Add missing interface and process.tty fields to index templates

[f-galland]

Description

As part of the MVP tests, it was determined that we need to modify the index mappings to include:

• interface.state within wazuh-states-inventory-ports
• process.tty within wazuh-states-inventory-processes

[f-galland]

Running the event generator throws no errors:

(venv) fede@tyner:~/src/wazuh-indexer/ecs/states-inventory-ports/event-generator (580-ecs-ports-add-interface-at-root *)
$ python3 event_generator.py 
How many events do you want to generate? 100
Do you want to inject the generated data into your indexer? (y/n) y
Enter the IP of your Indexer (default: '127.0.0.1'): 
Enter the port of your Indexer (default: '9200'): 
Enter the index name (default: 'wazuh-states-inventory-ports'): 
Username (default: 'admin'): 
Password (default: 'admin'): 

The document gets indexed properly, and an interface.status object is present:

(venv) fede@tyner:~/src/wazuh-indexer/ecs/states-inventory-ports/event-generator (580-ecs-ports-add-interface-at-root *)
$ curl http://localhost:9200/wazuh-states-inventory-ports/_search?pretty -H 'Content-Type: application/json' -d '{"query": { "match_all": {} },"size": 1 }'
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 100,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "wazuh-states-inventory-ports",
        "_id" : "V7DOm5MBXCL9QpZ_s3du",
        "_score" : 1.0,
        "_source" : {
          "@timestamp" : "2024-11-28T21:41:13.260963Z",
          "agent" : {
            "id" : "agent53",
            "name" : "Agent96",
            "type" : "linux",
            "version" : "v4-stable",
            "groups" : [
              "group78",
              "group19"
            ],
            "host" : {
              "architecture" : "x86_64",
              "boot" : {
                "id" : "bootid6918"
              },
              "cpu" : {
                "usage" : 12.457154223303768
              },
              "disk" : {
                "read" : {
                  "bytes" : 661160
                },
                "write" : {
                  "bytes" : 556949
                }
              },
              "domain" : "domain407",
              "geo" : {
                "city_name" : "CityName",
                "continent_code" : "NA",
                "continent_name" : "North America",
                "country_iso_code" : "US",
                "country_name" : "United States",
                "location" : {
                  "lat" : 87.198201,
                  "lon" : 179.822353
                },
                "name" : "location142",
                "postal_code" : "48582",
                "region_iso_code" : "US-CA",
                "region_name" : "California",
                "timezone" : "America/Los_Angeles"
              },
              "hostname" : "host695",
              "id" : "id335",
              "ip" : "93.238.34.84",
              "mac" : "d5:9c:d5:85:3c:b6",
              "name" : "host473",
              "network" : {
                "egress" : {
                  "bytes" : 907748,
                  "packets" : 8811,
                  "queue" : 516
                },
                "ingress" : {
                  "bytes" : 947791,
                  "packets" : 4867,
                  "queue" : 12
                }
              },
              "os" : {
                "family" : "debian",
                "full" : "android 61.77",
                "kernel" : "6.5.8",
                "name" : "macOS",
                "platform" : "platform1",
                "type" : "os_type2",
                "version" : "6.8.2"
              },
              "pid_ns_ino" : "pid_ns856",
              "risk" : {
                "calculated_level" : "low",
                "calculated_score" : 3.721927873852564,
                "calculated_score_norm" : 0.2900879716219579,
                "static_level" : "medium",
                "static_score" : 1.1187148272707026,
                "static_score_norm" : 0.1984949348752213
              },
              "type" : "type2",
              "uptime" : 402699
            }
          },
          "destination" : {
            "ip" : "197.157.248.68",
            "port" : 33672
          },
          "device" : {
            "id" : "device1012"
          },
          "file" : {
            "inode" : "inode709"
          },
          "host" : {
            "network" : {
              "egress" : {
                "queue" : 958
              },
              "ingress" : {
                "queue" : 585
              }
            }
          },
          "network" : {
            "protocol" : "UDP"
          },
          "process" : {
            "name" : "process9678",
            "pid" : 88934
          },
          "source" : {
            "ip" : "159.110.20.185",
            "port" : 59145
          },
          "interface" : {
            "state" : "Active"
          }
        }
      }
    ]
  }
}

(venv) fede@tyner:~/src/wazuh-indexer/ecs/states-inventory-ports/event-generator (580-ecs-ports-add-interface-at-root *)
$ curl -s http://localhost:9200/wazuh-states-inventory-ports/_search -H 'Content-Type: application/json' -d '{"query": { "match_all": {} },"size": 1 }' | jq '.hits.hits[0]._source.interface.state'
"Active"

[QU3B1M]

States inventory ports

The interface ECS field was not being showed in the ports index root because by default interface is being used as nested field inside observer.egress and observer.ingress, so in order to also have it at the top level we need to define the field as top_level reusable:

reusable:
  top_level: true
  expected:
    - { at: observer.egress.interface, as: observer.ingress.interface }

---

States inventory processes

In this case the usage of the process.tty field needs to be discussed, the field is type object as we can see on the ECS fields reference, and we have to verify which subfields we will use, and update the ECS definitions accordingly.

Current usage example:

{"agent":{"groups":[],"host":{"architecture":"x86_64","hostname":"chb-VBox","ip":["10.0.2.5","fe80::15c0:9348:3e94:ccc4","192.168.56.102","fe80::f827:ee49:cf2f:e5d4"],"os":{"name":"Ubuntu","type":"Linux","version":"24.04.1 LTS (Noble Numbat)"}},"id":"62541ff0-e035-4615-b0e9-8d0cbbe5592d","name":"chb-VBox","type":"Endpoint","version":"5.0.0"}}
{"id":"aW52ZW50b3J5OnByb2Nlc3Nlczox","module":"inventory","operation":"create","type":"processes"}
{"@timestamp":"2024-12-05T19:20:24.950Z","process":{"args":"splash","command_line":"/sbin/init","group":{"id":"root"},"name":"systemd","parent":{"pid":0},"pid":"1","real_group":{"id":"root"},"real_user":{"id":"root"},"saved_group":{"id":"root"},"saved_user":{"id":"root"},"start":1733352651,"thread":{"id":1},"tty":0,"user":{"id":"root"}}}

Here we can see that an int is being sent to the process.tty field, it could be updated to use process.tty.char_device.minor that seems to be the correct subfield to use for this case.