From b7e3134aaf4e4fd3654f5a93f3bcdcd02b6f5555 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Fri, 20 Oct 2023 13:00:58 +0200 Subject: [PATCH] Add default query fields to vulnerability detector index (#40) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add ECS mappings generator, documentation and files for vulnerability detector * Add event generator script * Add default query fields --------- Signed-off-by: Álex Ruiz --- ecs/README.md | 8 ++++---- .../fields/template-settings-legacy.json | 18 +++++++++++++++++- .../fields/template-settings.json | 18 +++++++++++++++++- 3 files changed, 38 insertions(+), 6 deletions(-) diff --git a/ecs/README.md b/ecs/README.md index a2d353d245c81..d16301fa9bdff 100644 --- a/ecs/README.md +++ b/ecs/README.md @@ -8,7 +8,7 @@ This script generates the ECS mappings for the Wazuh indices. - Python 3.6 or higher - jq -### Folder structure +### Folder structrue There is a folder for each module. Inside each folder, there is a `fields` folder with the required files to generate the mappings. These are the inputs for the ECS generator. @@ -62,7 +62,7 @@ curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/wazuh-vulner ``` Notes: -- PUT and POST are interchangeable. +- PUT and POST are interchangable. - The name of the index template does not matter. Any name can be used. - Adjust credentials and URL accordingly. @@ -83,7 +83,7 @@ are required. For testing purposes, the script `generate_events.py` can be used to generate events for a given module. Currently, it is only able to generate events for the `vulnerability-detector` module. To support other -modules, please extend or refactor the script. +modules, please extend of refactor the script. The script prompts for the required parameters, so it can be launched without arguments: @@ -95,7 +95,7 @@ The script will generate a JSON file with the events, and will also ask whether indexer. If the upload option is selected, the script will ask for the indexer URL and port, credentials, and index name. -The script uses a log file. Check it out for debugging or additional information. +The script uses log file. Check it out for debugging or additonal information. #### References diff --git a/ecs/vulnerability-detector/fields/template-settings-legacy.json b/ecs/vulnerability-detector/fields/template-settings-legacy.json index 21ee9e7a850fc..5f3135175c9af 100644 --- a/ecs/vulnerability-detector/fields/template-settings-legacy.json +++ b/ecs/vulnerability-detector/fields/template-settings-legacy.json @@ -13,7 +13,23 @@ }, "number_of_shards": "1", "number_of_replicas": "0", - "refresh_interval": "2s" + "refresh_interval": "2s", + "query.default_field": [ + "base.tags", + "agent.id", + "ecs.version", + "event.id", + "event.module", + "event.severity", + "host.os.family", + "host.os.full.text", + "host.os.version", + "package.name", + "package.version", + "vulnerability.id", + "vulnerability.description.text", + "vulnerability.severity" + ] } } } \ No newline at end of file diff --git a/ecs/vulnerability-detector/fields/template-settings.json b/ecs/vulnerability-detector/fields/template-settings.json index bf2dcb4216aff..48e2b051599e8 100644 --- a/ecs/vulnerability-detector/fields/template-settings.json +++ b/ecs/vulnerability-detector/fields/template-settings.json @@ -14,7 +14,23 @@ }, "number_of_shards": "1", "number_of_replicas": "0", - "refresh_interval": "2s" + "refresh_interval": "2s", + "query.default_field": [ + "base.tags", + "agent.id", + "ecs.version", + "event.id", + "event.module", + "event.severity", + "host.os.family", + "host.os.full.text", + "host.os.version", + "package.name", + "package.version", + "vulnerability.id", + "vulnerability.description.text", + "vulnerability.severity" + ] } } }