From 27350a5367b1ab8c853de60ca898ecfaba674628 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=81lex=20Ruiz?=
Date: Tue, 12 Nov 2024 13:41:53 +0100
Subject: [PATCH 1/6] Migrate #462 to master (2.17.1)
---
.../custom/{wazuh-agent.yml => agent.yml} | 0
ecs/docs/agents.md | 110 +++
ecs/docs/alerts.md | 635 ++++++++++++++++++
ecs/docs/commands.md | 154 +++++
ecs/docs/inventory-4.x.md | 70 ++
ecs/docs/inventory-hardware.md | 147 ++++
ecs/docs/inventory-hotfixes.md | 95 +++
ecs/docs/inventory-networks.md | 274 ++++++++
ecs/docs/inventory-packages.md | 90 +++
ecs/docs/inventory-ports.md | 108 +++
ecs/docs/inventory-processes.md | 131 ++++
ecs/docs/inventory-system.md | 103 +++
ecs/docs/states-fim.md | 100 +++
ecs/docs/states-vulnerability.md | 177 +++++
.../fields/custom/agent.yml | 11 +
.../fields/custom/host.yml | 52 ++
.../fields/mapping-settings.json | 4 +
.../fields/subset.yml | 28 +
.../fields/template-settings-legacy.json | 14 +
.../fields/template-settings.json | 18 +
.../fields/custom/agent.yml | 12 +
.../fields/custom/package.yml | 19 +
.../fields/mapping-settings.json | 4 +
.../fields/subset.yml | 16 +
.../fields/template-settings-legacy.json | 14 +
.../fields/template-settings.json | 18 +
.../fields/custom/agent.yml | 12 +
.../fields/custom/host.yml | 24 +
.../fields/custom/interface.yml | 23 +
.../fields/custom/network.yml | 33 +
.../fields/mapping-settings.json | 4 +
.../fields/subset.yml | 51 ++
.../fields/template-settings-legacy.json | 21 +
.../fields/template-settings.json | 25 +
.../fields/custom/agent.yml | 12 +
.../fields/custom/host.yml | 14 +
.../fields/custom/interface.yml | 13 +
.../fields/mapping-settings.json | 4 +
ecs/states-inventory-ports/fields/subset.yml | 45 ++
.../fields/template-settings-legacy.json | 18 +
.../fields/template-settings.json | 22 +
41 files changed, 2725 insertions(+)
rename ecs/agent/fields/custom/{wazuh-agent.yml => agent.yml} (100%)
create mode 100644 ecs/docs/agents.md
create mode 100644 ecs/docs/alerts.md
create mode 100644 ecs/docs/commands.md
create mode 100644 ecs/docs/inventory-4.x.md
create mode 100644 ecs/docs/inventory-hardware.md
create mode 100644 ecs/docs/inventory-hotfixes.md
create mode 100644 ecs/docs/inventory-networks.md
create mode 100644 ecs/docs/inventory-packages.md
create mode 100644 ecs/docs/inventory-ports.md
create mode 100644 ecs/docs/inventory-processes.md
create mode 100644 ecs/docs/inventory-system.md
create mode 100644 ecs/docs/states-fim.md
create mode 100644 ecs/docs/states-vulnerability.md
create mode 100644 ecs/states-inventory-hardware/fields/custom/agent.yml
create mode 100644 ecs/states-inventory-hardware/fields/custom/host.yml
create mode 100644 ecs/states-inventory-hardware/fields/mapping-settings.json
create mode 100644 ecs/states-inventory-hardware/fields/subset.yml
create mode 100644 ecs/states-inventory-hardware/fields/template-settings-legacy.json
create mode 100644 ecs/states-inventory-hardware/fields/template-settings.json
create mode 100644 ecs/states-inventory-hotfixes/fields/custom/agent.yml
create mode 100644 ecs/states-inventory-hotfixes/fields/custom/package.yml
create mode 100644 ecs/states-inventory-hotfixes/fields/mapping-settings.json
create mode 100644 ecs/states-inventory-hotfixes/fields/subset.yml
create mode 100644 ecs/states-inventory-hotfixes/fields/template-settings-legacy.json
create mode 100644 ecs/states-inventory-hotfixes/fields/template-settings.json
create mode 100644 ecs/states-inventory-networks/fields/custom/agent.yml
create mode 100644 ecs/states-inventory-networks/fields/custom/host.yml
create mode 100644 ecs/states-inventory-networks/fields/custom/interface.yml
create mode 100644 ecs/states-inventory-networks/fields/custom/network.yml
create mode 100644 ecs/states-inventory-networks/fields/mapping-settings.json
create mode 100644 ecs/states-inventory-networks/fields/subset.yml
create mode 100644 ecs/states-inventory-networks/fields/template-settings-legacy.json
create mode 100644 ecs/states-inventory-networks/fields/template-settings.json
create mode 100644 ecs/states-inventory-ports/fields/custom/agent.yml
create mode 100644 ecs/states-inventory-ports/fields/custom/host.yml
create mode 100644 ecs/states-inventory-ports/fields/custom/interface.yml
create mode 100644 ecs/states-inventory-ports/fields/mapping-settings.json
create mode 100644 ecs/states-inventory-ports/fields/subset.yml
create mode 100644 ecs/states-inventory-ports/fields/template-settings-legacy.json
create mode 100644 ecs/states-inventory-ports/fields/template-settings.json
diff --git a/ecs/agent/fields/custom/wazuh-agent.yml b/ecs/agent/fields/custom/agent.yml
similarity index 100%
rename from ecs/agent/fields/custom/wazuh-agent.yml
rename to ecs/agent/fields/custom/agent.yml
diff --git a/ecs/docs/agents.md b/ecs/docs/agents.md
new file mode 100644
index 0000000000000..b0a1619c5e877
--- /dev/null
+++ b/ecs/docs/agents.md
@@ -0,0 +1,110 @@ +## `agents` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh/issues/23396#issuecomment-2176402993 + +Based on ECS [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). + +| Field | ECS field | Type | Description | +| ----------------- | ---------------------- | ------- | ---------------------------------------------------------------------- | +| uuid | `agent.id` | keyword | Agent's ID | +| name | `agent.name` | keyword | Agent's name | +| groups | \*`agent.groups` | keyword | Agent's groups | +| internal_key | \*`agent.key` | keyword | Agent's registration key | +| type | `agent.type` | keyword | Type of agent | +| version | `agent.version` | keyword | Agent's version | +| connection_status | \*`agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login` | +| last_keepalive | \*`agent.last_login` | date | Agent's last login | +| ip | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | +| os\_\* | `host.os.full` | keyword | Operating system name, including the version or code name. | + +\* Custom field + +### ECS mapping + +```yml +--- +name: agent +fields: + base: + fields: + tags: [] + agent: + fields: + id: {} + name: {} + type: {} + version: {} + groups: {} + key: {} + last_login: {} + is_connected: {} + host: + fields: + ip: {} + os: + fields: + full: {} +``` + +```yml +--- +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. + - name: key + type: keyword + level: custom + description: > + The agent's registration key. + - name: last_login + type: date + level: custom + description: > + The agent's last login. 
+ - name: is_connected + type: boolean + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. + +``` + +### Index settings + +```json +{ + "index_patterns": [".agents*"], + "priority": 1, + "template": { + "settings": { + "index": { + "hidden": true, + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "agent.name", + "agent.type", + "agent.version", + "agent.name", + "host.os.full", + "host.ip" + ] + } + } + } +} +``` diff --git a/ecs/docs/alerts.md b/ecs/docs/alerts.md new file mode 100644 index 0000000000000..134009eff9435 --- /dev/null +++ b/ecs/docs/alerts.md 
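Review bot: The `agent.key` row of the fields table and the `key` entry in the custom-fields YAML persist the agent's registration key as a searchable `keyword` in `.agents*`, so anyone with read access to that index can recover a credential that enrols an agent with the manager; `hidden: true` in the index settings only excludes the index from wildcard expansion and, as far as I know, does not restrict reads. The doc should say who may read this index, or that only a hash of the key is stored — for instance a note under the table: "agent.key is a secret: restrict read access on .agents* to the server's indexer role, or store a hash rather than the raw key." Two smaller issues in the same hunk: `query.default_field` lists `agent.name` twice, and the second YAML block opens with two consecutive `---` markers, which a single-document YAML loader will reject as two documents; drop one of each.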
@@ -0,0 +1,635 @@ +## `wazuh-alerts-5.x` time series index + +Stateless index. + +### Fields summary + +For this stage, we are using all the fields of the ECS. No custom fields are used. As a result, we are using the default mapping of the ECS. + +- [ECS main mappings](https://github.com/elastic/ecs/blob/v8.11.0/schemas/subsets/main.yml) + +The generated template must match [this one](https://github.com/elastic/ecs/blob/v8.11.0/generated/elasticsearch/legacy/template.json). + +### ECS mapping + +```yml +--- +name: main +fields: + base: + fields: "*" + agent: + fields: "*" + as: + fields: "*" + client: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + cloud: + fields: "*" + code_signature: + fields: "*" + container: + fields: "*" + data_stream: + fields: "*" + destination: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + device: + fields: "*" + dll: + fields: "*" + dns: + fields: "*" + ecs: + fields: "*" + elf: + fields: "*" + email: + fields: "*" + error: + fields: "*" + event: + fields: "*" + faas: + fields: "*" + file: + fields: "*" + geo: + fields: "*" + group: + fields: "*" + hash: + fields: "*" + host: + fields: "*" + http: + fields: "*" + interface: + fields: "*" + log: + fields: "*" + macho: + fields: "*" + network: + fields: "*" + observer: + fields: "*" + orchestrator: + fields: "*" + organization: + fields: "*" + os: + fields: "*" + package: + 
fields: "*" + pe: + fields: "*" + process: + fields: + args: {} + args_count: {} + code_signature: + fields: "*" + command_line: {} + elf: + fields: "*" + end: {} + entity_id: {} + entry_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + entry_meta: + fields: + type: {} + source: + fields: + ip: {} + executable: {} + interactive: {} + name: {} + parent: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + session_leader: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + attested_user: + fields: + id: {} + name: {} + attested_groups: + fields: + name: {} + entry_meta: + fields: + type: + docs_only: True + env_vars: {} + executable: {} + exit_code: {} + group_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + executable: {} + interactive: {} + name: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + hash: + fields: "*" + interactive: {} + io: + fields: "*" + macho: + fields: "*" + name: {} + parent: + fields: + args: {} + args_count: {} + code_signature: + fields: "*" + command_line: {} + elf: + fields: "*" + end: {} + entity_id: {} + executable: 
{} + exit_code: {} + group_leader: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + hash: + fields: "*" + interactive: {} + macho: + fields: "*" + name: {} + pe: + fields: "*" + pgid: {} + pid: {} + vpid: {} + start: {} + thread: + fields: + id: {} + name: {} + capabilities: + fields: + effective: {} + permitted: {} + title: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + uptime: {} + working_directory: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + pe: + fields: "*" + pgid: {} + pid: {} + vpid: {} + previous: + fields: + args: {} + args_count: {} + executable: {} + real_group: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + same_as_process: + docs_only: True + saved_group: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + start: {} + supplemental_groups: + fields: + id: {} + name: {} + session_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + executable: {} + interactive: {} + name: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + parent: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + session_leader: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + thread: + fields: + id: {} + name: {} + capabilities: + fields: + effective: {} + permitted: {} + title: {} + tty: 
+ fields: "*" + uptime: {} + user: + fields: + id: {} + name: {} + working_directory: {} + registry: + fields: "*" + related: + fields: "*" + risk: + fields: "*" + rule: + fields: "*" + server: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + service: + fields: "*" + source: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + threat: + fields: "*" + tls: + fields: "*" + tracing: + fields: "*" + url: + fields: "*" + user_agent: + fields: "*" + user: + fields: + changes: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + domain: {} + effective: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + risk: + fields: "*" + roles: {} + target: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + vlan: + fields: "*" + vulnerability: + fields: "*" + x509: + fields: "*" +``` + +### + +```json +{ + "index_patterns": [ + "wazuh-alerts-5.x-*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": 2500 + } + }, + "refresh_interval": "5s" + } + } + } +} +``` 
diff --git a/ecs/docs/commands.md b/ecs/docs/commands.md new file mode 100644 index 0000000000000..0ca3ac82de0aa --- /dev/null +++ b/ecs/docs/commands.md 
@@ -0,0 +1,154 @@ +## `commands` index data model + +> [!NOTE] +> rev 0.1 - September 18th, 2024: Add initial model. +> rev 0.2 - September 30th, 2024: Change type of `request_id`, `order_id` and `id` to keyword. +> rev 0.3 - October 3rd, 2024: Change descriptions for `command.type`, `command.action.type`, `command.request_id`, `command.order_id`. +> rev 0.4 - October 9th, 2024: Apply changes described in https://github.com/wazuh/wazuh-indexer-plugins/issues/96#issue-2576028654. + +### Fields summary + +This index stores information about the commands executed by the agents. The index appears in 5.0.0 for the first time. + +| ECS field | Type | Description | +| -------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------- | +| \*`agent.groups` | keyword | Agent's groups | +| \*`command.source` | keyword | Origin of the request. One of [`Users/Services` (via Management API), `Engine` (via Management API), `Content manager` (directly)]. | +| \*`command.user` | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. | +| \*`command.target.id` | keyword | Unique identifier of the destination to send the command to. | +| \*`command.target.type` | keyword | The destination type. One of [`group`, `agent`, `server`], | +| \*`command.action.name` | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... | +| \*`command.action.args` | keyword | Array of command arguments, starting with the absolute path to the executable. | +| \*`command.action.version` | keyword | Version of the command's schema. | +| \*`command.timeout` | short | Time window in which the command has to be sent to its target. | +| \*`command.status` | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`]. 
| +| \*`command.result.code` | short | Status code returned by the target. | +| \*`command.result.message` | keyword | Result message returned by the target. | +| \*`command.result.data` | keyword | Result data returned by the target. | +| \*`command.request_id` | keyword | UUID generated by the Command Manager. | +| \*`command.order_id` | keyword | UUID generated by the Command Manager. | + +\* Custom field. + +### ECS mapping + +```yml +--- +name: command +fields: + base: + fields: + tags: [] + agent: + fields: + groups: {} + command: + fields: "*" +``` + +```yml +--- +- name: command + title: Wazuh commands + short: Wazuh Inc. custom fields. + description: > + This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers. + type: group + group: 2 + fields: + - name: source + type: keyword + level: custom + description: > + Origin of the request. + - name: user + type: keyword + level: custom + description: > + The user that originated the request. + - name: target.id + type: keyword + level: custom + description: > + Unique identifier of the destination to send the command to. + - name: target.type + type: keyword + level: custom + description: > + The destination type. One of [`group`, `agent`, `server`] + - name: action.name + type: keyword + level: custom + description: > + The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... + - name: action.args + type: keyword + level: custom + description: > + Array of command arguments, starting with the absolute path to the executable. + - name: action.version + type: keyword + level: custom + description: > + Version of the command's schema. + - name: timeout + type: short + level: custom + description: > + Time window in which the command has to be sent to its target. + - name: status + type: keyword + level: custom + description: > + Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure']. 
+ - name: result.code + type: short + level: custom + description: > + Status code returned by the target. + - name: result.message + type: keyword + level: custom + description: > + Result message returned by the target. + - name: result.data + type: keyword + level: custom + description: > + Result data returned by the target. + - name: request_id + type: keyword + level: custom + description: > + UUID generated by the Command Manager. + - name: order_id + type: keyword + level: custom + description: > + UUID generated by the Command Manager. +``` + +### Index settings + +```json +{ + "index_patterns": [".commands*"], + "priority": 1, + "template": { + "settings": { + "index": { + "hidden": true, + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "command.source", + "command.target.type", + "command.status", + "command.action.name" + ] + } + } + } +} +``` diff --git a/ecs/docs/inventory-4.x.md b/ecs/docs/inventory-4.x.md new file mode 100644 index 0000000000000..fd77e266d97fd --- /dev/null +++ b/ecs/docs/inventory-4.x.md 
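Review bot: `command.action.args` is documented as "starting with the absolute path to the executable", which makes every document in `.commands*` a request to run a binary on an agent or server, yet neither the fields summary nor the index settings say who is allowed to write to this index, and `command.source`/`command.user` are plain keywords supplied by whoever writes the document rather than verified provenance. I would add after the table: "Security note: documents in this index are executed by their targets. Write access to .commands* must be limited to the Command Manager role; consumers must not treat command.source or command.user as proof of origin." Also `command.timeout` and `command.result.code` are mapped as `short` (maximum 32767); that is fine for a seconds-scale window but should be stated, since a value outside that range fails to index rather than being clamped.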
@@ -0,0 +1,70 @@
+## Migration to 5.x
+
+| Syscollector 4.x inventory table | Index 5.x |
+| -------------------------------- | -------------------------------- |
+| sys_processes | wazuh-states-inventory-processes |
+| sys_hwinfo | wazuh-states-inventory-hardware |
+| sys_osinfo | wazuh-states-inventory-system |
+| sys_ports | wazuh-states-inventory-networks |
+| sys_net\* | wazuh-states-inventory-networks |
+| sys_programs | wazuh-states-inventory-packages |
+| sys_hotfixes | wazuh-states-inventory-hotfixes |
+
+### sys_netiface
+
+| | Field name | ECS field name | Data type | Description |
+| --- | ---------- | ------------------- | --------- | ------------------------------------------------ |
+| x | name | network.name | KEYWORD | Name of the network interface |
+| ? | adapter | | KEYWORD | Adapter name of the network interface |
+| x | type | network.type | KEYWORD | Type of the network interface |
+| * | state | network.state | KEYWORD | State of the network interface |
+| * | mtu | network.mtu | INTEGER | Maximum transmission unit size |
+| x | mac | network.mac | KEYWORD | MAC address of the network interface |
+| | tx_packets | network.out.packets | INTEGER | Number of transmitted packets |
+| | rx_packets | network.in.packets | INTEGER | Number of received packets |
+| | tx_bytes | network.out.bytes | INTEGER | Number of transmitted bytes |
+| | rx_bytes | network.in.bytes | INTEGER | Number of received bytes |
+| | tx_errors | network.out.errors | INTEGER | Number of transmission errors |
+| | rx_errors | network.in.errors | INTEGER | Number of reception errors |
+| | tx_dropped | network.out.dropped | INTEGER | Number of dropped transmitted packets |
+| | rx_dropped | network.in.dropped | INTEGER | Number of dropped received packets |
+| x | item_id | | KEYWORD | Unique identifier for the network interface item |
+
+### sys_netproto
+
+| | Field name | ECS field name | Data type | Description |
+| --- | ---------- | ------------------- | --------- | ----------------------------------------------- |
+| r | iface | `sys_netiface.name` | KEYWORD | Name of the network interface |
+| | type | network.type | KEYWORD | Type of network protocol |
+| | gateway | network.gateway | KEYWORD | Gateway address |
+| | dhcp | network.dhcp | KEYWORD | DHCP status (enabled, disabled, unknown, BOOTP) |
+| | metric | network.metric | INTEGER | Metric of the network protocol |
+| | item_id | | KEYWORD | Unique identifier for the network protocol item |
+
+### sys_netaddr
+
+| | Field name | ECS field name | Data type | Description |
+| --- | ---------- | -------------------- | --------- | ---------------------------------------------- |
+| r | iface | `sys_netproto.iface` | KEYWORD | Name of the network interface |
+| | proto | `sys_netproto.type` | KEYWORD | Type of network protocol |
+| | address | source.address | KEYWORD | Network address |
+| | netmask | network.netmask | KEYWORD | Network mask |
+| | broadcast | network.broadcast | KEYWORD | Broadcast address |
+| | item_id | | KEYWORD | Unique identifier for the network address item |
+
+### sys_ports
+
+| | Field name | ECS field name | Data type | Description |
+| --- | ----------- | -------------------- | --------- | ------------------------------------------- |
+| | protocol | network.protocol | KEYWORD | Protocol used |
+| | local_ip | source.ip | KEYWORD | Local IP address |
+| | local_port | source.port | INTEGER | Local port number |
+| | remote_ip | destination.ip | KEYWORD | Remote IP address |
+| | remote_port | destination.port | INTEGER | Remote port number |
+| | tx_queue | network.out.queue | INTEGER | Transmit queue length |
+| | rx_queue | network.in.queue | INTEGER | Receive queue length |
+| | inode | system.network.inode | INTEGER | Inode number |
+| | state | network.transport | KEYWORD | State of the connection |
+| | PID | process.pid | INTEGER | Process ID |
+| | process | process.name | KEYWORD | Process name |
+| | item_id | | KEYWORD | Unique identifier for the network port item |
diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md
new file mode 100644
index 0000000000000..4f8c2ade7bcd3
--- /dev/null
+++ b/ecs/docs/inventory-hardware.md
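Review bot: In the sys_ports table, `protocol` is mapped to `network.protocol` and `state` to `network.transport`, which does not match ECS: `network.transport` is the transport-layer protocol (tcp/udp) that the 4.x `protocol` column holds, `network.protocol` is the application-layer protocol, and a socket state such as LISTEN or ESTABLISHED has no ECS field at all, so it needs a custom one. I would change those rows to `| | protocol | network.transport | KEYWORD | Transport protocol (tcp/udp) |` and `| * | state | (custom) | KEYWORD | State of the connection |`; the 5.x ports doc that should settle this starts after the end of this chunk, so I cannot confirm whether it already does. The markers in the first column (`x`, `?`, `*`, `r`) are never explained — a one-line legend above the first table stating what each means (my guess is mapped / undecided / custom / relation to another table, but the author should confirm) would make the migration status readable without guessing.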
@@ -0,0 +1,147 @@ +## `wazuh-states-inventory-hardware` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 + +Based on ECS: + +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). + +| | Field name | ECS field name | Data type | Description | +| --- | ------------ | ----------------------------- | --------- | -------------------------------- | +| | scan_time | @timestamp | date | Timestamp of the scan | +| | board_serial | observer.serial_number | keyword | Serial number of the motherboard | +| * | cpu_name | host.cpu.name | keyword | Name of the CPU | +| * | cpu_cores | host.cpu.cores | long | Number of CPU cores | +| * | cpu_mhz | host.cpu.speed | long | Speed of the CPU in MHz | +| * | ram_total | host.memory.total | long | Total RAM in the system | +| * | ram_free | host.memory.free | long | Free RAM in the system | +| * | ram_usage | host.memory.used.percentage | long | RAM usage as a percentage | + +\* Custom fields + +### ECS mapping + +```yml +--- +name: wazuh-states-inventory-hardware +fields: + base: + fields: + tags: [] + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + observer: + fields: + serial_number: {} + host: + fields: + memory: + fields: + total: {} + free: {} + used: + fields: + percentage: {} + cpu: + fields: + name: {} + cores: {} + speed: {} +``` + +### Index settings + +```json +{ + "index_patterns": [ + "wazuh-states-inventory-hardware*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "observer.board_serial" + ], + "refresh_interval": "5s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "groups": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + } + }, + "type": "object" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "observer": { + "properties": { + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} + +``` diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md new file mode 100644 index 0000000000000..4ec3ddd48cbcb --- /dev/null +++ b/ecs/docs/inventory-hotfixes.md 
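Review bot: `query.default_field` in the index settings names `observer.board_serial`, but the mapping — which is `dynamic: strict` — defines the field as `observer.serial_number` (matching the table and the ECS subset above), so a free-text query against this index targets a field that does not exist and matches nothing. Change the entry to `"observer.serial_number"`; `agent.id` and `agent.groups` are mapped here as well and are listed in `query.default_field` for the networks index, so adding them keeps the inventory templates consistent.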
@@ -0,0 +1,95 @@ +## `wazuh-states-inventory-hotfixes` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 + +Based on ECS: + +- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). + +| | Field name | ECS field name | Data type | Description | +| --- | ---------- | ------------------- | --------- | --------------------- | +| | scan_time | @timestamp | date | Timestamp of the scan | +| * | hotfix | package.hotfix.name | keyword | Name of the hotfix | + +\* Custom fields + +### ECS mapping + +```yml +--- +name: wazuh-states-inventory-hotfixes +fields: + base: + fields: + tags: [] + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + package: + fields: + hotfix: + fields: + name: {} +``` + +### Index settings + +```json +{ + "index_patterns": [ + "wazuh-states-inventory-hotfixes*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "package.hotfix.name" + ], + "refresh_interval": "5s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "hotfix": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + } + } + } + } + } +} + +``` diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md new file mode 100644 index 0000000000000..536b8c57ced41 --- /dev/null +++ b/ecs/docs/inventory-networks.md 
@@ -0,0 +1,274 @@ +## `wazuh-states-inventory-networks` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 + +Based on ECS: + +- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). +- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). +- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). + +| | Field name | ECS field name | Data type | Description | +| --- | ----------- | -------------------------------- | --------- | ---------------------------------------------------------------- | +| | adapter | observer.ingress.interface.alias | keyword | Adapter name of the network interface | +| | address | host.ip | ip | Network address | +| | iface | observer.ingress.interface.name | keyword | Name of the network interface | +| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item | +| | mac | host.mac | keyword | MAC address of the network interface | +| | name | observer.ingress.interface.name | keyword | Name of the network interface | +| | proto | network.protocol | keyword | Type of network protocol | +| | rx_bytes | host.network.ingress.bytes | long | Number of received bytes | +| | rx_packets | host.network.ingress.packets | long | Number of received packets | +| | scan_time | @timestamp | date | Timestamp of the scan | +| | tx_bytes | host.network.egress.bytes | long | Number of transmitted bytes | +| | tx_packets | host.network.egress.packets | long | Number of transmitted packets | +| | type | network.type | keyword | IPv4 or IPv6 for protocols, interface type for interface records | +| * | broadcast | network.broadcast | ip | Broadcast address | +| * | dhcp | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) | +| * | gateway | network.gateway | ip | Gateway address | +| * | metric | network.metric | long | Metric of the network 
protocol | +| * | mtu | interface.mtu | long | Maximum transmission unit size | +| * | netmask | network.netmask | ip | Network mask | +| * | rx_dropped | host.network.ingress.drops | long | Number of dropped received packets | +| * | rx_errors | host.network.ingress.errors | long | Number of reception errors | +| * | state | interface.state | keyword | State of the network interface | +| * | tx_dropped | host.network.egress.drops | long | Number of dropped transmitted packets | +| * | tx_errors | host.network.egress.errors | long | Number of transmission errors | +| * | type | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") | + +\* Custom fields + + +### ECS mapping + +```yml +--- +name: wazuh-states-inventory-networks +fields: + base: + fields: + tags: [] + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + destination: + fields: + ip: {} + port: {} + device: + fields: + id: {} + file: + fields: + inode: {} + host: + fields: + ip: {} + mac: {} + network: + fields: + egress: + fields: + bytes: {} + packets: {} + ingress: + fields: + bytes: {} + packets: {} + network: + fields: + protocol: {} + type: {} + observer: + fields: + ingress: + fields: + interface: + fields: + alias: {} + name: {} + process: + fields: + name: {} + pid: {} + source: + fields: + ip: {} + port: {} +``` + +### Index settings + +```json +{ + "index_patterns": [ + "wazuh-states-inventory-networks*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.id", + "agent.groups", + "device.id", + "event.id", + "host.ip", + "observer.ingress.interface.name", + "observer.ingress.interface.alias", + "process.name" + ], + "refresh_interval": "5s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "inode": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + } + } + }, + "network": { + "properties": { + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + } + } + }, + "process": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + } + } + }, + "source": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + } + } + } + } +} + +``` diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md new file mode 100644 index 0000000000000..127dc5cb10203 --- /dev/null +++ b/ecs/docs/inventory-packages.md 
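Review bot: The fields table marks `network.netmask`, `network.broadcast`, `network.gateway`, `network.dhcp`, `network.metric`, `interface.mtu`, `interface.state`, `interface.type` and the `host.network.*.drops`/`errors` counters as custom fields, but none of them appear in the ECS subset or in the template's `mappings.properties`, and with `dynamic: strict` a document carrying any of them is rejected at index time. The diffstat shows `custom/interface.yml`, `custom/network.yml` and `custom/host.yml` for this index, so the fields may well be defined there and the template pasted into this doc is simply stale; either way the printed template and the table should agree. `query.default_field` also lists `event.id`, which is mapped nowhere in this doc and should be dropped. Finally, `type` appears twice (`network.type` for protocol records, `interface.type` for interface records); a sentence stating that a record is one of interface / protocol / address / port and which columns apply to each would give `device.id` ("Identifier of interface/protocol/address/port item") a concrete meaning.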
@@ -0,0 +1,90 @@ +## `wazuh-states-inventory-packages` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 + +Based on ECS: + +- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). + +| Field name | ECS field name | Data type | Description | +| ------------ | ---------------------- | --------- | ----------------------------------------------------------------- | +| | `agent.id` | keyword | Agent's ID | +| | \*`agent.groups` | keyword | Agent's groups | +| scan_time | `@timestamp` | date | Timestamp of the scan | +| architecture | `package.architecture` | keyword | Package architecture. | +| description | `package.description` | keyword | Description of the package. | +| install_time | `package.installed` | date | Time when package was installed. | +| name | `package.name` | keyword | Package name. | +| location | `package.path` | keyword | Path where the package is installed. | +| size | `package.size` | long | Package size in bytes. | +| format | `package.type` | keyword | Type of package. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | +| version | `package.version` | keyword | Package version. | + +\* Custom field + +
Fields not included in ECS +

+ +| | Field name | ECS field name | Data type | Description | +| --- | ---------- | ----------------- | --------- | ------------------------------------------------------------------------- | +| ? | priority | | | Priority of the program | +| ? | section | | | Section of the program category the package belongs to in DEB package managers | +| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. | +| ? | multiarch | | | Multi-architecture compatibility | +| X | source | | | Source of the program - package manager | + +

+
+ +### ECS mapping + +```yml +--- +name: wazuh-states-inventory-packages +fields: + base: + fields: + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + package: + fields: + architecture: "" + description: "" + installed: {} + name: "" + path: "" + size: {} + type: "" + version: "" +``` + +### Index settings + +```json +{ + "index_patterns": ["wazuh-states-inventory-packages*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "package.architecture" + "package.name", + "package.version", + "package.type" + ] + } + } + } +} +``` diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md new file mode 100644 index 0000000000000..51a2009139240 --- /dev/null +++ b/ecs/docs/inventory-ports.md 
@@ -0,0 +1,108 @@ +## `wazuh-states-inventory-ports` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 + +Based on ECS: + +- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). +- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). + +| | Field name | ECS field name | Data type | Description | +| --- | ----------- | -------------------------- | --------- | -------------------------------------------------- | +| | inode | file.inode | keyword | The unix inode of the port | +| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item | +| | local_ip | source.ip | ip | Local IP address | +| | local_port | source.port | long | Local port number | +| | pid | process.pid | long | Process ID | +| | process | process.name | keyword | Process name | +| | protocol | network.protocol | keyword | Protocol used | +| | remote_ip | destination.ip | ip | Remote IP address | +| | remote_port | destination.port | long | Remote port number | +| | scan_time | @timestamp | date | Timestamp of the scan | +| * | rx_queue | host.network.ingress.queue | long | Receive queue length | +| * | state | interface.state | keyword | State of the network interface | +| * | tx_queue | host.network.egress.queue | long | Transmit queue length | + +\* Custom fields + + +### ECS mapping + +```yml +--- +name: wazuh-states-inventory-ports +fields: + base: + fields: + tags: [] + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + destination: + fields: + ip: {} + port: {} + device: + fields: + id: {} + file: + fields: + inode: {} + host: + fields: + network: + fields: + egress: + fields: + queue: {} + ingress: + fields: + queue: {} + network: + fields: + protocol: {} + process: + fields: + name: {} + pid: {} + source: + fields: + ip: {} + port: {} + 
interface: + fields: + state: {} + +``` + +### Index settings + +```json +{ + "index_patterns": [ + "wazuh-states-inventory-ports*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "process.name", + "source.ip", + "destination.ip" + ] + } + } + } +} +``` diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md new file mode 100644 index 0000000000000..6be9b7e790c0b --- /dev/null +++ b/ecs/docs/inventory-processes.md 
@@ -0,0 +1,131 @@ +## `wazuh-states-inventory-processes` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 + +Based on ECS: + +- [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html). + +| | Field name | ECS field name | Data type | Description | Comments | +| --- | ---------------- | ------------------------ | ------------------ | ------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | +| | `agent.id` | keyword | Agent's ID | +| | \*`agent.groups` | keyword | Agent's groups | +| | scan_time | `@timestamp` | date | Date/time when the event originated. | | +| | pid | `process.pid` | long | Process ID. | | +| | name | `process.name` | keyword | Process name. | | +| | ppid | `process.parent.pid` | long | Parent process ID. | | +| | cmd | `process.command_line` | wildcard | Full command line that started the process, including the absolute path to the executable, and all arguments. | | +| | argvs | `process.args` | keyword | Array of process arguments, starting with the absolute path to the executable. | | +| | euser | `process.user.id` | keyword | Unique identifier of the effective user. | | +| | ruser | `process.real_user.id` | keyword | Unique identifier of the real user. | | +| | suser | `process.saved_user.id` | keyword | Unique identifier of the saved user. | | +| | egroup | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | +| | rgroup | `process.real_group.id` | keyword | Unique identifier for the real group on the system/platform. | | +| | sgroup | `process.saved_group.id` | keyword | Unique identifier for the saved group on the system/platform. | | +| | start_time | `process.start` | date | The time the process started. | | +| ! 
| tgid | `process.thread.id` | **No ECS mapping** | Thread ID | `thread.group` is **not part of ECS;** but `thread.id` is. | +| ! | tty | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification | + +\* Custom field + +!: Fields awaiting analysis + +
Fields not included in ECS +

+ +| | Field name | ECS field name | Data type | Description | Comments | +| --- | ---------- | ------------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | +| x | state | `process.state` | **No ECS mapping** | State of the process | **Not part of ECS;** Maybe as a custom field. | +| x | utime | `process.cpu.user` | **No ECS mapping** | User mode CPU time | **Not part of ECS;** Maybe as a custom field. | +| x | stime | `process.cpu.system` | **No ECS mapping** | Kernel mode CPU time | **Not part of ECS;** Maybe as a custom field. | +| x? | fgroup | `process.group.file.id` | **No ECS mapping** | unknown | | +| x | priority | `process.priority` | **No ECS mapping** | Process priority | **Not part of ECS;** Maybe as a custom field. | +| x | nice | `process.nice` | **No ECS mapping** | Nice value | **Not part of ECS;** Maybe as a custom field. | +| x | size | `process.size` | **No ECS mapping** | Process size | **Not part of ECS;** Maybe as a custom field. | +| x | vm_size | `process.vm.size` | **No ECS mapping** | Virtual memory size | **Not part of ECS;** Maybe as a custom field. | +| x | resident | `process.memory.resident` | **No ECS mapping** | Resident set size | **Not part of ECS;** Maybe as a custom field. | +| x | share | `process.memory.share` | **No ECS mapping** | Shared memory size | **Not part of ECS;** Maybe as a custom field. | +| ! | pgrp | `process.group.id` | keyword | Process group | Isn't it duplicated ?? | +| x | session | `process.session` | **No ECS mapping** | Session ID | **Not part of ECS;** Needs clarification. | +| x | nlwp | `process.nlwp` | **No ECS mapping** | Number of light-weight processes | **Not part of ECS;** Needs clarification. | +| ! | tgid | `process.thread.id` | **No ECS mapping** | Thread ID ID | `thread.group` is **not part of ECS;** but `thread.id` is. | +| ! 
| tty | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification | +| x | processor | `host.cpu.processor` | **No ECS mapping** | Processor number | No ECS field refers to the core number of the CPU. | + +

+
+ + +### ECS mapping + +```yml +--- +name: wazuh-states-inventory-processes +fields: + base: + fields: + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + process: + fields: + pid: {} + name: "" + parent: + fields: + pid: {} + command_line: "" + args: "" + user: + fields: + id: "" + real_user: + fields: + id: "" + saved_user: + fields: + id: "" + group: + fields: + id: "" + real_group: + fields: + id: "" + saved_group: + fields: + id: "" + start: {} + thread: + fields: + id: "" + tty: {} +``` + +### Index settings + +```json +{ + "index_patterns": ["wazuh-states-inventory-processes*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "process.name", + "process.pid", + "process.command_line" + ] + } + } + } +} +``` diff --git a/ecs/docs/inventory-system.md b/ecs/docs/inventory-system.md new file mode 100644 index 0000000000000..ef53885ec1bc2 --- /dev/null +++ b/ecs/docs/inventory-system.md 
@@ -0,0 +1,103 @@ +## `wazuh-states-inventory-system` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 + +Based on ECS: + +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html). + +| Field name | ECS field name | Data type | Description | +| ------------ | ------------------- | --------- | ---------------------------------------------------------- | +| | `agent.id` | keyword | Agent's ID | +| | \*`agent.groups` | keyword | Agent's groups | +| scan_time | `@timestamp` | date | Date/time when the event originated. | +| architecture | `host.architecture` | keyword | Operating system architecture. | +| hostname | `host.hostname` | keyword | Hostname of the host. | +| os_build | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | +| os_codename | `host.os.full` | keyword | Operating system name, including the version or code name. | +| os_name | `host.os.name` | keyword | Operating system name, without the version. | +| os_platform | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | +| os_version | `host.os.version` | keyword | Operating system version as a raw string. | +| sysname | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | + +\* Custom field + +
Details +

+ +Removed fields: + +- os_display_version +- os_major (can be extracted from os_version) +- os_minor (can be extracted from os_version) +- os_patch (can be extracted from os_version) +- os_release +- reference +- release +- scan_id +- sysname +- version +- checksum + +Available fields: + +- `os.family` +- `hots.name` + +

+
+ +### ECS mapping + +```yml +--- +name: wazuh-states-inventory-system +fields: + base: + fields: + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + host: + fields: + architecture: {} + hostname: {} + name: {} + os: + fields: + kernel: {} + full: {} + platform: {} + version: {} + type: {} +``` + +### Index settings + +```json +{ + "index_patterns": ["wazuh-states-inventory-system*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "host.name", + "host.os.type", + "host.os.version" + ] + } + } + } +} +``` diff --git a/ecs/docs/states-fim.md b/ecs/docs/states-fim.md new file mode 100644 index 0000000000000..4d42e1e8a79fc --- /dev/null +++ b/ecs/docs/states-fim.md 
@@ -0,0 +1,100 @@ +## `wazuh-states-fim` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189377542 + +Based on ECS: + +- [File Fields](https://www.elastic.co/guide/en/ecs/current/ecs-file.html). +- [Registry Fields](https://www.elastic.co/guide/en/ecs/current/ecs-registry.html). + +| Field | ECS field | Type | Description | +| ------------- | ------------------ | ------- | ---------------------------------------------------------------- | +| | `agent.id` | keyword | Agent's ID | +| | \*`agent.groups` | keyword | Agent's groups | +| arch | \* ? | keyword | Is arch a file property? | +| attributes | `file.attributes` | keyword | Array of file attributes. | +| file | `file.name` | keyword | Name of the file including the extension, without the directory. | +| full_path | `file.path` | keyword | Full path to the file, including the file name. | +| gid | `file.gid` | keyword | Primary group ID (GID) of the file. | +| gname | `file.group` | keyword | Primary group name of the file. | +| inode | `file.inode` | keyword | Inode representing the file in the filesystem. | +| md5 | `file.hash.md5` | keyword | MD5 hash of the file. | +| mtime | `file.mtime` | date | Last time the file's metadata changed. | +| perm | `file.mode` | keyword | File permissions in octal mode. | +| sha1 | `file.hash.sha1` | keyword | SHA1 hash of the file. | +| sha256 | `file.hash.sha256` | keyword | SHA256 hash of the file. | +| size | `file.size` | long | File size in bytes. | +| symbolic_path | `file.target_path` | keyword | Target path for symlinks. | +| type | `file.type` | keyword | File type (file, dir, or symlink). | +| uid | `file.uid` | keyword | User ID (UID) of the file owner. | +| uname | `file.owner` | keyword | File owner’s username. | +| value_name | `registry.key` | keyword | Hive-relative path of keys. | +| value_type | `registry.value` | keyword | Name of the value written. 
| + +\* Custom field + +### ECS mapping + +```yml +--- +name: fim +fields: + agent: + fields: + id: {} + groups: {} + file: + fields: + attributes: {} + name: {} + path: {} + gid: {} + group: {} + inode: {} + hash: + fields: + md5: {} + sha1: {} + sha256: {} + mtime: {} + mode: {} + size: {} + target_path: {} + type: {} + uid: {} + owner: {} + registry: + fields: + key: {} + value: {} +``` + +### Index settings + +```json +{ + "index_patterns": ["wazuh-states-fim*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "file.name", + "file.path", + "file.target_path", + "file.group", + "file.uid", + "file.gid" + ] + } + } + } +} +``` diff --git a/ecs/docs/states-vulnerability.md b/ecs/docs/states-vulnerability.md new file mode 100644 index 0000000000000..fa7f4969d1c1f --- /dev/null +++ b/ecs/docs/states-vulnerability.md 
@@ -0,0 +1,177 @@ +## `wazuh-states-vulnerabilities` index data model + +### Fields summary + +The fields are based on https://github.com/wazuh/wazuh-indexer/blob/4.9.0/ecs/vulnerability-detector + +Based on ECS: + +- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). +- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Vulnerability Fields](https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html). + +| ECS field | Type | Description | +| ----------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `agent.id` | keyword | Unique identifier of this agent (if one exists). | +| \*`agent.groups` | keyword | Agent's groups | +| `agent.name` | keyword | Custom name of the agent. | +| `agent.type` | keyword | Type of the agent. | +| `agent.version` | keyword | Version of the agent. | +| `host.os.full` | keyword | Operating system name, including the version or code name. | +| `host.os.kernel` | keyword | Operating system kernel version as a raw string. | +| `host.os.name` | keyword | Operating system name, without the version. | +| `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | +| `host.os.type` | keyword | Use the os.type field to categorize the operating system into one of the broad commercial families. | +| `host.os.version` | keyword | Operating system version as a raw string. | +| `package.architecture` | keyword | Package architecture. | +| `package.build_version` | keyword | Additional information about the build version of the installed package. | +| `package.checksum` | keyword | Checksum of the installed package for verification. 
| +| `package.description` | keyword | Description of the package. | +| `package.install_scope` | keyword | Indicating how the package was installed, e.g. user-local, global. | +| `package.installed` | date | Time when package was installed. | +| `package.license` | keyword | License under which the package was released. | +| `package.name` | keyword | Package name | +| `package.path` | keyword | Path where the package is installed. | +| `package.reference` | keyword | Home page or reference URL of the software in this package, if available. | +| `package.size` | long | Package size in bytes. | +| `package.type` | keyword | Type of package. | +| `package.version` | keyword | Package version | +| `vulnerability.category` | keyword | The type of system or architecture that the vulnerability affects | +| `vulnerability.classification` | keyword | The classification of the vulnerability scoring system. | +| `vulnerability.description` | keyword | The description of the vulnerability that provides additional context of the vulnerability | +| \*`vulnerability.detected_at` | date | Vulnerability's detection date. | +| `vulnerability.enumeration` | keyword | The type of identifier used for this vulnerability. | +| `vulnerability.id` | keyword | The identification (ID) is the number portion of a vulnerability entry. | +| \*`vulnerability.published_at` | date | Vulnerability's publication date. | +| `vulnerability.reference` | keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability. | +| `vulnerability.report_id` | keyword | The report or scan identification number. | +| \*`vulnerability.scanner.source` | keyword | The origin of the decision of the scanner (AKA feed used to detect the vulnerability). | +| `vulnerability.scanner.vendor` | keyword | The name of the vulnerability scanner vendor. | +| `vulnerability.score.base` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
| +| `vulnerability.score.environmental` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | +| `vulnerability.score.temporal` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | +| `vulnerability.score.version` | keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. | +| `vulnerability.severity` | keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. | +| \*`vulnerability.under_evaluation` | boolean | Indicates if the vulnerability is awaiting analysis by the NVD. | +| \*`wazuh.cluster.name` | keyword | Name of the Wazuh cluster. | +| \*`wazuh.cluster.node` | keyword | Name of the Wazuh cluster node. | +| \*`wazuh.schema.version` | keyword | Version of the Wazuh schema. | + +\* Custom field + +### ECS mapping + +```yml +--- +name: wazuh-states-vulnerabilities +fields: + base: + tags: [] + agent: + fields: "*" + package: + fields: "*" + host: + fields: + os: + fields: + full: "" + kernel: "" + name: "" + platform: "" + type: "" + version: "" + vulnerability: + fields: "*" + wazuh: + fields: "*" +``` + +```yml +--- +- name: vulnerability + title: Vulnerability + group: 2 + short: Fields to describe the vulnerability relevant to an event. + description: > + The vulnerability fields describe information about a vulnerability that is + relevant to an event. + type: group + fields: + - name: detected_at + type: date + level: custom + description: > + Vulnerability's detection date. + - name: published_at + type: date + level: custom + description: > + Vulnerability's publication date. + - name: under_evaluation + type: boolean + level: custom + description: > + Indicates if the vulnerability is awaiting analysis by the NVD. 
+ - name: scanner.source + type: keyword + level: custom + description: > + The origin of the decision of the scanner (AKA feed used to detect the vulnerability). +``` + +```yml +--- +--- +- name: wazuh + title: Wazuh + description: > + Wazuh Inc. custom fields + fields: + - name: cluster.name + type: keyword + level: custom + description: > + Wazuh cluster name. + - name: cluster.node + type: keyword + level: custom + description: > + Wazuh cluster node name. + - name: schema.version + type: keyword + level: custom + description: > + Wazuh schema version. +``` + +### Index settings + +```json +{ + "index_patterns": ["wazuh-states-vulnerabilities*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "host.os.full", + "host.os.version", + "package.name", + "package.version", + "vulnerability.id", + "vulnerability.description", + "vulnerability.severity", + "wazuh.cluster.name" + ] + } + } + } +} +``` diff --git a/ecs/states-inventory-hardware/fields/custom/agent.yml b/ecs/states-inventory-hardware/fields/custom/agent.yml new file mode 100644 index 0000000000000..7f23b6a463e49 --- /dev/null +++ b/ecs/states-inventory-hardware/fields/custom/agent.yml @@ -0,0 +1,11 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. diff --git a/ecs/states-inventory-hardware/fields/custom/host.yml b/ecs/states-inventory-hardware/fields/custom/host.yml new file mode 100644 index 0000000000000..90cfdce2221dd --- /dev/null +++ b/ecs/states-inventory-hardware/fields/custom/host.yml 
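Review bot: `ecs/states-inventory-hardware/fields/custom/agent.yml` declares the `agent` group without the `group: 2` key, while the otherwise identical `agent.yml` files for hotfixes and networks later in this patch both carry `group: 2` (they share blob 3482123af637a; this one is 7f23b6a463e49). If the three files are meant to stay identical copies, add `group: 2` after `type: group` here; if the difference is intentional, a one-line comment in the file would stop the next reviewer from "fixing" it. The hardware `host.yml` that follows also omits `group`, so whichever convention is chosen should apply to both files.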
@@ -0,0 +1,52 @@
+---
+- name: host
+ title: host
+ type: group
+ description: >
+ Host related data.
+ fields:
+ - name: memory
+ description: >
+ Memory related data
+ type: object
+ level: custom
+ - name: memory.total
+ description: >
+ Total memory in MB
+ type: long
+ level: custom
+ - name: memory.free
+ description: >
+ Free memory in MB
+ type: long
+ level: custom
+ - name: memory.used
+ description: >
+ Used memory related data
+ type: object
+ level: custom
+ - name: memory.used.percentage
+ description: >
+ Used memory percentage
+ type: long
+ level: custom
+ - name: cpu
+ description: >
+ CPU related data
+ type: object
+ level: custom
+ - name: cpu.name
+ description: >
+ CPU Model name
+ type: keyword
+ level: custom
+ - name: cpu.cores
+ description: >
+ Number of CPU cores
+ type: long
+ level: custom
+ - name: cpu.speed
+ description: >
+ CPU clock speed
+ type: long
+ level: custom
\ No newline at end of file
diff --git a/ecs/states-inventory-hardware/fields/mapping-settings.json b/ecs/states-inventory-hardware/fields/mapping-settings.json
new file mode 100644
index 0000000000000..0ad2b48fcc1be
--- /dev/null
+++ b/ecs/states-inventory-hardware/fields/mapping-settings.json
@@ -0,0 +1,4 @@
+{
+ "dynamic": "strict",
+ "date_detection": false
+}
\ No newline at end of file
diff --git a/ecs/states-inventory-hardware/fields/subset.yml b/ecs/states-inventory-hardware/fields/subset.yml
new file mode 100644
index 0000000000000..ededa27a75013
--- /dev/null
+++ b/ecs/states-inventory-hardware/fields/subset.yml
@@ -0,0 +1,28 @@
+---
+name: wazuh-states-inventory-hardware
+fields:
+ base:
+ fields:
+ tags: []
+ "@timestamp": {}
+ agent:
+ fields:
+ id: {}
+ groups: {}
+ observer:
+ fields:
+ serial_number: {}
+ host:
+ fields:
+ memory:
+ fields:
+ total: {}
+ free: {}
+ used:
+ fields:
+ percentage: {}
+ cpu:
+ fields:
+ name: {}
+ cores: {}
+ speed: {}
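Review bot: The `cpu.speed` description in `ecs/states-inventory-hardware/fields/custom/host.yml` gives no unit, while the neighbouring `memory.total` and `memory.free` descriptions say "in MB"; a consumer cannot tell whether the `long` holds MHz, GHz or something else, so the description should read along the lines of `CPU clock speed in <UNIT the agent reports>`. `memory.used.percentage` is typed `long`, which truncates any fractional percentage the agent sends — if the agent reports decimals, `float` is the safer type; if it only ever sends integers, saying so in the description settles it. The file also ends without a trailing newline (`\ No newline at end of file`).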
diff --git a/ecs/states-inventory-hardware/fields/template-settings-legacy.json b/ecs/states-inventory-hardware/fields/template-settings-legacy.json
new file mode 100644
index 0000000000000..b2281742d219e
--- /dev/null
+++ b/ecs/states-inventory-hardware/fields/template-settings-legacy.json
@@ -0,0 +1,14 @@
+{
+ "index_patterns": ["wazuh-states-inventory-hardware*"],
+ "order": 1,
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "observer.board_serial"
+ ]
+ }
+ }
+}
diff --git a/ecs/states-inventory-hardware/fields/template-settings.json b/ecs/states-inventory-hardware/fields/template-settings.json
new file mode 100644
index 0000000000000..d8cf7b772921c
--- /dev/null
+++ b/ecs/states-inventory-hardware/fields/template-settings.json
@@ -0,0 +1,18 @@
+{
+ "index_patterns": [
+ "wazuh-states-inventory-hardware*"
+ ],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "observer.board_serial"
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/ecs/states-inventory-hotfixes/fields/custom/agent.yml b/ecs/states-inventory-hotfixes/fields/custom/agent.yml
new file mode 100644
index 0000000000000..3482123af637a
--- /dev/null
+++ b/ecs/states-inventory-hotfixes/fields/custom/agent.yml
@@ -0,0 +1,12 @@
+---
+- name: agent
+ title: Wazuh Agents
+ short: Wazuh Inc. custom fields.
+ type: group
+ group: 2
+ fields:
+ - name: groups
+ type: keyword
+ level: custom
+ description: >
+ The groups the agent belongs to.
diff --git a/ecs/states-inventory-hotfixes/fields/custom/package.yml b/ecs/states-inventory-hotfixes/fields/custom/package.yml
new file mode 100644
index 0000000000000..deee7e1a03e63
--- /dev/null
+++ b/ecs/states-inventory-hotfixes/fields/custom/package.yml
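Review bot: Both `ecs/states-inventory-hardware/fields/template-settings-legacy.json` and `template-settings.json` set `query.default_field` to `"observer.board_serial"`, but the hardware `subset.yml` in this patch declares `observer.serial_number` and no `board_serial` field at all; with `"dynamic": "strict"` in the accompanying `mapping-settings.json` the generated mapping will never contain `observer.board_serial`, so unqualified queries against this index default to a field that does not exist. Change both entries to `"observer.serial_number"`, or rename the subset field, whichever the docs intend (the `inventory-hardware.md` hunk is outside this chunk, so I could not confirm which name it uses). These two templates also list no `agent.id`/`agent.groups` in `query.default_field`, unlike the networks template later in the patch; the hotfixes templates on the following lines have the same gap, so if that is a deliberate per-index choice a note in the docs would help.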
@@ -0,0 +1,19 @@
+---
+- name: package
+ title: Package
+ type: group
+ group: 2
+ description: >
+ Package related data.
+ fields:
+ - name: hotfix
+ type: object
+ level: custom
+ group: 2
+ description: >
+ Hotfix related data.
+ - name: hotfix.name
+ type: keyword
+ level: custom
+ description: >
+ Name of the Hotfix.
\ No newline at end of file
diff --git a/ecs/states-inventory-hotfixes/fields/mapping-settings.json b/ecs/states-inventory-hotfixes/fields/mapping-settings.json
new file mode 100644
index 0000000000000..0ad2b48fcc1be
--- /dev/null
+++ b/ecs/states-inventory-hotfixes/fields/mapping-settings.json
@@ -0,0 +1,4 @@
+{
+ "dynamic": "strict",
+ "date_detection": false
+}
\ No newline at end of file
diff --git a/ecs/states-inventory-hotfixes/fields/subset.yml b/ecs/states-inventory-hotfixes/fields/subset.yml
new file mode 100644
index 0000000000000..fcec48481c21e
--- /dev/null
+++ b/ecs/states-inventory-hotfixes/fields/subset.yml
@@ -0,0 +1,16 @@
+---
+name: wazuh-states-inventory-hotfixes
+fields:
+ base:
+ fields:
+ tags: []
+ "@timestamp": {}
+ agent:
+ fields:
+ id: {}
+ groups: {}
+ package:
+ fields:
+ hotfix:
+ fields:
+ name: {}
\ No newline at end of file
diff --git a/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json b/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json
new file mode 100644
index 0000000000000..390711717339d
--- /dev/null
+++ b/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json
@@ -0,0 +1,14 @@
+{
+ "index_patterns": ["wazuh-states-inventory-hotfixes*"],
+ "order": 1,
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "package.hotfix.name"
+ ]
+ }
+ }
+}
diff --git a/ecs/states-inventory-hotfixes/fields/template-settings.json b/ecs/states-inventory-hotfixes/fields/template-settings.json
new file mode 100644
index 0000000000000..0312d23702aa4
--- /dev/null
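Review bot: In `ecs/states-inventory-hotfixes/fields/custom/package.yml` the `hotfix` entry carries its own `group: 2` inside the field list, on top of the `group: 2` already set on the `package` group; no other custom field file in this patch puts `group` on an individual field, so this reads as a copy-paste remnant rather than a deliberate setting and I would drop that line. `Name of the Hotfix.` capitalises a common noun mid-sentence; `Name of the hotfix.` matches the wording style of the other descriptions. `package.yml` and `subset.yml` in this line both end without a trailing newline.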
+++ b/ecs/states-inventory-hotfixes/fields/template-settings.json
@@ -0,0 +1,18 @@
+{
+ "index_patterns": [
+ "wazuh-states-inventory-hotfixes*"
+ ],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "package.hotfix.name"
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/ecs/states-inventory-networks/fields/custom/agent.yml b/ecs/states-inventory-networks/fields/custom/agent.yml
new file mode 100644
index 0000000000000..3482123af637a
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/custom/agent.yml
@@ -0,0 +1,12 @@
+---
+- name: agent
+ title: Wazuh Agents
+ short: Wazuh Inc. custom fields.
+ type: group
+ group: 2
+ fields:
+ - name: groups
+ type: keyword
+ level: custom
+ description: >
+ The groups the agent belongs to.
diff --git a/ecs/states-inventory-networks/fields/custom/host.yml b/ecs/states-inventory-networks/fields/custom/host.yml
new file mode 100644
index 0000000000000..1adf74051f434
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/custom/host.yml
@@ -0,0 +1,24 @@
+---
+- name: host
+ title: Host
+ fields:
+ - name: network.egress.drops
+ type: long
+ level: custom
+ description: >
+ Number of dropped transmitted packets.
+ - name: network.egress.errors
+ type: long
+ level: custom
+ description: >
+ Number of transmission errors.
+ - name: network.ingress.drops
+ type: long
+ level: custom
+ description: >
+ Number of dropped received packets.
+ - name: network.ingress.errors
+ type: long
+ level: custom
+ description: >
+ Number of reception errors.
diff --git a/ecs/states-inventory-networks/fields/custom/interface.yml b/ecs/states-inventory-networks/fields/custom/interface.yml
new file mode 100644
index 0000000000000..57bfd2c5eb2eb
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/custom/interface.yml
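Review bot: `ecs/states-inventory-networks/fields/custom/host.yml` declares the `host` group with only `name`, `title` and `fields`, whereas the sibling `interface.yml` and `network.yml` on the following line carry `type: group`, `group: 2` and a `description`; keeping one shape across the custom field files makes the schema tooling's handling of them predictable. I would add `type: group`, `group: 2` and `description: >` / `Host related data.` after `title: Host`, mirroring the hardware `host.yml` earlier in the patch. Whether the tooling tolerates a missing `type` on a reused ECS group I cannot tell from the patch, so treat this as a consistency point until someone confirms it.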
@@ -0,0 +1,23 @@
+---
+- name: interface
+ title: Interface
+ type: group
+ group: 2
+ description: >
+ Network interface related data.
+ fields:
+ - name: mtu
+ type: long
+ level: custom
+ description: >
+ Maximum transmission unit size.
+ - name: state
+ type: keyword
+ level: custom
+ description: >
+ State of the network interface.
+ - name: type
+ type: keyword
+ level: custom
+ description: >
+ Interface type.
diff --git a/ecs/states-inventory-networks/fields/custom/network.yml b/ecs/states-inventory-networks/fields/custom/network.yml
new file mode 100644
index 0000000000000..2387fdd645b68
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/custom/network.yml
@@ -0,0 +1,33 @@
+---
+- name: network
+ title: Network
+ type: group
+ group: 2
+ description: >
+ Network related data.
+ fields:
+ - name: broadcast
+ type: ip
+ level: custom
+ description: >
+ Broadcast address
+ - name: dhcp
+ type: keyword
+ level: custom
+ description: >
+ DHCP status (enabled, disabled, unknown, BOOTP)
+ - name: gateway
+ type: ip
+ level: custom
+ description: >
+ Gateway address
+ - name: metric
+ type: long
+ level: custom
+ description: >
+ Metric of the network protocol
+ - name: netmask
+ type: ip
+ level: custom
+ description: >
+ Network mask
diff --git a/ecs/states-inventory-networks/fields/mapping-settings.json b/ecs/states-inventory-networks/fields/mapping-settings.json
new file mode 100644
index 0000000000000..0ad2b48fcc1be
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/mapping-settings.json
@@ -0,0 +1,4 @@
+{
+ "dynamic": "strict",
+ "date_detection": false
+}
\ No newline at end of file
diff --git a/ecs/states-inventory-networks/fields/subset.yml b/ecs/states-inventory-networks/fields/subset.yml
new file mode 100644
index 0000000000000..d60366d6938aa
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/subset.yml
@@ -0,0 +1,51 @@
+---
+name: wazuh-states-inventory-networks
+fields:
+ base:
+ fields:
+ tags: []
+ "@timestamp": {}
+ agent:
+ fields:
+ id: {}
+ groups: {}
+ host:
+ fields:
+ ip: {}
+ mac: {}
+ network:
+ fields:
+ egress:
+ fields:
+ bytes: {}
+ drops: {}
+ errors: {}
+ packets: {}
+ ingress:
+ fields:
+ bytes: {}
+ drops: {}
+ errors: {}
+ packets: {}
+ interface:
+ fields:
+ mtu: {}
+ state: {}
+ type: {}
+ network:
+ fields:
+ broadcast: {}
+ dhcp: {}
+ gateway: {}
+ metric: {}
+ netmask: {}
+ protocol: {}
+ type: {}
+ observer:
+ fields:
+ ingress:
+ fields:
+ interface:
+ fields:
+ alias: {}
+ name: {}
diff --git a/ecs/states-inventory-networks/fields/template-settings-legacy.json b/ecs/states-inventory-networks/fields/template-settings-legacy.json
new file mode 100644
index 0000000000000..1f45768296427
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/template-settings-legacy.json
@@ -0,0 +1,21 @@
+{
+ "index_patterns": ["wazuh-states-inventory-networks*"],
+ "order": 1,
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "device.id",
+ "event.id",
+ "host.ip",
+ "observer.ingress.interface.name",
+ "observer.ingress.interface.alias",
+ "process.name"
+ ]
+ }
+ }
+}
diff --git a/ecs/states-inventory-networks/fields/template-settings.json b/ecs/states-inventory-networks/fields/template-settings.json
new file mode 100644
index 0000000000000..a5607e1012689
--- /dev/null
+++ b/ecs/states-inventory-networks/fields/template-settings.json
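Review bot: `query.default_field` in the networks legacy template lists `device.id`, `event.id` and `process.name`, but the networks `subset.yml` in the previous hunk defines no `device`, `event` or `process` fields, and `mapping-settings.json` for this index sets `"dynamic": "strict"`, so those names will never exist in the mapping; the list looks carried over from the ports index, whose subset does carry `device.id` and `process.name`. Presumably the search layer just ignores unmapped default fields, but the setting then misdocuments what is searchable, so either drop the three entries or add the fields to `subset.yml` if they are meant to be indexed. The identical list is repeated in `template-settings.json` in the next hunk.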
@@ -0,0 +1,25 @@
+{
+ "index_patterns": [
+ "wazuh-states-inventory-networks*"
+ ],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "device.id",
+ "event.id",
+ "host.ip",
+ "observer.ingress.interface.name",
+ "observer.ingress.interface.alias",
+ "process.name"
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/ecs/states-inventory-ports/fields/custom/agent.yml b/ecs/states-inventory-ports/fields/custom/agent.yml
new file mode 100644
index 0000000000000..3482123af637a
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/custom/agent.yml
@@ -0,0 +1,12 @@
+---
+- name: agent
+ title: Wazuh Agents
+ short: Wazuh Inc. custom fields.
+ type: group
+ group: 2
+ fields:
+ - name: groups
+ type: keyword
+ level: custom
+ description: >
+ The groups the agent belongs to.
diff --git a/ecs/states-inventory-ports/fields/custom/host.yml b/ecs/states-inventory-ports/fields/custom/host.yml
new file mode 100644
index 0000000000000..57d032bb002c8
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/custom/host.yml
@@ -0,0 +1,14 @@
+---
+- name: host
+ title: Host
+ fields:
+ - name: network.ingress.queue
+ type: long
+ level: custom
+ description: >
+ Receive queue length.
+ - name: network.egress.queue
+ type: long
+ level: custom
+ description: >
+ Transmit queue length.
diff --git a/ecs/states-inventory-ports/fields/custom/interface.yml b/ecs/states-inventory-ports/fields/custom/interface.yml
new file mode 100644
index 0000000000000..155961408d456
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/custom/interface.yml
@@ -0,0 +1,13 @@
+---
+- name: interface
+ title: Interface
+ type: group
+ group: 2
+ description: >
+ Network interface related data.
+ fields:
+ - name: state
+ type: keyword
+ level: custom
+ description: >
+ State of the network interface.
diff --git a/ecs/states-inventory-ports/fields/mapping-settings.json b/ecs/states-inventory-ports/fields/mapping-settings.json
new file mode 100644
index 0000000000000..0ad2b48fcc1be
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/mapping-settings.json
@@ -0,0 +1,4 @@
+{
+ "dynamic": "strict",
+ "date_detection": false
+}
\ No newline at end of file
diff --git a/ecs/states-inventory-ports/fields/subset.yml b/ecs/states-inventory-ports/fields/subset.yml
new file mode 100644
index 0000000000000..27e2ac6abcb02
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/subset.yml
@@ -0,0 +1,45 @@
+---
+name: wazuh-states-inventory-ports
+fields:
+ base:
+ fields:
+ tags: []
+ "@timestamp": {}
+ agent:
+ fields:
+ id: {}
+ groups: {}
+ destination:
+ fields:
+ ip: {}
+ port: {}
+ device:
+ fields:
+ id: {}
+ file:
+ fields:
+ inode: {}
+ host:
+ fields:
+ network:
+ fields:
+# egress:
+# fields:
+# queue: {}
+ ingress:
+ fields:
+ queue: {}
+ network:
+ fields:
+ protocol: {}
+ process:
+ fields:
+ name: {}
+ pid: {}
+ source:
+ fields:
+ ip: {}
+ port: {}
+ interface:
+ fields:
+ state: {}
diff --git a/ecs/states-inventory-ports/fields/template-settings-legacy.json b/ecs/states-inventory-ports/fields/template-settings-legacy.json
new file mode 100644
index 0000000000000..684b7689d70f3
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/template-settings-legacy.json
@@ -0,0 +1,18 @@
+{
+ "index_patterns": ["wazuh-states-inventory-ports*"],
+ "order": 1,
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "process.name",
+ "source.ip",
+ "destination.ip"
+ ]
+ }
+ }
+}
diff --git a/ecs/states-inventory-ports/fields/template-settings.json b/ecs/states-inventory-ports/fields/template-settings.json
new file mode 100644
index 0000000000000..9324c929a4bfd
--- /dev/null
+++ b/ecs/states-inventory-ports/fields/template-settings.json
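Review bot: The ports `subset.yml` leaves `host.network.egress.queue` as three commented-out lines (`# egress:`, `# fields:`, `# queue: {}`) while `custom/host.yml` in the previous hunk still declares `network.egress.queue` under `host` with a description, so the two files disagree on whether the transmit queue belongs to this index. Commented-out schema lines read as unfinished work; either uncomment the entry so the declared field is actually emitted, or remove the declaration from `host.yml`. If the exclusion is deliberate, replace the dead lines with a one-line comment stating why, e.g. `# host.network.egress.queue intentionally omitted: <reason>`.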
@@ -0,0 +1,22 @@ +{ + "index_patterns": [ + "wazuh-states-inventory-ports*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "process.name", + "source.ip", + "destination.ip" + ] + } + } + } +} \ No newline at end of file From bd02bb937d636e324dd301012b90ed2fe0a6c6f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Tue, 12 Nov 2024 16:19:16 +0100 Subject: [PATCH 2/6] Clean documentation of Wazuh 5 indices --- ecs/agent/fields/custom/agent.yml | 6 +- ecs/command/fields/custom/agent.yml | 2 +- ecs/docs/agents.md | 69 +++-- ecs/docs/commands.md | 226 +++++++-------- ecs/docs/inventory-4.x.md | 70 ----- ecs/docs/states-fim.md | 145 +++++----- ecs/docs/states-vulnerability.md | 260 +++++++++--------- ecs/states-fim/fields/custom/agent.yml | 2 +- .../fields/custom/agent.yml | 2 +- 9 files changed, 355 insertions(+), 427 deletions(-) delete mode 100644 ecs/docs/inventory-4.x.md diff --git a/ecs/agent/fields/custom/agent.yml b/ecs/agent/fields/custom/agent.yml index 0492778271095..7e60469c0800f 100644 --- a/ecs/agent/fields/custom/agent.yml +++ b/ecs/agent/fields/custom/agent.yml @@ -9,17 +9,17 @@ type: keyword level: custom description: > - The groups the agent belongs to. + List of groups the agent belong to. - name: key type: keyword level: custom description: > - The agent's registration key. + The registration key of the agent. - name: last_login type: date level: custom description: > - The agent's last login. + The last time the agent logged in. - name: is_connected type: boolean level: custom diff --git a/ecs/command/fields/custom/agent.yml b/ecs/command/fields/custom/agent.yml index 17b6f7324d830..fd3cb2e6c41c9 100644 --- a/ecs/command/fields/custom/agent.yml +++ b/ecs/command/fields/custom/agent.yml 
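Review bot: The reworded description `List of groups the agent belong to.` introduces a subject–verb agreement error that the original `The groups the agent belongs to.` did not have; it should read `List of groups the agent belongs to.`. The same string is repeated in `ecs/command/fields/custom/agent.yml` in the next hunk and in the field tables of `ecs/docs/agents.md`, `ecs/docs/commands.md` and `ecs/docs/states-fim.md` later in this patch, and the diffstat suggests the states-fim and states-inventory `agent.yml` files carry it too, so fix it once at the source and regenerate.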
@@ -9,4 +9,4 @@
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
\ No newline at end of file
+ List of groups the agent belong to.
\ No newline at end of file
diff --git a/ecs/docs/agents.md b/ecs/docs/agents.md
index b0a1619c5e877..a0d48de7f6d16 100644
--- a/ecs/docs/agents.md
+++ b/ecs/docs/agents.md
@@ -6,20 +6,20 @@ The fields are based on https://github.com/wazuh/wazuh/issues/23396#issuecomment Based on ECS [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). -| Field | ECS field | Type | Description | -| ----------------- | ---------------------- | ------- | ---------------------------------------------------------------------- | -| uuid | `agent.id` | keyword | Agent's ID | -| name | `agent.name` | keyword | Agent's name | -| groups | \*`agent.groups` | keyword | Agent's groups | -| internal_key | \*`agent.key` | keyword | Agent's registration key | -| type | `agent.type` | keyword | Type of agent | -| version | `agent.version` | keyword | Agent's version | -| connection_status | \*`agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login` | -| last_keepalive | \*`agent.last_login` | date | Agent's last login | -| ip | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | -| os\_\* | `host.os.full` | keyword | Operating system name, including the version or code name. | +| | Field | Type | Description | Example | +| --- | -------------------- | ------- | ---------------------------------------------------------------------- | ---------------------------------- | +| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | +| | `agent.name` | keyword | Custom name of the agent. | `foo` | +| \* | `agent.groups` | keyword | List of groups the agent belong to. | `["group1", "group2"]` | +| \* | `agent.key` | keyword | The registration key of the agent. | `BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR` | +| | `agent.type` | keyword | Type of agent. | `endpoint` | +| | `agent.version` | keyword | Version of the agent. | `6.0.0-rc2` | +| \* | `agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login`. | | +| \* | `agent.last_login` | date | The last time the agent logged in. 
| `11/11/2024 00:00:00` | +| | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` | +| | `host.os.full` | keyword | Operating system name, including the version or code name. | `Mac OS Mojave` | -\* Custom field +\* Custom field. ### ECS mapping @@ -77,34 +77,33 @@ fields: level: custom description: > Agents' interpreted connection status depending on `agent.last_login`. - ``` ### Index settings ```json { - "index_patterns": [".agents*"], - "priority": 1, - "template": { - "settings": { - "index": { - "hidden": true, - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "agent.name", - "agent.type", - "agent.version", - "agent.name", - "host.os.full", - "host.ip" - ] - } - } + "index_patterns": [".agents*"], + "priority": 1, + "template": { + "settings": { + "index": { + "hidden": true, + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "agent.name", + "agent.type", + "agent.version", + "agent.name", + "host.os.full", + "host.ip" + ] + } } + } } ``` diff --git a/ecs/docs/commands.md b/ecs/docs/commands.md index 0ca3ac82de0aa..afbd250a9885f 100644 --- a/ecs/docs/commands.md +++ b/ecs/docs/commands.md 
@@ -10,23 +10,23 @@ This index stores information about the commands executed by the agents. The index appears in 5.0.0 for the first time. -| ECS field | Type | Description | -| -------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------- | -| \*`agent.groups` | keyword | Agent's groups | -| \*`command.source` | keyword | Origin of the request. One of [`Users/Services` (via Management API), `Engine` (via Management API), `Content manager` (directly)]. | -| \*`command.user` | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. | -| \*`command.target.id` | keyword | Unique identifier of the destination to send the command to. | -| \*`command.target.type` | keyword | The destination type. One of [`group`, `agent`, `server`], | -| \*`command.action.name` | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... | -| \*`command.action.args` | keyword | Array of command arguments, starting with the absolute path to the executable. | -| \*`command.action.version` | keyword | Version of the command's schema. | -| \*`command.timeout` | short | Time window in which the command has to be sent to its target. | -| \*`command.status` | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`]. | -| \*`command.result.code` | short | Status code returned by the target. | -| \*`command.result.message` | keyword | Result message returned by the target. | -| \*`command.result.data` | keyword | Result data returned by the target. | -| \*`command.request_id` | keyword | UUID generated by the Command Manager. | -| \*`command.order_id` | keyword | UUID generated by the Command Manager. 
| +| | Field | Type | Description | +| --- | ------------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------- | +| \* | `agent.groups` | keyword | List of groups the agent belong to. | +| \* | `command.source` | keyword | Origin of the request. One of [`Users/Services` (via Management API), `Engine` (via Management API), `Content manager` (directly)]. | +| \* | `command.user` | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. | +| \* | `command.target.id` | keyword | Unique identifier of the destination to send the command to. | +| \* | `command.target.type` | keyword | The destination type. One of [`group`, `agent`, `server`], | +| \* | `command.action.name` | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... | +| \* | `command.action.args` | keyword | Array of command arguments, starting with the absolute path to the executable. | +| \* | `command.action.version` | keyword | Version of the command's schema. | +| \* | `command.timeout` | short | Time window in which the command has to be sent to its target. | +| \* | `command.status` | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`]. | +| \* | `command.result.code` | short | Status code returned by the target. | +| \* | `command.result.message` | keyword | Result message returned by the target. | +| \* | `command.result.data` | keyword | Result data returned by the target. | +| \* | `command.request_id` | keyword | UUID generated by the Command Manager. | +| \* | `command.order_id` | keyword | UUID generated by the Command Manager. | \* Custom field. 
@@ -36,14 +36,14 @@ This index stores information about the commands executed by the agents. The ind --- name: command fields: - base: - fields: - tags: [] - agent: - fields: - groups: {} - command: - fields: "*" + base: + fields: + tags: [] + agent: + fields: + groups: {} + command: + fields: "*" ``` ```yml 
@@ -52,103 +52,103 @@ fields: title: Wazuh commands short: Wazuh Inc. custom fields. description: > - This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers. + This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers. type: group group: 2 fields: - - name: source - type: keyword - level: custom - description: > - Origin of the request. - - name: user - type: keyword - level: custom - description: > - The user that originated the request. - - name: target.id - type: keyword - level: custom - description: > - Unique identifier of the destination to send the command to. - - name: target.type - type: keyword - level: custom - description: > - The destination type. One of [`group`, `agent`, `server`] - - name: action.name - type: keyword - level: custom - description: > - The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... - - name: action.args - type: keyword - level: custom - description: > - Array of command arguments, starting with the absolute path to the executable. - - name: action.version - type: keyword - level: custom - description: > - Version of the command's schema. - - name: timeout - type: short - level: custom - description: > - Time window in which the command has to be sent to its target. - - name: status - type: keyword - level: custom - description: > - Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure']. - - name: result.code - type: short - level: custom - description: > - Status code returned by the target. - - name: result.message - type: keyword - level: custom - description: > - Result message returned by the target. - - name: result.data - type: keyword - level: custom - description: > - Result data returned by the target. - - name: request_id - type: keyword - level: custom - description: > - UUID generated by the Command Manager. 
- - name: order_id - type: keyword - level: custom - description: > - UUID generated by the Command Manager. + - name: source + type: keyword + level: custom + description: > + Origin of the request. + - name: user + type: keyword + level: custom + description: > + The user that originated the request. + - name: target.id + type: keyword + level: custom + description: > + Unique identifier of the destination to send the command to. + - name: target.type + type: keyword + level: custom + description: > + The destination type. One of [`group`, `agent`, `server`] + - name: action.name + type: keyword + level: custom + description: > + The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... + - name: action.args + type: keyword + level: custom + description: > + Array of command arguments, starting with the absolute path to the executable. + - name: action.version + type: keyword + level: custom + description: > + Version of the command's schema. + - name: timeout + type: short + level: custom + description: > + Time window in which the command has to be sent to its target. + - name: status + type: keyword + level: custom + description: > + Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure']. + - name: result.code + type: short + level: custom + description: > + Status code returned by the target. + - name: result.message + type: keyword + level: custom + description: > + Result message returned by the target. + - name: result.data + type: keyword + level: custom + description: > + Result data returned by the target. + - name: request_id + type: keyword + level: custom + description: > + UUID generated by the Command Manager. + - name: order_id + type: keyword + level: custom + description: > + UUID generated by the Command Manager. 
``` ### Index settings ```json { - "index_patterns": [".commands*"], - "priority": 1, - "template": { - "settings": { - "index": { - "hidden": true, - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "command.source", - "command.target.type", - "command.status", - "command.action.name" - ] - } - } + "index_patterns": [".commands*"], + "priority": 1, + "template": { + "settings": { + "index": { + "hidden": true, + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "command.source", + "command.target.type", + "command.status", + "command.action.name" + ] + } } + } } ``` diff --git a/ecs/docs/inventory-4.x.md b/ecs/docs/inventory-4.x.md deleted file mode 100644 index fd77e266d97fd..0000000000000 --- a/ecs/docs/inventory-4.x.md +++ /dev/null 
@@ -1,70 +0,0 @@ -## Migration to 5.x - -| Syscollector 4.x inventory table | Index 5.x | -| -------------------------------- | -------------------------------- | -| sys_processes | wazuh-states-inventory-processes | -| sys_hwinfo | wazuh-states-inventory-hardware | -| sys_osinfo | wazuh-states-inventory-system | -| sys_ports | wazuh-states-inventory-networks | -| sys_net\* | wazuh-states-inventory-networks | -| sys_programs | wazuh-states-inventory-packages | -| sys_hotfixes | wazuh-states-inventory-hotfixes | - -### sys_netiface - -| | Field name | ECS field name | Data type | Description | -| --- | ---------- | ------------------- | --------- | ------------------------------------------------ | -| x | name | network.name | KEYWORD | Name of the network interface | -| ? | adapter | | KEYWORD | Adapter name of the network interface | -| x | type | network.type | KEYWORD | Type of the network interface | -| * | state | network.state | KEYWORD | State of the network interface | -| * | mtu | network.mtu | INTEGER | Maximum transmission unit size | -| x | mac | network.mac | KEYWORD | MAC address of the network interface | -| | tx_packets | network.out.packets | INTEGER | Number of transmitted packets | -| | rx_packets | network.in.packets | INTEGER | Number of received packets | -| | tx_bytes | network.out.bytes | INTEGER | Number of transmitted bytes | -| | rx_bytes | network.in.bytes | INTEGER | Number of received bytes | -| | tx_errors | network.out.errors | INTEGER | Number of transmission errors | -| | rx_errors | network.in.errors | INTEGER | Number of reception errors | -| | tx_dropped | network.out.dropped | INTEGER | Number of dropped transmitted packets | -| | rx_dropped | network.in.dropped | INTEGER | Number of dropped received packets | -| x | item_id | | KEYWORD | Unique identifier for the network interface item | - -### sys_netproto - -| | Field name | ECS field name | Data type | Description | -| --- | ---------- | ------------------- | --------- | 
----------------------------------------------- | -| r | iface | `sys_netiface.name` | KEYWORD | Name of the network interface | -| | type | network.type | KEYWORD | Type of network protocol | -| | gateway | network.gateway | KEYWORD | Gateway address | -| | dhcp | network.dhcp | KEYWORD | DHCP status (enabled, disabled, unknown, BOOTP) | -| | metric | network.metric | INTEGER | Metric of the network protocol | -| | item_id | | KEYWORD | Unique identifier for the network protocol item | - -### sys_netaddr - -| | Field name | ECS field name | Data type | Description | -| --- | ---------- | -------------------- | --------- | ---------------------------------------------- | -| r | iface | `sys_netproto.iface` | KEYWORD | Name of the network interface | -| | proto | `sys_netproto.type` | KEYWORD | Type of network protocol | -| | address | source.address | KEYWORD | Network address | -| | netmask | network.netmask | KEYWORD | Network mask | -| | broadcast | network.broadcast | KEYWORD | Broadcast address | -| | item_id | | KEYWORD | Unique identifier for the network address item | - -### sys_ports - -| | Field name | ECS field name | Data type | Description | -| --- | ----------- | -------------------- | --------- | ------------------------------------------- | -| | protocol | network.protocol | KEYWORD | Protocol used | -| | local_ip | source.ip | KEYWORD | Local IP address | -| | local_port | source.port | INTEGER | Local port number | -| | remote_ip | destination.ip | KEYWORD | Remote IP address | -| | remote_port | destination.port | INTEGER | Remote port number | -| | tx_queue | network.out.queue | INTEGER | Transmit queue length | -| | rx_queue | network.in.queue | INTEGER | Receive queue length | -| | inode | system.network.inode | INTEGER | Inode number | -| | state | network.transport | KEYWORD | State of the connection | -| | PID | process.pid | INTEGER | Process ID | -| | process | process.name | KEYWORD | Process name | -| | item_id | | KEYWORD | Unique 
identifier for the network port item | diff --git a/ecs/docs/states-fim.md b/ecs/docs/states-fim.md index 4d42e1e8a79fc..129fcf9ec94a6 100644 --- a/ecs/docs/states-fim.md +++ b/ecs/docs/states-fim.md 
@@ -6,34 +6,33 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [File Fields](https://www.elastic.co/guide/en/ecs/current/ecs-file.html). -- [Registry Fields](https://www.elastic.co/guide/en/ecs/current/ecs-registry.html). +- [File Fields](https://www.elastic.co/guide/en/ecs/current/ecs-file.html). +- [Registry Fields](https://www.elastic.co/guide/en/ecs/current/ecs-registry.html). -| Field | ECS field | Type | Description | -| ------------- | ------------------ | ------- | ---------------------------------------------------------------- | -| | `agent.id` | keyword | Agent's ID | -| | \*`agent.groups` | keyword | Agent's groups | -| arch | \* ? | keyword | Is arch a file property? | -| attributes | `file.attributes` | keyword | Array of file attributes. | -| file | `file.name` | keyword | Name of the file including the extension, without the directory. | -| full_path | `file.path` | keyword | Full path to the file, including the file name. | -| gid | `file.gid` | keyword | Primary group ID (GID) of the file. | -| gname | `file.group` | keyword | Primary group name of the file. | -| inode | `file.inode` | keyword | Inode representing the file in the filesystem. | -| md5 | `file.hash.md5` | keyword | MD5 hash of the file. | -| mtime | `file.mtime` | date | Last time the file's metadata changed. | -| perm | `file.mode` | keyword | File permissions in octal mode. | -| sha1 | `file.hash.sha1` | keyword | SHA1 hash of the file. | -| sha256 | `file.hash.sha256` | keyword | SHA256 hash of the file. | -| size | `file.size` | long | File size in bytes. | -| symbolic_path | `file.target_path` | keyword | Target path for symlinks. | -| type | `file.type` | keyword | File type (file, dir, or symlink). | -| uid | `file.uid` | keyword | User ID (UID) of the file owner. | -| uname | `file.owner` | keyword | File owner’s username. | -| value_name | `registry.key` | keyword | Hive-relative path of keys. 
| -| value_type | `registry.value` | keyword | Name of the value written. | +| | Field | Type | Description | Example | +| --- | ------------------ | ------- | ----------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | +| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | +| \* | \*`agent.groups` | keyword | List of groups the agent belong to. | `["group1", "group2"]` | +| | `file.attributes` | keyword | Array of file attributes. | `["readonly", "system"]` | +| | `file.gid` | keyword | Primary group ID (GID) of the file. | `1001` | +| | `file.group` | keyword | Primary group name of the file. | `alice` | +| | `file.inode` | keyword | Inode representing the file in the filesystem. | `256383` | +| | `file.name` | keyword | Name of the file including the extension, without the directory. | `example.png` | +| | `file.mode` | keyword | File permissions in octal mode. | `0640` | +| | `file.mtime` | date | Last time the file's metadata changed. | | +| | `file.owner` | keyword | File owner’s username. | | +| | `file.path` | keyword | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png` | +| | `file.size` | long | File size in bytes. | `16384` | +| | `file.target_path` | keyword | Target path for symlinks. | | +| | `file.type` | keyword | File type (file, dir, or symlink). | `file` | +| | `file.uid` | keyword | User ID (UID) of the file owner. | `1001` | +| | `file.hash.md5` | keyword | MD5 hash of the file. | | +| | `file.hash.sha1` | keyword | SHA1 hash of the file. | | +| | `file.hash.sha256` | keyword | SHA256 hash of the file. | | +| | `registry.key` | keyword | Hive-relative path of keys. 
| `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe` | +| | `registry.value` | keyword | Name of the value written. | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger` | -\* Custom field +\* Custom field. ### ECS mapping @@ -41,60 +40,60 @@ Based on ECS: --- name: fim fields: - agent: + agent: + fields: + id: {} + groups: {} + file: + fields: + attributes: {} + name: {} + path: {} + gid: {} + group: {} + inode: {} + hash: fields: - id: {} - groups: {} - file: - fields: - attributes: {} - name: {} - path: {} - gid: {} - group: {} - inode: {} - hash: - fields: - md5: {} - sha1: {} - sha256: {} - mtime: {} - mode: {} - size: {} - target_path: {} - type: {} - uid: {} - owner: {} - registry: - fields: - key: {} - value: {} + md5: {} + sha1: {} + sha256: {} + mtime: {} + mode: {} + size: {} + target_path: {} + type: {} + uid: {} + owner: {} + registry: + fields: + key: {} + value: {} ``` ### Index settings ```json { - "index_patterns": ["wazuh-states-fim*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "file.name", - "file.path", - "file.target_path", - "file.group", - "file.uid", - "file.gid" - ] - } - } + "index_patterns": ["wazuh-states-fim*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "file.name", + "file.path", + "file.target_path", + "file.group", + "file.uid", + "file.gid" + ] + } } + } } ``` diff --git a/ecs/docs/states-vulnerability.md b/ecs/docs/states-vulnerability.md index fa7f4969d1c1f..61718d1419873 100644 --- a/ecs/docs/states-vulnerability.md +++ b/ecs/docs/states-vulnerability.md 
@@ -6,59 +6,59 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/blob/4.9.0/ecs/vu
 Based on ECS:
-- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html).
-- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
-- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
-- [Vulnerability Fields](https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html).
+- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html).
+- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
+- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
+- [Vulnerability Fields](https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html).
-| ECS field | Type | Description |
-| ----------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `agent.id` | keyword | Unique identifier of this agent (if one exists). |
-| \*`agent.groups` | keyword | Agent's groups |
-| `agent.name` | keyword | Custom name of the agent. |
-| `agent.type` | keyword | Type of the agent. |
-| `agent.version` | keyword | Version of the agent. |
-| `host.os.full` | keyword | Operating system name, including the version or code name. |
-| `host.os.kernel` | keyword | Operating system kernel version as a raw string. |
-| `host.os.name` | keyword | Operating system name, without the version. |
-| `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). |
-| `host.os.type` | keyword | Use the os.type field to categorize the operating system into one of the broad commercial families. |
-| `host.os.version` | keyword | Operating system version as a raw string. |
-| `package.architecture` | keyword | Package architecture. |
-| `package.build_version` | keyword | Additional information about the build version of the installed package. |
-| `package.checksum` | keyword | Checksum of the installed package for verification. |
-| `package.description` | keyword | Description of the package. |
-| `package.install_scope` | keyword | Indicating how the package was installed, e.g. user-local, global. |
-| `package.installed` | date | Time when package was installed. |
-| `package.license` | keyword | License under which the package was released. |
-| `package.name` | keyword | Package name |
-| `package.path` | keyword | Path where the package is installed. |
-| `package.reference` | keyword | Home page or reference URL of the software in this package, if available. |
-| `package.size` | long | Package size in bytes. |
-| `package.type` | keyword | Type of package. |
-| `package.version` | keyword | Package version |
-| `vulnerability.category` | keyword | The type of system or architecture that the vulnerability affects |
-| `vulnerability.classification` | keyword | The classification of the vulnerability scoring system. |
-| `vulnerability.description` | keyword | The description of the vulnerability that provides additional context of the vulnerability |
-| \*`vulnerability.detected_at` | date | Vulnerability's detection date. |
-| `vulnerability.enumeration` | keyword | The type of identifier used for this vulnerability. |
-| `vulnerability.id` | keyword | The identification (ID) is the number portion of a vulnerability entry. |
-| \*`vulnerability.published_at` | date | Vulnerability's publication date. |
-| `vulnerability.reference` | keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability. |
-| `vulnerability.report_id` | keyword | The report or scan identification number. |
-| \*`vulnerability.scanner.source` | keyword | The origin of the decision of the scanner (AKA feed used to detect the vulnerability). |
-| `vulnerability.scanner.vendor` | keyword | The name of the vulnerability scanner vendor. |
-| `vulnerability.score.base` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
-| `vulnerability.score.environmental` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
-| `vulnerability.score.temporal` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
-| `vulnerability.score.version` | keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. |
-| `vulnerability.severity` | keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. |
-| \*`vulnerability.under_evaluation` | boolean | Indicates if the vulnerability is awaiting analysis by the NVD. |
-| \*`wazuh.cluster.name` | keyword | Name of the Wazuh cluster. |
-| \*`wazuh.cluster.node` | keyword | Name of the Wazuh cluster node. |
-| \*`wazuh.schema.version` | keyword | Version of the Wazuh schema. |
+| | Field | Type | Description |
+| --- | ----------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| | `agent.id` | keyword | Unique identifier of this agent. |
+| \* | `agent.groups` | keyword | List of groups the agent belong to. |
+| | `agent.name` | keyword | Custom name of the agent. |
+| | `agent.type` | keyword | Type of agent. |
+| | `agent.version` | keyword | Version of the agent. |
+| | `host.os.full` | keyword | Operating system name, including the version or code name. |
+| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. |
+| | `host.os.name` | keyword | Operating system name, without the version. |
+| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). |
+| | `host.os.type` | keyword | Use the os.type field to categorize the operating system into one of the broad commercial families. |
+| | `host.os.version` | keyword | Operating system version as a raw string. |
+| | `package.architecture` | keyword | Package architecture. |
+| | `package.build_version` | keyword | Additional information about the build version of the installed package. |
+| | `package.checksum` | keyword | Checksum of the installed package for verification. |
+| | `package.description` | keyword | Description of the package. |
+| | `package.install_scope` | keyword | Indicating how the package was installed, e.g. user-local, global. |
+| | `package.installed` | date | Time when package was installed. |
+| | `package.license` | keyword | License under which the package was released. |
+| | `package.name` | keyword | Package name |
+| | `package.path` | keyword | Path where the package is installed. |
+| | `package.reference` | keyword | Home page or reference URL of the software in this package, if available. |
+| | `package.size` | long | Package size in bytes. |
+| | `package.type` | keyword | Type of package. |
+| | `package.version` | keyword | Package version |
+| | `vulnerability.category` | keyword | The type of system or architecture that the vulnerability affects |
+| | `vulnerability.classification` | keyword | The classification of the vulnerability scoring system. |
+| | `vulnerability.description` | keyword | The description of the vulnerability that provides additional context of the vulnerability |
+| \* | `vulnerability.detected_at` | date | Vulnerability's detection date. |
+| | `vulnerability.enumeration` | keyword | The type of identifier used for this vulnerability. |
+| | `vulnerability.id` | keyword | The identification (ID) is the number portion of a vulnerability entry. |
+| \* | `vulnerability.published_at` | date | Vulnerability's publication date. |
+| | `vulnerability.reference` | keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability. |
+| | `vulnerability.report_id` | keyword | The report or scan identification number. |
+| \* | `vulnerability.scanner.source` | keyword | The origin of the decision of the scanner (AKA feed used to detect the vulnerability). |
+| | `vulnerability.scanner.vendor` | keyword | The name of the vulnerability scanner vendor. |
+| | `vulnerability.score.base` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
+| | `vulnerability.score.environmental` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
+| | `vulnerability.score.temporal` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
+| | `vulnerability.score.version` | keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. |
+| | `vulnerability.severity` | keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. |
+| \* | `vulnerability.under_evaluation` | boolean | Indicates if the vulnerability is awaiting analysis by the NVD. |
+| \* | `wazuh.cluster.name` | keyword | Name of the Wazuh cluster. |
+| \* | `wazuh.cluster.node` | keyword | Name of the Wazuh cluster node. |
+| \* | `wazuh.schema.version` | keyword | Version of the Wazuh schema. |
-\* Custom field
+\* Custom field.
 ### ECS mapping
@@ -66,26 +66,26 @@ Based on ECS:
 ---
 name: wazuh-states-vulnerabilities
 fields:
- base:
- tags: []
- agent:
- fields: "*"
- package:
- fields: "*"
- host:
+ base:
+ tags: []
+ agent:
+ fields: "*"
+ package:
+ fields: "*"
+ host:
+ fields:
+ os:
 fields:
- os:
- fields:
- full: ""
- kernel: ""
- name: ""
- platform: ""
- type: ""
- version: ""
- vulnerability:
- fields: "*"
- wazuh:
- fields: "*"
+ full: ""
+ kernel: ""
+ name: ""
+ platform: ""
+ type: ""
+ version: ""
+ vulnerability:
+ fields: "*"
+ wazuh:
+ fields: "*"
 ```
 ```yml
@@ -95,30 +95,30 @@ fields:
 group: 2
 short: Fields to describe the vulnerability relevant to an event.
 description: >
- The vulnerability fields describe information about a vulnerability that is
- relevant to an event.
+ The vulnerability fields describe information about a vulnerability that is
+ relevant to an event.
 type: group
 fields:
- - name: detected_at
- type: date
- level: custom
- description: >
- Vulnerability's detection date.
- - name: published_at
- type: date
- level: custom
- description: >
- Vulnerability's publication date.
- - name: under_evaluation
- type: boolean
- level: custom
- description: >
- Indicates if the vulnerability is awaiting analysis by the NVD.
- - name: scanner.source
- type: keyword
- level: custom
- description: >
- The origin of the decision of the scanner (AKA feed used to detect the vulnerability).
+ - name: detected_at
+ type: date
+ level: custom
+ description: >
+ Vulnerability's detection date.
+ - name: published_at
+ type: date
+ level: custom
+ description: >
+ Vulnerability's publication date.
+ - name: under_evaluation
+ type: boolean
+ level: custom
+ description: >
+ Indicates if the vulnerability is awaiting analysis by the NVD.
+ - name: scanner.source
+ type: keyword
+ level: custom
+ description: >
+ The origin of the decision of the scanner (AKA feed used to detect the vulnerability).
 ```
 ```yml
@@ -127,51 +127,51 @@ fields:
 - name: wazuh
 title: Wazuh
 description: >
- Wazuh Inc. custom fields
+ Wazuh Inc. custom fields
 fields:
- - name: cluster.name
- type: keyword
- level: custom
- description: >
- Wazuh cluster name.
- - name: cluster.node
- type: keyword
- level: custom
- description: >
- Wazuh cluster node name.
- - name: schema.version
- type: keyword
- level: custom
- description: >
- Wazuh schema version.
+ - name: cluster.name
+ type: keyword
+ level: custom
+ description: >
+ Wazuh cluster name.
+ - name: cluster.node
+ type: keyword
+ level: custom
+ description: >
+ Wazuh cluster node name.
+ - name: schema.version
+ type: keyword
+ level: custom
+ description: >
+ Wazuh schema version.
 ```
 ### Index settings
 ```json
 {
- "index_patterns": ["wazuh-states-vulnerabilities*"],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "host.os.full",
- "host.os.version",
- "package.name",
- "package.version",
- "vulnerability.id",
- "vulnerability.description",
- "vulnerability.severity",
- "wazuh.cluster.name"
- ]
- }
- }
+ "index_patterns": ["wazuh-states-vulnerabilities*"],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "host.os.full",
+ "host.os.version",
+ "package.name",
+ "package.version",
+ "vulnerability.id",
+ "vulnerability.description",
+ "vulnerability.severity",
+ "wazuh.cluster.name"
+ ]
+ }
 }
+ }
 }
 ```
diff --git a/ecs/states-fim/fields/custom/agent.yml b/ecs/states-fim/fields/custom/agent.yml
index 17b6f7324d830..fd3cb2e6c41c9 100644
--- a/ecs/states-fim/fields/custom/agent.yml
+++ b/ecs/states-fim/fields/custom/agent.yml
@@ -9,4 +9,4 @@
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
\ No newline at end of file
+ List of groups the agent belong to.
\ No newline at end of file
diff --git a/ecs/states-vulnerabilities/fields/custom/agent.yml b/ecs/states-vulnerabilities/fields/custom/agent.yml
index 3482123af637a..9feecf4e2da98 100644
--- a/ecs/states-vulnerabilities/fields/custom/agent.yml
+++ b/ecs/states-vulnerabilities/fields/custom/agent.yml
@@ -9,4 +9,4 @@
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
+ List of groups the agent belong to.
From c8be4720236392b96b136e4ed731ef79dbbd29ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lex=20Ruiz?=
Date: Tue, 12 Nov 2024 16:59:08 +0100
Subject: [PATCH 3/6] Update compatibility_request.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Álex Ruiz
---
 .github/ISSUE_TEMPLATE/compatibility_request.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/ISSUE_TEMPLATE/compatibility_request.md b/.github/ISSUE_TEMPLATE/compatibility_request.md
index 0c596ff4a116b..a7d1bad7560f5 100644
--- a/.github/ISSUE_TEMPLATE/compatibility_request.md
+++ b/.github/ISSUE_TEMPLATE/compatibility_request.md
@@ -2,7 +2,7 @@
 name: Compatibility request
 about: Suggest supporting a new version of OpenSearch
 title: 'Compatibility with OpenSearch (version)'
-labels: request/operational, level/task, type/research
+labels: request/operational, level/task, type/maintenance
 assignees: ''
 ---
From 4f29128aa666ec616567cc3d5636343583089314 Mon Sep 17 00:00:00 2001
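Review bot: The new description in both agent.yml hunks has a subject–verb agreement error: `List of groups the agent belong to.` should read `List of groups the agent belongs to.` (the removed text had this right). The same wording appears in the field tables of states-fim.md and states-vulnerability.md earlier in this patch, which look like they mirror the YAML, so fixing it at the YAML source keeps the docs consistent. The states-fim copy also still ends without a trailing newline, as the `\ No newline at end of file` marker on both sides of that hunk shows, while the states-vulnerabilities copy has one; ending the file with a newline would keep future diffs of this field clean.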
From: f-galland
Date: Tue, 12 Nov 2024 13:05:40 -0300
Subject: [PATCH 4/6] Add ECS based description fields
---
 ecs/docs/inventory-hardware.md | 20 ++++-----
 ecs/docs/inventory-hotfixes.md | 8 ++--
 ecs/docs/inventory-networks.md | 53 ++++++++++++-----------
 ecs/docs/inventory-packages.md | 40 +++++++++---------
 ecs/docs/inventory-ports.md | 30 ++++++-------
 ecs/docs/inventory-processes.md | 74 ++++++++++++++++-----------------
 ecs/docs/inventory-system.md | 26 ++++++------
 7 files changed, 125 insertions(+), 126 deletions(-)
diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md
index 4f8c2ade7bcd3..14165e8af2bc4 100644
--- a/ecs/docs/inventory-hardware.md
+++ b/ecs/docs/inventory-hardware.md
@@ -9,16 +9,16 @@ Based on ECS:
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
 - [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).
-| | Field name | ECS field name | Data type | Description |
-| --- | ------------ | ----------------------------- | --------- | -------------------------------- |
-| | scan_time | @timestamp | date | Timestamp of the scan |
-| | board_serial | observer.serial_number | keyword | Serial number of the motherboard |
-| * | cpu_name | host.cpu.name | keyword | Name of the CPU |
-| * | cpu_cores | host.cpu.cores | long | Number of CPU cores |
-| * | cpu_mhz | host.cpu.speed | long | Speed of the CPU in MHz |
-| * | ram_total | host.memory.total | long | Total RAM in the system |
-| * | ram_free | host.memory.free | long | Free RAM in the system |
-| * | ram_usage | host.memory.used.percentage | long | RAM usage as a percentage |
+| | Field name | Data type | Description | Example |
+| --- | --------------------------- | --------- | ------------------------------------ | ------- |
+| | @timestamp | date | Date/time when the event originated. | |
+| | observer.serial_number | keyword | Observer serial number. | |
+| * | host.cpu.name | keyword | Name of the CPU | |
+| * | host.cpu.cores | long | Number of CPU cores | |
+| * | host.cpu.speed | long | Speed of the CPU in MHz | |
+| * | host.memory.total | long | Total RAM in the system | |
+| * | host.memory.free | long | Free RAM in the system | |
+| * | host.memory.used.percentage | long | RAM usage as a percentage | |
 \* Custom fields
diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md
index 4ec3ddd48cbcb..c37ef8c5f2ec6 100644
--- a/ecs/docs/inventory-hotfixes.md
+++ b/ecs/docs/inventory-hotfixes.md
@@ -8,10 +8,10 @@ Based on ECS:
 - [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
-| | Field name | ECS field name | Data type | Description |
-| --- | ---------- | ------------------- | --------- | --------------------- |
-| | scan_time | @timestamp | date | Timestamp of the scan |
-| * | hotfix | package.hotfix.name | keyword | Name of the hotfix |
+| | Field name | Data type | Description | Example |
+| --- | ------------------- | --------- | --------------------- | ------- |
+| | @timestamp | date | Timestamp of the scan | |
+| * | package.hotfix.name | keyword | Name of the hotfix | |
 \* Custom fields
diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md
index 536b8c57ced41..b287abd7d26a5 100644
--- a/ecs/docs/inventory-networks.md
+++ b/ecs/docs/inventory-networks.md
@@ -10,33 +10,32 @@ Based on ECS:
 - [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html).
 - [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).
-| | Field name | ECS field name | Data type | Description |
-| --- | ----------- | -------------------------------- | --------- | ---------------------------------------------------------------- |
-| | adapter | observer.ingress.interface.alias | keyword | Adapter name of the network interface |
-| | address | host.ip | ip | Network address |
-| | iface | observer.ingress.interface.name | keyword | Name of the network interface |
-| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item |
-| | mac | host.mac | keyword | MAC address of the network interface |
-| | name | observer.ingress.interface.name | keyword | Name of the network interface |
-| | proto | network.protocol | keyword | Type of network protocol |
-| | rx_bytes | host.network.ingress.bytes | long | Number of received bytes |
-| | rx_packets | host.network.ingress.packets | long | Number of received packets |
-| | scan_time | @timestamp | date | Timestamp of the scan |
-| | tx_bytes | host.network.egress.bytes | long | Number of transmitted bytes |
-| | tx_packets | host.network.egress.packets | long | Number of transmitted packets |
-| | type | network.type | keyword | IPv4 or IPv6 for protocols, interface type for interface records |
-| * | broadcast | network.broadcast | ip | Broadcast address |
-| * | dhcp | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) |
-| * | gateway | network.gateway | ip | Gateway address |
-| * | metric | network.metric | long | Metric of the network protocol |
-| * | mtu | interface.mtu | long | Maximum transmission unit size |
-| * | netmask | network.netmask | ip | Network mask |
-| * | rx_dropped | host.network.ingress.drops | long | Number of dropped received packets |
-| * | rx_errors | host.network.ingress.errors | long | Number of reception errors |
-| * | state | interface.state | keyword | State of the network interface |
-| * | tx_dropped | host.network.egress.drops | long | Number of dropped transmitted packets |
-| * | tx_errors | host.network.egress.errors | long | Number of transmission errors |
-| * | type | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") |
+| | Field name | Data type | Description | Example |
+| --- | -------------------------------- | --------- | ----------------------------------------------------------------------------- | ------- |
+| | @timestamp | date | Date/time when the event originated | |
+| | device.id | keyword | The unique identifier of a device. | |
+| | host.ip | ip | Host ip addresses | |
+| | host.mac | keyword | Host MAC addresses. | | |
+| | host.network.egress.bytes | long | The number of bytes sent on all network interfaces | |
+| | host.network.egress.packets | long | The number of packets sent on all network interfaces | |
+| | host.network.ingress.bytes | long | The number of bytes received on all network interfaces | |
+| | host.network.ingress.packets | long | The number of packets received on all network interfaces | |
+| | network.protocol | keyword | Application protocol name | |
+| | network.type | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | |
+| | observer.ingress.interface.alias | keyword | Interface alias | |
+| | observer.ingress.interface.name | keyword | Interface name | |
+| * | host.network.egress.drops | long | Number of dropped transmitted packets | |
+| * | host.network.egress.errors | long | Number of transmission errors | |
+| * | host.network.ingress.drops | long | Number of dropped received packets | |
+| * | host.network.ingress.errors | long | Number of reception errors | |
+| * | interface.mtu | long | Maximum transmission unit size | |
+| * | interface.state | keyword | State of the network interface | |
+| * | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") | |
+| * | network.broadcast | ip | Broadcast address | |
+| * | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) | |
+| * | network.gateway | ip | Gateway address | |
+| * | network.metric | long | Metric of the network protocol | |
+| * | network.netmask | ip | Network mask | |
 \* Custom fields
diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md
index 127dc5cb10203..d2433eabf5b4b 100644
--- a/ecs/docs/inventory-packages.md
+++ b/ecs/docs/inventory-packages.md
@@ -8,32 +8,32 @@ Based on ECS:
 - [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
-| Field name | ECS field name | Data type | Description |
-| ------------ | ---------------------- | --------- | ----------------------------------------------------------------- |
-| | `agent.id` | keyword | Agent's ID |
-| | \*`agent.groups` | keyword | Agent's groups |
-| scan_time | `@timestamp` | date | Timestamp of the scan |
-| architecture | `package.architecture` | keyword | Package architecture. |
-| description | `package.description` | keyword | Description of the package. |
-| install_time | `package.installed` | date | Time when package was installed. |
-| name | `package.name` | keyword | Package name. |
-| location | `package.path` | keyword | Path where the package is installed. |
-| size | `package.size` | long | Package size in bytes. |
-| format | `package.type` | keyword | Type of package. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. |
-| version | `package.version` | keyword | Package version. |
+| | Field name | Data type | Description | Example |
+| --- | ---------------------- | --------- | ----------------------------------------------------------------- | ------- |
+| | `agent.id` | keyword | Agent's ID | |
+| * | `agent.groups` | keyword | Agent's groups | |
+| | `@timestamp` | date | Timestamp of the scan | |
+| | `package.architecture` | keyword | Package architecture. | |
+| | `package.description` | keyword | Description of the package. | |
+| | `package.installed` | date | Time when package was installed. | |
+| | `package.name` | keyword | Package name. | |
+| | `package.path` | keyword | Path where the package is installed. | |
+| | `package.size` | long | Package size in bytes. | |
+| | `package.type` | keyword | Type of package. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | |
+| | `package.version` | keyword | Package version. | |
 \* Custom field
Fields not included in ECS

-| | Field name | ECS field name | Data type | Description | -| --- | ---------- | ----------------- | --------- | ------------------------------------------------------------------------- | -| ? | priority | | | Priority of the program | -| ? | section | | | Section of the program category the package belongs to in DEB package managers | -| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. | -| ? | multiarch | | | Multi-architecture compatibility | -| X | source | | | Source of the program - package manager | +| | Field name | ECS field name | Data type | Description | +| --- | ---------- | ----------------- | --------- | -------------------------------------------------------------------------------- | +| ? | priority | | | Priority of the program | +| ? | section | | | Section of the program category the package belongs to in DEB package managers | +| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. | +| ? | multiarch | | | Multi-architecture compatibility | +| X | source | | | Source of the program - package manager |

diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md
index 51a2009139240..8dd33d93726d9 100644
--- a/ecs/docs/inventory-ports.md
+++ b/ecs/docs/inventory-ports.md
@@ -10,21 +10,21 @@ Based on ECS:
 - [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
-| | Field name | ECS field name | Data type | Description |
-| --- | ----------- | -------------------------- | --------- | -------------------------------------------------- |
-| | inode | file.inode | keyword | The unix inode of the port |
-| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item |
-| | local_ip | source.ip | ip | Local IP address |
-| | local_port | source.port | long | Local port number |
-| | pid | process.pid | long | Process ID |
-| | process | process.name | keyword | Process name |
-| | protocol | network.protocol | keyword | Protocol used |
-| | remote_ip | destination.ip | ip | Remote IP address |
-| | remote_port | destination.port | long | Remote port number |
-| | scan_time | @timestamp | date | Timestamp of the scan |
-| * | rx_queue | host.network.ingress.queue | long | Receive queue length |
-| * | state | interface.state | keyword | State of the network interface |
-| * | tx_queue | host.network.egress.queue | long | Transmit queue length |
+| | Field name | Data type | Description | Example |
+| --- | -------------------------- | --------- | --------------------------------------------- | ------- |
+| | @timestamp | date | Timestamp of the scan | |
+| | destination.ip | ip | IP address of the destination | |
+| | destination.port | long | Port of the destination | |
+| | device.id | keyword | The unique identifier of a device | |
+| | file.inode | keyword | Inode representing the file in the filesystem | |
+| | network.protocol | keyword | Application protocol name | |
+| | process.name | keyword | Process name | |
+| | process.pid | long | Process ID | |
+| | source.ip | ip | IP address of the source | |
+| | source.port | long | Port of the source | |
+| * | host.network.egress.queue | long | Transmit queue length | |
+| * | host.network.ingress.queue | long | Receive queue length | |
+| * | interface.state | keyword | State of the network interface | |
 \* Custom fields
diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md
index 6be9b7e790c0b..33e3e42ee6fd8 100644
--- a/ecs/docs/inventory-processes.md
+++ b/ecs/docs/inventory-processes.md
@@ -8,25 +8,25 @@ Based on ECS: - [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html). -| | Field name | ECS field name | Data type | Description | Comments | -| --- | ---------------- | ------------------------ | ------------------ | ------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -| | `agent.id` | keyword | Agent's ID | -| | \*`agent.groups` | keyword | Agent's groups | -| | scan_time | `@timestamp` | date | Date/time when the event originated. | | -| | pid | `process.pid` | long | Process ID. | | -| | name | `process.name` | keyword | Process name. | | -| | ppid | `process.parent.pid` | long | Parent process ID. | | -| | cmd | `process.command_line` | wildcard | Full command line that started the process, including the absolute path to the executable, and all arguments. | | -| | argvs | `process.args` | keyword | Array of process arguments, starting with the absolute path to the executable. | | -| | euser | `process.user.id` | keyword | Unique identifier of the effective user. | | -| | ruser | `process.real_user.id` | keyword | Unique identifier of the real user. | | -| | suser | `process.saved_user.id` | keyword | Unique identifier of the saved user. | | -| | egroup | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | -| | rgroup | `process.real_group.id` | keyword | Unique identifier for the real group on the system/platform. | | -| | sgroup | `process.saved_group.id` | keyword | Unique identifier for the saved group on the system/platform. | | -| | start_time | `process.start` | date | The time the process started. | | -| ! | tgid | `process.thread.id` | **No ECS mapping** | Thread ID | `thread.group` is **not part of ECS;** but `thread.id` is. | -| ! | tty | `process.tty` | object | Information about the controlling TTY device. 
If set, the process belongs to an interactive session. | Needs clarification | +| | Field name | Data type | Description | Comments | Examples | +| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------- | +| | `@timestamp` | date | Date/time when the event originated | | | +| | `process.args` | keyword | Array of process arguments | | | +| | `process.command_line` | wildcard | process.command_line | | | +| | `process.name` | keyword | Process name | | | +| | `process.parent.pid` | long | Parent process ID | | | +| | `process.pid` | long | Process ID | | | +| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform | | | +| | `process.real_user.id` | keyword | Unique identifier of the user | | | +| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform | | | +| | `process.saved_user.id` | keyword | Unique identifier of the user | | | +| | `process.start` | date | The time the process started | | | +| | `process.user.id` | keyword | Unique identifier of the user | | | +| | agent.id | keyword | Unique identifier of this agent | | | +| ! | `process.thread.id` | long | Thread ID | `thread.group` is **not part of ECS;** but `thread.id` is. | | +| ! | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification | | +| * | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | | +| * | agent.groups | keyword | Agent's groups | | | \* Custom field @@ -35,24 +35,24 @@ Based on ECS:
Fields not included in ECS

-| | Field name | ECS field name | Data type | Description | Comments | -| --- | ---------- | ------------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -| x | state | `process.state` | **No ECS mapping** | State of the process | **Not part of ECS;** Maybe as a custom field. | -| x | utime | `process.cpu.user` | **No ECS mapping** | User mode CPU time | **Not part of ECS;** Maybe as a custom field. | -| x | stime | `process.cpu.system` | **No ECS mapping** | Kernel mode CPU time | **Not part of ECS;** Maybe as a custom field. | -| x? | fgroup | `process.group.file.id` | **No ECS mapping** | unknown | | -| x | priority | `process.priority` | **No ECS mapping** | Process priority | **Not part of ECS;** Maybe as a custom field. | -| x | nice | `process.nice` | **No ECS mapping** | Nice value | **Not part of ECS;** Maybe as a custom field. | -| x | size | `process.size` | **No ECS mapping** | Process size | **Not part of ECS;** Maybe as a custom field. | -| x | vm_size | `process.vm.size` | **No ECS mapping** | Virtual memory size | **Not part of ECS;** Maybe as a custom field. | -| x | resident | `process.memory.resident` | **No ECS mapping** | Resident set size | **Not part of ECS;** Maybe as a custom field. | -| x | share | `process.memory.share` | **No ECS mapping** | Shared memory size | **Not part of ECS;** Maybe as a custom field. | -| ! | pgrp | `process.group.id` | keyword | Process group | Isn't it duplicated ?? | -| x | session | `process.session` | **No ECS mapping** | Session ID | **Not part of ECS;** Needs clarification. | -| x | nlwp | `process.nlwp` | **No ECS mapping** | Number of light-weight processes | **Not part of ECS;** Needs clarification. | -| ! | tgid | `process.thread.id` | **No ECS mapping** | Thread ID ID | `thread.group` is **not part of ECS;** but `thread.id` is. | -| ! 
| tty | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification | -| x | processor | `host.cpu.processor` | **No ECS mapping** | Processor number | No ECS field refers to the core number of the CPU. | +| | Field name | ECS field name | Data type | Description | Example | Comments | +| --- | ---------- | ------------------------- | ------------------ | ---------------------------------------------------------------------------------------------------- | ------- | ---------------------------------------------------------- | +| x | state | `process.state` | **No ECS mapping** | State of the process | | **Not part of ECS;** Maybe as a custom field. | +| x | utime | `process.cpu.user` | **No ECS mapping** | User mode CPU time | | **Not part of ECS;** Maybe as a custom field. | +| x | stime | `process.cpu.system` | **No ECS mapping** | Kernel mode CPU time | | **Not part of ECS;** Maybe as a custom field. | +| x? | fgroup | `process.group.file.id` | **No ECS mapping** | unknown | | | +| x | priority | `process.priority` | **No ECS mapping** | Process priority | | **Not part of ECS;** Maybe as a custom field. | +| x | nice | `process.nice` | **No ECS mapping** | Nice value | | **Not part of ECS;** Maybe as a custom field. | +| x | size | `process.size` | **No ECS mapping** | Process size | | **Not part of ECS;** Maybe as a custom field. | +| x | vm_size | `process.vm.size` | **No ECS mapping** | Virtual memory size | | **Not part of ECS;** Maybe as a custom field. | +| x | resident | `process.memory.resident` | **No ECS mapping** | Resident set size | | **Not part of ECS;** Maybe as a custom field. | +| x | share | `process.memory.share` | **No ECS mapping** | Shared memory size | | **Not part of ECS;** Maybe as a custom field. | +| ! | pgrp | `process.group.id` | keyword | Process group | | Isn't it duplicated ?? 
| +| x | session | `process.session` | **No ECS mapping** | Session ID | | **Not part of ECS;** Needs clarification. | +| x | nlwp | `process.nlwp` | **No ECS mapping** | Number of light-weight processes | | **Not part of ECS;** Needs clarification. | +| ! | tgid | `process.thread.id` | **No ECS mapping** | Thread ID ID | | `thread.group` is **not part of ECS;** but `thread.id` is. | +| ! | tty | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification | +| x | processor | `host.cpu.processor` | **No ECS mapping** | Processor number | | No ECS field refers to the core number of the CPU. |

diff --git a/ecs/docs/inventory-system.md b/ecs/docs/inventory-system.md index ef53885ec1bc2..b1080bba62704 100644 --- a/ecs/docs/inventory-system.md +++ b/ecs/docs/inventory-system.md 
@@ -9,19 +9,19 @@ Based on ECS:
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
 - [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html).
-| Field name | ECS field name | Data type | Description |
-| ------------ | ------------------- | --------- | ---------------------------------------------------------- |
-| | `agent.id` | keyword | Agent's ID |
-| | \*`agent.groups` | keyword | Agent's groups |
-| scan_time | `@timestamp` | date | Date/time when the event originated. |
-| architecture | `host.architecture` | keyword | Operating system architecture. |
-| hostname | `host.hostname` | keyword | Hostname of the host. |
-| os_build | `host.os.kernel` | keyword | Operating system kernel version as a raw string. |
-| os_codename | `host.os.full` | keyword | Operating system name, including the version or code name. |
-| os_name | `host.os.name` | keyword | Operating system name, without the version. |
-| os_platform | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). |
-| os_version | `host.os.version` | keyword | Operating system version as a raw string. |
-| sysname | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] |
+| | Field name | Data type | Description | Example |
+| --- | ------------------- | --------- | ---------------------------------------------------------- | ------- |
+| | `@timestamp` | date | Date/time when the event originated. | |
+| | `agent.id` | keyword | Agent's ID | |
+| | `host.architecture` | keyword | Operating system architecture. | |
+| | `host.hostname` | keyword | Hostname of the host. | |
+| | `host.os.full` | keyword | Operating system name, including the version or code name. | |
+| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | |
+| | `host.os.name` | keyword | Operating system name, without the version. 
| | +| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | | +| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | | +| | `host.os.version` | keyword | Operating system version as a raw string. | | +| * | `agent.groups` | keyword | Agent's groups | | \* Custom field From 6d73c3a0bc5b387ebda65470296b235604f0aef6 Mon Sep 17 00:00:00 2001 From: f-galland Date: Tue, 12 Nov 2024 13:16:17 -0300 Subject: [PATCH 5/6] Adding examples --- ecs/docs/inventory-hardware.md | 20 ++++++------- ecs/docs/inventory-hotfixes.md | 8 ++--- ecs/docs/inventory-networks.md | 52 ++++++++++++++++----------------- ecs/docs/inventory-packages.md | 26 ++++++++--------- ecs/docs/inventory-ports.md | 30 +++++++++---------- ecs/docs/inventory-processes.md | 38 ++++++++++++------------ ecs/docs/inventory-system.md | 26 ++++++++--------- 7 files changed, 100 insertions(+), 100 deletions(-) diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md index 14165e8af2bc4..438b60ae1feb7 100644 --- a/ecs/docs/inventory-hardware.md +++ b/ecs/docs/inventory-hardware.md 
@@ -9,16 +9,16 @@ Based on ECS:
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
 - [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).
-| | Field name | Data type | Description | Example |
-| --- | --------------------------- | --------- | ------------------------------------ | ------- |
-| | @timestamp | date | Date/time when the event originated. | |
-| | observer.serial_number | keyword | Observer serial number. | |
-| * | host.cpu.name | keyword | Name of the CPU | |
-| * | host.cpu.cores | long | Number of CPU cores | |
-| * | host.cpu.speed | long | Speed of the CPU in MHz | |
-| * | host.memory.total | long | Total RAM in the system | |
-| * | host.memory.free | long | Free RAM in the system | |
-| * | host.memory.used.percentage | long | RAM usage as a percentage | |
+| | Field name | Data type | Description | Example |
+| --- | --------------------------- | --------- | ------------------------------------ | ------------------------ |
+| | @timestamp | date | Date/time when the event originated. | 2016-05-23T08:05:34.853Z |
+| | observer.serial_number | keyword | Observer serial number. | |
+| * | host.cpu.name | keyword | Name of the CPU | |
+| * | host.cpu.cores | long | Number of CPU cores | |
+| * | host.cpu.speed | long | Speed of the CPU in MHz | |
+| * | host.memory.total | long | Total RAM in the system | |
+| * | host.memory.free | long | Free RAM in the system | |
+| * | host.memory.used.percentage | long | RAM usage as a percentage | |
 \* Custom fields
diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md
index c37ef8c5f2ec6..10b3f755c6df5 100644
--- a/ecs/docs/inventory-hotfixes.md
+++ b/ecs/docs/inventory-hotfixes.md
@@ -8,10 +8,10 @@ Based on ECS:
 - [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
-| | Field name | Data type | Description | Example |
-| --- | ------------------- | --------- | --------------------- | ------- |
-| | @timestamp | date | Timestamp of the scan | |
-| * | package.hotfix.name | keyword | Name of the hotfix | |
+| | Field name | Data type | Description | Example |
+| --- | ------------------- | --------- | --------------------- | ------------------------ |
+| | @timestamp | date | Timestamp of the scan | 2016-05-23T08:05:34.853Z |
+| * | package.hotfix.name | keyword | Name of the hotfix | |
 \* Custom fields
diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md
index b287abd7d26a5..7c24a6bcf56dc 100644
--- a/ecs/docs/inventory-networks.md
+++ b/ecs/docs/inventory-networks.md
@@ -10,32 +10,32 @@ Based on ECS: - [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). - [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). -| | Field name | Data type | Description | Example | -| --- | -------------------------------- | --------- | ----------------------------------------------------------------------------- | ------- | -| | @timestamp | date | Date/time when the event originated | | -| | device.id | keyword | The unique identifier of a device. | | -| | host.ip | ip | Host ip addresses | | -| | host.mac | keyword | Host MAC addresses. | | | -| | host.network.egress.bytes | long | The number of bytes sent on all network interfaces | | -| | host.network.egress.packets | long | The number of packets sent on all network interfaces | | -| | host.network.ingress.bytes | long | The number of bytes received on all network interfaces | | -| | host.network.ingress.packets | long | The number of packets received on all network interfaces | | -| | network.protocol | keyword | Application protocol name | | -| | network.type | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | | -| | observer.ingress.interface.alias | keyword | Interface alias | | -| | observer.ingress.interface.name | keyword | Interface name | | -| * | host.network.egress.drops | long | Number of dropped transmitted packets | | -| * | host.network.egress.errors | long | Number of transmission errors | | -| * | host.network.ingress.drops | long | Number of dropped received packets | | -| * | host.network.ingress.errors | long | Number of reception errors | | -| * | interface.mtu | long | Maximum transmission unit size | | -| * | interface.state | keyword | State of the network interface | | -| * | interface.type | keyword | Interface type (eg. 
"wireless" or "ethernet") | | -| * | network.broadcast | ip | Broadcast address | | -| * | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) | | -| * | network.gateway | ip | Gateway address | | -| * | network.metric | long | Metric of the network protocol | | -| * | network.netmask | ip | Network mask | | +| | Field name | Data type | Description | Example | +| --- | -------------------------------- | --------- | ----------------------------------------------------------------------------- | ------------------------------------ | +| | @timestamp | date | Date/time when the event originated | 2016-05-23T08:05:34.853Z | +| | device.id | keyword | The unique identifier of a device. | 00000000-54b3-e7c7-0000-000046bffd97 | +| | host.ip | ip | Host ip addresses | 192.168.0.100 | +| | host.mac | keyword | Host MAC addresses. | | | +| | host.network.egress.bytes | long | The number of bytes sent on all network interfaces | | +| | host.network.egress.packets | long | The number of packets sent on all network interfaces | | +| | host.network.ingress.bytes | long | The number of bytes received on all network interfaces | | +| | host.network.ingress.packets | long | The number of packets received on all network interfaces | | +| | network.protocol | keyword | Application protocol name | http | +| | network.type | keyword | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc | ipv4 | +| | observer.ingress.interface.alias | keyword | Interface alias | outside | +| | observer.ingress.interface.name | keyword | Interface name | eth0 | +| * | host.network.egress.drops | long | Number of dropped transmitted packets | | +| * | host.network.egress.errors | long | Number of transmission errors | | +| * | host.network.ingress.drops | long | Number of dropped received packets | | +| * | host.network.ingress.errors | long | Number of reception errors | | +| * | interface.mtu | long | Maximum transmission unit size | | +| * | interface.state | keyword | State of the network interface | | +| * | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") | | +| * | network.broadcast | ip | Broadcast address | | +| * | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) | | +| * | network.gateway | ip | Gateway address | | +| * | network.metric | long | Metric of the network protocol | | +| * | network.netmask | ip | Network mask | | \* Custom fields diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md index d2433eabf5b4b..ae912f706096f 100644 --- a/ecs/docs/inventory-packages.md +++ b/ecs/docs/inventory-packages.md 
@@ -8,19 +8,19 @@ Based on ECS:
 - [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
-| | Field name | Data type | Description | Example |
-| --- | ---------------------- | --------- | ----------------------------------------------------------------- | ------- |
-| | `agent.id` | keyword | Agent's ID | |
-| * | `agent.groups` | keyword | Agent's groups | |
-| | `@timestamp` | date | Timestamp of the scan | |
-| | `package.architecture` | keyword | Package architecture. | |
-| | `package.description` | keyword | Description of the package. | |
-| | `package.installed` | date | Time when package was installed. | |
-| | `package.name` | keyword | Package name. | |
-| | `package.path` | keyword | Path where the package is installed. | |
-| | `package.size` | long | Package size in bytes. | |
-| | `package.type` | keyword | Type of package. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | |
-| | `package.version` | keyword | Package version. | |
+| | Field name | Data type | Description | Example |
+| --- | ---------------------- | --------- | ------------------------------------ | ------- |
+| | `@timestamp` | date | Timestamp of the scan | |
+| | `agent.id` | keyword | Unique identifier of this agent | |
+| | `package.architecture` | keyword | Package architecture. | |
+| | `package.description` | keyword | Description of the package. | |
+| | `package.installed` | date | Time when package was installed. | |
+| | `package.name` | keyword | Package name. | |
+| | `package.path` | keyword | Path where the package is installed. | |
+| | `package.size` | long | Package size in bytes. | |
+| | `package.type` | keyword | Package type | |
+| | `package.version` | keyword | Package version | |
+| * | `agent.groups` | keyword | Agent's groups | |
 \* Custom field
diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md
index 8dd33d93726d9..12aa286ce5021 100644
--- a/ecs/docs/inventory-ports.md
+++ b/ecs/docs/inventory-ports.md
@@ -10,21 +10,21 @@ Based on ECS:
 - [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
-| | Field name | Data type | Description | Example |
-| --- | -------------------------- | --------- | --------------------------------------------- | ------- |
-| | @timestamp | date | Timestamp of the scan | |
-| | destination.ip | ip | IP address of the destination | |
-| | destination.port | long | Port of the destination | |
-| | device.id | keyword | The unique identifier of a device | |
-| | file.inode | keyword | Inode representing the file in the filesystem | |
-| | network.protocol | keyword | Application protocol name | |
-| | process.name | keyword | Process name | |
-| | process.pid | long | Process ID | |
-| | source.ip | ip | IP address of the source | |
-| | source.port | long | Port of the source | |
-| * | host.network.egress.queue | long | Transmit queue length | |
-| * | host.network.ingress.queue | long | Receive queue length | |
-| * | interface.state | keyword | State of the network interface | |
+| | Field name | Data type | Description | Example |
+| --- | -------------------------- | --------- | --------------------------------------------- | ------------------------------------ |
+| | @timestamp | date | Timestamp of the scan | 2016-05-23T08:05:34.853Z |
+| | destination.ip | ip | IP address of the destination | 192.168.0.100 |
+| | destination.port | long | Port of the destination | |
+| | device.id | keyword | The unique identifier of a device | 00000000-54b3-e7c7-0000-000046bffd97 |
+| | file.inode | keyword | Inode representing the file in the filesystem | 256383 |
+| | network.protocol | keyword | Application protocol name | http |
+| | process.name | keyword | Process name | ssh |
+| | process.pid | long | Process ID | 4242 |
+| | source.ip | ip | IP address of the source | |
+| | source.port | long | Port of the source | |
+| * | host.network.egress.queue | long | Transmit queue length | |
+| * | host.network.ingress.queue | long | Receive queue length | |
+| * | interface.state | keyword | State of the network interface | |
 \* Custom fields
diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md
index 33e3e42ee6fd8..f0b00ee1123c3 100644
--- a/ecs/docs/inventory-processes.md
+++ b/ecs/docs/inventory-processes.md
@@ -8,25 +8,25 @@ Based on ECS: - [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html). -| | Field name | Data type | Description | Comments | Examples | -| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------- | -| | `@timestamp` | date | Date/time when the event originated | | | -| | `process.args` | keyword | Array of process arguments | | | -| | `process.command_line` | wildcard | process.command_line | | | -| | `process.name` | keyword | Process name | | | -| | `process.parent.pid` | long | Parent process ID | | | -| | `process.pid` | long | Process ID | | | -| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform | | | -| | `process.real_user.id` | keyword | Unique identifier of the user | | | -| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform | | | -| | `process.saved_user.id` | keyword | Unique identifier of the user | | | -| | `process.start` | date | The time the process started | | | -| | `process.user.id` | keyword | Unique identifier of the user | | | -| | agent.id | keyword | Unique identifier of this agent | | | -| ! | `process.thread.id` | long | Thread ID | `thread.group` is **not part of ECS;** but `thread.id` is. | | -| ! | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification | | -| * | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. 
| | | -| * | agent.groups | keyword | Agent's groups | | | +| | Field name | Data type | Description | Examples | Comments | +| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ---------------------------------------------------------- | +| | `@timestamp` | date | Date/time when the event originated | 2016-05-23T08:05:34.853Z | | +| | `agent.id` | keyword | Unique identifier of this agent | 8a4f500d | | +| | `process.args` | keyword | Array of process arguments | ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] | | +| | `process.command_line` | wildcard | process.command_line | /usr/bin/ssh -l user 10.0.0.16 | | +| | `process.name` | keyword | Process name | ssh | | +| | `process.parent.pid` | long | Parent process ID | 4242 | | +| | `process.pid` | long | Process ID | 4242 | | +| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform | | | +| | `process.real_user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | | +| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform | | | +| | `process.saved_user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | | +| | `process.start` | date | The time the process started | 2016-05-23T08:05:34.853Z | | +| | `process.user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | | +| ! | `process.thread.id` | long | Thread ID | | `thread.group` is **not part of ECS;** but `thread.id` is. | +| ! | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification | +| * | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. 
| | | +| * | agent.groups | keyword | Agent's groups | | | \* Custom field diff --git a/ecs/docs/inventory-system.md b/ecs/docs/inventory-system.md index b1080bba62704..28109f2d99599 100644 --- a/ecs/docs/inventory-system.md +++ b/ecs/docs/inventory-system.md 
@@ -9,19 +9,19 @@ Based on ECS:
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
 - [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html).
-| | Field name | Data type | Description | Example |
-| --- | ------------------- | --------- | ---------------------------------------------------------- | ------- |
-| | `@timestamp` | date | Date/time when the event originated. | |
-| | `agent.id` | keyword | Agent's ID | |
-| | `host.architecture` | keyword | Operating system architecture. | |
-| | `host.hostname` | keyword | Hostname of the host. | |
-| | `host.os.full` | keyword | Operating system name, including the version or code name. | |
-| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | |
-| | `host.os.name` | keyword | Operating system name, without the version. | |
-| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | |
-| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | |
-| | `host.os.version` | keyword | Operating system version as a raw string. | |
-| * | `agent.groups` | keyword | Agent's groups | |
+| | Field name | Data type | Description | Example |
+| --- | ------------------- | --------- | ---------------------------------------------------------- | ------------------------ |
+| | `@timestamp` | date | Date/time when the event originated. | 2016-05-23T08:05:34.853Z |
+| | `agent.id` | keyword | Unique identifier of this agent. | 8a4f500d |
+| | `host.architecture` | keyword | Operating system architecture. | x86_64 |
+| | `host.hostname` | keyword | Hostname of the host. | |
+| | `host.os.full` | keyword | Operating system name, including the version or code name. | Mac OS Mojave |
+| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | 4.4.0-112-generic |
+| | `host.os.name` | keyword | Operating system name, without the version. 
| Mac OS X | +| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | darwin | +| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | macos | +| | `host.os.version` | keyword | Operating system version as a raw string. | 10.14.1 | +| * | `agent.groups` | keyword | Agent's groups | | \* Custom field From 3f9b1b82a0083acb2ca0a4eb3576b704b97020ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Tue, 12 Nov 2024 17:33:06 +0100 Subject: [PATCH 6/6] Some corrections --- ecs/docs/inventory-hardware.md | 33 ++-- ecs/docs/inventory-hotfixes.md | 19 +-- ecs/docs/inventory-networks.md | 64 ++++---- ecs/docs/inventory-packages.md | 58 +++---- ecs/docs/inventory-ports.md | 42 +++-- ecs/docs/inventory-processes.md | 147 +++++++++--------- ecs/docs/inventory-system.md | 128 +++++++-------- .../fields/custom/agent.yml | 2 +- .../fields/custom/agent.yml | 3 +- .../fields/custom/agent.yml | 3 +- .../fields/custom/agent.yml | 3 +- .../fields/custom/agent.yml | 3 +- .../fields/custom/agent.yml | 3 +- .../fields/custom/agent.yml | 3 +- 14 files changed, 243 insertions(+), 268 deletions(-) diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md index 438b60ae1feb7..75baa484b83d1 100644 --- a/ecs/docs/inventory-hardware.md +++ b/ecs/docs/inventory-hardware.md 
@@ -6,19 +6,19 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). -| | Field name | Data type | Description | Example | -| --- | --------------------------- | --------- | ------------------------------------ | ------------------------ | -| | @timestamp | date | Date/time when the event originated. | 2016-05-23T08:05:34.853Z | -| | observer.serial_number | keyword | Observer serial number. | | -| * | host.cpu.name | keyword | Name of the CPU | | -| * | host.cpu.cores | long | Number of CPU cores | | -| * | host.cpu.speed | long | Speed of the CPU in MHz | | -| * | host.memory.total | long | Total RAM in the system | | -| * | host.memory.free | long | Free RAM in the system | | -| * | host.memory.used.percentage | long | RAM usage as a percentage | | +| | Field name | Data type | Description | Example | +| --- | ----------------------------- | --------- | ------------------------------------ | -------------------------- | +| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | +| | `observer.serial_number` | keyword | Observer serial number. | | +| \* | `host.cpu.name` | keyword | Name of the CPU | | +| \* | `host.cpu.cores` | long | Number of CPU cores | | +| \* | `host.cpu.speed` | long | Speed of the CPU in MHz | | +| \* | `host.memory.total` | long | Total RAM in the system | | +| \* | `host.memory.free` | long | Free RAM in the system | | +| \* | `host.memory.used.percentage` | long | RAM usage as a percentage | | \* Custom fields 
@@ -59,18 +59,14 @@ fields: ```json { - "index_patterns": [ - "wazuh-states-inventory-hardware*" - ], + "index_patterns": ["wazuh-states-inventory-hardware*"], "priority": 1, "template": { "settings": { "index": { "number_of_replicas": "0", "number_of_shards": "1", - "query.default_field": [ - "observer.board_serial" - ], + "query.default_field": ["observer.board_serial"], "refresh_interval": "5s" } }, @@ -143,5 +139,4 @@ fields: } } } - ``` diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md index 10b3f755c6df5..fadc5377da19c 100644 --- a/ecs/docs/inventory-hotfixes.md +++ b/ecs/docs/inventory-hotfixes.md @@ -6,12 +6,12 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). +- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). -| | Field name | Data type | Description | Example | -| --- | ------------------- | --------- | --------------------- | ------------------------ | -| | @timestamp | date | Timestamp of the scan | 2016-05-23T08:05:34.853Z | -| * | package.hotfix.name | keyword | Name of the hotfix | | +| | Field name | Data type | Description | Example | +| --- | --------------------- | --------- | --------------------- | -------------------------- | +| | `@timestamp` | date | Timestamp of the scan | `2016-05-23T08:05:34.853Z` | +| \* | `package.hotfix.name` | keyword | Name of the hotfix | | \* Custom fields @@ -40,18 +40,14 @@ fields: ```json { - "index_patterns": [ - "wazuh-states-inventory-hotfixes*" - ], + "index_patterns": ["wazuh-states-inventory-hotfixes*"], "priority": 1, "template": { "settings": { "index": { "number_of_replicas": "0", "number_of_shards": "1", - "query.default_field": [ - "package.hotfix.name" - ], + "query.default_field": ["package.hotfix.name"], "refresh_interval": "5s" } }, @@ -91,5 +87,4 @@ fields: } } } - ``` 
diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md
index 7c24a6bcf56dc..6459cde110aac 100644
--- a/ecs/docs/inventory-networks.md
+++ b/ecs/docs/inventory-networks.md
@@ -6,40 +6,39 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). -- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). -- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). +- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). +- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). +- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). -| | Field name | Data type | Description | Example | -| --- | -------------------------------- | --------- | ----------------------------------------------------------------------------- | ------------------------------------ | -| | @timestamp | date | Date/time when the event originated | 2016-05-23T08:05:34.853Z | -| | device.id | keyword | The unique identifier of a device. | 00000000-54b3-e7c7-0000-000046bffd97 | -| | host.ip | ip | Host ip addresses | 192.168.0.100 | -| | host.mac | keyword | Host MAC addresses. | | | -| | host.network.egress.bytes | long | The number of bytes sent on all network interfaces | | -| | host.network.egress.packets | long | The number of packets sent on all network interfaces | | -| | host.network.ingress.bytes | long | The number of bytes received on all network interfaces | | -| | host.network.ingress.packets | long | The number of packets received on all network interfaces | | -| | network.protocol | keyword | Application protocol name | http | -| | network.type | keyword | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc | ipv4 | -| | observer.ingress.interface.alias | keyword | Interface alias | outside | -| | observer.ingress.interface.name | keyword | Interface name | eth0 | -| * | host.network.egress.drops | long | Number of dropped transmitted packets | | -| * | host.network.egress.errors | long | Number of transmission errors | | -| * | host.network.ingress.drops | long | Number of dropped received packets | | -| * | host.network.ingress.errors | long | Number of reception errors | | -| * | interface.mtu | long | Maximum transmission unit size | | -| * | interface.state | keyword | State of the network interface | | -| * | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") | | -| * | network.broadcast | ip | Broadcast address | | -| * | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) | | -| * | network.gateway | ip | Gateway address | | -| * | network.metric | long | Metric of the network protocol | | -| * | network.netmask | ip | Network mask | | +| | Field name | Data type | Description | Example | +| --- | ---------------------------------- | --------- | ------------------------------------------------------------------------------ | -------------------------------------- | +| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | +| | `device.id` | keyword | The unique identifier of a device. | `00000000-54b3-e7c7-0000-000046bffd97` | +| | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` | +| | `host.mac` | keyword | Host MAC addresses. | | +| | `host.network.egress.bytes` | long | The number of bytes sent on all network interfaces. | | +| | `host.network.egress.packets` | long | The number of packets sent on all network interfaces. | | +| | `host.network.ingress.bytes` | long | The number of bytes received on all network interfaces. 
| | +| | `host.network.ingress.packets` | long | The number of packets received on all network interfaces. | | +| | `network.protocol` | keyword | Application protocol name. | `http` | +| | `network.type` | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc. | `ipv4` | +| | `observer.ingress.interface.alias` | keyword | Interface alias. | `outside` | +| | `observer.ingress.interface.name` | keyword | Interface name. | `eth0` | +| \* | `host.network.egress.drops` | long | Number of dropped transmitted packets. | | +| \* | `host.network.egress.errors` | long | Number of transmission errors. | | +| \* | `host.network.ingress.drops` | long | Number of dropped received packets. | | +| \* | `host.network.ingress.errors` | long | Number of reception errors. | | +| \* | `interface.mtu` | long | Maximum transmission unit size. | | +| \* | `interface.state` | keyword | State of the network interface. | | +| \* | `interface.type` | keyword | Interface type (eg. "wireless" or "ethernet"). | | +| \* | `network.broadcast` | ip | Broadcast address. | | +| \* | `network.dhcp` | keyword | DHCP status (enabled, disabled, unknown, BOOTP). | | +| \* | `network.gateway` | ip | Gateway address. | | +| \* | `network.metric` | long | Metric of the network protocol. | | +| \* | `network.netmask` | ip | Network mask. | | \* Custom fields - ### ECS mapping ```yml @@ -104,9 +103,7 @@ fields: ```json { - "index_patterns": [ - "wazuh-states-inventory-networks*" - ], + "index_patterns": ["wazuh-states-inventory-networks*"], "priority": 1, "template": { "settings": { @@ -269,5 +266,4 @@ fields: } } } - ``` diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md index ae912f706096f..8091da88b85fa 100644 --- a/ecs/docs/inventory-packages.md +++ b/ecs/docs/inventory-packages.md 
@@ -6,11 +6,11 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). +- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). | | Field name | Data type | Description | Example | | --- | ---------------------- | --------- | ------------------------------------ | ------- | -| | `@timestamp` | date | Timestamp of the scan | | +| | `@timestamp` | date | Timestamp of the scan. | | | | `agent.id` | keyword | Unique identifier of this agent | | | | `package.architecture` | keyword | Package architecture. | | | | `package.description` | keyword | Description of the package. | | @@ -18,22 +18,22 @@ Based on ECS: | | `package.name` | keyword | Package name. | | | | `package.path` | keyword | Path where the package is installed. | | | | `package.size` | long | Package size in bytes. | | -| | `package.type` | keyword | Package type | | -| | `package.version` | keyword | Package version | | -| * | `agent.groups` | keyword | Agent's groups | | +| | `package.type` | keyword | Package type. | | +| | `package.version` | keyword | Package version. | | +| \* | `agent.groups` | keyword | List of groups the agent belong to. | | \* Custom field
Fields not included in ECS

-| | Field name | ECS field name | Data type | Description | -| --- | ---------- | ----------------- | --------- | -------------------------------------------------------------------------------- | -| ? | priority | | | Priority of the program | -| ? | section | | | Section of the program category the package belongs to in DEB package managers | -| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. | -| ? | multiarch | | | Multi-architecture compatibility | -| X | source | | | Source of the program - package manager | +| | Field name | ECS field name | Data type | Description | +| --- | ---------- | ----------------- | --------- | ------------------------------------------------------------------------------ | +| ? | priority | | | Priority of the program | +| ? | section | | | Section of the program category the package belongs to in DEB package managers | +| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. | +| ? | multiarch | | | Multi-architecture compatibility | +| X | source | | | Source of the program - package manager |

@@ -44,23 +44,23 @@ Based on ECS: --- name: wazuh-states-inventory-packages fields: - base: - fields: - "@timestamp": {} - agent: - fields: - id: {} - groups: {} - package: - fields: - architecture: "" - description: "" - installed: {} - name: "" - path: "" - size: {} - type: "" - version: "" + base: + fields: + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + package: + fields: + architecture: "" + description: "" + installed: {} + name: "" + path: "" + size: {} + type: "" + version: "" ``` ### Index settings diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md index 12aa286ce5021..863d2a000ac41 100644 --- a/ecs/docs/inventory-ports.md +++ b/ecs/docs/inventory-ports.md 
@@ -6,29 +6,28 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). -- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). +- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -| | Field name | Data type | Description | Example | -| --- | -------------------------- | --------- | --------------------------------------------- | ------------------------------------ | -| | @timestamp | date | Timestamp of the scan | 2016-05-23T08:05:34.853Z | -| | destination.ip | ip | IP address of the destination | 192.168.0.100 | -| | destination.port | long | Port of the destination | | -| | device.id | keyword | The unique identifier of a device | 00000000-54b3-e7c7-0000-000046bffd97 | -| | file.inode | keyword | Inode representing the file in the filesystem | 256383 | -| | network.protocol | keyword | Application protocol name | http | -| | process.name | keyword | Process name | ssh | -| | process.pid | long | Process ID | 4242 | -| | source.ip | ip | IP address of the source | | -| | source.port | long | Port of the source | | -| * | host.network.egress.queue | long | Transmit queue length | | -| * | host.network.ingress.queue | long | Receive queue length | | -| * | interface.state | keyword | State of the network interface | | +| | Field name | Data type | Description | Example | +| --- | ---------------------------- | --------- | ---------------------------------------------- | -------------------------------------- | +| | `@timestamp` | date | Timestamp of the scan. 
| `2016-05-23T08:05:34.853Z` | +| | `destination.ip` | ip | IP address of the destination. | `["192.168.0.100"]` | +| | `destination.port` | long | Port of the destination. | | +| | `device.id` | keyword | The unique identifier of a device. | `00000000-54b3-e7c7-0000-000046bffd97` | +| | `file.inode` | keyword | Inode representing the file in the filesystem. | `256383` | +| | `network.protocol` | keyword | Application protocol name. | `http` | +| | `process.name` | keyword | Process name. | `ssh` | +| | `process.pid` | long | Process ID. | `4242` | +| | `source.ip` | ip | IP address of the source. | `["192.168.0.100"]` | +| | `source.port` | long | Port of the source. | | +| \* | `host.network.egress.queue` | long | Transmit queue length. | | +| \* | `host.network.ingress.queue` | long | Receive queue length. | | +| \* | `interface.state` | keyword | State of the network interface. | | \* Custom fields - ### ECS mapping ```yml @@ -77,16 +76,13 @@ fields: interface: fields: state: {} - ``` ### Index settings ```json { - "index_patterns": [ - "wazuh-states-inventory-ports*" - ], + "index_patterns": ["wazuh-states-inventory-ports*"], "priority": 1, "template": { "settings": { diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md index f0b00ee1123c3..087838f7f9c46 100644 --- a/ecs/docs/inventory-processes.md +++ b/ecs/docs/inventory-processes.md 
@@ -6,27 +6,27 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html). +- [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html). -| | Field name | Data type | Description | Examples | Comments | -| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ---------------------------------------------------------- | -| | `@timestamp` | date | Date/time when the event originated | 2016-05-23T08:05:34.853Z | | -| | `agent.id` | keyword | Unique identifier of this agent | 8a4f500d | | -| | `process.args` | keyword | Array of process arguments | ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] | | -| | `process.command_line` | wildcard | process.command_line | /usr/bin/ssh -l user 10.0.0.16 | | -| | `process.name` | keyword | Process name | ssh | | -| | `process.parent.pid` | long | Parent process ID | 4242 | | -| | `process.pid` | long | Process ID | 4242 | | -| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform | | | -| | `process.real_user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | | -| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform | | | -| | `process.saved_user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | | -| | `process.start` | date | The time the process started | 2016-05-23T08:05:34.853Z | | -| | `process.user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | | -| ! | `process.thread.id` | long | Thread ID | | `thread.group` is **not part of ECS;** but `thread.id` is. | -| ! 
| `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification | -| * | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | | -| * | agent.groups | keyword | Agent's groups | | | +| | Field name | Data type | Description | Examples | Comments | +| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------- | +| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | | +| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | | +| | `process.args` | keyword | Array of process arguments. | `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]` | | +| | `process.command_line` | wildcard | process.command_line. | `/usr/bin/ssh -l user 10.0.0.16` | | +| | `process.name` | keyword | Process name. | `ssh` | | +| | `process.parent.pid` | long | Parent process ID. | `4242` | | +| | `process.pid` | long | Process ID. | `4242` | | +| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform. | | | +| | `process.real_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | +| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform. | | | +| | `process.saved_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | +| | `process.start` | date | The time the process started. | `2016-05-23T08:05:34.853Z` | | +| | `process.user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | +| ! | `process.thread.id` | long | Thread ID. 
| | `thread.group` is **not part of ECS;** but `thread.id` is. | +| ! | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification | +| \* | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | | +| \* | `agent.groups` | keyword | List of groups the agent belong to. | | | \* Custom field @@ -57,75 +57,74 @@ Based on ECS:

- ### ECS mapping ```yml --- name: wazuh-states-inventory-processes fields: - base: + base: + fields: + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + process: + fields: + pid: {} + name: "" + parent: + fields: + pid: {} + command_line: "" + args: "" + user: + fields: + id: "" + real_user: + fields: + id: "" + saved_user: + fields: + id: "" + group: + fields: + id: "" + real_group: fields: - "@timestamp": {} - agent: + id: "" + saved_group: fields: - id: {} - groups: {} - process: + id: "" + start: {} + thread: fields: - pid: {} - name: "" - parent: - fields: - pid: {} - command_line: "" - args: "" - user: - fields: - id: "" - real_user: - fields: - id: "" - saved_user: - fields: - id: "" - group: - fields: - id: "" - real_group: - fields: - id: "" - saved_group: - fields: - id: "" - start: {} - thread: - fields: - id: "" - tty: {} + id: "" + tty: {} ``` ### Index settings ```json { - "index_patterns": ["wazuh-states-inventory-processes*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "process.name", - "process.pid", - "process.command_line" - ] - } - } + "index_patterns": ["wazuh-states-inventory-processes*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "process.name", + "process.pid", + "process.command_line" + ] + } } + } } ``` diff --git a/ecs/docs/inventory-system.md b/ecs/docs/inventory-system.md index 28109f2d99599..1dbc69ff1139e 100644 --- a/ecs/docs/inventory-system.md +++ b/ecs/docs/inventory-system.md 
@@ -6,22 +6,22 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -- [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html). - -| | Field name | Data type | Description | Example | -| --- | ------------------- | --------- | ---------------------------------------------------------- | ------------------------ | -| | `@timestamp` | date | Date/time when the event originated. | 2016-05-23T08:05:34.853Z | -| | `agent.id` | keyword | Unique identifier of this agent. | 8a4f500d | -| | `host.architecture` | keyword | Operating system architecture. | x86_64 | -| | `host.hostname` | keyword | Hostname of the host. | | -| | `host.os.full` | keyword | Operating system name, including the version or code name. | Mac OS Mojave | -| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | 4.4.0-112-generic | -| | `host.os.name` | keyword | Operating system name, without the version. | Mac OS X | -| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | darwin | -| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | macos | -| | `host.os.version` | keyword | Operating system version as a raw string. | 10.14.1 | -| * | `agent.groups` | keyword | Agent's groups | | +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html). + +| | Field name | Data type | Description | Example | +| --- | ------------------- | --------- | ---------------------------------------------------------- | -------------------------- | +| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | +| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | +| | `host.architecture` | keyword | Operating system architecture. 
| `x86_64` | +| | `host.hostname` | keyword | Hostname of the host. | | +| | `host.os.full` | keyword | Operating system name, including the version or code name. | `Mac OS Mojave` | +| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | `4.4.0-112-generic` | +| | `host.os.name` | keyword | Operating system name, without the version. | `Mac OS X` | +| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | `darwin` | +| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | `macos` | +| | `host.os.version` | keyword | Operating system version as a raw string. | `10.14.1` | +| \* | `agent.groups` | keyword | List of groups the agent belong to. | | \* Custom field @@ -30,22 +30,22 @@ Based on ECS: Removed fields: -- os_display_version -- os_major (can be extracted from os_version) -- os_minor (can be extracted from os_version) -- os_patch (can be extracted from os_version) -- os_release -- reference -- release -- scan_id -- sysname -- version -- checksum +- os_display_version +- os_major (can be extracted from os_version) +- os_minor (can be extracted from os_version) +- os_patch (can be extracted from os_version) +- os_release +- reference +- release +- scan_id +- sysname +- version +- checksum Available fields: -- `os.family` -- `hots.name` +- `os.family` +- `hots.name`

@@ -56,48 +56,48 @@ Available fields: --- name: wazuh-states-inventory-system fields: - base: + base: + fields: + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + host: + fields: + architecture: {} + hostname: {} + name: {} + os: fields: - "@timestamp": {} - agent: - fields: - id: {} - groups: {} - host: - fields: - architecture: {} - hostname: {} - name: {} - os: - fields: - kernel: {} - full: {} - platform: {} - version: {} - type: {} + kernel: {} + full: {} + platform: {} + version: {} + type: {} ``` ### Index settings ```json { - "index_patterns": ["wazuh-states-inventory-system*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "host.name", - "host.os.type", - "host.os.version" - ] - } - } + "index_patterns": ["wazuh-states-inventory-system*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "host.name", + "host.os.type", + "host.os.version" + ] + } } + } } ``` diff --git a/ecs/states-inventory-hardware/fields/custom/agent.yml b/ecs/states-inventory-hardware/fields/custom/agent.yml index 7f23b6a463e49..d1a6751bcc934 100644 --- a/ecs/states-inventory-hardware/fields/custom/agent.yml +++ b/ecs/states-inventory-hardware/fields/custom/agent.yml @@ -8,4 +8,4 @@ type: keyword level: custom description: > - The groups the agent belongs to. + List of groups the agent belong to. diff --git a/ecs/states-inventory-hotfixes/fields/custom/agent.yml b/ecs/states-inventory-hotfixes/fields/custom/agent.yml index 3482123af637a..d1a6751bcc934 100644 --- a/ecs/states-inventory-hotfixes/fields/custom/agent.yml +++ b/ecs/states-inventory-hotfixes/fields/custom/agent.yml 
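Review bot: The replacement description `List of groups the agent belong to.` in the states-inventory-hardware agent.yml hunk has a subject–verb agreement error; the old text `The groups the agent belongs to.` was grammatically correct, so the line should read `List of groups the agent belong to.` → `List of groups the agent belongs to.`. The same string is introduced in the six sibling agent.yml hunks that follow (hotfixes, networks, packages, ports, processes, system) and in the markdown field tables of this patch, so all copies need the same one-word fix. The `index` lines show all seven agent.yml files resolving to the same blob after this patch, which makes them a natural candidate for a single shared file rather than seven copies to keep in step by hand; that is a follow-up, not a blocker. This hunk starts at line 8 of the file, so the enclosing `agent` group definition is outside it.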
@@ -3,10 +3,9 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group - group: 2 fields: - name: groups type: keyword level: custom description: > - The groups the agent belongs to. + List of groups the agent belong to. diff --git a/ecs/states-inventory-networks/fields/custom/agent.yml b/ecs/states-inventory-networks/fields/custom/agent.yml index 3482123af637a..d1a6751bcc934 100644 --- a/ecs/states-inventory-networks/fields/custom/agent.yml +++ b/ecs/states-inventory-networks/fields/custom/agent.yml @@ -3,10 +3,9 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group - group: 2 fields: - name: groups type: keyword level: custom description: > - The groups the agent belongs to. + List of groups the agent belong to. diff --git a/ecs/states-inventory-packages/fields/custom/agent.yml b/ecs/states-inventory-packages/fields/custom/agent.yml index 3482123af637a..d1a6751bcc934 100644 --- a/ecs/states-inventory-packages/fields/custom/agent.yml +++ b/ecs/states-inventory-packages/fields/custom/agent.yml @@ -3,10 +3,9 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group - group: 2 fields: - name: groups type: keyword level: custom description: > - The groups the agent belongs to. + List of groups the agent belong to. diff --git a/ecs/states-inventory-ports/fields/custom/agent.yml b/ecs/states-inventory-ports/fields/custom/agent.yml index 3482123af637a..d1a6751bcc934 100644 --- a/ecs/states-inventory-ports/fields/custom/agent.yml +++ b/ecs/states-inventory-ports/fields/custom/agent.yml @@ -3,10 +3,9 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group - group: 2 fields: - name: groups type: keyword level: custom description: > - The groups the agent belongs to. + List of groups the agent belong to. diff --git a/ecs/states-inventory-processes/fields/custom/agent.yml b/ecs/states-inventory-processes/fields/custom/agent.yml index 3482123af637a..d1a6751bcc934 100644 --- a/ecs/states-inventory-processes/fields/custom/agent.yml 
+++ b/ecs/states-inventory-processes/fields/custom/agent.yml @@ -3,10 +3,9 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group - group: 2 fields: - name: groups type: keyword level: custom description: > - The groups the agent belongs to. + List of groups the agent belong to. diff --git a/ecs/states-inventory-system/fields/custom/agent.yml b/ecs/states-inventory-system/fields/custom/agent.yml index 3482123af637a..d1a6751bcc934 100644 --- a/ecs/states-inventory-system/fields/custom/agent.yml +++ b/ecs/states-inventory-system/fields/custom/agent.yml @@ -3,10 +3,9 @@ title: Wazuh Agents short: Wazuh Inc. custom fields. type: group - group: 2 fields: - name: groups type: keyword level: custom description: > - The groups the agent belongs to. + List of groups the agent belong to.