From 271d17fec12b723a3988f23540fba97f5da0cfb5 Mon Sep 17 00:00:00 2001 From: f-galland Date: Tue, 12 Nov 2024 11:11:00 -0300 Subject: [PATCH 01/18] Migrate 525 to 2.17.1 --- ecs/agent/fields/custom/host.yml | 6 ++++++ ecs/agent/fields/custom/os.yml | 6 ++++++ ecs/agent/fields/custom/risk.yml | 6 ++++++ ecs/agent/fields/custom/wazuh-agent.yml | 9 +++++++-- ecs/agent/fields/subset.yml | 10 +++------- 5 files changed, 28 insertions(+), 9 deletions(-) create mode 100644 ecs/agent/fields/custom/host.yml create mode 100644 ecs/agent/fields/custom/os.yml create mode 100644 ecs/agent/fields/custom/risk.yml diff --git a/ecs/agent/fields/custom/host.yml b/ecs/agent/fields/custom/host.yml new file mode 100644 index 0000000000000..4398a5d791e6a --- /dev/null +++ b/ecs/agent/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: false + expected: + - agent \ No newline at end of file diff --git a/ecs/agent/fields/custom/os.yml b/ecs/agent/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/agent/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/agent/fields/custom/risk.yml b/ecs/agent/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/agent/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/agent/fields/custom/wazuh-agent.yml b/ecs/agent/fields/custom/wazuh-agent.yml index 0492778271095..7ad791f023672 100644 --- a/ecs/agent/fields/custom/wazuh-agent.yml +++ b/ecs/agent/fields/custom/wazuh-agent.yml 
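Review bot: The three new reusable stubs `host.yml`, `os.yml` and `risk.yml` are byte-identical (the `index` lines already show blob ids 4398a5d791e6a, 952c2d6e93a40 and 1c06213bc6205), and patch 02 copies the same three files into nine more `ecs/*/fields/custom/` directories, so every later adjustment has to be repeated ten times and the copies will drift. If the generator layout permits it, a single shared definition or a generation step would remove that duplication. Each file is also committed without a trailing newline. Nesting `risk` under `agent.host` declares the ECS risk fieldset for the agent's host; a one-line comment in `risk.yml` saying what is expected to populate it (`# populated by: <producer> — TODO confirm`) would help, since the `fields: "*"` wildcard in `subset.yml` will select it.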
@@ -20,8 +20,13 @@ level: custom description: > The agent's last login. - - name: is_connected - type: boolean + - name: status + type: keyword level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/agent/fields/subset.yml b/ecs/agent/fields/subset.yml index 2d24cd20429f2..93442c30b420c 100644 --- a/ecs/agent/fields/subset.yml +++ b/ecs/agent/fields/subset.yml @@ -13,10 +13,6 @@ fields: groups: {} key: {} last_login: {} - is_connected: {} - host: - fields: - ip: {} - os: - fields: - full: {} \ No newline at end of file + status: {} + host: + fields: "*" \ No newline at end of file From c357c76fb4252a78cc816355c616315f72ae8607 Mon Sep 17 00:00:00 2001 
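Review bot: `allowed_values` on the new `status` field lists only `active` and `disconnected`; in the ECS tooling `allowed_values` feeds the generated documentation rather than the mapping, so the `keyword` field accepts any string and nothing here validates or normalizes other states. If the producer can emit further connection states (the description ties the value to `agent.last_login`, which suggests at least a never-connected case), they should be listed so consumers and detection rules match on a closed set, or the ingest side must enforce it. The rename from `is_connected` (`boolean`) to `status` (`keyword`) also silently breaks any saved search or rule filtering on `agent.is_connected: true`; the commit message should call out the migration. The field list continues outside the hunk.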
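Review bot: Replacing the explicit `host.ip` and `host.os.full` selection with `host: fields: "*"` pulls the entire ECS `host` group, plus the `os` and `risk` groups this commit nests under `agent.host`, into the agent index mapping, a far larger field set than before. If only ip and os.full are actually populated, the extra fields cost mapping size and field-count budget and hide which host attributes the agent really reports; an explicit list, or a comment such as `# wildcard on purpose: agent reports the full ECS host block — TODO confirm`, would make the intent reviewable. The new last line is again committed without a trailing newline.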
From: f-galland Date: Tue, 12 Nov 2024 13:53:32 -0300 Subject: [PATCH 02/18] Adding custom agent.host custom field definitions to remaining indices --- ecs/alerts/fields/custom/agent.yml | 28 +++++++++- ecs/alerts/fields/custom/host.yml | 6 +++ ecs/alerts/fields/custom/os.yml | 6 +++ ecs/alerts/fields/custom/risk.yml | 6 +++ ecs/states-fim/fields/custom/host.yml | 6 +++ ecs/states-fim/fields/custom/os.yml | 6 +++ ecs/states-fim/fields/custom/risk.yml | 6 +++ .../fields/custom/agent.yml | 27 ++++++++++ .../fields/custom/host.yml | 54 ++----------------- .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/custom/agent.yml | 27 ++++++++++ .../fields/custom/host.yml | 6 +++ .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/custom/agent.yml | 27 ++++++++++ .../fields/custom/host.yml | 26 ++------- .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/custom/agent.yml | 27 ++++++++++ .../fields/custom/host.yml | 6 +++ .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/custom/agent.yml | 27 ++++++++++ .../fields/custom/host.yml | 16 ++---- .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/custom/agent.yml | 27 ++++++++++ .../fields/custom/host.yml | 6 +++ .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/custom/agent.yml | 27 ++++++++++ .../fields/custom/host.yml | 6 +++ .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ .../fields/custom/host.yml | 6 +++ .../fields/custom/os.yml | 6 +++ .../fields/custom/risk.yml | 6 +++ 38 files changed, 390 insertions(+), 85 deletions(-) create mode 100644 ecs/alerts/fields/custom/host.yml create mode 100644 ecs/alerts/fields/custom/os.yml create mode 100644 ecs/alerts/fields/custom/risk.yml create mode 100644 ecs/states-fim/fields/custom/host.yml create mode 100644 ecs/states-fim/fields/custom/os.yml create mode 100644 
ecs/states-fim/fields/custom/risk.yml create mode 100644 ecs/states-inventory-hardware/fields/custom/os.yml create mode 100644 ecs/states-inventory-hardware/fields/custom/risk.yml create mode 100644 ecs/states-inventory-hotfixes/fields/custom/host.yml create mode 100644 ecs/states-inventory-hotfixes/fields/custom/os.yml create mode 100644 ecs/states-inventory-hotfixes/fields/custom/risk.yml create mode 100644 ecs/states-inventory-networks/fields/custom/os.yml create mode 100644 ecs/states-inventory-networks/fields/custom/risk.yml create mode 100644 ecs/states-inventory-packages/fields/custom/host.yml create mode 100644 ecs/states-inventory-packages/fields/custom/os.yml create mode 100644 ecs/states-inventory-packages/fields/custom/risk.yml create mode 100644 ecs/states-inventory-ports/fields/custom/os.yml create mode 100644 ecs/states-inventory-ports/fields/custom/risk.yml create mode 100644 ecs/states-inventory-processes/fields/custom/host.yml create mode 100644 ecs/states-inventory-processes/fields/custom/os.yml create mode 100644 ecs/states-inventory-processes/fields/custom/risk.yml create mode 100644 ecs/states-inventory-system/fields/custom/host.yml create mode 100644 ecs/states-inventory-system/fields/custom/os.yml create mode 100644 ecs/states-inventory-system/fields/custom/risk.yml create mode 100644 ecs/states-vulnerabilities/fields/custom/host.yml create mode 100644 ecs/states-vulnerabilities/fields/custom/os.yml create mode 100644 ecs/states-vulnerabilities/fields/custom/risk.yml diff --git a/ecs/alerts/fields/custom/agent.yml b/ecs/alerts/fields/custom/agent.yml index 3482123af637a..97004593f75a7 100644 --- a/ecs/alerts/fields/custom/agent.yml +++ b/ecs/alerts/fields/custom/agent.yml 
@@ -9,4 +9,30 @@ type: keyword level: custom description: > - The groups the agent belongs to. + List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > +<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml + The agent's last login. + - name: status + type: keyword +======= + The last time the agent logged in. + - name: is_connected + type: boolean +>>>>>>> master:ecs/agent/fields/custom/agent.yml + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/alerts/fields/custom/host.yml b/ecs/alerts/fields/custom/host.yml new file mode 100644 index 0000000000000..4398a5d791e6a --- /dev/null +++ b/ecs/alerts/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: false + expected: + - agent \ No newline at end of file diff --git a/ecs/alerts/fields/custom/os.yml b/ecs/alerts/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/alerts/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/alerts/fields/custom/risk.yml b/ecs/alerts/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/alerts/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-fim/fields/custom/host.yml b/ecs/states-fim/fields/custom/host.yml new file mode 100644 index 0000000000000..4398a5d791e6a --- /dev/null +++ b/ecs/states-fim/fields/custom/host.yml 
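Review bot: The added block carries unresolved merge conflict markers (`<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml`, `=======`, `>>>>>>> master:ecs/agent/fields/custom/agent.yml`), so at this commit the file is not valid YAML and defines both `status` and `is_connected`; the same markers are committed in the agent.yml hunks for states-inventory-hardware, -hotfixes, -networks, -packages, -ports, -processes and -system in this patch. Patch 03 strips them again, but an intermediate commit the ECS generator cannot load breaks bisecting, so the resolution belongs here. Separately, `agent.key` is described as "The registration key of the agent"; if that is the enrollment/authentication secret rather than an opaque identifier, declaring it in the alerts and states schemas makes it readable by anyone with search access to those indices, so either keep it out of those indices' `subset.yml` or document that the value is not a secret. The reworded groups description also loses verb agreement; `List of groups the agent belongs to.`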
@@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: false + expected: + - agent \ No newline at end of file diff --git a/ecs/states-fim/fields/custom/os.yml b/ecs/states-fim/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-fim/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-fim/fields/custom/risk.yml b/ecs/states-fim/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-fim/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/custom/agent.yml b/ecs/states-inventory-hardware/fields/custom/agent.yml index d1a6751bcc934..97004593f75a7 100644 --- a/ecs/states-inventory-hardware/fields/custom/agent.yml +++ b/ecs/states-inventory-hardware/fields/custom/agent.yml @@ -3,9 +3,36 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > +<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml + The agent's last login. + - name: status + type: keyword +======= + The last time the agent logged in. + - name: is_connected + type: boolean +>>>>>>> master:ecs/agent/fields/custom/agent.yml + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file 
diff --git a/ecs/states-inventory-hardware/fields/custom/host.yml b/ecs/states-inventory-hardware/fields/custom/host.yml index 90cfdce2221dd..4398a5d791e6a 100644 --- a/ecs/states-inventory-hardware/fields/custom/host.yml +++ b/ecs/states-inventory-hardware/fields/custom/host.yml @@ -1,52 +1,6 @@ --- - name: host - title: host - type: group - description: > - Host related data. - fields: - - name: memory - description: > - Memory related data - type: object - level: custom - - name: memory.total - description: > - Total memory in MB - type: long - level: custom - - name: memory.free - description: > - Free memory in MB - type: long - level: custom - - name: memory.used - description: > - Used memory related data - type: object - level: custom - - name: memory.used.percentage - description: > - Used memory percentage - type: long - level: custom - - name: cpu - description: > - CPU related data - type: object - level: custom - - name: cpu.name - description: > - CPU Model name - type: keyword - level: custom - - name: cpu.cores - description: > - Number of CPU cores - type: long - level: custom - - name: cpu.speed - description: > - CPU clock speed - type: long - level: custom \ No newline at end of file + reusable: + top_level: false + expected: + - agent \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/custom/os.yml b/ecs/states-inventory-hardware/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-hardware/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/custom/risk.yml b/ecs/states-inventory-hardware/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-hardware/fields/custom/risk.yml 
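Review bot: The custom `host.memory.*` and `host.cpu.*` definitions (total, free, used.percentage, name, cores, speed) are deleted and the group becomes a bare stub that only nests ECS `host` under `agent`, but nothing else in the patch re-declares those hardware fields, so the hardware index loses its own data; the same pattern removes `host.network.egress/ingress.drops` and `.errors` in states-inventory-networks and `host.network.ingress/egress.queue` in states-inventory-ports. If the agent keeps sending those keys, whether they are dynamically mapped with guessed types or rejected depends on the template's `dynamic` setting, which this commit does not address. If the intent is to move them under `agent.host`, the definitions should move with the rename rather than disappear, and the commit message should say so.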
@@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/custom/agent.yml b/ecs/states-inventory-hotfixes/fields/custom/agent.yml index d1a6751bcc934..97004593f75a7 100644 --- a/ecs/states-inventory-hotfixes/fields/custom/agent.yml +++ b/ecs/states-inventory-hotfixes/fields/custom/agent.yml @@ -3,9 +3,36 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > +<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml + The agent's last login. + - name: status + type: keyword +======= + The last time the agent logged in. + - name: is_connected + type: boolean +>>>>>>> master:ecs/agent/fields/custom/agent.yml + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/custom/host.yml b/ecs/states-inventory-hotfixes/fields/custom/host.yml new file mode 100644 index 0000000000000..4398a5d791e6a --- /dev/null +++ b/ecs/states-inventory-hotfixes/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: false + expected: + - agent \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/custom/os.yml b/ecs/states-inventory-hotfixes/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-hotfixes/fields/custom/os.yml 
@@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/custom/risk.yml b/ecs/states-inventory-hotfixes/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-hotfixes/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/custom/agent.yml b/ecs/states-inventory-networks/fields/custom/agent.yml index d1a6751bcc934..97004593f75a7 100644 --- a/ecs/states-inventory-networks/fields/custom/agent.yml +++ b/ecs/states-inventory-networks/fields/custom/agent.yml @@ -3,9 +3,36 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > +<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml + The agent's last login. + - name: status + type: keyword +======= + The last time the agent logged in. + - name: is_connected + type: boolean +>>>>>>> master:ecs/agent/fields/custom/agent.yml + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/custom/host.yml b/ecs/states-inventory-networks/fields/custom/host.yml index 1adf74051f434..4398a5d791e6a 100644 --- a/ecs/states-inventory-networks/fields/custom/host.yml +++ b/ecs/states-inventory-networks/fields/custom/host.yml 
@@ -1,24 +1,6 @@ --- - name: host - title: Host - fields: - - name: network.egress.drops - type: long - level: custom - description: > - Number of dropped transmitted packets. - - name: network.egress.errors - type: long - level: custom - description: > - Number of transmission errors. - - name: network.ingress.drops - type: long - level: custom - description: > - Number of dropped received packets. - - name: network.ingress.errors - type: long - level: custom - description: > - Number of reception errors. + reusable: + top_level: false + expected: + - agent \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/custom/os.yml b/ecs/states-inventory-networks/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-networks/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/custom/risk.yml b/ecs/states-inventory-networks/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-networks/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/custom/agent.yml b/ecs/states-inventory-packages/fields/custom/agent.yml index d1a6751bcc934..97004593f75a7 100644 --- a/ecs/states-inventory-packages/fields/custom/agent.yml +++ b/ecs/states-inventory-packages/fields/custom/agent.yml 
@@ -3,9 +3,36 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > +<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml + The agent's last login. + - name: status + type: keyword +======= + The last time the agent logged in. + - name: is_connected + type: boolean +>>>>>>> master:ecs/agent/fields/custom/agent.yml + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/custom/host.yml b/ecs/states-inventory-packages/fields/custom/host.yml new file mode 100644 index 0000000000000..4398a5d791e6a --- /dev/null +++ b/ecs/states-inventory-packages/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: false + expected: + - agent \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/custom/os.yml b/ecs/states-inventory-packages/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-packages/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/custom/risk.yml b/ecs/states-inventory-packages/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-packages/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file 
diff --git a/ecs/states-inventory-ports/fields/custom/agent.yml b/ecs/states-inventory-ports/fields/custom/agent.yml index d1a6751bcc934..97004593f75a7 100644 --- a/ecs/states-inventory-ports/fields/custom/agent.yml +++ b/ecs/states-inventory-ports/fields/custom/agent.yml @@ -3,9 +3,36 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > +<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml + The agent's last login. + - name: status + type: keyword +======= + The last time the agent logged in. + - name: is_connected + type: boolean +>>>>>>> master:ecs/agent/fields/custom/agent.yml + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-ports/fields/custom/host.yml b/ecs/states-inventory-ports/fields/custom/host.yml index 57d032bb002c8..4398a5d791e6a 100644 --- a/ecs/states-inventory-ports/fields/custom/host.yml +++ b/ecs/states-inventory-ports/fields/custom/host.yml @@ -1,14 +1,6 @@ --- - name: host - title: Host - fields: - - name: network.ingress.queue - type: long - level: custom - description: > - Receive queue length. - - name: network.egress.queue - type: long - level: custom - description: > - Transmit queue length. + reusable: + top_level: false + expected: + - agent \ No newline at end of file diff --git a/ecs/states-inventory-ports/fields/custom/os.yml b/ecs/states-inventory-ports/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-ports/fields/custom/os.yml 
@@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-ports/fields/custom/risk.yml b/ecs/states-inventory-ports/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-ports/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-processes/fields/custom/agent.yml b/ecs/states-inventory-processes/fields/custom/agent.yml index d1a6751bcc934..97004593f75a7 100644 --- a/ecs/states-inventory-processes/fields/custom/agent.yml +++ b/ecs/states-inventory-processes/fields/custom/agent.yml @@ -3,9 +3,36 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > +<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml + The agent's last login. + - name: status + type: keyword +======= + The last time the agent logged in. + - name: is_connected + type: boolean +>>>>>>> master:ecs/agent/fields/custom/agent.yml + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-processes/fields/custom/host.yml b/ecs/states-inventory-processes/fields/custom/host.yml new file mode 100644 index 0000000000000..4398a5d791e6a --- /dev/null +++ b/ecs/states-inventory-processes/fields/custom/host.yml 
@@ -0,0 +1,6 @@
+---
+- name: host
+ reusable:
+ top_level: false
+ expected:
+ - agent
\ No newline at end of file
diff --git a/ecs/states-inventory-processes/fields/custom/os.yml b/ecs/states-inventory-processes/fields/custom/os.yml
new file mode 100644
index 0000000000000..952c2d6e93a40
--- /dev/null
+++ b/ecs/states-inventory-processes/fields/custom/os.yml
@@ -0,0 +1,6 @@
+---
+- name: os
+ reusable:
+ top_level: false
+ expected:
+ - agent.host
\ No newline at end of file
diff --git a/ecs/states-inventory-processes/fields/custom/risk.yml b/ecs/states-inventory-processes/fields/custom/risk.yml
new file mode 100644
index 0000000000000..1c06213bc6205
--- /dev/null
+++ b/ecs/states-inventory-processes/fields/custom/risk.yml
@@ -0,0 +1,6 @@
+---
+- name: risk
+ reusable:
+ top_level: false
+ expected:
+ - agent.host
\ No newline at end of file
diff --git a/ecs/states-inventory-system/fields/custom/agent.yml b/ecs/states-inventory-system/fields/custom/agent.yml
index d1a6751bcc934..97004593f75a7 100644
--- a/ecs/states-inventory-system/fields/custom/agent.yml
+++ b/ecs/states-inventory-system/fields/custom/agent.yml
@@ -3,9 +3,36 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group + group: 2 fields: - name: groups type: keyword level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > +<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml + The agent's last login. + - name: status + type: keyword +======= + The last time the agent logged in. + - name: is_connected + type: boolean +>>>>>>> master:ecs/agent/fields/custom/agent.yml + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/custom/host.yml b/ecs/states-inventory-system/fields/custom/host.yml new file mode 100644 index 0000000000000..4398a5d791e6a --- /dev/null +++ b/ecs/states-inventory-system/fields/custom/host.yml @@ -0,0 +1,6 @@ +--- +- name: host + reusable: + top_level: false + expected: + - agent \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/custom/os.yml b/ecs/states-inventory-system/fields/custom/os.yml new file mode 100644 index 0000000000000..952c2d6e93a40 --- /dev/null +++ b/ecs/states-inventory-system/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/custom/risk.yml b/ecs/states-inventory-system/fields/custom/risk.yml new file mode 100644 index 0000000000000..1c06213bc6205 --- /dev/null +++ b/ecs/states-inventory-system/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host \ No newline at end of file 
diff --git a/ecs/states-vulnerabilities/fields/custom/host.yml b/ecs/states-vulnerabilities/fields/custom/host.yml
new file mode 100644
index 0000000000000..4398a5d791e6a
--- /dev/null
+++ b/ecs/states-vulnerabilities/fields/custom/host.yml
@@ -0,0 +1,6 @@
+---
+- name: host
+ reusable:
+ top_level: false
+ expected:
+ - agent
\ No newline at end of file
diff --git a/ecs/states-vulnerabilities/fields/custom/os.yml b/ecs/states-vulnerabilities/fields/custom/os.yml
new file mode 100644
index 0000000000000..952c2d6e93a40
--- /dev/null
+++ b/ecs/states-vulnerabilities/fields/custom/os.yml
@@ -0,0 +1,6 @@
+---
+- name: os
+ reusable:
+ top_level: false
+ expected:
+ - agent.host
\ No newline at end of file
diff --git a/ecs/states-vulnerabilities/fields/custom/risk.yml b/ecs/states-vulnerabilities/fields/custom/risk.yml
new file mode 100644
index 0000000000000..1c06213bc6205
--- /dev/null
+++ b/ecs/states-vulnerabilities/fields/custom/risk.yml
@@ -0,0 +1,6 @@
+---
+- name: risk
+ reusable:
+ top_level: false
+ expected:
+ - agent.host
\ No newline at end of file
From 2cd512ede1e170e1a2ea6bbd21863f4c8dd3d3a8 Mon Sep 17 00:00:00 2001
From: f-galland Date: Tue, 12 Nov 2024 14:48:26 -0300 Subject: [PATCH 03/18] Add custom fields to index templates --- ecs/agent/fields/custom/agent.yml | 6 ---- ecs/alerts/fields/custom/agent.yml | 6 ---- ecs/states-fim/fields/subset.yml | 2 ++ .../fields/custom/agent.yml | 6 ---- .../fields/custom/host.yml | 4 +-- .../fields/subset.yml | 29 ++++++++++--------- .../fields/custom/agent.yml | 6 ---- .../fields/subset.yml | 4 ++- .../fields/custom/agent.yml | 6 ---- .../fields/subset.yml | 2 ++ .../fields/custom/agent.yml | 6 ---- .../fields/subset.yml | 2 ++ .../fields/custom/agent.yml | 6 ---- ecs/states-inventory-ports/fields/subset.yml | 2 ++ .../fields/custom/agent.yml | 6 ---- .../fields/subset.yml | 4 ++- .../fields/custom/agent.yml | 6 ---- ecs/states-inventory-system/fields/subset.yml | 2 ++ .../fields/custom/agent.yml | 20 +++++++++++++ 19 files changed, 54 insertions(+), 71 deletions(-) diff --git a/ecs/agent/fields/custom/agent.yml b/ecs/agent/fields/custom/agent.yml index 97004593f75a7..060c820218b8a 100644 --- a/ecs/agent/fields/custom/agent.yml +++ b/ecs/agent/fields/custom/agent.yml @@ -19,15 +19,9 @@ type: date level: custom description: > -<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml The agent's last login. - name: status type: keyword -======= - The last time the agent logged in. - - name: is_connected - type: boolean ->>>>>>> master:ecs/agent/fields/custom/agent.yml level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. diff --git a/ecs/alerts/fields/custom/agent.yml b/ecs/alerts/fields/custom/agent.yml index 97004593f75a7..060c820218b8a 100644 --- a/ecs/alerts/fields/custom/agent.yml +++ b/ecs/alerts/fields/custom/agent.yml 
@@ -19,15 +19,9 @@ type: date level: custom description: > -<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml The agent's last login. - name: status type: keyword -======= - The last time the agent logged in. - - name: is_connected - type: boolean ->>>>>>> master:ecs/agent/fields/custom/agent.yml level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. diff --git a/ecs/states-fim/fields/subset.yml b/ecs/states-fim/fields/subset.yml index 00be04f87e645..a4ccc0b055d18 100644 --- a/ecs/states-fim/fields/subset.yml +++ b/ecs/states-fim/fields/subset.yml @@ -8,6 +8,8 @@ fields: fields: id: {} groups: {} + host: + fields: "*" file: fields: attributes: {} diff --git a/ecs/states-inventory-hardware/fields/custom/agent.yml b/ecs/states-inventory-hardware/fields/custom/agent.yml index 97004593f75a7..060c820218b8a 100644 --- a/ecs/states-inventory-hardware/fields/custom/agent.yml +++ b/ecs/states-inventory-hardware/fields/custom/agent.yml @@ -19,15 +19,9 @@ type: date level: custom description: > -<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml The agent's last login. - name: status type: keyword -======= - The last time the agent logged in. - - name: is_connected - type: boolean ->>>>>>> master:ecs/agent/fields/custom/agent.yml level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. diff --git a/ecs/states-inventory-hardware/fields/custom/host.yml b/ecs/states-inventory-hardware/fields/custom/host.yml index 4398a5d791e6a..a0356d13da657 100644 --- a/ecs/states-inventory-hardware/fields/custom/host.yml +++ b/ecs/states-inventory-hardware/fields/custom/host.yml @@ -1,6 +1,6 @@ --- - name: host reusable: - top_level: false + top_level: true expected: - - agent \ No newline at end of file + - { at: agent, as: host } \ No newline at end of file 
diff --git a/ecs/states-inventory-hardware/fields/subset.yml b/ecs/states-inventory-hardware/fields/subset.yml index ededa27a75013..c55a99a19fa39 100644 --- a/ecs/states-inventory-hardware/fields/subset.yml +++ b/ecs/states-inventory-hardware/fields/subset.yml @@ -9,20 +9,23 @@ fields: fields: id: {} groups: {} + host: + fields: "*" observer: fields: serial_number: {} host: - fields: - memory: - fields: - total: {} - free: {} - used: - fields: - percentage: {} - cpu: - fields: - name: {} - cores: {} - speed: {} + fields: "*" +# fields: +# memory: +# fields: +# total: {} +# free: {} +# used: +# fields: +# percentage: {} +# cpu: +# fields: +# name: {} +# cores: {} +# speed: {} diff --git a/ecs/states-inventory-hotfixes/fields/custom/agent.yml b/ecs/states-inventory-hotfixes/fields/custom/agent.yml index 97004593f75a7..060c820218b8a 100644 --- a/ecs/states-inventory-hotfixes/fields/custom/agent.yml +++ b/ecs/states-inventory-hotfixes/fields/custom/agent.yml @@ -19,15 +19,9 @@ type: date level: custom description: > -<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml The agent's last login. - name: status type: keyword -======= - The last time the agent logged in. - - name: is_connected - type: boolean ->>>>>>> master:ecs/agent/fields/custom/agent.yml level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. diff --git a/ecs/states-inventory-hotfixes/fields/subset.yml b/ecs/states-inventory-hotfixes/fields/subset.yml index fcec48481c21e..bb45a59614e57 100644 --- a/ecs/states-inventory-hotfixes/fields/subset.yml +++ b/ecs/states-inventory-hotfixes/fields/subset.yml @@ -9,8 +9,10 @@ fields: fields: id: {} groups: {} + host: + fields: "*" package: fields: hotfix: fields: - name: {} \ No newline at end of file + name: {} diff --git a/ecs/states-inventory-networks/fields/custom/agent.yml b/ecs/states-inventory-networks/fields/custom/agent.yml index 97004593f75a7..060c820218b8a 100644 
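Review bot: In the states-inventory-hardware subset.yml hunk the old explicit `host` field list survives as a 13-line commented-out block under the new `fields: "*"`; it is dead configuration that goes stale the moment custom/host.yml changes, and PATCH 07 later in this series deletes it again, so it never needed to land. If a pointer is wanted, one line does it: `# host.* fields are defined in custom/host.yml`. Note also that `"*"` widens this index from memory/cpu to every ECS host field, and that `host: fields: "*"` now appears both under `agent` and at top level, so each document maps the full host fieldset twice; the same pairing recurs in the hotfixes, packages, processes, system and vulnerabilities subsets later in the series. If `agent.host` and `host` describe the same machine, one of the two is presumably redundant and should be documented or dropped.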
--- a/ecs/states-inventory-networks/fields/custom/agent.yml +++ b/ecs/states-inventory-networks/fields/custom/agent.yml @@ -19,15 +19,9 @@ type: date level: custom description: > -<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml The agent's last login. - name: status type: keyword -======= - The last time the agent logged in. - - name: is_connected - type: boolean ->>>>>>> master:ecs/agent/fields/custom/agent.yml level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. diff --git a/ecs/states-inventory-networks/fields/subset.yml b/ecs/states-inventory-networks/fields/subset.yml index d60366d6938aa..38db42c691d59 100644 --- a/ecs/states-inventory-networks/fields/subset.yml +++ b/ecs/states-inventory-networks/fields/subset.yml @@ -9,6 +9,8 @@ fields: fields: id: {} groups: {} + host: + fields: "*" host: fields: ip: {} diff --git a/ecs/states-inventory-packages/fields/custom/agent.yml b/ecs/states-inventory-packages/fields/custom/agent.yml index 97004593f75a7..060c820218b8a 100644 --- a/ecs/states-inventory-packages/fields/custom/agent.yml +++ b/ecs/states-inventory-packages/fields/custom/agent.yml @@ -19,15 +19,9 @@ type: date level: custom description: > -<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml The agent's last login. - name: status type: keyword -======= - The last time the agent logged in. - - name: is_connected - type: boolean ->>>>>>> master:ecs/agent/fields/custom/agent.yml level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. diff --git a/ecs/states-inventory-packages/fields/subset.yml b/ecs/states-inventory-packages/fields/subset.yml index 49028288fea80..b53db8f38c21d 100644 --- a/ecs/states-inventory-packages/fields/subset.yml +++ b/ecs/states-inventory-packages/fields/subset.yml @@ -9,6 +9,8 @@ fields: fields: id: {} groups: {} + host: + fields: "*" package: fields: architecture: "" 
diff --git a/ecs/states-inventory-ports/fields/custom/agent.yml b/ecs/states-inventory-ports/fields/custom/agent.yml index 97004593f75a7..060c820218b8a 100644 --- a/ecs/states-inventory-ports/fields/custom/agent.yml +++ b/ecs/states-inventory-ports/fields/custom/agent.yml @@ -19,15 +19,9 @@ type: date level: custom description: > -<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml The agent's last login. - name: status type: keyword -======= - The last time the agent logged in. - - name: is_connected - type: boolean ->>>>>>> master:ecs/agent/fields/custom/agent.yml level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. diff --git a/ecs/states-inventory-ports/fields/subset.yml b/ecs/states-inventory-ports/fields/subset.yml index 27e2ac6abcb02..51cc1bad8ed52 100644 --- a/ecs/states-inventory-ports/fields/subset.yml +++ b/ecs/states-inventory-ports/fields/subset.yml @@ -9,6 +9,8 @@ fields: fields: id: {} groups: {} + host: + fields: "*" destination: fields: ip: {} diff --git a/ecs/states-inventory-processes/fields/custom/agent.yml b/ecs/states-inventory-processes/fields/custom/agent.yml index 97004593f75a7..060c820218b8a 100644 --- a/ecs/states-inventory-processes/fields/custom/agent.yml +++ b/ecs/states-inventory-processes/fields/custom/agent.yml @@ -19,15 +19,9 @@ type: date level: custom description: > -<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml The agent's last login. - name: status type: keyword -======= - The last time the agent logged in. - - name: is_connected - type: boolean ->>>>>>> master:ecs/agent/fields/custom/agent.yml level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. diff --git a/ecs/states-inventory-processes/fields/subset.yml b/ecs/states-inventory-processes/fields/subset.yml index 29e97c8969d86..c597a5d1d4d2a 100644 --- a/ecs/states-inventory-processes/fields/subset.yml +++ b/ecs/states-inventory-processes/fields/subset.yml 
@@ -8,7 +8,9 @@ fields: agent: fields: id: {} - groups: {} + groups: {} + host: + fields: "*" process: fields: pid: {} diff --git a/ecs/states-inventory-system/fields/custom/agent.yml b/ecs/states-inventory-system/fields/custom/agent.yml index 97004593f75a7..060c820218b8a 100644 --- a/ecs/states-inventory-system/fields/custom/agent.yml +++ b/ecs/states-inventory-system/fields/custom/agent.yml @@ -19,15 +19,9 @@ type: date level: custom description: > -<<<<<<< HEAD:ecs/agent/fields/custom/wazuh-agent.yml The agent's last login. - name: status type: keyword -======= - The last time the agent logged in. - - name: is_connected - type: boolean ->>>>>>> master:ecs/agent/fields/custom/agent.yml level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. diff --git a/ecs/states-inventory-system/fields/subset.yml b/ecs/states-inventory-system/fields/subset.yml index fe9be3affb7af..b441ff816a503 100644 --- a/ecs/states-inventory-system/fields/subset.yml +++ b/ecs/states-inventory-system/fields/subset.yml @@ -9,6 +9,8 @@ fields: fields: id: {} groups: {} + host: + fields: "*" host: fields: architecture: {} diff --git a/ecs/states-vulnerabilities/fields/custom/agent.yml b/ecs/states-vulnerabilities/fields/custom/agent.yml index 9feecf4e2da98..060c820218b8a 100644 --- a/ecs/states-vulnerabilities/fields/custom/agent.yml +++ b/ecs/states-vulnerabilities/fields/custom/agent.yml 
@@ -10,3 +10,23 @@ level: custom description: > List of groups the agent belong to. + - name: key + type: keyword + level: custom + description: > + The registration key of the agent. + - name: last_login + type: date + level: custom + description: > + The agent's last login. + - name: status + type: keyword + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + allowed_values: + - name: active + description: Active agent status + - name: disconnected + description: Disconnected agent status \ No newline at end of file From 004870f40d80f3796d56f322e1bde13abf72453a Mon Sep 17 00:00:00 2001 From: f-galland Date: Tue, 12 Nov 2024 14:52:50 -0300 Subject: [PATCH 04/18] Fix host custom schema --- .../fields/custom/host.yml | 48 ++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/ecs/states-inventory-hardware/fields/custom/host.yml b/ecs/states-inventory-hardware/fields/custom/host.yml index a0356d13da657..7df6e4dacae6d 100644 --- a/ecs/states-inventory-hardware/fields/custom/host.yml +++ b/ecs/states-inventory-hardware/fields/custom/host.yml 
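Review bot: `agent.key` is described as the agent's registration key and typed as a searchable `keyword`; if that value is the enrollment secret, defining it in the states-vulnerabilities schema makes it eligible to be indexed in plain text next to vulnerability data, readable by anyone with search access to that index. The subset.yml for this module (PATCH 07) selects only groups/id/name/type/version from `agent`, so the field is presumably dropped by the generator; if that exclusion is the intent, either leave `key` out of this file or mark it explicitly: `# registration key: kept for parity with ecs/agent, deliberately not selected in subset.yml`. The enclosing `fields` list starts before this hunk.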
@@ -3,4 +3,50 @@ reusable: top_level: true expected: - - { at: agent, as: host } \ No newline at end of file + - { at: agent, as: host } + fields: + - name: memory + description: > + Memory related data + type: object + level: custom + - name: memory.total + description: > + Total memory in MB + type: long + level: custom + - name: memory.free + description: > + Free memory in MB + type: long + level: custom + - name: memory.used + description: > + Used memory related data + type: object + level: custom + - name: memory.used.percentage + description: > + Used memory percentage + type: long + level: custom + - name: cpu + description: > + CPU related data + type: object + level: custom + - name: cpu.name + description: > + CPU Model name + type: keyword + level: custom + - name: cpu.cores + description: > + Number of CPU cores + type: long + level: custom + - name: cpu.speed + description: > + CPU clock speed + type: long + level: custom \ No newline at end of file From 9ed839f4850631475dd1ae648d8c1fcdc8f773a0 Mon Sep 17 00:00:00 2001 From: f-galland Date: Tue, 12 Nov 2024 14:57:51 -0300 Subject: [PATCH 05/18] Fix host custom schema in networks template --- .../fields/custom/host.yml | 25 +++++++++++++++++-- .../fields/subset.yml | 18 +------------ 2 files changed, 24 insertions(+), 19 deletions(-) diff --git a/ecs/states-inventory-networks/fields/custom/host.yml b/ecs/states-inventory-networks/fields/custom/host.yml index 4398a5d791e6a..dada3cf6c0288 100644 --- a/ecs/states-inventory-networks/fields/custom/host.yml +++ b/ecs/states-inventory-networks/fields/custom/host.yml 
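Review bot: `memory.used.percentage` is typed `long`, so a fractional percentage emitted by the collector is silently truncated at index time under default coercion (or rejected if coercion is disabled); ECS models percentages as floating point. Use `type: float` (or `scaled_float` with a scaling factor), or if the agent really sends integers say so in the description: `Used memory percentage (integer, 0-100)`. `cpu.speed` also lacks a unit while the memory fields state MB; `CPU clock speed in MHz` (or whatever the agent reports) removes the guesswork for dashboard authors. The enclosing `host` entry starts before this hunk.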
@@ -1,6 +1,27 @@ --- - name: host reusable: - top_level: false + top_level: true expected: - - agent \ No newline at end of file + - { at: agent, as: host } + fields: + - name: network.egress.drops + type: long + level: custom + description: > + Number of dropped transmitted packets. + - name: network.egress.errors + type: long + level: custom + description: > + Number of transmission errors. + - name: network.ingress.drops + type: long + level: custom + description: > + Number of dropped received packets. + - name: network.ingress.errors + type: long + level: custom + description: > + Number of reception errors. \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/subset.yml b/ecs/states-inventory-networks/fields/subset.yml index 38db42c691d59..9e7e6d0dafd37 100644 --- a/ecs/states-inventory-networks/fields/subset.yml +++ b/ecs/states-inventory-networks/fields/subset.yml @@ -12,23 +12,7 @@ fields: host: fields: "*" host: - fields: - ip: {} - mac: {} - network: - fields: - egress: - fields: - bytes: {} - drops: {} - errors: {} - packets: {} - ingress: - fields: - bytes: {} - drops: {} - errors: {} - packets: {} + fields: "*" interface: fields: mtu: {} From d97339e9e0ce40126452078a68c3bd63c33f7415 Mon Sep 17 00:00:00 2001 From: f-galland Date: Tue, 12 Nov 2024 15:01:21 -0300 Subject: [PATCH 06/18] Fix host custom schema in ports template --- ecs/states-inventory-ports/fields/custom/host.yml | 15 +++++++++++++-- ecs/states-inventory-ports/fields/subset.yml | 10 +--------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/ecs/states-inventory-ports/fields/custom/host.yml b/ecs/states-inventory-ports/fields/custom/host.yml index 4398a5d791e6a..1ce10e63f92d4 100644 --- a/ecs/states-inventory-ports/fields/custom/host.yml +++ b/ecs/states-inventory-ports/fields/custom/host.yml 
@@ -1,6 +1,17 @@ --- - name: host reusable: - top_level: false + top_level: true expected: - - agent \ No newline at end of file + - { at: agent, as: host } + fields: + - name: network.ingress.queue + type: long + level: custom + description: > + Receive queue length. + - name: network.egress.queue + type: long + level: custom + description: > + Transmit queue length. \ No newline at end of file diff --git a/ecs/states-inventory-ports/fields/subset.yml b/ecs/states-inventory-ports/fields/subset.yml index 51cc1bad8ed52..1fcd3b4fb0e3c 100644 --- a/ecs/states-inventory-ports/fields/subset.yml +++ b/ecs/states-inventory-ports/fields/subset.yml @@ -22,15 +22,7 @@ fields: fields: inode: {} host: - fields: - network: - fields: -# egress: -# fields: -# queue: {} - ingress: - fields: - queue: {} + fields: "*" network: fields: protocol: {} From c1ab48dc07334750d2d47cb2637e686aa0347716 Mon Sep 17 00:00:00 2001 From: f-galland Date: Wed, 13 Nov 2024 07:20:25 -0300 Subject: [PATCH 07/18] Fix host field in states-vulnerabilities --- .../fields/subset.yml | 13 ------------- .../fields/custom/host.yml | 4 ++-- ecs/states-vulnerabilities/fields/subset.yml | 19 +++++++++---------- 3 files changed, 11 insertions(+), 25 deletions(-) diff --git a/ecs/states-inventory-hardware/fields/subset.yml b/ecs/states-inventory-hardware/fields/subset.yml index c55a99a19fa39..fbd87d84f9ef1 100644 --- a/ecs/states-inventory-hardware/fields/subset.yml +++ b/ecs/states-inventory-hardware/fields/subset.yml @@ -16,16 +16,3 @@ fields: serial_number: {} host: fields: "*" -# fields: -# memory: -# fields: -# total: {} -# free: {} -# used: -# fields: -# percentage: {} -# cpu: -# fields: -# name: {} -# cores: {} -# speed: {} diff --git a/ecs/states-vulnerabilities/fields/custom/host.yml b/ecs/states-vulnerabilities/fields/custom/host.yml index 4398a5d791e6a..a0356d13da657 100644 --- a/ecs/states-vulnerabilities/fields/custom/host.yml +++ b/ecs/states-vulnerabilities/fields/custom/host.yml 
@@ -1,6 +1,6 @@ --- - name: host reusable: - top_level: false + top_level: true expected: - - agent \ No newline at end of file + - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-vulnerabilities/fields/subset.yml b/ecs/states-vulnerabilities/fields/subset.yml index 6b616dfb624d0..d0b44d3a712f1 100644 --- a/ecs/states-vulnerabilities/fields/subset.yml +++ b/ecs/states-vulnerabilities/fields/subset.yml @@ -5,19 +5,18 @@ fields: fields: tags: [] agent: - fields: "*" + fields: + groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" package: fields: "*" host: - fields: - os: - fields: - full: "" - kernel: "" - name: "" - platform: "" - type: "" - version: "" + fields: "*" vulnerability: fields: "*" wazuh: From a7db90e4f09a80f4e2084c70313c898650b692e0 Mon Sep 17 00:00:00 2001 From: f-galland Date: Wed, 13 Nov 2024 07:29:11 -0300 Subject: [PATCH 08/18] Include specific agent fields in alerts index subset --- ecs/alerts/fields/subset.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ecs/alerts/fields/subset.yml b/ecs/alerts/fields/subset.yml index fa784b9806d6c..8e9508407de7f 100644 --- a/ecs/alerts/fields/subset.yml +++ b/ecs/alerts/fields/subset.yml @@ -4,7 +4,14 @@ fields: base: fields: "*" agent: - fields: "*" + fields: + groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" as: fields: "*" client: From 3e6a9eed8ad74b2a9cfa0c4d951478ab3a8a54f6 Mon Sep 17 00:00:00 2001 From: f-galland Date: Wed, 13 Nov 2024 07:42:59 -0300 Subject: [PATCH 09/18] Add agent and host fields to states-fim --- ecs/states-fim/fields/custom/host.yml | 4 ++-- ecs/states-fim/fields/subset.yml | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ecs/states-fim/fields/custom/host.yml b/ecs/states-fim/fields/custom/host.yml index 4398a5d791e6a..a0356d13da657 100644 --- a/ecs/states-fim/fields/custom/host.yml +++ b/ecs/states-fim/fields/custom/host.yml 
@@ -1,6 +1,6 @@ --- - name: host reusable: - top_level: false + top_level: true expected: - - agent \ No newline at end of file + - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-fim/fields/subset.yml b/ecs/states-fim/fields/subset.yml index a4ccc0b055d18..a9e6f01ce45b0 100644 --- a/ecs/states-fim/fields/subset.yml +++ b/ecs/states-fim/fields/subset.yml @@ -6,8 +6,11 @@ fields: tags: [] agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} host: fields: "*" file: @@ -30,6 +33,8 @@ fields: type: {} uid: {} owner: {} + host: + fields: "*" registry: fields: key: {} From 85c11e513a7e1f430858cac34bab64388120859a Mon Sep 17 00:00:00 2001 From: f-galland Date: Wed, 13 Nov 2024 07:44:21 -0300 Subject: [PATCH 10/18] Add host fields to alerts top level --- ecs/alerts/fields/custom/host.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ecs/alerts/fields/custom/host.yml b/ecs/alerts/fields/custom/host.yml index 4398a5d791e6a..a0356d13da657 100644 --- a/ecs/alerts/fields/custom/host.yml +++ b/ecs/alerts/fields/custom/host.yml @@ -1,6 +1,6 @@ --- - name: host reusable: - top_level: false + top_level: true expected: - - agent \ No newline at end of file + - { at: agent, as: host } \ No newline at end of file From 2308399130d87d32367494113e1a29c2fdd877cd Mon Sep 17 00:00:00 2001 From: f-galland Date: Wed, 13 Nov 2024 07:47:48 -0300 Subject: [PATCH 11/18] Add agent fields to states-inventory-hardware --- ecs/states-inventory-hardware/fields/subset.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ecs/states-inventory-hardware/fields/subset.yml b/ecs/states-inventory-hardware/fields/subset.yml index fbd87d84f9ef1..da5a194e26ddf 100644 --- a/ecs/states-inventory-hardware/fields/subset.yml +++ b/ecs/states-inventory-hardware/fields/subset.yml 
@@ -7,8 +7,11 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} host: fields: "*" observer: From b08d0d8b6c8dd61dfa369d36c621d829de8ec143 Mon Sep 17 00:00:00 2001 From: f-galland Date: Wed, 13 Nov 2024 07:49:11 -0300 Subject: [PATCH 12/18] Add agent fields to states-inventory-hardware --- ecs/states-inventory-hotfixes/fields/custom/host.yml | 4 ++-- ecs/states-inventory-hotfixes/fields/subset.yml | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ecs/states-inventory-hotfixes/fields/custom/host.yml b/ecs/states-inventory-hotfixes/fields/custom/host.yml index 4398a5d791e6a..a0356d13da657 100644 --- a/ecs/states-inventory-hotfixes/fields/custom/host.yml +++ b/ecs/states-inventory-hotfixes/fields/custom/host.yml @@ -1,6 +1,6 @@ --- - name: host reusable: - top_level: false + top_level: true expected: - - agent \ No newline at end of file + - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/subset.yml b/ecs/states-inventory-hotfixes/fields/subset.yml index bb45a59614e57..7bb4f66950326 100644 --- a/ecs/states-inventory-hotfixes/fields/subset.yml +++ b/ecs/states-inventory-hotfixes/fields/subset.yml @@ -7,10 +7,15 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} host: fields: "*" + host: + fields: "*" package: fields: hotfix: From 51be8558a91a9b088a4617467688bc58496ee7c4 Mon Sep 17 00:00:00 2001 From: f-galland Date: Wed, 13 Nov 2024 07:51:36 -0300 Subject: [PATCH 13/18] Add agent fields to states-inventory-hotfixes --- ecs/states-inventory-networks/fields/subset.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ecs/states-inventory-networks/fields/subset.yml b/ecs/states-inventory-networks/fields/subset.yml index 9e7e6d0dafd37..24392a19582a2 100644 --- a/ecs/states-inventory-networks/fields/subset.yml +++ b/ecs/states-inventory-networks/fields/subset.yml 
@@ -7,8 +7,11 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} host: fields: "*" host: From 579331411851d999494969354b4c2a626d2b8390 Mon Sep 17 00:00:00 2001 From: f-galland Date: Wed, 13 Nov 2024 07:53:35 -0300 Subject: [PATCH 14/18] Add agent fields to states-inventory-packages --- ecs/states-inventory-packages/fields/custom/host.yml | 4 ++-- ecs/states-inventory-packages/fields/subset.yml | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ecs/states-inventory-packages/fields/custom/host.yml b/ecs/states-inventory-packages/fields/custom/host.yml index 4398a5d791e6a..a0356d13da657 100644 --- a/ecs/states-inventory-packages/fields/custom/host.yml +++ b/ecs/states-inventory-packages/fields/custom/host.yml @@ -1,6 +1,6 @@ --- - name: host reusable: - top_level: false + top_level: true expected: - - agent \ No newline at end of file + - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/subset.yml b/ecs/states-inventory-packages/fields/subset.yml index b53db8f38c21d..f2fdfb2fad9a0 100644 --- a/ecs/states-inventory-packages/fields/subset.yml +++ b/ecs/states-inventory-packages/fields/subset.yml @@ -7,10 +7,15 @@ fields: tags: [] agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} host: fields: "*" + host: + fields: "*" package: fields: architecture: "" From 2a76a54d0bde227705fda9856c1e739d7d4e4cd2 Mon Sep 17 00:00:00 2001 From: f-galland Date: Wed, 13 Nov 2024 07:54:55 -0300 Subject: [PATCH 15/18] Add agent fields to states-inventory-ports --- ecs/states-inventory-ports/fields/subset.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ecs/states-inventory-ports/fields/subset.yml b/ecs/states-inventory-ports/fields/subset.yml index 1fcd3b4fb0e3c..549917083aaa8 100644 --- a/ecs/states-inventory-ports/fields/subset.yml +++ b/ecs/states-inventory-ports/fields/subset.yml 
@@ -7,8 +7,11 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} host: fields: "*" destination: From c93697021f76d91e347aea6760ff8648428be669 Mon Sep 17 00:00:00 2001 From: f-galland Date: Wed, 13 Nov 2024 07:59:00 -0300 Subject: [PATCH 16/18] Add agent fields to states-inventory-processes --- ecs/states-inventory-processes/fields/custom/host.yml | 4 ++-- ecs/states-inventory-processes/fields/subset.yml | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ecs/states-inventory-processes/fields/custom/host.yml b/ecs/states-inventory-processes/fields/custom/host.yml index 4398a5d791e6a..a0356d13da657 100644 --- a/ecs/states-inventory-processes/fields/custom/host.yml +++ b/ecs/states-inventory-processes/fields/custom/host.yml @@ -1,6 +1,6 @@ --- - name: host reusable: - top_level: false + top_level: true expected: - - agent \ No newline at end of file + - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-processes/fields/subset.yml b/ecs/states-inventory-processes/fields/subset.yml index c597a5d1d4d2a..55693facfee71 100644 --- a/ecs/states-inventory-processes/fields/subset.yml +++ b/ecs/states-inventory-processes/fields/subset.yml @@ -7,10 +7,15 @@ fields: tags: [] agent: fields: + groups: {} id: {} - groups: {} + name: {} + type: {} + version: {} host: fields: "*" + host: + fields: "*" process: fields: pid: {} From f42019fb4b376ac0414eb22f5c1bbff2520c4df2 Mon Sep 17 00:00:00 2001 From: f-galland Date: Wed, 13 Nov 2024 08:07:25 -0300 Subject: [PATCH 17/18] Add agent fields to states-inventory-system --- .../fields/custom/host.yml | 4 ++-- ecs/states-inventory-system/fields/subset.yml | 17 +++++------------ 2 files changed, 7 insertions(+), 14 deletions(-) diff --git a/ecs/states-inventory-system/fields/custom/host.yml b/ecs/states-inventory-system/fields/custom/host.yml index 4398a5d791e6a..a0356d13da657 100644 
--- a/ecs/states-inventory-system/fields/custom/host.yml +++ b/ecs/states-inventory-system/fields/custom/host.yml @@ -1,6 +1,6 @@ --- - name: host reusable: - top_level: false + top_level: true expected: - - agent \ No newline at end of file + - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/subset.yml b/ecs/states-inventory-system/fields/subset.yml index b441ff816a503..c31262f1c8970 100644 --- a/ecs/states-inventory-system/fields/subset.yml +++ b/ecs/states-inventory-system/fields/subset.yml @@ -7,19 +7,12 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} host: fields: "*" host: - fields: - architecture: {} - hostname: {} - name: {} - os: - fields: - kernel: {} - full: {} - platform: {} - version: {} - type: {} + fields: "*" From ca6346c83db462ef5d1f6d809eda928eed465bf3 Mon Sep 17 00:00:00 2001 From: Alex Ruiz Date: Wed, 13 Nov 2024 12:29:51 +0100 Subject: [PATCH 18/18] Add all-in-one script --- ecs/README.md | 40 ++++++++++++++++++++++++++----- ecs/agent/fields/custom/agent.yml | 2 +- 2 files changed, 35 insertions(+), 7 deletions(-) diff --git a/ecs/README.md b/ecs/README.md index 6ba6641b64ce9..35e4e783bbd98 100644 --- a/ecs/README.md +++ b/ecs/README.md 
@@ -45,16 +45,16 @@ files to generate the mappings. These are the inputs for the ECS generator. * INDEXER_SRC: Path to the wazuh-indexer repository * MODULE: Module to generate mappings for * --upload : Upload generated index template to the OpenSearch cluster. Defaults to https://localhost:9200 - Example: generate.sh v8.11.0 ~/wazuh-indexer vulnerability-detector --upload https://indexer:9200 + Example: generate.sh v8.11.0 ~/wazuh-indexer states-vulnerabilities --upload https://indexer:9200 ``` 3. Use the `generate.sh` script to generate the mappings for a module. The script takes 3 arguments, plus 2 optional arguments to upload the mappings to the `wazuh-indexer`. Both, composable and legacy mappings -are generated. For example, to generate the mappings for the `vulnerability-detector` module using the +are generated. For example, to generate the mappings for the `states-vulnerabilities` module using the ECS version `v8.11.0` and assuming that path of this repository is `~/wazuh/wazuh-indexer`: ```bash - ./generate.sh v8.11.0 ~/wazuh/wazuh-indexer vulnerability-detector + ./generate.sh v8.11.0 ~/wazuh/wazuh-indexer states-vulnerabilities ``` The tool will output the folder where they have been generated. @@ -62,7 +62,7 @@ are generated. For example, to generate the mappings for the `vulnerability-dete ```console Loading schemas from git ref v8.11.0 Running generator. ECS version 8.11.0 - Mappings saved to ~/wazuh/wazuh-indexer/ecs/vulnerability-detector/mappings/v8.11.0 + Mappings saved to ~/wazuh/wazuh-indexer/ecs/states-vulnerabilities/mappings/v8.11.0 ``` 4. When you are done. Exit the virtual environment. 
@@ -93,7 +93,7 @@ The script takes care of these changes automatically, generating the `opensearch You can either upload the index template using cURL or the UI (dev tools). ```bash -curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/wazuh-vulnerability-detector" -H "Content-Type: application/json" -d @opensearch-template.json +curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/wazuh-states-vulnerabilities" -H "Content-Type: application/json" -d @opensearch-template.json ``` Notes: @@ -117,7 +117,7 @@ are required. ### Event generator For testing purposes, the script `generate_events.py` can be used to generate events for a given module. -Currently, it is only able to generate events for the `vulnerability-detector` module. To support other +Currently, it is only able to generate events for the `states-vulnerabilities` module. To support other modules, please extend of refactor the script. The script prompts for the required parameters, so it can be launched without arguments: @@ -137,3 +137,31 @@ The script uses log file. Check it out for debugging or additional information. - [ECS repository](https://github.com/elastic/ecs) - [ECS usage](https://github.com/elastic/ecs/blob/main/USAGE.md) - [ECS field reference](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) + +### All-in-one script + +```bash +#!/bin/bash + +indices=( + agent + alerts + command + states-fim + states-inventory-hardware + states-inventory-hotfixes + states-inventory-networks + states-inventory-packages + states-inventory-ports + states-inventory-processes + states-inventory-system + states-vulnerabilities +) + +ECS="v8.11.0" +WI_REPO_PATH=~/wazuh/wazuh-indexer + +for index in "${indices[@]}"; do + bash generate.sh $ECS $WI_REPO_PATH "$index" +done +``` diff --git a/ecs/agent/fields/custom/agent.yml b/ecs/agent/fields/custom/agent.yml index 060c820218b8a..03aa894c9d385 100644 --- a/ecs/agent/fields/custom/agent.yml 
+++ b/ecs/agent/fields/custom/agent.yml @@ -19,7 +19,7 @@ type: date level: custom description: > - The agent's last login. + The last time the agent logged in. - name: status type: keyword level: custom