diff --git a/ecs/agent/fields/custom/agent.yml b/ecs/agent/fields/custom/agent.yml
index 0492778271095..7e60469c0800f 100644
--- a/ecs/agent/fields/custom/agent.yml
+++ b/ecs/agent/fields/custom/agent.yml
@@ -9,17 +9,17 @@
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
+ List of groups the agent belong to.
 - name: key
 type: keyword
 level: custom
 description: >
- The agent's registration key.
+ The registration key of the agent.
 - name: last_login
 type: date
 level: custom
 description: >
- The agent's last login.
+ The last time the agent logged in.
 - name: is_connected
 type: boolean
 level: custom
diff --git a/ecs/command/fields/custom/agent.yml b/ecs/command/fields/custom/agent.yml
index 17b6f7324d830..fd3cb2e6c41c9 100644
--- a/ecs/command/fields/custom/agent.yml
+++ b/ecs/command/fields/custom/agent.yml
@@ -9,4 +9,4 @@
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
\ No newline at end of file
+ List of groups the agent belong to.
\ No newline at end of file
diff --git a/ecs/docs/agents.md b/ecs/docs/agents.md
index b0a1619c5e877..a0d48de7f6d16 100644
--- a/ecs/docs/agents.md
+++ b/ecs/docs/agents.md
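Review bot: The new description `List of groups the agent belong to.` has a subject–verb error and should read `List of groups the agent belongs to.` The same sentence is introduced in the `ecs/command/fields/custom/agent.yml` hunk right below and in the rebuilt field tables of `ecs/docs/agents.md`, `ecs/docs/commands.md`, `ecs/docs/states-fim.md` and `ecs/docs/states-vulnerability.md`, so the correction applies to all of them. The `key` description also deserves a sensitivity remark, since a registration key is a credential that ends up stored in the index: `The registration key of the agent. Sensitive: treat as a credential and restrict read access to this field.`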
@@ -6,20 +6,20 @@ The fields are based on https://github.com/wazuh/wazuh/issues/23396#issuecomment Based on ECS [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). -| Field | ECS field | Type | Description | -| ----------------- | ---------------------- | ------- | ---------------------------------------------------------------------- | -| uuid | `agent.id` | keyword | Agent's ID | -| name | `agent.name` | keyword | Agent's name | -| groups | \*`agent.groups` | keyword | Agent's groups | -| internal_key | \*`agent.key` | keyword | Agent's registration key | -| type | `agent.type` | keyword | Type of agent | -| version | `agent.version` | keyword | Agent's version | -| connection_status | \*`agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login` | -| last_keepalive | \*`agent.last_login` | date | Agent's last login | -| ip | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | -| os\_\* | `host.os.full` | keyword | Operating system name, including the version or code name. | +| | Field | Type | Description | Example | +| --- | -------------------- | ------- | ---------------------------------------------------------------------- | ---------------------------------- | +| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | +| | `agent.name` | keyword | Custom name of the agent. | `foo` | +| \* | `agent.groups` | keyword | List of groups the agent belong to. | `["group1", "group2"]` | +| \* | `agent.key` | keyword | The registration key of the agent. | `BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR` | +| | `agent.type` | keyword | Type of agent. | `endpoint` | +| | `agent.version` | keyword | Version of the agent. | `6.0.0-rc2` | +| \* | `agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login`. | | +| \* | `agent.last_login` | date | The last time the agent logged in. 
| `11/11/2024 00:00:00` |
+| | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` |
+| | `host.os.full` | keyword | Operating system name, including the version or code name. | `Mac OS Mojave` |
-\* Custom field
+\* Custom field.
 ### ECS mapping
@@ -77,34 +77,33 @@ fields:
 level: custom
 description: >
 Agents' interpreted connection status depending on `agent.last_login`.
-
 ```
 ### Index settings
 ```json
 {
- "index_patterns": [".agents*"],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "hidden": true,
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "agent.name",
- "agent.type",
- "agent.version",
- "agent.name",
- "host.os.full",
- "host.ip"
- ]
- }
- }
+ "index_patterns": [".agents*"],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "hidden": true,
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "agent.name",
+ "agent.type",
+ "agent.version",
+ "agent.name",
+ "host.os.full",
+ "host.ip"
+ ]
+ }
 }
+ }
 }
 ```
diff --git a/ecs/docs/commands.md b/ecs/docs/commands.md
index 0ca3ac82de0aa..afbd250a9885f 100644
--- a/ecs/docs/commands.md
+++ b/ecs/docs/commands.md
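Review bot: The `agent.key` example `BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR` reads like a real 32-character registration key; examples for credential fields should be obviously synthetic (e.g. `<registration-key>`) so a copied value is never mistaken for, or reused as, a live secret. The `agent.last_login` example `11/11/2024 00:00:00` also does not match the default `date` format (`strict_date_optional_time||epoch_millis`) unless the mapping declares a custom `format`, so a document carrying that literal value would be rejected at index time; `2024-11-11T00:00:00Z` is a safe example. Finally, `List of groups the agent belong to.` should be `belongs`.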
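Review bot: `"agent.name"` appears twice in `query.default_field` (once after `"agent.groups"` and again after `"agent.version"`); the duplicate is carried over from the old block and the second occurrence should be dropped. It is also worth stating in the prose above the settings block that `agent.key` is intentionally absent from `query.default_field`, e.g. `Note: agent.key is deliberately not a default query field, so the registration key is not matched by free-text searches.`, so that a later edit does not add it.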
@@ -10,23 +10,23 @@ This index stores information about the commands executed by the agents. The index appears in 5.0.0 for the first time. -| ECS field | Type | Description | -| -------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------- | -| \*`agent.groups` | keyword | Agent's groups | -| \*`command.source` | keyword | Origin of the request. One of [`Users/Services` (via Management API), `Engine` (via Management API), `Content manager` (directly)]. | -| \*`command.user` | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. | -| \*`command.target.id` | keyword | Unique identifier of the destination to send the command to. | -| \*`command.target.type` | keyword | The destination type. One of [`group`, `agent`, `server`], | -| \*`command.action.name` | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... | -| \*`command.action.args` | keyword | Array of command arguments, starting with the absolute path to the executable. | -| \*`command.action.version` | keyword | Version of the command's schema. | -| \*`command.timeout` | short | Time window in which the command has to be sent to its target. | -| \*`command.status` | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`]. | -| \*`command.result.code` | short | Status code returned by the target. | -| \*`command.result.message` | keyword | Result message returned by the target. | -| \*`command.result.data` | keyword | Result data returned by the target. | -| \*`command.request_id` | keyword | UUID generated by the Command Manager. | -| \*`command.order_id` | keyword | UUID generated by the Command Manager. 
| +| | Field | Type | Description | +| --- | ------------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------- | +| \* | `agent.groups` | keyword | List of groups the agent belong to. | +| \* | `command.source` | keyword | Origin of the request. One of [`Users/Services` (via Management API), `Engine` (via Management API), `Content manager` (directly)]. | +| \* | `command.user` | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. | +| \* | `command.target.id` | keyword | Unique identifier of the destination to send the command to. | +| \* | `command.target.type` | keyword | The destination type. One of [`group`, `agent`, `server`], | +| \* | `command.action.name` | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... | +| \* | `command.action.args` | keyword | Array of command arguments, starting with the absolute path to the executable. | +| \* | `command.action.version` | keyword | Version of the command's schema. | +| \* | `command.timeout` | short | Time window in which the command has to be sent to its target. | +| \* | `command.status` | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`]. | +| \* | `command.result.code` | short | Status code returned by the target. | +| \* | `command.result.message` | keyword | Result message returned by the target. | +| \* | `command.result.data` | keyword | Result data returned by the target. | +| \* | `command.request_id` | keyword | UUID generated by the Command Manager. | +| \* | `command.order_id` | keyword | UUID generated by the Command Manager. | \* Custom field. 
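Review bot: The `command.target.type` description ends with a stray comma, `The destination type. One of [`group`, `agent`, `server`],` — it should end with a period. The `command.timeout` description gives no unit (`Time window in which the command has to be sent to its target.`); state it, e.g. `..., in seconds.` if that is what the Command Manager uses, since a `short` with an unstated unit is easy to misconfigure. The `command.status` values are quoted with backticks here but with single quotes in the YAML block of the `@@ -52,103` hunk (`['pending', 'sent', 'success', 'failure']`); pick one form so the table and the mapping source agree.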
@@ -36,14 +36,14 @@ This index stores information about the commands executed by the agents. The ind
 ---
 name: command
 fields:
- base:
- fields:
- tags: []
- agent:
- fields:
- groups: {}
- command:
- fields: "*"
+ base:
+ fields:
+ tags: []
+ agent:
+ fields:
+ groups: {}
+ command:
+ fields: "*"
 ```
 ```yml
@@ -52,103 +52,103 @@ fields: title: Wazuh commands short: Wazuh Inc. custom fields. description: > - This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers. + This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers. type: group group: 2 fields: - - name: source - type: keyword - level: custom - description: > - Origin of the request. - - name: user - type: keyword - level: custom - description: > - The user that originated the request. - - name: target.id - type: keyword - level: custom - description: > - Unique identifier of the destination to send the command to. - - name: target.type - type: keyword - level: custom - description: > - The destination type. One of [`group`, `agent`, `server`] - - name: action.name - type: keyword - level: custom - description: > - The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... - - name: action.args - type: keyword - level: custom - description: > - Array of command arguments, starting with the absolute path to the executable. - - name: action.version - type: keyword - level: custom - description: > - Version of the command's schema. - - name: timeout - type: short - level: custom - description: > - Time window in which the command has to be sent to its target. - - name: status - type: keyword - level: custom - description: > - Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure']. - - name: result.code - type: short - level: custom - description: > - Status code returned by the target. - - name: result.message - type: keyword - level: custom - description: > - Result message returned by the target. - - name: result.data - type: keyword - level: custom - description: > - Result data returned by the target. - - name: request_id - type: keyword - level: custom - description: > - UUID generated by the Command Manager. 
- - name: order_id - type: keyword - level: custom - description: > - UUID generated by the Command Manager. + - name: source + type: keyword + level: custom + description: > + Origin of the request. + - name: user + type: keyword + level: custom + description: > + The user that originated the request. + - name: target.id + type: keyword + level: custom + description: > + Unique identifier of the destination to send the command to. + - name: target.type + type: keyword + level: custom + description: > + The destination type. One of [`group`, `agent`, `server`] + - name: action.name + type: keyword + level: custom + description: > + The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... + - name: action.args + type: keyword + level: custom + description: > + Array of command arguments, starting with the absolute path to the executable. + - name: action.version + type: keyword + level: custom + description: > + Version of the command's schema. + - name: timeout + type: short + level: custom + description: > + Time window in which the command has to be sent to its target. + - name: status + type: keyword + level: custom + description: > + Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure']. + - name: result.code + type: short + level: custom + description: > + Status code returned by the target. + - name: result.message + type: keyword + level: custom + description: > + Result message returned by the target. + - name: result.data + type: keyword + level: custom + description: > + Result data returned by the target. + - name: request_id + type: keyword + level: custom + description: > + UUID generated by the Command Manager. + - name: order_id + type: keyword + level: custom + description: > + UUID generated by the Command Manager. 
 ```
 ### Index settings
 ```json
 {
- "index_patterns": [".commands*"],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "hidden": true,
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "command.source",
- "command.target.type",
- "command.status",
- "command.action.name"
- ]
- }
- }
+ "index_patterns": [".commands*"],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "hidden": true,
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "command.source",
+ "command.target.type",
+ "command.status",
+ "command.action.name"
+ ]
+ }
 }
+ }
 }
 }
 ```
diff --git a/ecs/docs/inventory-4.x.md b/ecs/docs/inventory-4.x.md
deleted file mode 100644
index fd77e266d97fd..0000000000000
--- a/ecs/docs/inventory-4.x.md
+++ /dev/null
@@ -1,70 +0,0 @@ -## Migration to 5.x - -| Syscollector 4.x inventory table | Index 5.x | -| -------------------------------- | -------------------------------- | -| sys_processes | wazuh-states-inventory-processes | -| sys_hwinfo | wazuh-states-inventory-hardware | -| sys_osinfo | wazuh-states-inventory-system | -| sys_ports | wazuh-states-inventory-networks | -| sys_net\* | wazuh-states-inventory-networks | -| sys_programs | wazuh-states-inventory-packages | -| sys_hotfixes | wazuh-states-inventory-hotfixes | - -### sys_netiface - -| | Field name | ECS field name | Data type | Description | -| --- | ---------- | ------------------- | --------- | ------------------------------------------------ | -| x | name | network.name | KEYWORD | Name of the network interface | -| ? | adapter | | KEYWORD | Adapter name of the network interface | -| x | type | network.type | KEYWORD | Type of the network interface | -| * | state | network.state | KEYWORD | State of the network interface | -| * | mtu | network.mtu | INTEGER | Maximum transmission unit size | -| x | mac | network.mac | KEYWORD | MAC address of the network interface | -| | tx_packets | network.out.packets | INTEGER | Number of transmitted packets | -| | rx_packets | network.in.packets | INTEGER | Number of received packets | -| | tx_bytes | network.out.bytes | INTEGER | Number of transmitted bytes | -| | rx_bytes | network.in.bytes | INTEGER | Number of received bytes | -| | tx_errors | network.out.errors | INTEGER | Number of transmission errors | -| | rx_errors | network.in.errors | INTEGER | Number of reception errors | -| | tx_dropped | network.out.dropped | INTEGER | Number of dropped transmitted packets | -| | rx_dropped | network.in.dropped | INTEGER | Number of dropped received packets | -| x | item_id | | KEYWORD | Unique identifier for the network interface item | - -### sys_netproto - -| | Field name | ECS field name | Data type | Description | -| --- | ---------- | ------------------- | --------- | 
----------------------------------------------- | -| r | iface | `sys_netiface.name` | KEYWORD | Name of the network interface | -| | type | network.type | KEYWORD | Type of network protocol | -| | gateway | network.gateway | KEYWORD | Gateway address | -| | dhcp | network.dhcp | KEYWORD | DHCP status (enabled, disabled, unknown, BOOTP) | -| | metric | network.metric | INTEGER | Metric of the network protocol | -| | item_id | | KEYWORD | Unique identifier for the network protocol item | - -### sys_netaddr - -| | Field name | ECS field name | Data type | Description | -| --- | ---------- | -------------------- | --------- | ---------------------------------------------- | -| r | iface | `sys_netproto.iface` | KEYWORD | Name of the network interface | -| | proto | `sys_netproto.type` | KEYWORD | Type of network protocol | -| | address | source.address | KEYWORD | Network address | -| | netmask | network.netmask | KEYWORD | Network mask | -| | broadcast | network.broadcast | KEYWORD | Broadcast address | -| | item_id | | KEYWORD | Unique identifier for the network address item | - -### sys_ports - -| | Field name | ECS field name | Data type | Description | -| --- | ----------- | -------------------- | --------- | ------------------------------------------- | -| | protocol | network.protocol | KEYWORD | Protocol used | -| | local_ip | source.ip | KEYWORD | Local IP address | -| | local_port | source.port | INTEGER | Local port number | -| | remote_ip | destination.ip | KEYWORD | Remote IP address | -| | remote_port | destination.port | INTEGER | Remote port number | -| | tx_queue | network.out.queue | INTEGER | Transmit queue length | -| | rx_queue | network.in.queue | INTEGER | Receive queue length | -| | inode | system.network.inode | INTEGER | Inode number | -| | state | network.transport | KEYWORD | State of the connection | -| | PID | process.pid | INTEGER | Process ID | -| | process | process.name | KEYWORD | Process name | -| | item_id | | KEYWORD | Unique 
identifier for the network port item | diff --git a/ecs/docs/states-fim.md b/ecs/docs/states-fim.md index 4d42e1e8a79fc..129fcf9ec94a6 100644 --- a/ecs/docs/states-fim.md +++ b/ecs/docs/states-fim.md 
@@ -6,34 +6,33 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [File Fields](https://www.elastic.co/guide/en/ecs/current/ecs-file.html). -- [Registry Fields](https://www.elastic.co/guide/en/ecs/current/ecs-registry.html). +- [File Fields](https://www.elastic.co/guide/en/ecs/current/ecs-file.html). +- [Registry Fields](https://www.elastic.co/guide/en/ecs/current/ecs-registry.html). -| Field | ECS field | Type | Description | -| ------------- | ------------------ | ------- | ---------------------------------------------------------------- | -| | `agent.id` | keyword | Agent's ID | -| | \*`agent.groups` | keyword | Agent's groups | -| arch | \* ? | keyword | Is arch a file property? | -| attributes | `file.attributes` | keyword | Array of file attributes. | -| file | `file.name` | keyword | Name of the file including the extension, without the directory. | -| full_path | `file.path` | keyword | Full path to the file, including the file name. | -| gid | `file.gid` | keyword | Primary group ID (GID) of the file. | -| gname | `file.group` | keyword | Primary group name of the file. | -| inode | `file.inode` | keyword | Inode representing the file in the filesystem. | -| md5 | `file.hash.md5` | keyword | MD5 hash of the file. | -| mtime | `file.mtime` | date | Last time the file's metadata changed. | -| perm | `file.mode` | keyword | File permissions in octal mode. | -| sha1 | `file.hash.sha1` | keyword | SHA1 hash of the file. | -| sha256 | `file.hash.sha256` | keyword | SHA256 hash of the file. | -| size | `file.size` | long | File size in bytes. | -| symbolic_path | `file.target_path` | keyword | Target path for symlinks. | -| type | `file.type` | keyword | File type (file, dir, or symlink). | -| uid | `file.uid` | keyword | User ID (UID) of the file owner. | -| uname | `file.owner` | keyword | File owner’s username. | -| value_name | `registry.key` | keyword | Hive-relative path of keys. 
| -| value_type | `registry.value` | keyword | Name of the value written. | +| | Field | Type | Description | Example | +| --- | ------------------ | ------- | ----------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | +| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | +| \* | \*`agent.groups` | keyword | List of groups the agent belong to. | `["group1", "group2"]` | +| | `file.attributes` | keyword | Array of file attributes. | `["readonly", "system"]` | +| | `file.gid` | keyword | Primary group ID (GID) of the file. | `1001` | +| | `file.group` | keyword | Primary group name of the file. | `alice` | +| | `file.inode` | keyword | Inode representing the file in the filesystem. | `256383` | +| | `file.name` | keyword | Name of the file including the extension, without the directory. | `example.png` | +| | `file.mode` | keyword | File permissions in octal mode. | `0640` | +| | `file.mtime` | date | Last time the file's metadata changed. | | +| | `file.owner` | keyword | File owner’s username. | | +| | `file.path` | keyword | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png` | +| | `file.size` | long | File size in bytes. | `16384` | +| | `file.target_path` | keyword | Target path for symlinks. | | +| | `file.type` | keyword | File type (file, dir, or symlink). | `file` | +| | `file.uid` | keyword | User ID (UID) of the file owner. | `1001` | +| | `file.hash.md5` | keyword | MD5 hash of the file. | | +| | `file.hash.sha1` | keyword | SHA1 hash of the file. | | +| | `file.hash.sha256` | keyword | SHA256 hash of the file. | | +| | `registry.key` | keyword | Hive-relative path of keys. 
| `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe` | +| | `registry.value` | keyword | Name of the value written. | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger` | -\* Custom field +\* Custom field. ### ECS mapping @@ -41,60 +40,60 @@ Based on ECS: --- name: fim fields: - agent: + agent: + fields: + id: {} + groups: {} + file: + fields: + attributes: {} + name: {} + path: {} + gid: {} + group: {} + inode: {} + hash: fields: - id: {} - groups: {} - file: - fields: - attributes: {} - name: {} - path: {} - gid: {} - group: {} - inode: {} - hash: - fields: - md5: {} - sha1: {} - sha256: {} - mtime: {} - mode: {} - size: {} - target_path: {} - type: {} - uid: {} - owner: {} - registry: - fields: - key: {} - value: {} + md5: {} + sha1: {} + sha256: {} + mtime: {} + mode: {} + size: {} + target_path: {} + type: {} + uid: {} + owner: {} + registry: + fields: + key: {} + value: {} ``` ### Index settings ```json { - "index_patterns": ["wazuh-states-fim*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "file.name", - "file.path", - "file.target_path", - "file.group", - "file.uid", - "file.gid" - ] - } - } + "index_patterns": ["wazuh-states-fim*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "file.name", + "file.path", + "file.target_path", + "file.group", + "file.uid", + "file.gid" + ] + } } + } } ``` diff --git a/ecs/docs/states-vulnerability.md b/ecs/docs/states-vulnerability.md index fa7f4969d1c1f..61718d1419873 100644 --- a/ecs/docs/states-vulnerability.md +++ b/ecs/docs/states-vulnerability.md 
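Review bot: The `agent.groups` row carries the custom marker twice, `\* | \*`agent.groups``, a leftover from the old table layout; the `\*` inside the Field cell should go, as it did for every other row. The `registry.value` example `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger` is a full registry path, which is ECS's example for `registry.path`, while the description says `Name of the value written.`; the example matching that description is `Debugger`. `file.mtime` is described as `Last time the file's metadata changed.`, but ECS defines `file.mtime` as the last content modification and `file.ctime` as the metadata change time — presumably FIM's `mtime` is the content time, which is worth confirming against the source before the description is kept.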
@@ -6,59 +6,59 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/blob/4.9.0/ecs/vu Based on ECS: -- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). -- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -- [Vulnerability Fields](https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html). +- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). +- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Vulnerability Fields](https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html). -| ECS field | Type | Description | -| ----------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `agent.id` | keyword | Unique identifier of this agent (if one exists). | -| \*`agent.groups` | keyword | Agent's groups | -| `agent.name` | keyword | Custom name of the agent. | -| `agent.type` | keyword | Type of the agent. | -| `agent.version` | keyword | Version of the agent. | -| `host.os.full` | keyword | Operating system name, including the version or code name. | -| `host.os.kernel` | keyword | Operating system kernel version as a raw string. | -| `host.os.name` | keyword | Operating system name, without the version. | -| `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | -| `host.os.type` | keyword | Use the os.type field to categorize the operating system into one of the broad commercial families. | -| `host.os.version` | keyword | Operating system version as a raw string. 
| -| `package.architecture` | keyword | Package architecture. | -| `package.build_version` | keyword | Additional information about the build version of the installed package. | -| `package.checksum` | keyword | Checksum of the installed package for verification. | -| `package.description` | keyword | Description of the package. | -| `package.install_scope` | keyword | Indicating how the package was installed, e.g. user-local, global. | -| `package.installed` | date | Time when package was installed. | -| `package.license` | keyword | License under which the package was released. | -| `package.name` | keyword | Package name | -| `package.path` | keyword | Path where the package is installed. | -| `package.reference` | keyword | Home page or reference URL of the software in this package, if available. | -| `package.size` | long | Package size in bytes. | -| `package.type` | keyword | Type of package. | -| `package.version` | keyword | Package version | -| `vulnerability.category` | keyword | The type of system or architecture that the vulnerability affects | -| `vulnerability.classification` | keyword | The classification of the vulnerability scoring system. | -| `vulnerability.description` | keyword | The description of the vulnerability that provides additional context of the vulnerability | -| \*`vulnerability.detected_at` | date | Vulnerability's detection date. | -| `vulnerability.enumeration` | keyword | The type of identifier used for this vulnerability. | -| `vulnerability.id` | keyword | The identification (ID) is the number portion of a vulnerability entry. | -| \*`vulnerability.published_at` | date | Vulnerability's publication date. | -| `vulnerability.reference` | keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability. | -| `vulnerability.report_id` | keyword | The report or scan identification number. 
| -| \*`vulnerability.scanner.source` | keyword | The origin of the decision of the scanner (AKA feed used to detect the vulnerability). | -| `vulnerability.scanner.vendor` | keyword | The name of the vulnerability scanner vendor. | -| `vulnerability.score.base` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | -| `vulnerability.score.environmental` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | -| `vulnerability.score.temporal` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | -| `vulnerability.score.version` | keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. | -| `vulnerability.severity` | keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. | -| \*`vulnerability.under_evaluation` | boolean | Indicates if the vulnerability is awaiting analysis by the NVD. | -| \*`wazuh.cluster.name` | keyword | Name of the Wazuh cluster. | -| \*`wazuh.cluster.node` | keyword | Name of the Wazuh cluster node. | -| \*`wazuh.schema.version` | keyword | Version of the Wazuh schema. | +| | Field | Type | Description | +| --- | ----------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| | `agent.id` | keyword | Unique identifier of this agent. | +| \* | `agent.groups` | keyword | List of groups the agent belong to. | +| | `agent.name` | keyword | Custom name of the agent. | +| | `agent.type` | keyword | Type of agent. | +| | `agent.version` | keyword | Version of the agent. 
| +| | `host.os.full` | keyword | Operating system name, including the version or code name. | +| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | +| | `host.os.name` | keyword | Operating system name, without the version. | +| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | +| | `host.os.type` | keyword | Use the os.type field to categorize the operating system into one of the broad commercial families. | +| | `host.os.version` | keyword | Operating system version as a raw string. | +| | `package.architecture` | keyword | Package architecture. | +| | `package.build_version` | keyword | Additional information about the build version of the installed package. | +| | `package.checksum` | keyword | Checksum of the installed package for verification. | +| | `package.description` | keyword | Description of the package. | +| | `package.install_scope` | keyword | Indicating how the package was installed, e.g. user-local, global. | +| | `package.installed` | date | Time when package was installed. | +| | `package.license` | keyword | License under which the package was released. | +| | `package.name` | keyword | Package name | +| | `package.path` | keyword | Path where the package is installed. | +| | `package.reference` | keyword | Home page or reference URL of the software in this package, if available. | +| | `package.size` | long | Package size in bytes. | +| | `package.type` | keyword | Type of package. | +| | `package.version` | keyword | Package version | +| | `vulnerability.category` | keyword | The type of system or architecture that the vulnerability affects | +| | `vulnerability.classification` | keyword | The classification of the vulnerability scoring system. | +| | `vulnerability.description` | keyword | The description of the vulnerability that provides additional context of the vulnerability | +| \* | `vulnerability.detected_at` | date | Vulnerability's detection date. 
| +| | `vulnerability.enumeration` | keyword | The type of identifier used for this vulnerability. | +| | `vulnerability.id` | keyword | The identification (ID) is the number portion of a vulnerability entry. | +| \* | `vulnerability.published_at` | date | Vulnerability's publication date. | +| | `vulnerability.reference` | keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability. | +| | `vulnerability.report_id` | keyword | The report or scan identification number. | +| \* | `vulnerability.scanner.source` | keyword | The origin of the decision of the scanner (AKA feed used to detect the vulnerability). | +| | `vulnerability.scanner.vendor` | keyword | The name of the vulnerability scanner vendor. | +| | `vulnerability.score.base` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | +| | `vulnerability.score.environmental` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | +| | `vulnerability.score.temporal` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | +| | `vulnerability.score.version` | keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. | +| | `vulnerability.severity` | keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. | +| \* | `vulnerability.under_evaluation` | boolean | Indicates if the vulnerability is awaiting analysis by the NVD. | +| \* | `wazuh.cluster.name` | keyword | Name of the Wazuh cluster. | +| \* | `wazuh.cluster.node` | keyword | Name of the Wazuh cluster node. | +| \* | `wazuh.schema.version` | keyword | Version of the Wazuh schema. | -\* Custom field +\* Custom field. ### ECS mapping 
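Review bot: The `host.os.platform` description `Operating system platform (such centos, ubuntu, windows).` is missing a word and should read `such as centos, ubuntu, windows`. Several descriptions in the rebuilt table lack the terminating period used by the rest (`Package name`, `Package version`, `The type of system or architecture that the vulnerability affects`, `The description of the vulnerability that provides additional context of the vulnerability`). The `wazuh.cluster.name`, `wazuh.cluster.node` and `wazuh.schema.version` descriptions here (`Name of the Wazuh cluster.` etc.) differ in wording from the YAML in the `@@ -127,51` hunk (`Wazuh cluster name.`); aligning them avoids drift between the table and the generated mapping.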
@@ -66,26 +66,26 @@ Based on ECS: --- name: wazuh-states-vulnerabilities fields: - base: - tags: [] - agent: - fields: "*" - package: - fields: "*" - host: + base: + tags: [] + agent: + fields: "*" + package: + fields: "*" + host: + fields: + os: fields: - os: - fields: - full: "" - kernel: "" - name: "" - platform: "" - type: "" - version: "" - vulnerability: - fields: "*" - wazuh: - fields: "*" + full: "" + kernel: "" + name: "" + platform: "" + type: "" + version: "" + vulnerability: + fields: "*" + wazuh: + fields: "*" ``` ```yml @@ -95,30 +95,30 @@ fields: group: 2 short: Fields to describe the vulnerability relevant to an event. description: > - The vulnerability fields describe information about a vulnerability that is - relevant to an event. + The vulnerability fields describe information about a vulnerability that is + relevant to an event. type: group fields: - - name: detected_at - type: date - level: custom - description: > - Vulnerability's detection date. - - name: published_at - type: date - level: custom - description: > - Vulnerability's publication date. - - name: under_evaluation - type: boolean - level: custom - description: > - Indicates if the vulnerability is awaiting analysis by the NVD. - - name: scanner.source - type: keyword - level: custom - description: > - The origin of the decision of the scanner (AKA feed used to detect the vulnerability). + - name: detected_at + type: date + level: custom + description: > + Vulnerability's detection date. + - name: published_at + type: date + level: custom + description: > + Vulnerability's publication date. + - name: under_evaluation + type: boolean + level: custom + description: > + Indicates if the vulnerability is awaiting analysis by the NVD. + - name: scanner.source + type: keyword + level: custom + description: > + The origin of the decision of the scanner (AKA feed used to detect the vulnerability). ``` ```yml 
@@ -127,51 +127,51 @@ fields: - name: wazuh title: Wazuh description: > - Wazuh Inc. custom fields + Wazuh Inc. custom fields fields: - - name: cluster.name - type: keyword - level: custom - description: > - Wazuh cluster name. - - name: cluster.node - type: keyword - level: custom - description: > - Wazuh cluster node name. - - name: schema.version - type: keyword - level: custom - description: > - Wazuh schema version. + - name: cluster.name + type: keyword + level: custom + description: > + Wazuh cluster name. + - name: cluster.node + type: keyword + level: custom + description: > + Wazuh cluster node name. + - name: schema.version + type: keyword + level: custom + description: > + Wazuh schema version. ``` ### Index settings ```json { - "index_patterns": ["wazuh-states-vulnerabilities*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "host.os.full", - "host.os.version", - "package.name", - "package.version", - "vulnerability.id", - "vulnerability.description", - "vulnerability.severity", - "wazuh.cluster.name" - ] - } - } + "index_patterns": ["wazuh-states-vulnerabilities*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "host.os.full", + "host.os.version", + "package.name", + "package.version", + "vulnerability.id", + "vulnerability.description", + "vulnerability.severity", + "wazuh.cluster.name" + ] + } } + } } ``` diff --git a/ecs/states-fim/fields/custom/agent.yml b/ecs/states-fim/fields/custom/agent.yml index 17b6f7324d830..fd3cb2e6c41c9 100644 --- a/ecs/states-fim/fields/custom/agent.yml +++ b/ecs/states-fim/fields/custom/agent.yml 
@@ -9,4 +9,4 @@
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
\ No newline at end of file
+ List of groups the agent belong to.
\ No newline at end of file
diff --git a/ecs/states-vulnerabilities/fields/custom/agent.yml b/ecs/states-vulnerabilities/fields/custom/agent.yml
index 3482123af637a..9feecf4e2da98 100644
--- a/ecs/states-vulnerabilities/fields/custom/agent.yml
+++ b/ecs/states-vulnerabilities/fields/custom/agent.yml
@@ -9,4 +9,4 @@
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
+ List of groups the agent belong to.
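Review bot: The new description in the states-fim hunk, `List of groups the agent belong to.`, has a subject–verb disagreement; `List of groups the agent belongs to.` reads correctly. The states-vulnerabilities hunk on this same line introduces the identical wording, so both should be corrected together so the `agent.groups` description stays consistent across the schema copies. While touching the states-fim line it would also be worth adding the trailing newline the file still lacks on both sides of the diff, which would remove the `\ No newline at end of file` marker.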