From bb3d1690e04a8ef856d72bebfb528fe012043696 Mon Sep 17 00:00:00 2001
From: quebim
Date: Fri, 29 Nov 2024 15:01:52 -0300
Subject: [PATCH] Update documentation
---
ecs/docs/inventory-hardware.md | 97 ++-------
ecs/docs/inventory-hotfixes.md | 50 ++---
ecs/docs/inventory-networks.md | 193 ++----------------
ecs/docs/inventory-packages.md | 11 +-
ecs/docs/inventory-ports.md | 17 +-
ecs/docs/inventory-processes.md | 51 ++++-
ecs/docs/states-fim.md | 12 +-
ecs/docs/states-vulnerability.md | 61 +++--
ecs/states-fim/fields/subset.yml | 2 -
.../fields/custom/host.yml | 2 +-
.../fields/custom/os.yml | 2 +-
.../fields/custom/risk.yml | 2 +-
12 files changed, 146 insertions(+), 354 deletions(-)
diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md
index 75baa484b83d1..832bacfbb1ae4 100644
--- a/ecs/docs/inventory-hardware.md
+++ b/ecs/docs/inventory-hardware.md
@@ -34,25 +34,17 @@ fields:
"@timestamp": {}
agent:
fields:
- id: {}
groups: {}
+ id: {}
+ name: {}
+ type: {}
+ version: {}
+ host:
+ fields: "*"
observer:
fields:
serial_number: {}
- host:
- fields:
- memory:
- fields:
- total: {}
- free: {}
- used:
- fields:
- percentage: {}
- cpu:
- fields:
- name: {}
- cores: {}
- speed: {}
+
```
### Index settings
@@ -64,77 +56,12 @@ fields:
"template": {
"settings": {
"index": {
- "number_of_replicas": "0",
"number_of_shards": "1",
- "query.default_field": ["observer.board_serial"],
- "refresh_interval": "5s"
- }
- },
- "mappings": {
- "date_detection": false,
- "dynamic": "strict",
- "properties": {
- "@timestamp": {
- "type": "date"
- },
- "agent": {
- "properties": {
- "groups": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "host": {
- "properties": {
- "cpu": {
- "properties": {
- "cores": {
- "type": "long"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "speed": {
- "type": "long"
- }
- },
- "type": "object"
- },
- "memory": {
- "properties": {
- "free": {
- "type": "long"
- },
- "total": {
- "type": "long"
- },
- "used": {
- "properties": {
- "percentage": {
- "type": "long"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- }
- }
- },
- "observer": {
- "properties": {
- "serial_number": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "observer.board_serial"
+ ]
}
}
}
diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md
index fadc5377da19c..17606d9dba4ee 100644
--- a/ecs/docs/inventory-hotfixes.md
+++ b/ecs/docs/inventory-hotfixes.md
@@ -27,13 +27,19 @@ fields:
"@timestamp": {}
agent:
fields:
- id: {}
groups: {}
+ id: {}
+ name: {}
+ type: {}
+ version: {}
+ host:
+ fields: "*"
package:
fields:
hotfix:
fields:
name: {}
+
```
### Index settings
@@ -45,44 +51,12 @@ fields:
"template": {
"settings": {
"index": {
- "number_of_replicas": "0",
"number_of_shards": "1",
- "query.default_field": ["package.hotfix.name"],
- "refresh_interval": "5s"
- }
- },
- "mappings": {
- "date_detection": false,
- "dynamic": "strict",
- "properties": {
- "@timestamp": {
- "type": "date"
- },
- "agent": {
- "properties": {
- "groups": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "package": {
- "properties": {
- "hotfix": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- },
- "type": "object"
- }
- }
- }
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "package.hotfix.name"
+ ]
}
}
}
diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md
index 6459cde110aac..87115fdc87608 100644
--- a/ecs/docs/inventory-networks.md
+++ b/ecs/docs/inventory-networks.md
@@ -51,34 +51,25 @@ fields:
"@timestamp": {}
agent:
fields:
- id: {}
groups: {}
- destination:
- fields:
- ip: {}
- port: {}
- device:
- fields:
id: {}
- file:
- fields:
- inode: {}
- host:
+ name: {}
+ type: {}
+ version: {}
+ host:
+ fields: "*"
+ interface:
fields:
- ip: {}
- mac: {}
- network:
- fields:
- egress:
- fields:
- bytes: {}
- packets: {}
- ingress:
- fields:
- bytes: {}
- packets: {}
+ mtu: {}
+ state: {}
+ type: {}
network:
fields:
+ broadcast: {}
+ dhcp: {}
+ gateway: {}
+ metric: {}
+ netmask: {}
protocol: {}
type: {}
observer:
@@ -89,14 +80,7 @@ fields:
fields:
alias: {}
name: {}
- process:
- fields:
- name: {}
- pid: {}
- source:
- fields:
- ip: {}
- port: {}
+
```
### Index settings
@@ -108,8 +92,9 @@ fields:
"template": {
"settings": {
"index": {
- "number_of_replicas": "0",
"number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
@@ -119,149 +104,7 @@ fields:
"observer.ingress.interface.name",
"observer.ingress.interface.alias",
"process.name"
- ],
- "refresh_interval": "5s"
- }
- },
- "mappings": {
- "date_detection": false,
- "dynamic": "strict",
- "properties": {
- "@timestamp": {
- "type": "date"
- },
- "agent": {
- "properties": {
- "groups": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "destination": {
- "properties": {
- "ip": {
- "type": "ip"
- },
- "port": {
- "type": "long"
- }
- }
- },
- "device": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "file": {
- "properties": {
- "inode": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "host": {
- "properties": {
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "network": {
- "properties": {
- "egress": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "packets": {
- "type": "long"
- }
- }
- },
- "ingress": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "packets": {
- "type": "long"
- }
- }
- }
- }
- }
- }
- },
- "network": {
- "properties": {
- "protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "observer": {
- "properties": {
- "ingress": {
- "properties": {
- "interface": {
- "properties": {
- "alias": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- },
- "type": "object"
- }
- }
- },
- "process": {
- "properties": {
- "name": {
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pid": {
- "type": "long"
- }
- }
- },
- "source": {
- "properties": {
- "ip": {
- "type": "ip"
- },
- "port": {
- "type": "long"
- }
- }
- }
+ ]
}
}
}
diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md
index 8091da88b85fa..417b7bced0bc5 100644
--- a/ecs/docs/inventory-packages.md
+++ b/ecs/docs/inventory-packages.md
@@ -47,10 +47,16 @@ fields:
base:
fields:
"@timestamp": {}
+ tags: []
agent:
fields:
- id: {}
groups: {}
+ id: {}
+ name: {}
+ type: {}
+ version: {}
+ host:
+ fields: "*"
package:
fields:
architecture: ""
@@ -61,6 +67,7 @@ fields:
size: {}
type: ""
version: ""
+
```
### Index settings
@@ -78,7 +85,7 @@ fields:
"query.default_field": [
"agent.id",
"agent.groups",
- "package.architecture"
+ "package.architecture",
"package.name",
"package.version",
"package.type"
diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md
index 863d2a000ac41..bbad0b8842f52 100644
--- a/ecs/docs/inventory-ports.md
+++ b/ecs/docs/inventory-ports.md
@@ -40,8 +40,13 @@ fields:
"@timestamp": {}
agent:
fields:
- id: {}
groups: {}
+ id: {}
+ name: {}
+ type: {}
+ version: {}
+ host:
+ fields: "*"
destination:
fields:
ip: {}
@@ -52,16 +57,6 @@ fields:
file:
fields:
inode: {}
- host:
- fields:
- network:
- fields:
- egress:
- fields:
- queue: {}
- ingress:
- fields:
- queue: {}
network:
fields:
protocol: {}
diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md
index 087838f7f9c46..81572b8979705 100644
--- a/ecs/docs/inventory-processes.md
+++ b/ecs/docs/inventory-processes.md
@@ -66,10 +66,16 @@ fields:
base:
fields:
"@timestamp": {}
+ tags: []
agent:
fields:
- id: {}
groups: {}
+ id: {}
+ name: {}
+ type: {}
+ version: {}
+ host:
+ fields: "*"
process:
fields:
pid: {}
@@ -101,7 +107,48 @@ fields:
thread:
fields:
id: ""
- tty: {}
+```
+
+```yml
+---
+- name: agent
+ title: Wazuh Agents
+ short: Wazuh Inc. custom fields.
+ type: group
+ group: 2
+ fields:
+ - name: groups
+ type: keyword
+ level: custom
+ description: >
+ List of groups the agent belong to.
+```
+
+```yml
+---
+- name: host
+ reusable:
+ top_level: true
+ expected:
+ - { at: agent, as: host }
+```
+
+```yml
+---
+- name: os
+ reusable:
+ top_level: false
+ expected:
+ - agent.host
+```
+
+```yml
+---
+- name: risk
+ reusable:
+ top_level: false
+ expected:
+ - agent.host
```
### Index settings
diff --git a/ecs/docs/states-fim.md b/ecs/docs/states-fim.md
index 129fcf9ec94a6..af48052fdfff2 100644
--- a/ecs/docs/states-fim.md
+++ b/ecs/docs/states-fim.md
@@ -38,12 +38,20 @@ Based on ECS:
```yml
---
-name: fim
+name: wazuh-states-fim
fields:
+ base:
+ fields:
+ tags: []
agent:
fields:
- id: {}
groups: {}
+ id: {}
+ name: {}
+ type: {}
+ version: {}
+ host:
+ fields: "*"
file:
fields:
attributes: {}
diff --git a/ecs/docs/states-vulnerability.md b/ecs/docs/states-vulnerability.md
index 61718d1419873..c40a6e0709524 100644
--- a/ecs/docs/states-vulnerability.md
+++ b/ecs/docs/states-vulnerability.md
@@ -67,21 +67,19 @@ Based on ECS:
name: wazuh-states-vulnerabilities
fields:
base:
- tags: []
+ fields:
+ tags: []
agent:
- fields: "*"
+ fields:
+ groups: {}
+ id: {}
+ name: {}
+ type: {}
+ version: {}
+ host:
+ fields: "*"
package:
fields: "*"
- host:
- fields:
- os:
- fields:
- full: ""
- kernel: ""
- name: ""
- platform: ""
- type: ""
- version: ""
vulnerability:
fields: "*"
wazuh:
@@ -89,7 +87,6 @@ fields:
```
```yml
----
- name: vulnerability
title: Vulnerability
group: 2
@@ -123,7 +120,6 @@ fields:
```yml
---
----
- name: wazuh
title: Wazuh
description:
>
@@ -151,26 +147,23 @@ fields:
```json
{
"index_patterns": ["wazuh-states-vulnerabilities*"],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "host.os.full",
- "host.os.version",
- "package.name",
- "package.version",
- "vulnerability.id",
- "vulnerability.description",
- "vulnerability.severity",
- "wazuh.cluster.name"
- ]
- }
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "host.os.full",
+ "host.os.version",
+ "package.name",
+ "package.version",
+ "vulnerability.id",
+ "vulnerability.description",
+ "vulnerability.severity",
+ "wazuh.cluster.name"
+ ]
}
}
}
diff --git a/ecs/states-fim/fields/subset.yml b/ecs/states-fim/fields/subset.yml
index fd2b14f8e9fc6..7eab78e238a21 100644
--- a/ecs/states-fim/fields/subset.yml
+++ b/ecs/states-fim/fields/subset.yml
@@ -37,5 +37,3 @@ fields:
fields:
key: {}
value: {}
-
-
diff --git a/ecs/states-inventory-processes/fields/custom/host.yml b/ecs/states-inventory-processes/fields/custom/host.yml
index a0356d13da657..5bf50e3e3f675 100644
--- a/ecs/states-inventory-processes/fields/custom/host.yml
+++ b/ecs/states-inventory-processes/fields/custom/host.yml
@@ -3,4 +3,4 @@
reusable:
top_level: true
expected:
- - { at: agent, as: host }
\ No newline at end of file
+ - { at: agent, as: host }
diff --git a/ecs/states-inventory-processes/fields/custom/os.yml b/ecs/states-inventory-processes/fields/custom/os.yml
index 952c2d6e93a40..0181d44d62751 100644
--- a/ecs/states-inventory-processes/fields/custom/os.yml
+++ b/ecs/states-inventory-processes/fields/custom/os.yml
@@ -3,4 +3,4 @@
reusable:
top_level: false
expected:
- - agent.host
\ No newline at end of file
+ - agent.host
diff --git a/ecs/states-inventory-processes/fields/custom/risk.yml b/ecs/states-inventory-processes/fields/custom/risk.yml
index 1c06213bc6205..599a04a4f9d17 100644
--- a/ecs/states-inventory-processes/fields/custom/risk.yml
+++ b/ecs/states-inventory-processes/fields/custom/risk.yml
@@ -3,4 +3,4 @@
reusable:
top_level: false
expected:
- - agent.host
\ No newline at end of file
+ - agent.host