Add default query fields to vulnerability detector index #40

Merged
merged 7 commits into from
Oct 20, 2023
8 changes: 4 additions & 4 deletions ecs/README.md
Expand Up @@ -8,7 +8,7 @@ This script generates the ECS mappings for the Wazuh indices.
- Python 3.6 or higher
- jq

### Folder structure
### Folder structrue

There is a folder for each module. Inside each folder, there is a `fields` folder with the required
files to generate the mappings. These are the inputs for the ECS generator.
Expand Down Expand Up @@ -62,7 +62,7 @@ curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/wazuh-vulner
```

Notes:
- PUT and POST are interchangeable.
- PUT and POST are interchangable.
- The name of the index template does not matter. Any name can be used.
- Adjust credentials and URL accordingly.
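Review bot: the curl example above still passes `-k` together with `admin:admin`, which disables TLS certificate verification and uses the default credentials; since the "Adjust credentials and URL accordingly" note is being edited here, extend it to say that `-k` is for lab setups only and that production calls should verify the indexer certificate (for example with `--cacert`) and use a non-default user. "PUT and POST are interchangeable" is correct for `_index_template`, but both overwrite an existing template of the same name without warning, so it is worth adding that re-running the command replaces whatever template is already installed under that name.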

Expand All @@ -83,7 +83,7 @@ are required.

For testing purposes, the script `generate_events.py` can be used to generate events for a given module.
Currently, it is only able to generate events for the `vulnerability-detector` module. To support other
modules, please extend or refactor the script.
modules, please extend of refactor the script.

The script prompts for the required parameters, so it can be launched without arguments:

Expand All @@ -95,7 +95,7 @@ The script will generate a JSON file with the events, and will also ask whether
indexer. If the upload option is selected, the script will ask for the indexer URL and port, credentials,
and index name.

The script uses a log file. Check it out for debugging or additional information.
The script uses log file. Check it out for debugging or additonal information.

#### References
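Review bot: "The script uses a log file" still does not say where that file is written, and the lines just above say the script prompts for the indexer URL, credentials and index name; please document the log path and state explicitly that the prompted credentials are not written to the log (and confirm that in `generate_events.py`), since a debug log that captures them would leave indexer credentials on disk next to the generated events.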

18 changes: 17 additions & 1 deletion ecs/vulnerability-detector/fields/template-settings-legacy.json
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,23 @@
},
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "2s"
"refresh_interval": "2s",
"query.default_field": [
"base.tags",
"agent.id",
"ecs.version",
"event.id",
"event.module",
"event.severity",
"host.os.family",
"host.os.full.text",
"host.os.version",
"package.name",
"package.version",
"vulnerability.id",
"vulnerability.description.text",
"vulnerability.severity"
]
}
}
}
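Review bot: `base.tags` looks wrong: in ECS the fields of the base fieldset (`@timestamp`, `tags`, `labels`, `message`) live at the document root, so the mapped field is `tags`, not `base.tags`. `query_string` silently ignores entries of `index.query.default_field` that match no mapped field, so this would not fail, it would just never match; please verify each entry against the generated mapping (GET the index mapping or query `_field_caps` with these names) and change it to `tags` if the generator emits it at the root. The same check applies to the `.text` multi-field entries (`host.os.full.text`, `vulnerability.description.text`), which only resolve if the generator emits that `text` sub-field. Giving the key as `query.default_field` next to `number_of_shards` is fine as long as this object is the index-settings block where the `index.` prefix is implied, as the sibling keys suggest.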
18 changes: 17 additions & 1 deletion ecs/vulnerability-detector/fields/template-settings.json
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,23 @@
},
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "2s"
"refresh_interval": "2s",
"query.default_field": [
"base.tags",
"agent.id",
"ecs.version",
"event.id",
"event.module",
"event.severity",
"host.os.family",
"host.os.full.text",
"host.os.version",
"package.name",
"package.version",
"vulnerability.id",
"vulnerability.description.text",
"vulnerability.severity"
]
}
}
}
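Review bot: this is the same 14-entry list as in template-settings-legacy.json, copied verbatim, and two hand-maintained copies will drift as fields are added to the vulnerability-detector module; consider having the ECS generator (ecs/README.md says the `fields` folder is its input) emit this list into both templates from one source, or at least add a check that the two files agree. `base.tags` has the same problem here as in the legacy file: ECS places `tags` at the document root, so this entry will match no mapped field unless the generator really emits `base.tags`.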