From 27350a5367b1ab8c853de60ca898ecfaba674628 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Tue, 12 Nov 2024 13:41:53 +0100 Subject: [PATCH] Migrate #462 to master (2.17.1) --- .../custom/{wazuh-agent.yml => agent.yml} | 0 ecs/docs/agents.md | 110 +++ ecs/docs/alerts.md | 635 ++++++++++++++++++ ecs/docs/commands.md | 154 +++++ ecs/docs/inventory-4.x.md | 70 ++ ecs/docs/inventory-hardware.md | 147 ++++ ecs/docs/inventory-hotfixes.md | 95 +++ ecs/docs/inventory-networks.md | 274 ++++++++ ecs/docs/inventory-packages.md | 90 +++ ecs/docs/inventory-ports.md | 108 +++ ecs/docs/inventory-processes.md | 131 ++++ ecs/docs/inventory-system.md | 103 +++ ecs/docs/states-fim.md | 100 +++ ecs/docs/states-vulnerability.md | 177 +++++ .../fields/custom/agent.yml | 11 + .../fields/custom/host.yml | 52 ++ .../fields/mapping-settings.json | 4 + .../fields/subset.yml | 28 + .../fields/template-settings-legacy.json | 14 + .../fields/template-settings.json | 18 + .../fields/custom/agent.yml | 12 + .../fields/custom/package.yml | 19 + .../fields/mapping-settings.json | 4 + .../fields/subset.yml | 16 + .../fields/template-settings-legacy.json | 14 + .../fields/template-settings.json | 18 + .../fields/custom/agent.yml | 12 + .../fields/custom/host.yml | 24 + .../fields/custom/interface.yml | 23 + .../fields/custom/network.yml | 33 + .../fields/mapping-settings.json | 4 + .../fields/subset.yml | 51 ++ .../fields/template-settings-legacy.json | 21 + .../fields/template-settings.json | 25 + .../fields/custom/agent.yml | 12 + .../fields/custom/host.yml | 14 + .../fields/custom/interface.yml | 13 + .../fields/mapping-settings.json | 4 + ecs/states-inventory-ports/fields/subset.yml | 45 ++ .../fields/template-settings-legacy.json | 18 + .../fields/template-settings.json | 22 + 41 files changed, 2725 insertions(+) rename ecs/agent/fields/custom/{wazuh-agent.yml => agent.yml} (100%) create mode 100644 ecs/docs/agents.md create mode 100644 ecs/docs/alerts.md create mode 100644 ecs/docs/commands.md create mode 100644 ecs/docs/inventory-4.x.md create 
mode 100644 ecs/docs/inventory-hardware.md create mode 100644 ecs/docs/inventory-hotfixes.md create mode 100644 ecs/docs/inventory-networks.md create mode 100644 ecs/docs/inventory-packages.md create mode 100644 ecs/docs/inventory-ports.md create mode 100644 ecs/docs/inventory-processes.md create mode 100644 ecs/docs/inventory-system.md create mode 100644 ecs/docs/states-fim.md create mode 100644 ecs/docs/states-vulnerability.md create mode 100644 ecs/states-inventory-hardware/fields/custom/agent.yml create mode 100644 ecs/states-inventory-hardware/fields/custom/host.yml create mode 100644 ecs/states-inventory-hardware/fields/mapping-settings.json create mode 100644 ecs/states-inventory-hardware/fields/subset.yml create mode 100644 ecs/states-inventory-hardware/fields/template-settings-legacy.json create mode 100644 ecs/states-inventory-hardware/fields/template-settings.json create mode 100644 ecs/states-inventory-hotfixes/fields/custom/agent.yml create mode 100644 ecs/states-inventory-hotfixes/fields/custom/package.yml create mode 100644 ecs/states-inventory-hotfixes/fields/mapping-settings.json create mode 100644 ecs/states-inventory-hotfixes/fields/subset.yml create mode 100644 ecs/states-inventory-hotfixes/fields/template-settings-legacy.json create mode 100644 ecs/states-inventory-hotfixes/fields/template-settings.json create mode 100644 ecs/states-inventory-networks/fields/custom/agent.yml create mode 100644 ecs/states-inventory-networks/fields/custom/host.yml create mode 100644 ecs/states-inventory-networks/fields/custom/interface.yml create mode 100644 ecs/states-inventory-networks/fields/custom/network.yml create mode 100644 ecs/states-inventory-networks/fields/mapping-settings.json create mode 100644 ecs/states-inventory-networks/fields/subset.yml create mode 100644 ecs/states-inventory-networks/fields/template-settings-legacy.json create mode 100644 ecs/states-inventory-networks/fields/template-settings.json create mode 100644 
ecs/states-inventory-ports/fields/custom/agent.yml
create mode 100644 ecs/states-inventory-ports/fields/custom/host.yml
create mode 100644 ecs/states-inventory-ports/fields/custom/interface.yml
create mode 100644 ecs/states-inventory-ports/fields/mapping-settings.json
create mode 100644 ecs/states-inventory-ports/fields/subset.yml
create mode 100644 ecs/states-inventory-ports/fields/template-settings-legacy.json
create mode 100644 ecs/states-inventory-ports/fields/template-settings.json
diff --git a/ecs/agent/fields/custom/wazuh-agent.yml b/ecs/agent/fields/custom/agent.yml
similarity index 100%
rename from ecs/agent/fields/custom/wazuh-agent.yml
rename to ecs/agent/fields/custom/agent.yml
diff --git a/ecs/docs/agents.md b/ecs/docs/agents.md
new file mode 100644
index 0000000000000..b0a1619c5e877
--- /dev/null
+++ b/ecs/docs/agents.md
@@ -0,0 +1,110 @@
+## `agents` index data model
+
+### Fields summary
+
+The fields are based on https://github.com/wazuh/wazuh/issues/23396#issuecomment-2176402993
+
+Based on ECS [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html).
+
+| Field | ECS field | Type | Description |
+| ----------------- | ---------------------- | ------- | ---------------------------------------------------------------------- |
+| uuid | `agent.id` | keyword | Agent's ID |
+| name | `agent.name` | keyword | Agent's name |
+| groups | \*`agent.groups` | keyword | Agent's groups |
+| internal_key | \*`agent.key` | keyword | Agent's registration key |
+| type | `agent.type` | keyword | Type of agent |
+| version | `agent.version` | keyword | Agent's version |
+| connection_status | \*`agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login` |
+| last_keepalive | \*`agent.last_login` | date | Agent's last login |
+| ip | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. |
+| os\_\* | `host.os.full` | keyword | Operating system name, including the version or code name. |
+
+\* Custom field
+
+### ECS mapping
+
+```yml
+---
+name: agent
+fields:
+ base:
+ fields:
+ tags: []
+ agent:
+ fields:
+ id: {}
+ name: {}
+ type: {}
+ version: {}
+ groups: {}
+ key: {}
+ last_login: {}
+ is_connected: {}
+ host:
+ fields:
+ ip: {}
+ os:
+ fields:
+ full: {}
+```
+
+```yml
+---
+---
+- name: agent
+ title: Wazuh Agents
+ short: Wazuh Inc. custom fields.
+ type: group
+ group: 2
+ fields:
+ - name: groups
+ type: keyword
+ level: custom
+ description: >
+ The groups the agent belongs to.
+ - name: key
+ type: keyword
+ level: custom
+ description: >
+ The agent's registration key.
+ - name: last_login
+ type: date
+ level: custom
+ description: >
+ The agent's last login.
+ - name: is_connected
+ type: boolean
+ level: custom
+ description: >
+ Agents' interpreted connection status depending on `agent.last_login`.
+
+```
+
+### Index settings
+
+```json
+{
+ "index_patterns": [".agents*"],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "hidden": true,
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "agent.name",
+ "agent.type",
+ "agent.version",
+ "agent.name",
+ "host.os.full",
+ "host.ip"
+ ]
+ }
+ }
+ }
+}
+```
diff --git a/ecs/docs/alerts.md b/ecs/docs/alerts.md
new file mode 100644
index 0000000000000..134009eff9435
--- /dev/null
+++ b/ecs/docs/alerts.md
@@ -0,0 +1,635 @@ +## `wazuh-alerts-5.x` time series index + +Stateless index. + +### Fields summary + +For this stage, we are using all the fields of the ECS. No custom fields are used. As a result, we are using the default mapping of the ECS. + +- [ECS main mappings](https://github.com/elastic/ecs/blob/v8.11.0/schemas/subsets/main.yml) + +The generated template must match [this one](https://github.com/elastic/ecs/blob/v8.11.0/generated/elasticsearch/legacy/template.json). + +### ECS mapping + +```yml +--- +name: main +fields: + base: + fields: "*" + agent: + fields: "*" + as: + fields: "*" + client: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + cloud: + fields: "*" + code_signature: + fields: "*" + container: + fields: "*" + data_stream: + fields: "*" + destination: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + device: + fields: "*" + dll: + fields: "*" + dns: + fields: "*" + ecs: + fields: "*" + elf: + fields: "*" + email: + fields: "*" + error: + fields: "*" + event: + fields: "*" + faas: + fields: "*" + file: + fields: "*" + geo: + fields: "*" + group: + fields: "*" + hash: + fields: "*" + host: + fields: "*" + http: + fields: "*" + interface: + fields: "*" + log: + fields: "*" + macho: + fields: "*" + network: + fields: "*" + observer: + fields: "*" + orchestrator: + fields: "*" + organization: + fields: "*" + os: + fields: "*" + package: + 
fields: "*" + pe: + fields: "*" + process: + fields: + args: {} + args_count: {} + code_signature: + fields: "*" + command_line: {} + elf: + fields: "*" + end: {} + entity_id: {} + entry_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + entry_meta: + fields: + type: {} + source: + fields: + ip: {} + executable: {} + interactive: {} + name: {} + parent: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + session_leader: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + attested_user: + fields: + id: {} + name: {} + attested_groups: + fields: + name: {} + entry_meta: + fields: + type: + docs_only: True + env_vars: {} + executable: {} + exit_code: {} + group_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + executable: {} + interactive: {} + name: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + hash: + fields: "*" + interactive: {} + io: + fields: "*" + macho: + fields: "*" + name: {} + parent: + fields: + args: {} + args_count: {} + code_signature: + fields: "*" + command_line: {} + elf: + fields: "*" + end: {} + entity_id: {} + executable: 
{} + exit_code: {} + group_leader: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + hash: + fields: "*" + interactive: {} + macho: + fields: "*" + name: {} + pe: + fields: "*" + pgid: {} + pid: {} + vpid: {} + start: {} + thread: + fields: + id: {} + name: {} + capabilities: + fields: + effective: {} + permitted: {} + title: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + uptime: {} + working_directory: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + pe: + fields: "*" + pgid: {} + pid: {} + vpid: {} + previous: + fields: + args: {} + args_count: {} + executable: {} + real_group: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + same_as_process: + docs_only: True + saved_group: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + start: {} + supplemental_groups: + fields: + id: {} + name: {} + session_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + executable: {} + interactive: {} + name: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + parent: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + session_leader: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + thread: + fields: + id: {} + name: {} + capabilities: + fields: + effective: {} + permitted: {} + title: {} + tty: 
+ fields: "*" + uptime: {} + user: + fields: + id: {} + name: {} + working_directory: {} + registry: + fields: "*" + related: + fields: "*" + risk: + fields: "*" + rule: + fields: "*" + server: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + service: + fields: "*" + source: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + threat: + fields: "*" + tls: + fields: "*" + tracing: + fields: "*" + url: + fields: "*" + user_agent: + fields: "*" + user: + fields: + changes: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + domain: {} + effective: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + risk: + fields: "*" + roles: {} + target: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + vlan: + fields: "*" + vulnerability: + fields: "*" + x509: + fields: "*" +``` + +### + +```json +{ + "index_patterns": [ + "wazuh-alerts-5.x-*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": 2500 + } + }, + "refresh_interval": "5s" + } + } + } +} +``` 
diff --git a/ecs/docs/commands.md b/ecs/docs/commands.md
new file mode 100644
index 0000000000000..0ca3ac82de0aa
--- /dev/null
+++ b/ecs/docs/commands.md
@@ -0,0 +1,154 @@
+## `commands` index data model
+
+> [!NOTE]
+> rev 0.1 - September 18th, 2024: Add initial model.
+> rev 0.2 - September 30th, 2024: Change type of `request_id`, `order_id` and `id` to keyword.
+> rev 0.3 - October 3rd, 2024: Change descriptions for `command.type`, `command.action.type`, `command.request_id`, `command.order_id`.
+> rev 0.4 - October 9th, 2024: Apply changes described in https://github.com/wazuh/wazuh-indexer-plugins/issues/96#issue-2576028654.
+
+### Fields summary
+
+This index stores information about the commands executed by the agents. The index appears in 5.0.0 for the first time.
+
+| ECS field | Type | Description |
+| -------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| \*`agent.groups` | keyword | Agent's groups |
+| \*`command.source` | keyword | Origin of the request. One of [`Users/Services` (via Management API), `Engine` (via Management API), `Content manager` (directly)]. |
+| \*`command.user` | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. |
+| \*`command.target.id` | keyword | Unique identifier of the destination to send the command to. |
+| \*`command.target.type` | keyword | The destination type. One of [`group`, `agent`, `server`], |
+| \*`command.action.name` | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... |
+| \*`command.action.args` | keyword | Array of command arguments, starting with the absolute path to the executable. |
+| \*`command.action.version` | keyword | Version of the command's schema. |
+| \*`command.timeout` | short | Time window in which the command has to be sent to its target. |
+| \*`command.status` | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`]. 
|
+| \*`command.result.code` | short | Status code returned by the target. |
+| \*`command.result.message` | keyword | Result message returned by the target. |
+| \*`command.result.data` | keyword | Result data returned by the target. |
+| \*`command.request_id` | keyword | UUID generated by the Command Manager. |
+| \*`command.order_id` | keyword | UUID generated by the Command Manager. |
+
+\* Custom field.
+
+### ECS mapping
+
+```yml
+---
+name: command
+fields:
+ base:
+ fields:
+ tags: []
+ agent:
+ fields:
+ groups: {}
+ command:
+ fields: "*"
+```
+
+```yml
+---
+- name: command
+ title: Wazuh commands
+ short: Wazuh Inc. custom fields.
+ description: >
+ This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers.
+ type: group
+ group: 2
+ fields:
+ - name: source
+ type: keyword
+ level: custom
+ description: >
+ Origin of the request.
+ - name: user
+ type: keyword
+ level: custom
+ description: >
+ The user that originated the request.
+ - name: target.id
+ type: keyword
+ level: custom
+ description: >
+ Unique identifier of the destination to send the command to.
+ - name: target.type
+ type: keyword
+ level: custom
+ description: >
+ The destination type. One of [`group`, `agent`, `server`]
+ - name: action.name
+ type: keyword
+ level: custom
+ description: >
+ The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ...
+ - name: action.args
+ type: keyword
+ level: custom
+ description: >
+ Array of command arguments, starting with the absolute path to the executable.
+ - name: action.version
+ type: keyword
+ level: custom
+ description: >
+ Version of the command's schema.
+ - name: timeout
+ type: short
+ level: custom
+ description: >
+ Time window in which the command has to be sent to its target.
+ - name: status
+ type: keyword
+ level: custom
+ description: >
+ Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure']. 
+ - name: result.code
+ type: short
+ level: custom
+ description: >
+ Status code returned by the target.
+ - name: result.message
+ type: keyword
+ level: custom
+ description: >
+ Result message returned by the target.
+ - name: result.data
+ type: keyword
+ level: custom
+ description: >
+ Result data returned by the target.
+ - name: request_id
+ type: keyword
+ level: custom
+ description: >
+ UUID generated by the Command Manager.
+ - name: order_id
+ type: keyword
+ level: custom
+ description: >
+ UUID generated by the Command Manager.
+```
+
+### Index settings
+
+```json
+{
+ "index_patterns": [".commands*"],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "hidden": true,
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "command.source",
+ "command.target.type",
+ "command.status",
+ "command.action.name"
+ ]
+ }
+ }
+ }
+}
+```
diff --git a/ecs/docs/inventory-4.x.md b/ecs/docs/inventory-4.x.md
new file mode 100644
index 0000000000000..fd77e266d97fd
--- /dev/null
+++ b/ecs/docs/inventory-4.x.md
@@ -0,0 +1,70 @@
+## Migration to 5.x
+
+| Syscollector 4.x inventory table | Index 5.x |
+| -------------------------------- | -------------------------------- |
+| sys_processes | wazuh-states-inventory-processes |
+| sys_hwinfo | wazuh-states-inventory-hardware |
+| sys_osinfo | wazuh-states-inventory-system |
+| sys_ports | wazuh-states-inventory-networks |
+| sys_net\* | wazuh-states-inventory-networks |
+| sys_programs | wazuh-states-inventory-packages |
+| sys_hotfixes | wazuh-states-inventory-hotfixes |
+
+### sys_netiface
+
+| | Field name | ECS field name | Data type | Description |
+| --- | ---------- | ------------------- | --------- | ------------------------------------------------ |
+| x | name | network.name | KEYWORD | Name of the network interface |
+| ? | adapter | | KEYWORD | Adapter name of the network interface |
+| x | type | network.type | KEYWORD | Type of the network interface |
+| * | state | network.state | KEYWORD | State of the network interface |
+| * | mtu | network.mtu | INTEGER | Maximum transmission unit size |
+| x | mac | network.mac | KEYWORD | MAC address of the network interface |
+| | tx_packets | network.out.packets | INTEGER | Number of transmitted packets |
+| | rx_packets | network.in.packets | INTEGER | Number of received packets |
+| | tx_bytes | network.out.bytes | INTEGER | Number of transmitted bytes |
+| | rx_bytes | network.in.bytes | INTEGER | Number of received bytes |
+| | tx_errors | network.out.errors | INTEGER | Number of transmission errors |
+| | rx_errors | network.in.errors | INTEGER | Number of reception errors |
+| | tx_dropped | network.out.dropped | INTEGER | Number of dropped transmitted packets |
+| | rx_dropped | network.in.dropped | INTEGER | Number of dropped received packets |
+| x | item_id | | KEYWORD | Unique identifier for the network interface item |
+
+### sys_netproto
+
+| | Field name | ECS field name | Data type | Description |
+| --- | ---------- | ------------------- | --------- | 
----------------------------------------------- |
+| r | iface | `sys_netiface.name` | KEYWORD | Name of the network interface |
+| | type | network.type | KEYWORD | Type of network protocol |
+| | gateway | network.gateway | KEYWORD | Gateway address |
+| | dhcp | network.dhcp | KEYWORD | DHCP status (enabled, disabled, unknown, BOOTP) |
+| | metric | network.metric | INTEGER | Metric of the network protocol |
+| | item_id | | KEYWORD | Unique identifier for the network protocol item |
+
+### sys_netaddr
+
+| | Field name | ECS field name | Data type | Description |
+| --- | ---------- | -------------------- | --------- | ---------------------------------------------- |
+| r | iface | `sys_netproto.iface` | KEYWORD | Name of the network interface |
+| | proto | `sys_netproto.type` | KEYWORD | Type of network protocol |
+| | address | source.address | KEYWORD | Network address |
+| | netmask | network.netmask | KEYWORD | Network mask |
+| | broadcast | network.broadcast | KEYWORD | Broadcast address |
+| | item_id | | KEYWORD | Unique identifier for the network address item |
+
+### sys_ports
+
+| | Field name | ECS field name | Data type | Description |
+| --- | ----------- | -------------------- | --------- | ------------------------------------------- |
+| | protocol | network.protocol | KEYWORD | Protocol used |
+| | local_ip | source.ip | KEYWORD | Local IP address |
+| | local_port | source.port | INTEGER | Local port number |
+| | remote_ip | destination.ip | KEYWORD | Remote IP address |
+| | remote_port | destination.port | INTEGER | Remote port number |
+| | tx_queue | network.out.queue | INTEGER | Transmit queue length |
+| | rx_queue | network.in.queue | INTEGER | Receive queue length |
+| | inode | system.network.inode | INTEGER | Inode number |
+| | state | network.transport | KEYWORD | State of the connection |
+| | PID | process.pid | INTEGER | Process ID |
+| | process | process.name | KEYWORD | Process name |
+| | item_id | | KEYWORD | Unique 
identifier for the network port item |
diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md
new file mode 100644
index 0000000000000..4f8c2ade7bcd3
--- /dev/null
+++ b/ecs/docs/inventory-hardware.md
@@ -0,0 +1,147 @@
+## `wazuh-states-inventory-hardware` index data model
+
+### Fields summary
+
+The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612
+
+Based on ECS:
+
+- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
+- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).
+
+| | Field name | ECS field name | Data type | Description |
+| --- | ------------ | ----------------------------- | --------- | -------------------------------- |
+| | scan_time | @timestamp | date | Timestamp of the scan |
+| | board_serial | observer.serial_number | keyword | Serial number of the motherboard |
+| * | cpu_name | host.cpu.name | keyword | Name of the CPU |
+| * | cpu_cores | host.cpu.cores | long | Number of CPU cores |
+| * | cpu_mhz | host.cpu.speed | long | Speed of the CPU in MHz |
+| * | ram_total | host.memory.total | long | Total RAM in the system |
+| * | ram_free | host.memory.free | long | Free RAM in the system |
+| * | ram_usage | host.memory.used.percentage | long | RAM usage as a percentage |
+
+\* Custom fields
+
+### ECS mapping
+
+```yml
+---
+name: wazuh-states-inventory-hardware
+fields:
+ base:
+ fields:
+ tags: []
+ "@timestamp": {}
+ agent:
+ fields:
+ id: {}
+ groups: {}
+ observer:
+ fields:
+ serial_number: {}
+ host:
+ fields:
+ memory:
+ fields:
+ total: {}
+ free: {}
+ used:
+ fields:
+ percentage: {}
+ cpu:
+ fields:
+ name: {}
+ cores: {}
+ speed: {}
+```
+
+### Index settings
+
+```json
+{
+ "index_patterns": [
+ "wazuh-states-inventory-hardware*"
+ ],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "number_of_replicas": "0",
+ "number_of_shards": "1",
+ "query.default_field": [
+ "observer.board_serial"
+ ],
+ "refresh_interval": "5s"
+ }
+ },
+ "mappings": {
+ "date_detection": false,
+ "dynamic": "strict",
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "agent": {
+ "properties": {
+ "groups": {
+ "ignore_above": 
1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "host": {
+ "properties": {
+ "cpu": {
+ "properties": {
+ "cores": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "speed": {
+ "type": "long"
+ }
+ },
+ "type": "object"
+ },
+ "memory": {
+ "properties": {
+ "free": {
+ "type": "long"
+ },
+ "total": {
+ "type": "long"
+ },
+ "used": {
+ "properties": {
+ "percentage": {
+ "type": "long"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "observer": {
+ "properties": {
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md
new file mode 100644
index 0000000000000..4ec3ddd48cbcb
--- /dev/null
+++ b/ecs/docs/inventory-hotfixes.md
@@ -0,0 +1,95 @@
+## `wazuh-states-inventory-hotfixes` index data model
+
+### Fields summary
+
+The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612
+
+Based on ECS:
+
+- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
+
+| | Field name | ECS field name | Data type | Description |
+| --- | ---------- | ------------------- | --------- | --------------------- |
+| | scan_time | @timestamp | date | Timestamp of the scan |
+| * | hotfix | package.hotfix.name | keyword | Name of the hotfix |
+
+\* Custom fields
+
+### ECS mapping
+
+```yml
+---
+name: wazuh-states-inventory-hotfixes
+fields:
+ base:
+ fields:
+ tags: []
+ "@timestamp": {}
+ agent:
+ fields:
+ id: {}
+ groups: {}
+ package:
+ fields:
+ hotfix:
+ fields:
+ name: {}
+```
+
+### Index settings
+
+```json
+{
+ "index_patterns": [
+ "wazuh-states-inventory-hotfixes*"
+ ],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "number_of_replicas": "0",
+ "number_of_shards": "1",
+ "query.default_field": [
+ "package.hotfix.name"
+ ],
+ "refresh_interval": "5s"
+ }
+ },
+ "mappings": {
+ "date_detection": false,
+ "dynamic": "strict",
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "agent": {
+ "properties": {
+ "groups": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "package": {
+ "properties": {
+ "hotfix": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md
new file mode 100644
index 0000000000000..536b8c57ced41
--- /dev/null
+++ b/ecs/docs/inventory-networks.md
@@ -0,0 +1,274 @@
+## `wazuh-states-inventory-networks` index data model
+
+### Fields summary
+
+The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612
+
+Based on ECS:
+
+- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).
+- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html).
+- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).
+
+| | Field name | ECS field name | Data type | Description |
+| --- | ----------- | -------------------------------- | --------- | ---------------------------------------------------------------- |
+| | adapter | observer.ingress.interface.alias | keyword | Adapter name of the network interface |
+| | address | host.ip | ip | Network address |
+| | iface | observer.ingress.interface.name | keyword | Name of the network interface |
+| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item |
+| | mac | host.mac | keyword | MAC address of the network interface |
+| | name | observer.ingress.interface.name | keyword | Name of the network interface |
+| | proto | network.protocol | keyword | Type of network protocol |
+| | rx_bytes | host.network.ingress.bytes | long | Number of received bytes |
+| | rx_packets | host.network.ingress.packets | long | Number of received packets |
+| | scan_time | @timestamp | date | Timestamp of the scan |
+| | tx_bytes | host.network.egress.bytes | long | Number of transmitted bytes |
+| | tx_packets | host.network.egress.packets | long | Number of transmitted packets |
+| | type | network.type | keyword | IPv4 or IPv6 for protocols, interface type for interface records |
+| * | broadcast | network.broadcast | ip | Broadcast address |
+| * | dhcp | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) |
+| * | gateway | network.gateway | ip | Gateway address |
+| * | metric | network.metric | long | Metric of the network 
protocol |
+| * | mtu | interface.mtu | long | Maximum transmission unit size |
+| * | netmask | network.netmask | ip | Network mask |
+| * | rx_dropped | host.network.ingress.drops | long | Number of dropped received packets |
+| * | rx_errors | host.network.ingress.errors | long | Number of reception errors |
+| * | state | interface.state | keyword | State of the network interface |
+| * | tx_dropped | host.network.egress.drops | long | Number of dropped transmitted packets |
+| * | tx_errors | host.network.egress.errors | long | Number of transmission errors |
+| * | type | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") |
+
+\* Custom fields
+
+
+### ECS mapping
+
+```yml
+---
+name: wazuh-states-inventory-networks
+fields:
+ base:
+ fields:
+ tags: []
+ "@timestamp": {}
+ agent:
+ fields:
+ id: {}
+ groups: {}
+ destination:
+ fields:
+ ip: {}
+ port: {}
+ device:
+ fields:
+ id: {}
+ file:
+ fields:
+ inode: {}
+ host:
+ fields:
+ ip: {}
+ mac: {}
+ network:
+ fields:
+ egress:
+ fields:
+ bytes: {}
+ packets: {}
+ ingress:
+ fields:
+ bytes: {}
+ packets: {}
+ network:
+ fields:
+ protocol: {}
+ type: {}
+ observer:
+ fields:
+ ingress:
+ fields:
+ interface:
+ fields:
+ alias: {}
+ name: {}
+ process:
+ fields:
+ name: {}
+ pid: {}
+ source:
+ fields:
+ ip: {}
+ port: {}
+```
+
+### Index settings
+
+```json
+{
+ "index_patterns": [
+ "wazuh-states-inventory-networks*"
+ ],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "number_of_replicas": "0",
+ "number_of_shards": "1",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "device.id",
+ "event.id",
+ "host.ip",
+ "observer.ingress.interface.name",
+ "observer.ingress.interface.alias",
+ "process.name"
+ ],
+ "refresh_interval": "5s"
+ }
+ },
+ "mappings": {
+ "date_detection": false,
+ "dynamic": "strict",
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "agent": {
+ "properties": {
+ "groups": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ 
},
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "destination": {
+ "properties": {
+ "ip": {
+ "type": "ip"
+ },
+ "port": {
+ "type": "long"
+ }
+ }
+ },
+ "device": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "file": {
+ "properties": {
+ "inode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "host": {
+ "properties": {
+ "ip": {
+ "type": "ip"
+ },
+ "mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "network": {
+ "properties": {
+ "egress": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ },
+ "packets": {
+ "type": "long"
+ }
+ }
+ },
+ "ingress": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ },
+ "packets": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "network": {
+ "properties": {
+ "protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "observer": {
+ "properties": {
+ "ingress": {
+ "properties": {
+ "interface": {
+ "properties": {
+ "alias": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "process": {
+ "properties": {
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "type": "long"
+ }
+ }
+ },
+ "source": {
+ "properties": {
+ "ip": {
+ "type": "ip"
+ },
+ "port": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md
new file mode 100644
index 0000000000000..127dc5cb10203
--- /dev/null
+++ b/ecs/docs/inventory-packages.md
@@ -0,0 +1,90 @@ +## `wazuh-states-inventory-packages` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 + +Based on ECS: + +- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). + +| Field name | ECS field name | Data type | Description | +| ------------ | ---------------------- | --------- | ----------------------------------------------------------------- | +| | `agent.id` | keyword | Agent's ID | +| | \*`agent.groups` | keyword | Agent's groups | +| scan_time | `@timestamp` | date | Timestamp of the scan | +| architecture | `package.architecture` | keyword | Package architecture. | +| description | `package.description` | keyword | Description of the package. | +| install_time | `package.installed` | date | Time when package was installed. | +| name | `package.name` | keyword | Package name. | +| location | `package.path` | keyword | Path where the package is installed. | +| size | `package.size` | long | Package size in bytes. | +| format | `package.type` | keyword | Type of package. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | +| version | `package.version` | keyword | Package version. | + +\* Custom field + +
Fields not included in ECS +

+ +| | Field name | ECS field name | Data type | Description | +| --- | ---------- | ----------------- | --------- | ------------------------------------------------------------------------- | +| ? | priority | | | Priority of the program | +| ? | section | | | Section of the program category the package belongs to in DEB package managers | +| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. | +| ? | multiarch | | | Multi-architecture compatibility | +| X | source | | | Source of the program - package manager | + +

+
+ +### ECS mapping + +```yml +--- +name: wazuh-states-inventory-packages +fields: + base: + fields: + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + package: + fields: + architecture: "" + description: "" + installed: {} + name: "" + path: "" + size: {} + type: "" + version: "" +``` + +### Index settings + +```json +{ + "index_patterns": ["wazuh-states-inventory-packages*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "package.architecture" + "package.name", + "package.version", + "package.type" + ] + } + } + } +} +``` diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md new file mode 100644 index 0000000000000..51a2009139240 --- /dev/null +++ b/ecs/docs/inventory-ports.md 
@@ -0,0 +1,108 @@ +## `wazuh-states-inventory-ports` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 + +Based on ECS: + +- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). +- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). + +| | Field name | ECS field name | Data type | Description | +| --- | ----------- | -------------------------- | --------- | -------------------------------------------------- | +| | inode | file.inode | keyword | The unix inode of the port | +| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item | +| | local_ip | source.ip | ip | Local IP address | +| | local_port | source.port | long | Local port number | +| | pid | process.pid | long | Process ID | +| | process | process.name | keyword | Process name | +| | protocol | network.protocol | keyword | Protocol used | +| | remote_ip | destination.ip | ip | Remote IP address | +| | remote_port | destination.port | long | Remote port number | +| | scan_time | @timestamp | date | Timestamp of the scan | +| * | rx_queue | host.network.ingress.queue | long | Receive queue length | +| * | state | interface.state | keyword | State of the network interface | +| * | tx_queue | host.network.egress.queue | long | Transmit queue length | + +\* Custom fields + + +### ECS mapping + +```yml +--- +name: wazuh-states-inventory-ports +fields: + base: + fields: + tags: [] + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + destination: + fields: + ip: {} + port: {} + device: + fields: + id: {} + file: + fields: + inode: {} + host: + fields: + network: + fields: + egress: + fields: + queue: {} + ingress: + fields: + queue: {} + network: + fields: + protocol: {} + process: + fields: + name: {} + pid: {} + source: + fields: + ip: {} + port: {} + 
interface: + fields: + state: {} + +``` + +### Index settings + +```json +{ + "index_patterns": [ + "wazuh-states-inventory-ports*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "process.name", + "source.ip", + "destination.ip" + ] + } + } + } +} +``` diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md new file mode 100644 index 0000000000000..6be9b7e790c0b --- /dev/null +++ b/ecs/docs/inventory-processes.md 
@@ -0,0 +1,131 @@ +## `wazuh-states-inventory-processes` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 + +Based on ECS: + +- [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html). + +| | Field name | ECS field name | Data type | Description | Comments | +| --- | ---------------- | ------------------------ | ------------------ | ------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | +| | `agent.id` | keyword | Agent's ID | +| | \*`agent.groups` | keyword | Agent's groups | +| | scan_time | `@timestamp` | date | Date/time when the event originated. | | +| | pid | `process.pid` | long | Process ID. | | +| | name | `process.name` | keyword | Process name. | | +| | ppid | `process.parent.pid` | long | Parent process ID. | | +| | cmd | `process.command_line` | wildcard | Full command line that started the process, including the absolute path to the executable, and all arguments. | | +| | argvs | `process.args` | keyword | Array of process arguments, starting with the absolute path to the executable. | | +| | euser | `process.user.id` | keyword | Unique identifier of the effective user. | | +| | ruser | `process.real_user.id` | keyword | Unique identifier of the real user. | | +| | suser | `process.saved_user.id` | keyword | Unique identifier of the saved user. | | +| | egroup | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | +| | rgroup | `process.real_group.id` | keyword | Unique identifier for the real group on the system/platform. | | +| | sgroup | `process.saved_group.id` | keyword | Unique identifier for the saved group on the system/platform. | | +| | start_time | `process.start` | date | The time the process started. | | +| ! 
| tgid | `process.thread.id` | **No ECS mapping** | Thread ID | `thread.group` is **not part of ECS;** but `thread.id` is. | +| ! | tty | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification | + +\* Custom field + +!: Fields awaiting analysis + +
Fields not included in ECS +

+ +| | Field name | ECS field name | Data type | Description | Comments | +| --- | ---------- | ------------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | +| x | state | `process.state` | **No ECS mapping** | State of the process | **Not part of ECS;** Maybe as a custom field. | +| x | utime | `process.cpu.user` | **No ECS mapping** | User mode CPU time | **Not part of ECS;** Maybe as a custom field. | +| x | stime | `process.cpu.system` | **No ECS mapping** | Kernel mode CPU time | **Not part of ECS;** Maybe as a custom field. | +| x? | fgroup | `process.group.file.id` | **No ECS mapping** | unknown | | +| x | priority | `process.priority` | **No ECS mapping** | Process priority | **Not part of ECS;** Maybe as a custom field. | +| x | nice | `process.nice` | **No ECS mapping** | Nice value | **Not part of ECS;** Maybe as a custom field. | +| x | size | `process.size` | **No ECS mapping** | Process size | **Not part of ECS;** Maybe as a custom field. | +| x | vm_size | `process.vm.size` | **No ECS mapping** | Virtual memory size | **Not part of ECS;** Maybe as a custom field. | +| x | resident | `process.memory.resident` | **No ECS mapping** | Resident set size | **Not part of ECS;** Maybe as a custom field. | +| x | share | `process.memory.share` | **No ECS mapping** | Shared memory size | **Not part of ECS;** Maybe as a custom field. | +| ! | pgrp | `process.group.id` | keyword | Process group | Isn't it duplicated ?? | +| x | session | `process.session` | **No ECS mapping** | Session ID | **Not part of ECS;** Needs clarification. | +| x | nlwp | `process.nlwp` | **No ECS mapping** | Number of light-weight processes | **Not part of ECS;** Needs clarification. | +| ! | tgid | `process.thread.id` | **No ECS mapping** | Thread ID ID | `thread.group` is **not part of ECS;** but `thread.id` is. | +| ! 
| tty | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification | +| x | processor | `host.cpu.processor` | **No ECS mapping** | Processor number | No ECS field refers to the core number of the CPU. | + +

+
+ + +### ECS mapping + +```yml +--- +name: wazuh-states-inventory-processes +fields: + base: + fields: + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + process: + fields: + pid: {} + name: "" + parent: + fields: + pid: {} + command_line: "" + args: "" + user: + fields: + id: "" + real_user: + fields: + id: "" + saved_user: + fields: + id: "" + group: + fields: + id: "" + real_group: + fields: + id: "" + saved_group: + fields: + id: "" + start: {} + thread: + fields: + id: "" + tty: {} +``` + +### Index settings + +```json +{ + "index_patterns": ["wazuh-states-inventory-processes*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "process.name", + "process.pid", + "process.command_line" + ] + } + } + } +} +``` diff --git a/ecs/docs/inventory-system.md b/ecs/docs/inventory-system.md new file mode 100644 index 0000000000000..ef53885ec1bc2 --- /dev/null +++ b/ecs/docs/inventory-system.md 
@@ -0,0 +1,103 @@ +## `wazuh-states-inventory-system` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 + +Based on ECS: + +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html). + +| Field name | ECS field name | Data type | Description | +| ------------ | ------------------- | --------- | ---------------------------------------------------------- | +| | `agent.id` | keyword | Agent's ID | +| | \*`agent.groups` | keyword | Agent's groups | +| scan_time | `@timestamp` | date | Date/time when the event originated. | +| architecture | `host.architecture` | keyword | Operating system architecture. | +| hostname | `host.hostname` | keyword | Hostname of the host. | +| os_build | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | +| os_codename | `host.os.full` | keyword | Operating system name, including the version or code name. | +| os_name | `host.os.name` | keyword | Operating system name, without the version. | +| os_platform | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | +| os_version | `host.os.version` | keyword | Operating system version as a raw string. | +| sysname | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | + +\* Custom field + +
Details +

+ +Removed fields: + +- os_display_version +- os_major (can be extracted from os_version) +- os_minor (can be extracted from os_version) +- os_patch (can be extracted from os_version) +- os_release +- reference +- release +- scan_id +- sysname +- version +- checksum + +Available fields: + +- `os.family` +- `hots.name` + +

+
+ +### ECS mapping + +```yml +--- +name: wazuh-states-inventory-system +fields: + base: + fields: + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + host: + fields: + architecture: {} + hostname: {} + name: {} + os: + fields: + kernel: {} + full: {} + platform: {} + version: {} + type: {} +``` + +### Index settings + +```json +{ + "index_patterns": ["wazuh-states-inventory-system*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "host.name", + "host.os.type", + "host.os.version" + ] + } + } + } +} +``` diff --git a/ecs/docs/states-fim.md b/ecs/docs/states-fim.md new file mode 100644 index 0000000000000..4d42e1e8a79fc --- /dev/null +++ b/ecs/docs/states-fim.md 
@@ -0,0 +1,100 @@ +## `wazuh-states-fim` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189377542 + +Based on ECS: + +- [File Fields](https://www.elastic.co/guide/en/ecs/current/ecs-file.html). +- [Registry Fields](https://www.elastic.co/guide/en/ecs/current/ecs-registry.html). + +| Field | ECS field | Type | Description | +| ------------- | ------------------ | ------- | ---------------------------------------------------------------- | +| | `agent.id` | keyword | Agent's ID | +| | \*`agent.groups` | keyword | Agent's groups | +| arch | \* ? | keyword | Is arch a file property? | +| attributes | `file.attributes` | keyword | Array of file attributes. | +| file | `file.name` | keyword | Name of the file including the extension, without the directory. | +| full_path | `file.path` | keyword | Full path to the file, including the file name. | +| gid | `file.gid` | keyword | Primary group ID (GID) of the file. | +| gname | `file.group` | keyword | Primary group name of the file. | +| inode | `file.inode` | keyword | Inode representing the file in the filesystem. | +| md5 | `file.hash.md5` | keyword | MD5 hash of the file. | +| mtime | `file.mtime` | date | Last time the file's metadata changed. | +| perm | `file.mode` | keyword | File permissions in octal mode. | +| sha1 | `file.hash.sha1` | keyword | SHA1 hash of the file. | +| sha256 | `file.hash.sha256` | keyword | SHA256 hash of the file. | +| size | `file.size` | long | File size in bytes. | +| symbolic_path | `file.target_path` | keyword | Target path for symlinks. | +| type | `file.type` | keyword | File type (file, dir, or symlink). | +| uid | `file.uid` | keyword | User ID (UID) of the file owner. | +| uname | `file.owner` | keyword | File owner’s username. | +| value_name | `registry.key` | keyword | Hive-relative path of keys. | +| value_type | `registry.value` | keyword | Name of the value written. 
| + +\* Custom field + +### ECS mapping + +```yml +--- +name: fim +fields: + agent: + fields: + id: {} + groups: {} + file: + fields: + attributes: {} + name: {} + path: {} + gid: {} + group: {} + inode: {} + hash: + fields: + md5: {} + sha1: {} + sha256: {} + mtime: {} + mode: {} + size: {} + target_path: {} + type: {} + uid: {} + owner: {} + registry: + fields: + key: {} + value: {} +``` + +### Index settings + +```json +{ + "index_patterns": ["wazuh-states-fim*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "file.name", + "file.path", + "file.target_path", + "file.group", + "file.uid", + "file.gid" + ] + } + } + } +} +``` diff --git a/ecs/docs/states-vulnerability.md b/ecs/docs/states-vulnerability.md new file mode 100644 index 0000000000000..fa7f4969d1c1f --- /dev/null +++ b/ecs/docs/states-vulnerability.md 
@@ -0,0 +1,177 @@ +## `wazuh-states-vulnerabilities` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/blob/4.9.0/ecs/vulnerability-detector + +Based on ECS: + +- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). +- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Vulnerability Fields](https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html). + +| ECS field | Type | Description | +| ----------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `agent.id` | keyword | Unique identifier of this agent (if one exists). | +| \*`agent.groups` | keyword | Agent's groups | +| `agent.name` | keyword | Custom name of the agent. | +| `agent.type` | keyword | Type of the agent. | +| `agent.version` | keyword | Version of the agent. | +| `host.os.full` | keyword | Operating system name, including the version or code name. | +| `host.os.kernel` | keyword | Operating system kernel version as a raw string. | +| `host.os.name` | keyword | Operating system name, without the version. | +| `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | +| `host.os.type` | keyword | Use the os.type field to categorize the operating system into one of the broad commercial families. | +| `host.os.version` | keyword | Operating system version as a raw string. | +| `package.architecture` | keyword | Package architecture. | +| `package.build_version` | keyword | Additional information about the build version of the installed package. | +| `package.checksum` | keyword | Checksum of the installed package for verification. 
| +| `package.description` | keyword | Description of the package. | +| `package.install_scope` | keyword | Indicating how the package was installed, e.g. user-local, global. | +| `package.installed` | date | Time when package was installed. | +| `package.license` | keyword | License under which the package was released. | +| `package.name` | keyword | Package name | +| `package.path` | keyword | Path where the package is installed. | +| `package.reference` | keyword | Home page or reference URL of the software in this package, if available. | +| `package.size` | long | Package size in bytes. | +| `package.type` | keyword | Type of package. | +| `package.version` | keyword | Package version | +| `vulnerability.category` | keyword | The type of system or architecture that the vulnerability affects | +| `vulnerability.classification` | keyword | The classification of the vulnerability scoring system. | +| `vulnerability.description` | keyword | The description of the vulnerability that provides additional context of the vulnerability | +| \*`vulnerability.detected_at` | date | Vulnerability's detection date. | +| `vulnerability.enumeration` | keyword | The type of identifier used for this vulnerability. | +| `vulnerability.id` | keyword | The identification (ID) is the number portion of a vulnerability entry. | +| \*`vulnerability.published_at` | date | Vulnerability's publication date. | +| `vulnerability.reference` | keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability. | +| `vulnerability.report_id` | keyword | The report or scan identification number. | +| \*`vulnerability.scanner.source` | keyword | The origin of the decision of the scanner (AKA feed used to detect the vulnerability). | +| `vulnerability.scanner.vendor` | keyword | The name of the vulnerability scanner vendor. | +| `vulnerability.score.base` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
| +| `vulnerability.score.environmental` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | +| `vulnerability.score.temporal` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | +| `vulnerability.score.version` | keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. | +| `vulnerability.severity` | keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. | +| \*`vulnerability.under_evaluation` | boolean | Indicates if the vulnerability is awaiting analysis by the NVD. | +| \*`wazuh.cluster.name` | keyword | Name of the Wazuh cluster. | +| \*`wazuh.cluster.node` | keyword | Name of the Wazuh cluster node. | +| \*`wazuh.schema.version` | keyword | Version of the Wazuh schema. | + +\* Custom field + +### ECS mapping + +```yml +--- +name: wazuh-states-vulnerabilities +fields: + base: + tags: [] + agent: + fields: "*" + package: + fields: "*" + host: + fields: + os: + fields: + full: "" + kernel: "" + name: "" + platform: "" + type: "" + version: "" + vulnerability: + fields: "*" + wazuh: + fields: "*" +``` + +```yml +--- +- name: vulnerability + title: Vulnerability + group: 2 + short: Fields to describe the vulnerability relevant to an event. + description: > + The vulnerability fields describe information about a vulnerability that is + relevant to an event. + type: group + fields: + - name: detected_at + type: date + level: custom + description: > + Vulnerability's detection date. + - name: published_at + type: date + level: custom + description: > + Vulnerability's publication date. + - name: under_evaluation + type: boolean + level: custom + description: > + Indicates if the vulnerability is awaiting analysis by the NVD. 
+ - name: scanner.source + type: keyword + level: custom + description: > + The origin of the decision of the scanner (AKA feed used to detect the vulnerability). +``` + +```yml +--- +--- +- name: wazuh + title: Wazuh + description: > + Wazuh Inc. custom fields + fields: + - name: cluster.name + type: keyword + level: custom + description: > + Wazuh cluster name. + - name: cluster.node + type: keyword + level: custom + description: > + Wazuh cluster node name. + - name: schema.version + type: keyword + level: custom + description: > + Wazuh schema version. +``` + +### Index settings + +```json +{ + "index_patterns": ["wazuh-states-vulnerabilities*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "host.os.full", + "host.os.version", + "package.name", + "package.version", + "vulnerability.id", + "vulnerability.description", + "vulnerability.severity", + "wazuh.cluster.name" + ] + } + } + } +} +``` diff --git a/ecs/states-inventory-hardware/fields/custom/agent.yml b/ecs/states-inventory-hardware/fields/custom/agent.yml new file mode 100644 index 0000000000000..7f23b6a463e49 --- /dev/null +++ b/ecs/states-inventory-hardware/fields/custom/agent.yml @@ -0,0 +1,11 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. diff --git a/ecs/states-inventory-hardware/fields/custom/host.yml b/ecs/states-inventory-hardware/fields/custom/host.yml new file mode 100644 index 0000000000000..90cfdce2221dd --- /dev/null +++ b/ecs/states-inventory-hardware/fields/custom/host.yml 
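Review bot: `group: 2` is absent from this copy of the agent custom fieldset, while the otherwise identical copies added for states-inventory-hotfixes and states-inventory-networks in this same patch declare it. Three hand-copied files with one divergent key will drift further over time; either add `group: 2` here so the three stay byte-identical, or drop it from the other two, and ideally generate them from one shared definition.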
@@ -0,0 +1,52 @@ +--- +- name: host + title: host + type: group + description: > + Host related data. + fields: + - name: memory + description: > + Memory related data + type: object + level: custom + - name: memory.total + description: > + Total memory in MB + type: long + level: custom + - name: memory.free + description: > + Free memory in MB + type: long + level: custom + - name: memory.used + description: > + Used memory related data + type: object + level: custom + - name: memory.used.percentage + description: > + Used memory percentage + type: long + level: custom + - name: cpu + description: > + CPU related data + type: object + level: custom + - name: cpu.name + description: > + CPU Model name + type: keyword + level: custom + - name: cpu.cores + description: > + Number of CPU cores + type: long + level: custom + - name: cpu.speed + description: > + CPU clock speed + type: long + level: custom \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/mapping-settings.json b/ecs/states-inventory-hardware/fields/mapping-settings.json new file mode 100644 index 0000000000000..0ad2b48fcc1be --- /dev/null +++ b/ecs/states-inventory-hardware/fields/mapping-settings.json @@ -0,0 +1,4 @@ +{ + "dynamic": "strict", + "date_detection": false +} \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/subset.yml b/ecs/states-inventory-hardware/fields/subset.yml new file mode 100644 index 0000000000000..ededa27a75013 --- /dev/null +++ b/ecs/states-inventory-hardware/fields/subset.yml @@ -0,0 +1,28 @@ +--- +name: wazuh-states-inventory-hardware +fields: + base: + fields: + tags: [] + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + observer: + fields: + serial_number: {} + host: + fields: + memory: + fields: + total: {} + free: {} + used: + fields: + percentage: {} + cpu: + fields: + name: {} + cores: {} + speed: {} 
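Review bot: `memory.used.percentage` is typed `long`, so any fractional percentage the agent reports would be truncated at index time; `float` (or `scaled_float`) fits a percentage better unless the source is known to emit integers only. `cpu.speed` is described as `CPU clock speed` with no unit, while the memory fields say `in MB`; the description should name the unit the agent actually sends so consumers do not have to guess. Minor: `title: host` is lowercase unlike the other fieldsets, and the file lacks a trailing newline.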
diff --git a/ecs/states-inventory-hardware/fields/template-settings-legacy.json b/ecs/states-inventory-hardware/fields/template-settings-legacy.json new file mode 100644 index 0000000000000..b2281742d219e --- /dev/null +++ b/ecs/states-inventory-hardware/fields/template-settings-legacy.json @@ -0,0 +1,14 @@ +{ + "index_patterns": ["wazuh-states-inventory-hardware*"], + "order": 1, + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "observer.board_serial" + ] + } + } +} diff --git a/ecs/states-inventory-hardware/fields/template-settings.json b/ecs/states-inventory-hardware/fields/template-settings.json new file mode 100644 index 0000000000000..d8cf7b772921c --- /dev/null +++ b/ecs/states-inventory-hardware/fields/template-settings.json @@ -0,0 +1,18 @@ +{ + "index_patterns": [ + "wazuh-states-inventory-hardware*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "observer.board_serial" + ] + } + } + } +} \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/custom/agent.yml b/ecs/states-inventory-hotfixes/fields/custom/agent.yml new file mode 100644 index 0000000000000..3482123af637a --- /dev/null +++ b/ecs/states-inventory-hotfixes/fields/custom/agent.yml @@ -0,0 +1,12 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. diff --git a/ecs/states-inventory-hotfixes/fields/custom/package.yml b/ecs/states-inventory-hotfixes/fields/custom/package.yml new file mode 100644 index 0000000000000..deee7e1a03e63 --- /dev/null +++ b/ecs/states-inventory-hotfixes/fields/custom/package.yml 
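Review bot: `query.default_field` names `observer.board_serial`, but the subset.yml for this index (the hunk just above) declares `observer.serial_number`, and with `dynamic: strict` in mapping-settings.json the default search field will never exist in the generated mapping, so unqualified queries against this index match nothing. The same list is repeated in template-settings.json in the next hunk. Both should point at the mapped field, and for parity with the other state-index templates in this patch probably also the agent fields: `"query.default_field": ["agent.id", "agent.groups", "observer.serial_number"]`.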
@@ -0,0 +1,19 @@ +--- +- name: package + title: Package + type: group + group: 2 + description: > + Package related data. + fields: + - name: hotfix + type: object + level: custom + group: 2 + description: > + Hotfix related data. + - name: hotfix.name + type: keyword + level: custom + description: > + Name of the Hotfix. \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/mapping-settings.json b/ecs/states-inventory-hotfixes/fields/mapping-settings.json new file mode 100644 index 0000000000000..0ad2b48fcc1be --- /dev/null +++ b/ecs/states-inventory-hotfixes/fields/mapping-settings.json @@ -0,0 +1,4 @@ +{ + "dynamic": "strict", + "date_detection": false +} \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/subset.yml b/ecs/states-inventory-hotfixes/fields/subset.yml new file mode 100644 index 0000000000000..fcec48481c21e --- /dev/null +++ b/ecs/states-inventory-hotfixes/fields/subset.yml @@ -0,0 +1,16 @@ +--- +name: wazuh-states-inventory-hotfixes +fields: + base: + fields: + tags: [] + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + package: + fields: + hotfix: + fields: + name: {} \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json b/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json new file mode 100644 index 0000000000000..390711717339d --- /dev/null +++ b/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json @@ -0,0 +1,14 @@ +{ + "index_patterns": ["wazuh-states-inventory-hotfixes*"], + "order": 1, + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "package.hotfix.name" + ] + } + } +} diff --git a/ecs/states-inventory-hotfixes/fields/template-settings.json b/ecs/states-inventory-hotfixes/fields/template-settings.json new file mode 100644 index 0000000000000..0312d23702aa4 --- /dev/null 
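Review bot: `query.default_field` lists only `package.hotfix.name`, whereas the subset.yml for this index declares `agent.id` and `agent.groups` and the networks template in this patch includes them in its default fields; an unqualified query for an agent id or group will silently match nothing in the hotfixes index. template-settings.json for hotfixes (the following hunk) carries the same list. Suggest `"query.default_field": ["agent.id", "agent.groups", "package.hotfix.name"]` in both.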
+++ b/ecs/states-inventory-hotfixes/fields/template-settings.json @@ -0,0 +1,18 @@ +{ + "index_patterns": [ + "wazuh-states-inventory-hotfixes*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "package.hotfix.name" + ] + } + } + } +} \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/custom/agent.yml b/ecs/states-inventory-networks/fields/custom/agent.yml new file mode 100644 index 0000000000000..3482123af637a --- /dev/null +++ b/ecs/states-inventory-networks/fields/custom/agent.yml @@ -0,0 +1,12 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. diff --git a/ecs/states-inventory-networks/fields/custom/host.yml b/ecs/states-inventory-networks/fields/custom/host.yml new file mode 100644 index 0000000000000..1adf74051f434 --- /dev/null +++ b/ecs/states-inventory-networks/fields/custom/host.yml @@ -0,0 +1,24 @@ +--- +- name: host + title: Host + fields: + - name: network.egress.drops + type: long + level: custom + description: > + Number of dropped transmitted packets. + - name: network.egress.errors + type: long + level: custom + description: > + Number of transmission errors. + - name: network.ingress.drops + type: long + level: custom + description: > + Number of dropped received packets. + - name: network.ingress.errors + type: long + level: custom + description: > + Number of reception errors. diff --git a/ecs/states-inventory-networks/fields/custom/interface.yml b/ecs/states-inventory-networks/fields/custom/interface.yml new file mode 100644 index 0000000000000..57bfd2c5eb2eb --- /dev/null +++ b/ecs/states-inventory-networks/fields/custom/interface.yml 
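Review bot: This `host` fieldset omits the `type: group`, `group: 2` and `description` keys that the sibling custom fieldsets (agent.yml, interface.yml, network.yml) all declare; whether the ECS generator in use defaults these or rejects the file is not visible here and is worth confirming. For consistency with the other fieldsets add `type: group`, `group: 2` and a `description: >` line such as `Host network counters.` under `title: Host`.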
@@ -0,0 +1,23 @@
+---
+- name: interface
+ title: Interface
+ type: group
+ group: 2
+ description: >
+ Network interface related data.
+ fields:
+ - name: mtu
+ type: long
+ level: custom
+ description: >
+ Maximum transmission unit size.
+ - name: state
+ type: keyword
+ level: custom
+ description: >
+ State of the network interface.
+ - name: type
+ type: keyword
+ level: custom
+ description: >
+ Interface type.
diff --git a/ecs/states-inventory-networks/fields/custom/network.yml b/ecs/states-inventory-networks/fields/custom/network.yml
new file mode 100644
index 0000000000000..2387fdd645b68
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/custom/network.yml
@@ -0,0 +1,33 @@
+---
+- name: network
+ title: Network
+ type: group
+ group: 2
+ description: >
+ Network related data.
+ fields:
+ - name: broadcast
+ type: ip
+ level: custom
+ description: >
+ Broadcast address
+ - name: dhcp
+ type: keyword
+ level: custom
+ description: >
+ DHCP status (enabled, disabled, unknown, BOOTP)
+ - name: gateway
+ type: ip
+ level: custom
+ description: >
+ Gateway address
+ - name: metric
+ type: long
+ level: custom
+ description: >
+ Metric of the network protocol
+ - name: netmask
+ type: ip
+ level: custom
+ description: >
+ Network mask
diff --git a/ecs/states-inventory-networks/fields/mapping-settings.json b/ecs/states-inventory-networks/fields/mapping-settings.json
new file mode 100644
index 0000000000000..0ad2b48fcc1be
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/mapping-settings.json
@@ -0,0 +1,4 @@
+{
+ "dynamic": "strict",
+ "date_detection": false
+}
\ No newline at end of file
diff --git a/ecs/states-inventory-networks/fields/subset.yml b/ecs/states-inventory-networks/fields/subset.yml
new file mode 100644
index 0000000000000..d60366d6938aa
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/subset.yml
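Review bot: `dhcp` in `custom/network.yml` is a `keyword` whose accepted values exist only in prose (`DHCP status (enabled, disabled, unknown, BOOTP)`); ECS field definitions support an `allowed_values` list (one `name`/`description` entry per value), which would make the enum machine-checkable and documented from the schema instead of free text. The descriptions in this file also drop the terminating period that every other custom file in this commit uses (`Broadcast address` here vs. `Number of reception errors.` in `custom/host.yml`).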
@@ -0,0 +1,51 @@
+---
+name: wazuh-states-inventory-networks
+fields:
+ base:
+ fields:
+ tags: []
+ "@timestamp": {}
+ agent:
+ fields:
+ id: {}
+ groups: {}
+ host:
+ fields:
+ ip: {}
+ mac: {}
+ network:
+ fields:
+ egress:
+ fields:
+ bytes: {}
+ drops: {}
+ errors: {}
+ packets: {}
+ ingress:
+ fields:
+ bytes: {}
+ drops: {}
+ errors: {}
+ packets: {}
+ interface:
+ fields:
+ mtu: {}
+ state: {}
+ type: {}
+ network:
+ fields:
+ broadcast: {}
+ dhcp: {}
+ gateway: {}
+ metric: {}
+ netmask: {}
+ protocol: {}
+ type: {}
+ observer:
+ fields:
+ ingress:
+ fields:
+ interface:
+ fields:
+ alias: {}
+ name: {}
diff --git a/ecs/states-inventory-networks/fields/template-settings-legacy.json b/ecs/states-inventory-networks/fields/template-settings-legacy.json
new file mode 100644
index 0000000000000..1f45768296427
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/template-settings-legacy.json
@@ -0,0 +1,21 @@
+{
+ "index_patterns": ["wazuh-states-inventory-networks*"],
+ "order": 1,
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "device.id",
+ "event.id",
+ "host.ip",
+ "observer.ingress.interface.name",
+ "observer.ingress.interface.alias",
+ "process.name"
+ ]
+ }
+ }
+}
diff --git a/ecs/states-inventory-networks/fields/template-settings.json b/ecs/states-inventory-networks/fields/template-settings.json
new file mode 100644
index 0000000000000..a5607e1012689
--- /dev/null
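Review bot: `query.default_field` in the networks legacy template lists `device.id`, `event.id` and `process.name`, but the networks `subset.yml` in the preceding hunk declares no `device`, `event` or `process` fields, so these entries either name fields that are absent from the generated mapping or the subset is missing them; the list looks carried over from the ports template. The same three entries are repeated in `template-settings.json` for networks in the next hunk. Either drop them from both files or add the fields to the subset so that the default search fields match what is actually mapped under `"dynamic": "strict"`.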
@@ -0,0 +1,25 @@
+{
+ "index_patterns": [
+ "wazuh-states-inventory-networks*"
+ ],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "device.id",
+ "event.id",
+ "host.ip",
+ "observer.ingress.interface.name",
+ "observer.ingress.interface.alias",
+ "process.name"
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/ecs/states-inventory-ports/fields/custom/agent.yml b/ecs/states-inventory-ports/fields/custom/agent.yml
new file mode 100644
index 0000000000000..3482123af637a
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/custom/agent.yml
@@ -0,0 +1,12 @@
+---
+- name: agent
+ title: Wazuh Agents
+ short: Wazuh Inc. custom fields.
+ type: group
+ group: 2
+ fields:
+ - name: groups
+ type: keyword
+ level: custom
+ description: >
+ The groups the agent belongs to.
diff --git a/ecs/states-inventory-ports/fields/custom/host.yml b/ecs/states-inventory-ports/fields/custom/host.yml
new file mode 100644
index 0000000000000..57d032bb002c8
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/custom/host.yml
@@ -0,0 +1,14 @@
+---
+- name: host
+ title: Host
+ fields:
+ - name: network.ingress.queue
+ type: long
+ level: custom
+ description: >
+ Receive queue length.
+ - name: network.egress.queue
+ type: long
+ level: custom
+ description: >
+ Transmit queue length.
diff --git a/ecs/states-inventory-ports/fields/custom/interface.yml b/ecs/states-inventory-ports/fields/custom/interface.yml
new file mode 100644
index 0000000000000..155961408d456
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/custom/interface.yml
@@ -0,0 +1,13 @@
+---
+- name: interface
+ title: Interface
+ type: group
+ group: 2
+ description: >
+ Network interface related data.
+ fields:
+ - name: state
+ type: keyword
+ level: custom
+ description: >
+ State of the network interface.
diff --git a/ecs/states-inventory-ports/fields/mapping-settings.json b/ecs/states-inventory-ports/fields/mapping-settings.json
new file mode 100644
index 0000000000000..0ad2b48fcc1be
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/mapping-settings.json
@@ -0,0 +1,4 @@
+{
+ "dynamic": "strict",
+ "date_detection": false
+}
\ No newline at end of file
diff --git a/ecs/states-inventory-ports/fields/subset.yml b/ecs/states-inventory-ports/fields/subset.yml
new file mode 100644
index 0000000000000..27e2ac6abcb02
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/subset.yml
@@ -0,0 +1,45 @@
+---
+name: wazuh-states-inventory-ports
+fields:
+ base:
+ fields:
+ tags: []
+ "@timestamp": {}
+ agent:
+ fields:
+ id: {}
+ groups: {}
+ destination:
+ fields:
+ ip: {}
+ port: {}
+ device:
+ fields:
+ id: {}
+ file:
+ fields:
+ inode: {}
+ host:
+ fields:
+ network:
+ fields:
+# egress:
+# fields:
+# queue: {}
+ ingress:
+ fields:
+ queue: {}
+ network:
+ fields:
+ protocol: {}
+ process:
+ fields:
+ name: {}
+ pid: {}
+ source:
+ fields:
+ ip: {}
+ port: {}
+ interface:
+ fields:
+ state: {}
diff --git a/ecs/states-inventory-ports/fields/template-settings-legacy.json b/ecs/states-inventory-ports/fields/template-settings-legacy.json
new file mode 100644
index 0000000000000..684b7689d70f3
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/template-settings-legacy.json
@@ -0,0 +1,18 @@
+{
+ "index_patterns": ["wazuh-states-inventory-ports*"],
+ "order": 1,
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "process.name",
+ "source.ip",
+ "destination.ip"
+ ]
+ }
+ }
+}
diff --git a/ecs/states-inventory-ports/fields/template-settings.json b/ecs/states-inventory-ports/fields/template-settings.json
new file mode 100644
index 0000000000000..9324c929a4bfd
--- /dev/null
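Review bot: The commented-out `# egress:` / `# fields:` / `# queue: {}` block in the ports `subset.yml` excludes `host.network.egress.queue` even though `custom/host.yml` in the previous hunk defines it, so, if the subset drives the generated mapping as it appears to, that custom definition is never emitted and a reader cannot tell whether the exclusion is temporary or the definition is dead. Either remove the commented lines together with the unused `network.egress.queue` definition, or replace the comment with one that states the reason, e.g. `# egress.queue is defined in custom/host.yml but not collected yet; tracked in <issue-id placeholder>`.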
@@ -0,0 +1,22 @@
+{
+ "index_patterns": [
+ "wazuh-states-inventory-ports*"
+ ],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "process.name",
+ "source.ip",
+ "destination.ip"
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file