From e15bae8e73853a2da971f25985200dd1516df562 Mon Sep 17 00:00:00 2001 
From: Fede Galland <99492720+f-galland@users.noreply.github.com> Date: Wed, 13 Nov 2024 08:30:58 -0300 Subject: [PATCH] Update indices with agents information (#544) * Migrate 525 to 2.17.1 * Adding custom agent.host custom field definitions to remaining indices * Add custom fields to index templates * Fix host custom schema * Fix host custom schema in networks template * Fix host custom schema in ports template * Fix host field in states-vulnerabilities * Include specific agent fields in alerts index subset * Add agent and host fields to states-fim * Add host fields to alerts top level * Add agent fields to states-inventory-hardware * Add agent fields to states-inventory-hardware * Add agent fields to states-inventory-hotfixes * Add agent fields to states-inventory-packages * Add agent fields to states-inventory-ports * Add agent fields to states-inventory-processes * Add agent fields to states-inventory-system * Add all-in-one script --------- Co-authored-by: Alex Ruiz --- ecs/README.md | 40 ++++++++++++++++--- ecs/agent/fields/custom/agent.yml | 9 ++++- ecs/agent/fields/custom/host.yml | 6 +++ ecs/agent/fields/custom/os.yml | 6 +++ ecs/agent/fields/custom/risk.yml | 6 +++ ecs/agent/fields/subset.yml | 10 ++--- ecs/alerts/fields/custom/agent.yml | 22 +++++++++- ecs/alerts/fields/custom/host.yml | 6 +++ ecs/alerts/fields/custom/os.yml | 6 +++ ecs/alerts/fields/custom/risk.yml | 6 +++ ecs/alerts/fields/subset.yml | 9 ++++- ecs/states-fim/fields/custom/host.yml | 6 +++ ecs/states-fim/fields/custom/os.yml | 6 +++ ecs/states-fim/fields/custom/risk.yml | 6 +++ ecs/states-fim/fields/subset.yml | 9 ++++- .../fields/custom/agent.yml | 21 ++++++++++ .../fields/custom/host.yml | 8 ++-- .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/subset.yml | 21 ++++------ .../fields/custom/agent.yml | 21 ++++++++++ .../fields/custom/host.yml | 6 +++ .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/subset.yml | 11 ++++- 
.../fields/custom/agent.yml | 21 ++++++++++ .../fields/custom/host.yml | 7 +++- .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/subset.yml | 25 ++++-------- .../fields/custom/agent.yml | 21 ++++++++++ .../fields/custom/host.yml | 6 +++ .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/subset.yml | 9 ++++- .../fields/custom/agent.yml | 21 ++++++++++ .../fields/custom/host.yml | 7 +++- .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ ecs/states-inventory-ports/fields/subset.yml | 17 ++++---- .../fields/custom/agent.yml | 21 ++++++++++ .../fields/custom/host.yml | 6 +++ .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/subset.yml | 9 ++++- .../fields/custom/agent.yml | 21 ++++++++++ .../fields/custom/host.yml | 6 +++ .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ ecs/states-inventory-system/fields/subset.yml | 19 ++++----- .../fields/custom/agent.yml | 20 ++++++++++ .../fields/custom/host.yml | 6 +++ .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ ecs/states-vulnerabilities/fields/subset.yml | 19 +++++---- 55 files changed, 504 insertions(+), 94 deletions(-) create mode 100644 ecs/agent/fields/custom/host.yml create mode 100644 ecs/agent/fields/custom/os.yml create mode 100644 ecs/agent/fields/custom/risk.yml create mode 100644 ecs/alerts/fields/custom/host.yml create mode 100644 ecs/alerts/fields/custom/os.yml create mode 100644 ecs/alerts/fields/custom/risk.yml create mode 100644 ecs/states-fim/fields/custom/host.yml create mode 100644 ecs/states-fim/fields/custom/os.yml create mode 100644 ecs/states-fim/fields/custom/risk.yml create mode 100644 ecs/states-inventory-hardware/fields/custom/os.yml create mode 100644 ecs/states-inventory-hardware/fields/custom/risk.yml create mode 100644 ecs/states-inventory-hotfixes/fields/custom/host.yml create mode 100644 ecs/states-inventory-hotfixes/fields/custom/os.yml create mode 
100644 ecs/states-inventory-hotfixes/fields/custom/risk.yml create mode 100644 ecs/states-inventory-networks/fields/custom/os.yml create mode 100644 ecs/states-inventory-networks/fields/custom/risk.yml create mode 100644 ecs/states-inventory-packages/fields/custom/host.yml create mode 100644 ecs/states-inventory-packages/fields/custom/os.yml create mode 100644 ecs/states-inventory-packages/fields/custom/risk.yml create mode 100644 ecs/states-inventory-ports/fields/custom/os.yml create mode 100644 ecs/states-inventory-ports/fields/custom/risk.yml create mode 100644 ecs/states-inventory-processes/fields/custom/host.yml create mode 100644 ecs/states-inventory-processes/fields/custom/os.yml create mode 100644 ecs/states-inventory-processes/fields/custom/risk.yml create mode 100644 ecs/states-inventory-system/fields/custom/host.yml create mode 100644 ecs/states-inventory-system/fields/custom/os.yml create mode 100644 ecs/states-inventory-system/fields/custom/risk.yml create mode 100644 ecs/states-vulnerabilities/fields/custom/host.yml create mode 100644 ecs/states-vulnerabilities/fields/custom/os.yml create mode 100644 ecs/states-vulnerabilities/fields/custom/risk.yml diff --git a/ecs/README.md b/ecs/README.md index 6ba6641b64ce9..35e4e783bbd98 100644 --- a/ecs/README.md +++ b/ecs/README.md 
@@ -45,16 +45,16 @@ files to generate the mappings. These are the inputs for the ECS generator. * INDEXER_SRC: Path to the wazuh-indexer repository * MODULE: Module to generate mappings for * --upload : Upload generated index template to the OpenSearch cluster. Defaults to https://localhost:9200 - Example: generate.sh v8.11.0 ~/wazuh-indexer vulnerability-detector --upload https://indexer:9200 + Example: generate.sh v8.11.0 ~/wazuh-indexer states-vulnerabilities --upload https://indexer:9200 ``` 3. Use the `generate.sh` script to generate the mappings for a module. The script takes 3 arguments, plus 2 optional arguments to upload the mappings to the `wazuh-indexer`. Both, composable and legacy mappings -are generated. For example, to generate the mappings for the `vulnerability-detector` module using the +are generated. For example, to generate the mappings for the `states-vulnerabilities` module using the ECS version `v8.11.0` and assuming that path of this repository is `~/wazuh/wazuh-indexer`: ```bash - ./generate.sh v8.11.0 ~/wazuh/wazuh-indexer vulnerability-detector + ./generate.sh v8.11.0 ~/wazuh/wazuh-indexer states-vulnerabilities ``` The tool will output the folder where they have been generated. @@ -62,7 +62,7 @@ are generated. For example, to generate the mappings for the `vulnerability-dete ```console Loading schemas from git ref v8.11.0 Running generator. ECS version 8.11.0 - Mappings saved to ~/wazuh/wazuh-indexer/ecs/vulnerability-detector/mappings/v8.11.0 + Mappings saved to ~/wazuh/wazuh-indexer/ecs/states-vulnerabilities/mappings/v8.11.0 ``` 4. When you are done. Exit the virtual environment. 
@@ -93,7 +93,7 @@ The script takes care of these changes automatically, generating the `opensearch You can either upload the index template using cURL or the UI (dev tools). ```bash -curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/wazuh-vulnerability-detector" -H "Content-Type: application/json" -d @opensearch-template.json +curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/wazuh-states-vulnerabilities" -H "Content-Type: application/json" -d @opensearch-template.json ``` Notes: @@ -117,7 +117,7 @@ are required. ### Event generator For testing purposes, the script `generate_events.py` can be used to generate events for a given module. -Currently, it is only able to generate events for the `vulnerability-detector` module. To support other +Currently, it is only able to generate events for the `states-vulnerabilities` module. To support other modules, please extend of refactor the script. The script prompts for the required parameters, so it can be launched without arguments: @@ -137,3 +137,31 @@ The script uses log file. Check it out for debugging or additional information. - [ECS repository](https://github.com/elastic/ecs) - [ECS usage](https://github.com/elastic/ecs/blob/main/USAGE.md) - [ECS field reference](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) + +### All-in-one script + +```bash +#!/bin/bash + +indices=( + agent + alerts + command + states-fim + states-inventory-hardware + states-inventory-hotfixes + states-inventory-networks + states-inventory-packages + states-inventory-ports + states-inventory-processes + states-inventory-system + states-vulnerabilities +) + +ECS="v8.11.0" +WI_REPO_PATH=~/wazuh/wazuh-indexer + +for index in "${indices[@]}"; do + bash generate.sh $ECS $WI_REPO_PATH "$index" +done +``` diff --git a/ecs/agent/fields/custom/agent.yml b/ecs/agent/fields/custom/agent.yml index 7e60469c0800f..03aa894c9d385 100644 --- a/ecs/agent/fields/custom/agent.yml 
+++ b/ecs/agent/fields/custom/agent.yml @@ -20,8 +20,13 @@ level: custom description: > The last time the agent logged in. - - name: is_connected - type: boolean + - name: status + type: keyword level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/agent/fields/custom/host.yml b/ecs/agent/fields/custom/host.yml new file mode 100644 index 0000000000000..4398a5d791e6a --- /dev/null +++ b/ecs/agent/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: false + expected: + - agent \ No newline at end of file diff --git a/ecs/agent/fields/custom/os.yml b/ecs/agent/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/agent/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/agent/fields/custom/risk.yml b/ecs/agent/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/agent/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/agent/fields/subset.yml b/ecs/agent/fields/subset.yml index 2d24cd20429f2..93442c30b420c 100644 --- a/ecs/agent/fields/subset.yml +++ b/ecs/agent/fields/subset.yml @@ -13,10 +13,6 @@ fields: groups: {} key: {} last_login: {} - is_connected: {} - host: - fields: - ip: {} - os: - fields: - full: {} \ No newline at end of file + status: {} + host: + fields: "*" \ No newline at end of file diff --git a/ecs/alerts/fields/custom/agent.yml b/ecs/alerts/fields/custom/agent.yml index 3482123af637a..060c820218b8a 100644 --- a/ecs/alerts/fields/custom/agent.yml +++ b/ecs/alerts/fields/custom/agent.yml 
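Review bot: The rename of `agent.is_connected` (boolean) to `agent.status` (keyword) in this hunk is a breaking mapping change that the field description does not mention: indices already created from the previous template keep `is_connected`, and a saved query or dashboard filtering on it will silently match nothing rather than fail. I would record the migration in the description itself, e.g. `Replaces the former boolean field \`agent.is_connected\`.`, so the generated template and docs carry it. As far as the ECS generator is concerned `allowed_values` (`active`, `disconnected`) is documentation only and does not constrain what gets indexed, so if other statuses can be emitted they should be listed here as well.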
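Review bot: The `host: fields: "*"` selection that replaces the explicit `ip` and `os.full` list in this subset.yml hunk pulls every ECS host field into `agent.host`, and with the new `os.yml` and `risk.yml` marking `os` and `risk` as expected under `agent.host`, presumably their nested fields too; nothing in the hunk says whether this widening is intended or a shortcut. A one-line comment above it, `# intentionally the full ECS host set (incl. os, risk); trim if mapping size becomes a problem`, would make the choice reviewable. The same wildcard is introduced in the other subset.yml hunks (alerts, states-fim, the states-inventory-* files and states-vulnerabilities), and several of those (states-fim, hotfixes, packages, processes, system) also add a top-level `host: fields: "*"` next to `agent.host`, so the host field set lands twice in those indices.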
@@ -9,4 +9,24 @@ type: keyword level: custom description: > - The groups the agent belongs to. + List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > + The agent's last login. + - name: status + type: keyword + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/alerts/fields/custom/host.yml b/ecs/alerts/fields/custom/host.yml new file mode 100644 index 0000000000000..a0356d13da657 --- /dev/null +++ b/ecs/alerts/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: true + expected: + - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/alerts/fields/custom/os.yml b/ecs/alerts/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/alerts/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/alerts/fields/custom/risk.yml b/ecs/alerts/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/alerts/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/alerts/fields/subset.yml b/ecs/alerts/fields/subset.yml index fa784b9806d6c..8e9508407de7f 100644 --- a/ecs/alerts/fields/subset.yml +++ b/ecs/alerts/fields/subset.yml @@ -4,7 +4,14 @@ fields: base: fields: "*" agent: - fields: "*" + fields: + groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" as: fields: "*" client: 
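Review bot: The new `key` field in this hunk is described as the agent's registration key, i.e. a credential-like value, yet nothing in the definition marks it as sensitive; the alerts subset.yml in this same patch leaves it out, but the definition is copied verbatim into nine custom agent.yml files (all resolving to blob `060c820218b8a`), so a single `fields: "*"` on `agent` in any of those subsets would start indexing it. Add a comment above `- name: key` such as `# Sensitive: agent registration key. Today only the ecs/agent index selects it; do not add it to other subset.yml files.` Beyond that, nine directories now carry byte-identical copies of this definition, so drift in one will go unnoticed (the `last_login` description here, "The agent's last login.", already differs from what appears to be the ecs/agent wording "The last time the agent logged in."); a shared include or a generator-level consistency check would be worth considering. The same additions appear in the states-inventory-* and states-vulnerabilities custom agent.yml hunks.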
diff --git a/ecs/states-fim/fields/custom/host.yml b/ecs/states-fim/fields/custom/host.yml new file mode 100644 index 0000000000000..a0356d13da657 --- /dev/null +++ b/ecs/states-fim/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: true + expected: + - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-fim/fields/custom/os.yml b/ecs/states-fim/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-fim/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-fim/fields/custom/risk.yml b/ecs/states-fim/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-fim/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-fim/fields/subset.yml b/ecs/states-fim/fields/subset.yml index 00be04f87e645..a9e6f01ce45b0 100644 --- a/ecs/states-fim/fields/subset.yml +++ b/ecs/states-fim/fields/subset.yml @@ -6,8 +6,13 @@ fields: tags: [] agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" file: fields: attributes: {} @@ -28,6 +33,8 @@ fields: type: {} uid: {} owner: {} + host: + fields: "*" registry: fields: key: {} diff --git a/ecs/states-inventory-hardware/fields/custom/agent.yml b/ecs/states-inventory-hardware/fields/custom/agent.yml index d1a6751bcc934..060c820218b8a 100644 --- a/ecs/states-inventory-hardware/fields/custom/agent.yml +++ b/ecs/states-inventory-hardware/fields/custom/agent.yml 
@@ -3,9 +3,30 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > + The agent's last login. + - name: status + type: keyword + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/custom/host.yml b/ecs/states-inventory-hardware/fields/custom/host.yml index 90cfdce2221dd..7df6e4dacae6d 100644 --- a/ecs/states-inventory-hardware/fields/custom/host.yml +++ b/ecs/states-inventory-hardware/fields/custom/host.yml @@ -1,9 +1,9 @@ --- - name: host - title: host - type: group - description: > - Host related data. + reusable: + top_level: true + expected: + - { at: agent, as: host } fields: - name: memory description: > diff --git a/ecs/states-inventory-hardware/fields/custom/os.yml b/ecs/states-inventory-hardware/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-hardware/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/custom/risk.yml b/ecs/states-inventory-hardware/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-hardware/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file 
diff --git a/ecs/states-inventory-hardware/fields/subset.yml b/ecs/states-inventory-hardware/fields/subset.yml index ededa27a75013..da5a194e26ddf 100644 --- a/ecs/states-inventory-hardware/fields/subset.yml +++ b/ecs/states-inventory-hardware/fields/subset.yml @@ -7,22 +7,15 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" observer: fields: serial_number: {} host: - fields: - memory: - fields: - total: {} - free: {} - used: - fields: - percentage: {} - cpu: - fields: - name: {} - cores: {} - speed: {} + fields: "*" diff --git a/ecs/states-inventory-hotfixes/fields/custom/agent.yml b/ecs/states-inventory-hotfixes/fields/custom/agent.yml index d1a6751bcc934..060c820218b8a 100644 --- a/ecs/states-inventory-hotfixes/fields/custom/agent.yml +++ b/ecs/states-inventory-hotfixes/fields/custom/agent.yml @@ -3,9 +3,30 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > + The agent's last login. + - name: status + type: keyword + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/custom/host.yml b/ecs/states-inventory-hotfixes/fields/custom/host.yml new file mode 100644 index 0000000000000..a0356d13da657 --- /dev/null +++ b/ecs/states-inventory-hotfixes/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: true + expected: + - { at: agent, as: host } \ No newline at end of file 
diff --git a/ecs/states-inventory-hotfixes/fields/custom/os.yml b/ecs/states-inventory-hotfixes/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-hotfixes/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/custom/risk.yml b/ecs/states-inventory-hotfixes/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-hotfixes/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/subset.yml b/ecs/states-inventory-hotfixes/fields/subset.yml index fcec48481c21e..7bb4f66950326 100644 --- a/ecs/states-inventory-hotfixes/fields/subset.yml +++ b/ecs/states-inventory-hotfixes/fields/subset.yml @@ -7,10 +7,17 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" + host: + fields: "*" package: fields: hotfix: fields: - name: {} \ No newline at end of file + name: {} diff --git a/ecs/states-inventory-networks/fields/custom/agent.yml b/ecs/states-inventory-networks/fields/custom/agent.yml index d1a6751bcc934..060c820218b8a 100644 --- a/ecs/states-inventory-networks/fields/custom/agent.yml +++ b/ecs/states-inventory-networks/fields/custom/agent.yml 
@@ -3,9 +3,30 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > + The agent's last login. + - name: status + type: keyword + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/custom/host.yml b/ecs/states-inventory-networks/fields/custom/host.yml index 1adf74051f434..dada3cf6c0288 100644 --- a/ecs/states-inventory-networks/fields/custom/host.yml +++ b/ecs/states-inventory-networks/fields/custom/host.yml @@ -1,6 +1,9 @@ --- - name: host - title: Host + reusable: + top_level: true + expected: + - { at: agent, as: host } fields: - name: network.egress.drops type: long @@ -21,4 +24,4 @@ type: long level: custom description: > - Number of reception errors. + Number of reception errors. \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/custom/os.yml b/ecs/states-inventory-networks/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-networks/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/custom/risk.yml b/ecs/states-inventory-networks/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-networks/fields/custom/risk.yml 
@@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/subset.yml b/ecs/states-inventory-networks/fields/subset.yml index d60366d6938aa..24392a19582a2 100644 --- a/ecs/states-inventory-networks/fields/subset.yml +++ b/ecs/states-inventory-networks/fields/subset.yml @@ -7,26 +7,15 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" host: - fields: - ip: {} - mac: {} - network: - fields: - egress: - fields: - bytes: {} - drops: {} - errors: {} - packets: {} - ingress: - fields: - bytes: {} - drops: {} - errors: {} - packets: {} + fields: "*" interface: fields: mtu: {} diff --git a/ecs/states-inventory-packages/fields/custom/agent.yml b/ecs/states-inventory-packages/fields/custom/agent.yml index d1a6751bcc934..060c820218b8a 100644 --- a/ecs/states-inventory-packages/fields/custom/agent.yml +++ b/ecs/states-inventory-packages/fields/custom/agent.yml @@ -3,9 +3,30 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > + The agent's last login. + - name: status + type: keyword + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/custom/host.yml b/ecs/states-inventory-packages/fields/custom/host.yml new file mode 100644 index 0000000000000..a0356d13da657 --- /dev/null +++ b/ecs/states-inventory-packages/fields/custom/host.yml 
@@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: true + expected: + - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/custom/os.yml b/ecs/states-inventory-packages/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-packages/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/custom/risk.yml b/ecs/states-inventory-packages/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-packages/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/subset.yml b/ecs/states-inventory-packages/fields/subset.yml index 49028288fea80..f2fdfb2fad9a0 100644 --- a/ecs/states-inventory-packages/fields/subset.yml +++ b/ecs/states-inventory-packages/fields/subset.yml @@ -7,8 +7,15 @@ fields: tags: [] agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" + host: + fields: "*" package: fields: architecture: "" diff --git a/ecs/states-inventory-ports/fields/custom/agent.yml b/ecs/states-inventory-ports/fields/custom/agent.yml index d1a6751bcc934..060c820218b8a 100644 --- a/ecs/states-inventory-ports/fields/custom/agent.yml +++ b/ecs/states-inventory-ports/fields/custom/agent.yml 
@@ -3,9 +3,30 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > + The agent's last login. + - name: status + type: keyword + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-ports/fields/custom/host.yml b/ecs/states-inventory-ports/fields/custom/host.yml index 57d032bb002c8..1ce10e63f92d4 100644 --- a/ecs/states-inventory-ports/fields/custom/host.yml +++ b/ecs/states-inventory-ports/fields/custom/host.yml @@ -1,6 +1,9 @@ --- - name: host - title: Host + reusable: + top_level: true + expected: + - { at: agent, as: host } fields: - name: network.ingress.queue type: long @@ -11,4 +14,4 @@ type: long level: custom description: > - Transmit queue length. + Transmit queue length. \ No newline at end of file diff --git a/ecs/states-inventory-ports/fields/custom/os.yml b/ecs/states-inventory-ports/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-ports/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-ports/fields/custom/risk.yml b/ecs/states-inventory-ports/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-ports/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file 
diff --git a/ecs/states-inventory-ports/fields/subset.yml b/ecs/states-inventory-ports/fields/subset.yml index 27e2ac6abcb02..549917083aaa8 100644 --- a/ecs/states-inventory-ports/fields/subset.yml +++ b/ecs/states-inventory-ports/fields/subset.yml @@ -7,8 +7,13 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" destination: fields: ip: {} @@ -20,15 +25,7 @@ fields: fields: inode: {} host: - fields: - network: - fields: -# egress: -# fields: -# queue: {} - ingress: - fields: - queue: {} + fields: "*" network: fields: protocol: {} diff --git a/ecs/states-inventory-processes/fields/custom/agent.yml b/ecs/states-inventory-processes/fields/custom/agent.yml index d1a6751bcc934..060c820218b8a 100644 --- a/ecs/states-inventory-processes/fields/custom/agent.yml +++ b/ecs/states-inventory-processes/fields/custom/agent.yml @@ -3,9 +3,30 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > + The agent's last login. + - name: status + type: keyword + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-processes/fields/custom/host.yml b/ecs/states-inventory-processes/fields/custom/host.yml new file mode 100644 index 0000000000000..a0356d13da657 --- /dev/null +++ b/ecs/states-inventory-processes/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: true + expected: + - { at: agent, as: host } \ No newline at end of file 
diff --git a/ecs/states-inventory-processes/fields/custom/os.yml b/ecs/states-inventory-processes/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-processes/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-processes/fields/custom/risk.yml b/ecs/states-inventory-processes/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-processes/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-processes/fields/subset.yml b/ecs/states-inventory-processes/fields/subset.yml index 29e97c8969d86..55693facfee71 100644 --- a/ecs/states-inventory-processes/fields/subset.yml +++ b/ecs/states-inventory-processes/fields/subset.yml @@ -7,8 +7,15 @@ fields: tags: [] agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" + host: + fields: "*" process: fields: pid: {} diff --git a/ecs/states-inventory-system/fields/custom/agent.yml b/ecs/states-inventory-system/fields/custom/agent.yml index d1a6751bcc934..060c820218b8a 100644 --- a/ecs/states-inventory-system/fields/custom/agent.yml +++ b/ecs/states-inventory-system/fields/custom/agent.yml 
@@ -3,9 +3,30 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > + The agent's last login. + - name: status + type: keyword + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/custom/host.yml b/ecs/states-inventory-system/fields/custom/host.yml new file mode 100644 index 0000000000000..a0356d13da657 --- /dev/null +++ b/ecs/states-inventory-system/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: true + expected: + - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/custom/os.yml b/ecs/states-inventory-system/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-system/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/custom/risk.yml b/ecs/states-inventory-system/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-system/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/subset.yml b/ecs/states-inventory-system/fields/subset.yml index fe9be3affb7af..c31262f1c8970 100644 --- a/ecs/states-inventory-system/fields/subset.yml 
+++ b/ecs/states-inventory-system/fields/subset.yml @@ -7,17 +7,12 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} - host: - fields: - architecture: {} - hostname: {} + id: {} name: {} - os: - fields: - kernel: {} - full: {} - platform: {} - version: {} - type: {} + type: {} + version: {} + host: + fields: "*" + host: + fields: "*" diff --git a/ecs/states-vulnerabilities/fields/custom/agent.yml b/ecs/states-vulnerabilities/fields/custom/agent.yml index 9feecf4e2da98..060c820218b8a 100644 --- a/ecs/states-vulnerabilities/fields/custom/agent.yml +++ b/ecs/states-vulnerabilities/fields/custom/agent.yml @@ -10,3 +10,23 @@ level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > + The agent's last login. + - name: status + type: keyword + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-vulnerabilities/fields/custom/host.yml b/ecs/states-vulnerabilities/fields/custom/host.yml new file mode 100644 index 0000000000000..a0356d13da657 --- /dev/null +++ b/ecs/states-vulnerabilities/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: true + expected: + - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-vulnerabilities/fields/custom/os.yml b/ecs/states-vulnerabilities/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-vulnerabilities/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file 
diff --git a/ecs/states-vulnerabilities/fields/custom/risk.yml b/ecs/states-vulnerabilities/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-vulnerabilities/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-vulnerabilities/fields/subset.yml b/ecs/states-vulnerabilities/fields/subset.yml index 6b616dfb624d0..d0b44d3a712f1 100644 --- a/ecs/states-vulnerabilities/fields/subset.yml +++ b/ecs/states-vulnerabilities/fields/subset.yml @@ -5,19 +5,18 @@ fields: fields: tags: [] agent: - fields: "*" + fields: + groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" package: fields: "*" host: - fields: - os: - fields: - full: "" - kernel: "" - name: "" - platform: "" - type: "" - version: "" + fields: "*" vulnerability: fields: "*" wazuh: