Add ECS tty field to states-inventory-processes index
#582
Implemented the ECS field in the processes mapping and index template, and updated the processes event generator. A document is created and indexed using the event generator:
python states-inventory-processes/event-generator/event_generator.py
How many events do you want to generate? 1
Do you want to inject the generated data into your indexer? (y/n) y
Enter the IP of your Indexer (default: '127.0.0.1'):
Enter the port of your Indexer (default: '9200'):
Enter the index name (default: 'wazuh-states-inventory-processes'):
Username (default: 'admin'):
Password (default: 'admin'):
curl "http://127.0.0.1:9200/wazuh-states-inventory-processes/_search"
{"took":37,"timed_out":false,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":1,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"wazuh-states-inventory-processes","_id":"xFl9nJMBmCbqF54MLSRF","_score":1.0,"_source":{"@timestamp": "2024-12-03T09:11:29.917264Z", "agent": {"id": "agent47", "name": "Agent69", "type": "macos", "version": "v4-stable", "groups": ["group29", "group51"], "host": {"architecture": "arm64", "boot": {"id": "bootid329"}, "cpu": {"usage": 18.575911445995775}, "disk": {"read": {"bytes": 692035}, "write": {"bytes": 628663}}, "domain": "domain985", "geo": {"city_name": "CityName", "continent_code": "NA", "continent_name": "North America", "country_iso_code": "US", "country_name": "United States", "location": {"lat": 0.669758, "lon": 106.825856}, "name": "location360", "postal_code": "67075", "region_iso_code": "US-CA", "region_name": "California", "timezone": "America/Los_Angeles"}, "hostname": "host524", "id": "id613", "ip": "254.18.150.120", "mac": "41:8a:d1:ba:04:3d", "name": "host31", "network": {"egress": {"bytes": 271521, "packets": 7782}, "ingress": {"bytes": 989738, "packets": 4030}}, "os": {"family": "RHEL", "full": "ubuntu 1.66", "kernel": "7.6.9", "name": "Windows", "platform": "platform1", "type": "os_type2", "version": "1.3.0"}, "pid_ns_ino": "pid_ns9012", "risk": {"calculated_level": "low", "calculated_score": 1.2468027111501057, "calculated_score_norm": 0.6185025826734944, "static_level": "low", "static_score": 9.981133589199018, "static_score_norm": 0.6663020810075714}, "type": "type1", "uptime": 54873}}, "process": {"args": "arg3668", "command_line": "command3053", "group": {"id": "groupid4862"}, "name": "process7151", "parent": {"pid": 4679}, "pid": 9747, "real_group": {"id": "realgroupid948"}, "real_user": {"id": "realuserid5319"}, "saved_group": {"id": "savedgroupid6671"}, "saved_user": {"id": "saveduserid4572"}, "start": "2024-11-28T00:41:32.051812Z", "thread": {"id": 5382}, "user": {"id": 
"userid7811"}, "tty": {"char_device": {"major": 0}}}}}]}} The index template is loaded correctly curl "http://localhost:9200/_template/index-template-processes?pretty=true"
{
"index-template-processes" : {
"order" : 0,
"index_patterns" : [
"wazuh-states-inventory-processes*"
],
"settings" : {
"index" : {
"refresh_interval" : "5s",
"number_of_shards" : "1",
"number_of_replicas" : "0",
"query" : {
"default_field" : [
"agent.id",
"agent.groups",
"process.name",
"process.pid",
"process.command_line"
]
}
}
},
"mappings" : {
"dynamic" : "strict",
"date_detection" : false,
"properties" : {
"agent" : {
"properties" : {
"host" : {
"properties" : {
"os" : {
"properties" : {
"kernel" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"name" : {
"ignore_above" : 1024,
"fields" : {
"text" : {
"type" : "match_only_text"
}
},
"type" : "keyword"
},
"family" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"type" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"version" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"platform" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"full" : {
"ignore_above" : 1024,
"fields" : {
"text" : {
"type" : "match_only_text"
}
},
"type" : "keyword"
}
}
},
"ip" : {
"type" : "ip"
},
"cpu" : {
"properties" : {
"usage" : {
"type" : "float"
}
}
},
"pid_ns_ino" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"type" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"mac" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"network" : {
"properties" : {
"ingress" : {
"properties" : {
"bytes" : {
"type" : "long"
},
"packets" : {
"type" : "long"
}
}
},
"egress" : {
"properties" : {
"bytes" : {
"type" : "long"
},
"packets" : {
"type" : "long"
}
}
}
}
},
"uptime" : {
"type" : "long"
},
"geo" : {
"properties" : {
"continent_name" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"region_iso_code" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"city_name" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"country_iso_code" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"timezone" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"country_name" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"name" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"continent_code" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"location" : {
"type" : "geo_point"
},
"region_name" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"postal_code" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
},
"disk" : {
"properties" : {
"read" : {
"properties" : {
"bytes" : {
"type" : "long"
}
}
},
"write" : {
"properties" : {
"bytes" : {
"type" : "long"
}
}
}
}
},
"hostname" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"domain" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"name" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"risk" : {
"properties" : {
"calculated_score" : {
"type" : "float"
},
"static_score_norm" : {
"type" : "float"
},
"static_level" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"calculated_score_norm" : {
"type" : "float"
},
"static_score" : {
"type" : "float"
},
"calculated_level" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
},
"id" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"boot" : {
"properties" : {
"id" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
},
"architecture" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
},
"name" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"groups" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"id" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"type" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"version" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
},
"process" : {
"properties" : {
"parent" : {
"properties" : {
"pid" : {
"type" : "long"
}
}
},
"saved_user" : {
"properties" : {
"id" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
},
"real_user" : {
"properties" : {
"id" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
},
"start" : {
"type" : "date"
},
"pid" : {
"type" : "long"
},
"thread" : {
"properties" : {
"id" : {
"type" : "long"
}
}
},
"args" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"name" : {
"ignore_above" : 1024,
"fields" : {
"text" : {
"type" : "match_only_text"
}
},
"type" : "keyword"
},
"tty" : {
"type" : "object",
"properties" : {
"char_device" : {
"properties" : {
"major" : {
"type" : "long"
}
}
}
}
},
"saved_group" : {
"properties" : {
"id" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
},
"real_group" : {
"properties" : {
"id" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
},
"user" : {
"properties" : {
"id" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
},
"command_line" : {
"fields" : {
"text" : {
"type" : "match_only_text"
}
},
"type" : "wildcard"
},
"group" : {
"properties" : {
"id" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
}
}
},
"@timestamp" : {
"type" : "date"
}
}
},
"aliases" : { }
}
}
Description
Implement the field `process.tty.char_device.major` in the `states-inventory-processes` index definition and update the index template in the setup plugin.