You're viewing version 2.8 of the OpenSearch documentation. This version is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.
Mappings APIs
The following APIs can be used for a number of tasks related to mappings, from creating to getting and updating mappings.
Get Mappings View
Example request
GET /_plugins/_security_analytics/mappings/view
{
"index_name": "windows",
"rule_topic": "windows"
}
Example response
{
"properties": {
"windows-event_data-CommandLine": {
"path": "CommandLine",
"type": "alias"
},
"event_uid": {
"path": "EventID",
"type": "alias"
}
},
"unmapped_index_fields": [
"windows-event_data-CommandLine",
"unmapped_HiveName",
"src_ip",
"sha1",
"processPath",
"CallerProcessName",
"CallTrace",
"AuthenticationPackageName",
"AuditSourceName",
"AuditPolicyChanges",
"AttributeValue",
"AttributeLDAPDisplayName",
"ApplicationPath",
"Application",
"AllowedToDelegateTo",
"Address",
"Action",
"AccountType",
"AccountName",
"Accesses",
"AccessMask",
"AccessList"
]
}
Create Mappings
Example request
POST /_plugins/_security_analytics/mappings
{
"index_name": "windows",
"rule_topic": "windows",
"partial": true,
"alias_mappings": {
"properties": {
"event_uid": {
"type": "alias",
"path": "EventID"
}
}
}
}
Example response
{
"acknowledged": true
}
Get Mappings
Example request
GET /_plugins/_security_analytics/mappings
Example response
{
"windows": {
"mappings": {
"properties": {
"windows-event_data-CommandLine": {
"type": "alias",
"path": "CommandLine"
},
"event_uid": {
"type": "alias",
"path": "EventID"
}
}
}
}
}
Update Mappings
Example request
PUT /_plugins/_security_analytics/mappings
{
"index_name": "windows",
"field": "CommandLine",
"alias": "windows-event_data-CommandLine"
}
Example response
{
"acknowledged": true
}