Nest ECS Host fields under Agent

[AlexRuiz7]

Description

As Wazuh can analyze information extracted from agentless devices, we want to differentiate the information about the hosts running Wazuh Agents and host information related to the event. In order to do so, we have decided to nest the Host fields under the Agent object. We are aware that this change breaks the ECS, but we remove confusions and achieve consistency instead. Moreover, we have decided to include every Host field in the mappings of every index so the Agents and the Engine can use them to their will.

Functional requirements

For every index (but .commands):

• Agents' information is included (see Enrich index templates with agents' information #525).
• All the ECS Host fields must be included in the mappings.
• ECS Host fields must be nested under the Agent object.
• Host fields are also present where expected in ECS (root level).

Implementation restrictions

• Use the existing tooling to regenerate the index templates.
• Update or modify the tooling if required.
• Changes apply to stateful and stateless indices.

Plan

• Update index definitions in wazuh-indexer/ecs
• Update event generators in wazuh-indexer/ecs
• Update index templates in wazuh-indexer-plugins/plugins/setup

[f-galland]

Reusing field groups is a built-in feature to the ecs tooling:

• https://github.com/elastic/ecs/blob/2ff030d0e0497fde043d8567588afd16b3dc858c/schemas/README.md?plain=1#L40

In order to nest the whole host object beneath agent, a custom yml schema needs to be added under agent/fields/custom that reads as follows:

---
- name: host
  reusable:
    top_level: false
    expected:
      - agent

This field also needs to be included in subset.yml:

name: agent
fields:
[...]
  agent:
    fields:
      [...]
      host:
        fields: "*"