function createAlertsAsDataTest({ getService }: FtrProviderContex }, }); + expect(contextIndex[indexName].mappings).to.eql({ + dynamic: 'false', + properties: { + ...contextSpecificMappings, + ...commonFrameworkMappings.properties, + }, + }); + expect(contextIndex[indexName].settings?.index?.lifecycle).to.eql({ name: 'alerts-default-ilm-policy', rollover_alias: '.alerts-test.always-firing-default', From 3167b136eb6ff0ad0f08a15bf7f42b1b51896b4f Mon Sep 17 00:00:00 2001 From: Ying Date: Thu, 5 Jan 2023 17:46:16 -0500 Subject: [PATCH 37/42] Fixing unit test --- .../field_maps/mapping_from_field_map.test.ts | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index 04cd85d67869a1..01cdadbe39cc97 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts 
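Review bot: The new `mappings` assertion at the end of the third hunk compares `dynamic` against the string `'false'`, whereas the index-template assertion earlier in the same test compares it against the boolean `false`; without a comment the string will read as a typo, and if the get-mapping response for the concrete index really does serialize the setting as a string, that is worth stating next to the expectation. A one-line comment such as `// the concrete index reports dynamic as the string 'false', unlike the template body` above the `expect` would pin the intent. The test function continues outside the hunk.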
+++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts @@ -201,27 +201,6 @@ describe('mappingFromFieldMap', () => { end: { type: 'date', }, - evaluation_results: { - type: 'object', - properties: { - thresholds: { - properties: { - comparator: { - type: 'keyword', - }, - type: { - type: 'keyword', - }, - value: { - type: 'keyword', - }, - }, - }, - value: { - type: 'float', - }, - }, - }, flapping: { type: 'boolean', }, From 49ca18897d7d5f803cb02c94249f8108d7e6216a Mon Sep 17 00:00:00 2001 From: Ying Date: Mon, 9 Jan 2023 08:54:30 -0500 Subject: [PATCH 38/42] Reverting change to es query rule --- .../stack_alerts/server/rule_types/es_query/rule_type.ts | 4 ---- 1 file changed, 4 deletions(-) diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.ts index f8196712cd932e..c56f691cc2580d 100644 --- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.ts +++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.ts @@ -187,9 +187,5 @@ export function getRuleType( }, producer: STACK_ALERTS_FEATURE_ID, doesSetRecoveryContext: true, - alerts: { - context: 'stack', - fieldMap: {}, - }, }; } From ae6a7844f12bebf85940d4556fba1290bc709caf Mon Sep 17 00:00:00 2001 From: Ying Date: Mon, 9 Jan 2023 09:34:13 -0500 Subject: [PATCH 39/42] Adding comments to alerts as data fields --- .../src/default_alerts_as_data.ts | 50 +++++++++++++++++-- .../src/technical_field_names.ts | 2 +- .../field_maps/alert_field_map.ts | 6 --- .../field_maps/mapping_from_field_map.test.ts | 3 -- 4 files changed, 46 insertions(+), 15 deletions(-) diff --git a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts index aca216b68da650..b428bea94cdcd1 100644 --- a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts +++ b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts 
@@ -9,32 +9,74 @@ import { ValuesType } from 'utility-types'; const KIBANA_NAMESPACE = 'kibana' as const; +const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const; +const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const; + +// kibana.space_ids - space ID(s) of the rule that created this alert const SPACE_IDS = `${KIBANA_NAMESPACE}.space_ids` as const; + +// kibana.version - Kibana version that this alert was created const VERSION = `${KIBANA_NAMESPACE}.version` as const; -const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const; +// kibana.alert.action_group - framework action group ID for this alert const ALERT_ACTION_GROUP = `${ALERT_NAMESPACE}.action_group` as const; + +// kibana.alert.duration.us - alert duration in nanoseconds - updated each execution +// that the alert is active const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const; + +// kibana.alert.end - timestamp when the alert is auto-recovered by the framework const ALERT_END = `${ALERT_NAMESPACE}.end` as const; + +// kibana.alert.flapping - whether the alert is currently in a flapping state const ALERT_FLAPPING = `${ALERT_NAMESPACE}.flapping` as const; + +// kibana.alert.id - alert ID, also known as alert instance ID const ALERT_ID = `${ALERT_NAMESPACE}.id` as const; + +// kibana.alert.reason - human readable reason that this alert is active const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const; -const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const; + +// kibana.alert.start - timestamp when the alert is first active const ALERT_START = `${ALERT_NAMESPACE}.start` as const; + +// kibana.alert.status - active/recovered status of alert const ALERT_STATUS = `${ALERT_NAMESPACE}.status` as const; + +// kibana.alert.time_range - time range of alert from kibana.alert.start to now const ALERT_TIME_RANGE = `${ALERT_NAMESPACE}.time_range` as const; + +// kibana.alert.uuid - unique ID for the active span of this alert const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const; + 
+// kibana.alert.workflow_status - open/closed status of alert const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const; -const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const; +// kibana.alert.rule.category - rule type name for rule that generated this alert const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const; + +// kibana.alert.rule.consumer - consumer for rule that generated this alert const ALERT_RULE_CONSUMER = `${ALERT_RULE_NAMESPACE}.consumer` as const; + +// kibana.alert.rule.execution.uuid - unique ID for the rule execution that generated this alert const ALERT_RULE_EXECUTION_UUID = `${ALERT_RULE_NAMESPACE}.execution.uuid` as const; + +// kibana.alert.rule.name - rule name for rule that generated this alert const ALERT_RULE_NAME = `${ALERT_RULE_NAMESPACE}.name` as const; + +// kibana.alert.rule.parameters - rule parameters for rule that generated this alert const ALERT_RULE_PARAMETERS = `${ALERT_RULE_NAMESPACE}.parameters` as const; + +// kibana.alert.rule.producer - rule type producer for rule that generated this alert const ALERT_RULE_PRODUCER = `${ALERT_RULE_NAMESPACE}.producer` as const; + +// kibana.alert.rule.tags - rule tags for rule that generated this alert const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const; + +// kibana.alert.rule_type_id - rule type id for rule that generated this alert const ALERT_RULE_TYPE_ID = `${ALERT_RULE_NAMESPACE}.rule_type_id` as const; + +// kibana.alert.rule.uuid - rule ID for rule that generated this alert const ALERT_RULE_UUID = `${ALERT_RULE_NAMESPACE}.uuid` as const; const namespaces = { @@ -59,7 +101,6 @@ const fields = { ALERT_RULE_TAGS, ALERT_RULE_TYPE_ID, ALERT_RULE_UUID, - ALERT_SEVERITY, ALERT_START, ALERT_STATUS, ALERT_TIME_RANGE, @@ -85,7 +126,6 @@ export { ALERT_RULE_TAGS, ALERT_RULE_TYPE_ID, ALERT_RULE_UUID, - ALERT_SEVERITY, ALERT_START, ALERT_STATUS, ALERT_TIME_RANGE, 
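Review bot: The comment added for `ALERT_RULE_TYPE_ID` names the field `kibana.alert.rule_type_id`, but the constant is built from `ALERT_RULE_NAMESPACE`, so its value is `kibana.alert.rule.rule_type_id`; the comment should read `// kibana.alert.rule.rule_type_id - rule type id for rule that generated this alert`. The `ALERT_DURATION` comment says the duration is in nanoseconds while the field name ends in `.us`, which by the usual convention means microseconds — whichever unit the framework actually writes, the suffix and the comment should agree, since consumers will size thresholds from whichever they trust. The `VERSION` comment is also missing a word: `// kibana.version - Kibana version that this alert was created in`. The hunk ends at the opening of `namespaces`, whose body is outside it.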
diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts index fe90a36443cff0..873a7d87122864 100644 --- a/packages/kbn-rule-data-utils/src/technical_field_names.ts +++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts @@ -23,7 +23,6 @@ import { ALERT_RULE_TAGS, ALERT_RULE_TYPE_ID, ALERT_RULE_UUID, - ALERT_SEVERITY, ALERT_START, ALERT_STATUS, ALERT_TIME_RANGE, @@ -50,6 +49,7 @@ const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; const ALERT_INSTANCE_ID = `${ALERT_NAMESPACE}.instance.id` as const; const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const; +const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const; const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const; const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const; const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const; diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts index 438131810807ec..4613415e0fa002 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/alert_field_map.ts @@ -21,7 +21,6 @@ import { ALERT_RULE_TAGS, ALERT_RULE_TYPE_ID, ALERT_RULE_UUID, - ALERT_SEVERITY, ALERT_START, ALERT_STATUS, ALERT_TIME_RANGE, @@ -88,11 +87,6 @@ export const alertFieldMap = { array: false, required: false, }, - [ALERT_SEVERITY]: { - type: 'keyword', - array: false, - required: false, - }, [ALERT_STATUS]: { type: 'keyword', array: false, 
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts index 01cdadbe39cc97..2f2cac2367e8bd 100644 --- a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts +++ b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts @@ -246,9 +246,6 @@ describe('mappingFromFieldMap', () => { }, }, }, - severity: { - type: 'keyword', - }, start: { type: 'date', }, From 277647446dc4b8284566f9bf6b433d489c93b7d4 Mon Sep 17 00:00:00 2001 From: Ying Date: Mon, 9 Jan 2023 09:54:24 -0500 Subject: [PATCH 40/42] Fixing types --- packages/kbn-rule-data-utils/src/technical_field_names.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts index 873a7d87122864..89eca0f9230464 100644 --- a/packages/kbn-rule-data-utils/src/technical_field_names.ts +++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts @@ -210,6 +210,7 @@ export { ALERT_RULE_UPDATED_AT, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, + ALERT_SEVERITY, ALERT_SYSTEM_STATUS, ECS_VERSION, EVENT_ACTION, From 9d48b9f57e51be86c945f080bea2f562d4983827 Mon Sep 17 00:00:00 2001 From: Ying Date: Mon, 23 Jan 2023 08:18:03 -0500 Subject: [PATCH 41/42] PR feedback --- .../alerting/server/alerts_service/alerts_service.ts | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index 880387b0c673e5..a3d36fa371e93a 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts 
@@ -478,6 +478,7 @@ export class AlertsService implements IAlertsService { installFn: () => Promise, timeoutMs: number = INSTALLATION_TIMEOUT ): Promise { + let serverStopped: boolean = false; try { let timeoutId: NodeJS.Timeout; const install = async (): Promise => { @@ -496,8 +497,8 @@ export class AlertsService implements IAlertsService { firstValueFrom(this.options.pluginStop$).then(() => { clearTimeout(timeoutId); - const msg = 'Server is stopping; must stop all async operations'; - reject(new Error(msg)); + serverStopped = true; + reject(new Error('Server is stopping; must stop all async operations')); }); }); }; @@ -506,7 +507,7 @@ export class AlertsService implements IAlertsService { } catch (e) { this.options.logger.error(e); - if (e?.message.indexOf('Server is stopping') < 0) { + if (!serverStopped) { const reason = e?.message || 'Unknown reason'; throw new Error(`Failure during installation. ${reason}`); } From 6b74e18c233a5113c6d28e6b531debb15ffeeb7f Mon Sep 17 00:00:00 2001 From: Ying Date: Mon, 23 Jan 2023 09:56:29 -0500 Subject: [PATCH 42/42] Throwing error regardless --- .../alerting/server/alerts_service/alerts_service.ts | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts index a3d36fa371e93a..0742be50c4fa40 100644 --- a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts +++ b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts @@ -478,7 +478,6 @@ export class AlertsService implements IAlertsService { installFn: () => Promise, timeoutMs: number = INSTALLATION_TIMEOUT ): Promise { - let serverStopped: boolean = false; try { let timeoutId: NodeJS.Timeout; const install = async (): Promise => { 
@@ -497,7 +496,6 @@ export class AlertsService implements IAlertsService { firstValueFrom(this.options.pluginStop$).then(() => { clearTimeout(timeoutId); - serverStopped = true; reject(new Error('Server is stopping; must stop all async operations')); }); }); @@ -507,10 +505,8 @@ export class AlertsService implements IAlertsService { } catch (e) { this.options.logger.error(e); - if (!serverStopped) { - const reason = e?.message || 'Unknown reason'; - throw new Error(`Failure during installation. ${reason}`); - } + const reason = e?.message || 'Unknown reason'; + throw new Error(`Failure during installation. ${reason}`); } } }
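Review bot: The rethrow in the last hunk builds a fresh `Error` from `e?.message` alone, so the original stack and any structured properties of the underlying Elasticsearch error are gone by the time the caller sees it; `throw new Error(`Failure during installation. ${reason}`, { cause: e });` keeps them attached if the project's compile target accepts the ES2022 `cause` option, otherwise wrapping in a small custom error that stores the original would do. With the `serverStopped` guard removed, a rejection from the `pluginStop$` branch is now also logged at error level and rethrown as an installation failure; since the commit title says that is intended, a short comment on the `catch`, e.g. `// a server-stop rejection is reported as a failed install as well`, would keep the next reader from reinstating the guard. `e?.message` also assumes the catch variable is not typed `unknown` — if `useUnknownInCatchVariables` is on, narrow with `e instanceof Error ? e.message : String(e)`. `installWithTimeout` starts outside the hunk.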