From 98d42e865efa54a8abb95b0cdf5408dc89eb6b20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Tue, 19 Mar 2024 22:04:02 +0100 Subject: [PATCH 1/2] Update wazuh-states-vulnerabilities index mapping --- .../event-generator/event_generator.py | 6 ++++-- ecs/vulnerability-detector/fields/custom/wazuh.yml | 12 +++++++++++- ecs/vulnerability-detector/fields/subset.yml | 1 - 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/ecs/vulnerability-detector/event-generator/event_generator.py b/ecs/vulnerability-detector/event-generator/event_generator.py index 0ed75ec9600a1..060868d02ba97 100755 --- a/ecs/vulnerability-detector/event-generator/event_generator.py +++ b/ecs/vulnerability-detector/event-generator/event_generator.py @@ -179,7 +179,9 @@ def generate_random_wazuh(): }, 'schema': { 'version': '1.7.0' - } + }, + 'detected_at': generate_random_date(), + 'published_at': generate_random_date() } return wazuh @@ -188,7 +190,7 @@ def generate_random_data(number): data = [] for _ in range(number): event_data = { - '@timestamp': generate_random_date(), + # '@timestamp': generate_random_date(), 'agent': generate_random_agent(), # 'ecs': {'version': '1.7.0'}, # 'event': generate_random_event(), diff --git a/ecs/vulnerability-detector/fields/custom/wazuh.yml b/ecs/vulnerability-detector/fields/custom/wazuh.yml index f7bcf4f897c07..a692fdd625187 100644 --- a/ecs/vulnerability-detector/fields/custom/wazuh.yml +++ b/ecs/vulnerability-detector/fields/custom/wazuh.yml @@ -23,4 +23,14 @@ type: keyword level: custom description: > - Wazuh schema version. \ No newline at end of file + Wazuh schema version. + - name: detected_at + type: date + level: custom + description: > + Vulnerability's detection date. + - name: published_at + type: date + level: custom + description: > + Vulnerability's publication date. \ No newline at end of file 
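Review bot: In `generate_random_data`, the `'@timestamp'` entry is commented out rather than deleted, adding a third dead line to the `event_data` literal beside the already commented-out `ecs` and `event` entries; remove the line so the generator mirrors the mapping instead of carrying history in comments. Because this was the only per-document time field the generator emitted, and `subset.yml` drops `@timestamp` from the base fields in the same patch, documents in this index carry no event-time field unless one of the new `detected_at`/`published_at` fields is meant to fill that role. If time-based retention or dashboards are expected on this index, make the intent explicit with a comment such as `# No @timestamp: presumably a state index; detected_at is the time field (confirm)`. The body of `generate_random_data` continues outside the hunk.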
diff --git a/ecs/vulnerability-detector/fields/subset.yml b/ecs/vulnerability-detector/fields/subset.yml index f5b0d60757794..951f7e492d1c2 100644 --- a/ecs/vulnerability-detector/fields/subset.yml +++ b/ecs/vulnerability-detector/fields/subset.yml @@ -3,7 +3,6 @@ name: vulnerability_detector fields: base: fields: - "@timestamp": {} tags: [] message: "" agent: From a4b0834bfe3b800c8a63b6542a1825075d0d7755 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Mon, 25 Mar 2024 15:13:40 +0100 Subject: [PATCH 2/2] Extend ECS Vulnerability fields --- ecs/generate.sh | 2 +- .../event-generator/event_generator.py | 6 +++--- .../fields/custom/vulnerability.yml | 19 +++++++++++++++++++ .../fields/custom/wazuh.yml | 10 ---------- 4 files changed, 23 insertions(+), 14 deletions(-) create mode 100644 ecs/vulnerability-detector/fields/custom/vulnerability.yml diff --git a/ecs/generate.sh b/ecs/generate.sh index c819c72a8ca76..4b747c0c9a0cb 100755 --- a/ecs/generate.sh +++ b/ecs/generate.sh @@ -23,7 +23,7 @@ generate_mappings() { # Generate mappings python scripts/generator.py --strict --ref "$ECS_VERSION" \ - --include "$IN_FILES_DIR/custom/wazuh.yml" \ + --include "$IN_FILES_DIR/custom/" \ --subset "$IN_FILES_DIR/subset.yml" \ --template-settings "$IN_FILES_DIR/template-settings.json" \ --template-settings-legacy "$IN_FILES_DIR/template-settings-legacy.json" \ diff --git a/ecs/vulnerability-detector/event-generator/event_generator.py b/ecs/vulnerability-detector/event-generator/event_generator.py index 060868d02ba97..73f8e8be71205 100755 --- a/ecs/vulnerability-detector/event-generator/event_generator.py +++ b/ecs/vulnerability-detector/event-generator/event_generator.py 
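Review bot: In `generate_mappings`, `--include "$IN_FILES_DIR/custom/"` makes the generated index template depend on whatever schema files happen to sit under `custom/` rather than on an explicit list, and nothing in the script tells a reader that dropping a file into that directory changes the template. A one-line comment above the call, `# Every field-definition file under custom/ is merged into the mapping`, would document the convention. This assumes `scripts/generator.py --include` accepts a directory, which is not visible here; if it does not, check whether `--strict` turns that into an error or a silent omission of the custom fields. The `generate_mappings` body starts and ends outside the hunk.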
@@ -163,7 +163,9 @@ def generate_random_vulnerability(): 'temporal': round(random.uniform(0, 10), 1), 'version': round(random.uniform(0, 10), 1) }, - 'severity': random.choice(['Low', 'Medium', 'High', 'Critical']) + 'severity': random.choice(['Low', 'Medium', 'High', 'Critical']), + 'detected_at': generate_random_date(), + 'published_at': generate_random_date(), } return vulnerability @@ -180,8 +182,6 @@ def generate_random_wazuh(): 'schema': { 'version': '1.7.0' }, - 'detected_at': generate_random_date(), - 'published_at': generate_random_date() } return wazuh diff --git a/ecs/vulnerability-detector/fields/custom/vulnerability.yml b/ecs/vulnerability-detector/fields/custom/vulnerability.yml new file mode 100644 index 0000000000000..51be3282cc161 --- /dev/null +++ b/ecs/vulnerability-detector/fields/custom/vulnerability.yml @@ -0,0 +1,19 @@ +- name: vulnerability + title: Vulnerability + group: 2 + short: Fields to describe the vulnerability relevant to an event. + description: > + The vulnerability fields describe information about a vulnerability that is + relevant to an event. + type: group + fields: + - name: detected_at + type: date + level: custom + description: > + Vulnerability's detection date. + - name: published_at + type: date + level: custom + description: > + Vulnerability's publication date. \ No newline at end of file diff --git a/ecs/vulnerability-detector/fields/custom/wazuh.yml b/ecs/vulnerability-detector/fields/custom/wazuh.yml index a692fdd625187..235a746758812 100644 --- a/ecs/vulnerability-detector/fields/custom/wazuh.yml +++ b/ecs/vulnerability-detector/fields/custom/wazuh.yml @@ -24,13 +24,3 @@ level: custom description: > Wazuh schema version. - - name: detected_at - type: date - level: custom - description: > - Vulnerability's detection date. - - name: published_at - type: date - level: custom - description: > - Vulnerability's publication date. \ No newline at end of file
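Review bot: `detected_at` and `published_at` are drawn from two independent `generate_random_date()` calls, so the sample data will routinely contain vulnerabilities detected before they were published, which makes any time-to-detection or "published after detected" validation run against the test index meaningless. Generate `published_at` first and derive `detected_at` as a date no earlier than it; the signature of `generate_random_date` is not in the hunk, so the exact call depends on whether it accepts a lower bound. Also confirm that the string `generate_random_date()` returns matches the default `date` format of the mapping, since the new fields are typed `date` in `vulnerability.yml`. The enclosing `generate_random_vulnerability` starts outside the hunk.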
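Review bot: The two new field descriptions, `Vulnerability's detection date` and `Vulnerability's publication date`, do not say what event each date marks or in which timezone, which is exactly what a consumer of the index needs to interpret them; suggested wording: `Date and time (UTC) at which the vulnerability was first detected on the agent.` and `Date and time (UTC) at which the vulnerability was publicly disclosed by its source, e.g. the CVE feed.` — adjust if the intended source differs. ECS already ships a `vulnerability` field set, so the `title`/`short`/`description` repeated at the top of this file presumably exist only so the generator merges the custom fields into it; a short comment saying so would stop the next maintainer from "fixing" the duplicate text. The file also ends without a trailing newline.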