From 69258b3ccdb7a49c26ecc1e72921f626389a219b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Wed, 18 Sep 2024 18:06:33 +0200 Subject: [PATCH 1/2] Add commands index template definition --- ecs/command/fields/custom/command.yml | 79 +++++++++++++++++++ ecs/command/fields/mapping-settings.json | 4 + ecs/command/fields/subset.yml | 8 ++ .../fields/template-settings-legacy.json | 20 +++++ ecs/command/fields/template-settings.json | 22 ++++++ 5 files changed, 133 insertions(+) create mode 100644 ecs/command/fields/custom/command.yml create mode 100644 ecs/command/fields/mapping-settings.json create mode 100644 ecs/command/fields/subset.yml create mode 100644 ecs/command/fields/template-settings-legacy.json create mode 100644 ecs/command/fields/template-settings.json
diff --git a/ecs/command/fields/custom/command.yml b/ecs/command/fields/custom/command.yml
new file mode 100644
index 0000000000000..90f91632be4e3
--- /dev/null
+++ b/ecs/command/fields/custom/command.yml
@@ -0,0 +1,79 @@
+---
+- name: command
+ title: Wazuh commands
+ short: Wazuh Inc. custom fields.
+ description: >
+ This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers.
+ type: group
+ group: 2
+ fields:
+ - name: source
+ type: keyword
+ level: custom
+ description: >
+ Origin of the request.
+ - name: user
+ type: keyword
+ level: custom
+ description: >
+ The user that originated the request.
+ - name: target
+ type: keyword
+ level: custom
+ description: >
+ Wazuh Server Cluster name to send the command to.
+ - name: type
+ type: keyword
+ level: custom
+ description: >
+ The requested action type. One of 'agent_group', 'agent', 'wazuh_server'.
+ - name: action.type
+ type: keyword
+ level: custom
+ description: >
+ The actual requested action. One of Agent groups, Agent, Server cluster.
+ - name: action.args
+ type: keyword
+ level: custom
+ description: >
+ Array of command arguments, starting with the absolute path to the executable.
+ - name: action.version
+ type: keyword
+ level: custom
+ description: >
+ Version of the command's schema.
+ - name: timeout
+ type: short
+ level: custom
+ description: >
+ Time window in which the command has to be sent to its target.
+ - name: status
+ type: keyword
+ level: custom
+ description: >
+ Status within the Command Manager's context. One of 'pending', 'sent', 'success', 'failure'.
+ - name: result.code
+ type: short
+ level: custom
+ description: >
+ Status code returned by the target.
+ - name: result.message
+ type: keyword
+ level: custom
+ description: >
+ Result message returned by the target.
+ - name: result.data
+ type: keyword
+ level: custom
+ description: >
+ Result data returned by the target.
+ - name: request_id
+ type: short
+ level: custom
+ description: >
+ Unique identifier generated by the Command Manager. Auto-incremental.
+ - name: order_id
+ type: join
+ level: custom
+ description: >
+ Unique identifier generated by the Command Manager. Auto-incremental within the same Command Request ID.
diff --git a/ecs/command/fields/mapping-settings.json b/ecs/command/fields/mapping-settings.json
new file mode 100644
index 0000000000000..0ad2b48fcc1be
--- /dev/null
+++ b/ecs/command/fields/mapping-settings.json
@@ -0,0 +1,4 @@
+{
+ "dynamic": "strict",
+ "date_detection": false
+}
\ No newline at end of file
diff --git a/ecs/command/fields/subset.yml b/ecs/command/fields/subset.yml
new file mode 100644
index 0000000000000..4a9f0c63cf30a
--- /dev/null
+++ b/ecs/command/fields/subset.yml
@@ -0,0 +1,8 @@
+---
+name: command
+fields:
+ base:
+ fields:
+ tags: []
+ command:
+ fields: "*"
diff --git a/ecs/command/fields/template-settings-legacy.json b/ecs/command/fields/template-settings-legacy.json
new file mode 100644
index 0000000000000..896d926e2d48c
--- /dev/null
+++ b/ecs/command/fields/template-settings-legacy.json
@@ -0,0 +1,20 @@
+{
+ "index_patterns": [
+ ".commands*"
+ ],
+ "order": 1,
+ "settings": {
+ "index": {
+ "hidden": true,
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "command.source",
+ "command.target",
+ "command.status",
+ "command.type"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/ecs/command/fields/template-settings.json b/ecs/command/fields/template-settings.json
new file mode 100644
index 0000000000000..6041ec672f4bd
--- /dev/null
+++ b/ecs/command/fields/template-settings.json
@@ -0,0 +1,22 @@
+{
+ "index_patterns": [
+ ".commands*"
+ ],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "hidden": true,
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "command.source",
+ "command.target",
+ "command.status",
+ "command.type"
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
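Review bot: `request_id` is mapped as `short` while its description calls it an auto-incremental unique identifier, so the mapping caps the Command Manager at 32,767 requests before indexing starts failing with an out-of-range value; `type: long` (or at least `integer`) is the safer choice, e.g. `- name: request_id` / `type: long`. `timeout` has the same 16-bit ceiling and its description gives no unit, so adding `(seconds)` or whatever unit the Command Manager actually uses would remove the ambiguity. Separately, `target` is documented as a "Wazuh Server Cluster name" while `type` allows 'agent' and 'agent_group', so the description should state what `target` holds for those types (and the `type` / `action.type` descriptions look like near-duplicates that should be disambiguated). Since `action.args` carries the executable path and arguments the targets will run, anyone who can write to this index can issue commands; a comment on `action.args` such as `# write access to this index must be limited to the Command Manager` would make that trust boundary explicit in the schema.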
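Review bot: `"number_of_replicas": "0"` together with a single shard means the command queue and its results live on exactly one node, so losing that node drops pending commands and the record of what was executed. If this value is intended only for development or single-node installs, the commit message or a README note should say so; otherwise `"number_of_replicas": "1"` is the usual minimum for an index whose contents are security-relevant records. The same setting is repeated in the non-legacy template, so both files would need the change.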
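Review bot: `"hidden": true` only excludes `.commands*` from wildcard expansion; it does not restrict who can read or write the index, and because `command.action.args` holds the executable and arguments the targets will run, write access to this index is effectively command execution on agents and servers. An index template cannot enforce that, so the security-plugin role definitions should restrict write (and ideally read) on `.commands*` to the Command Manager and, where the deployment supports it, register the pattern as a protected system index — that configuration is not part of this patch, so I cannot tell whether it exists. Also `"priority": 1` is a very low priority, so any other composable template matching `.commands*` with a higher priority silently overrides these settings; consider a higher priority or a more specific pattern.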
From 6848a2692a7c37f1c3638f7db25b1e5a808523b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Wed, 18 Sep 2024 18:30:12 +0200 Subject: [PATCH 2/2] Change oreder_id data type --- ecs/command/fields/custom/command.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ecs/command/fields/custom/command.yml b/ecs/command/fields/custom/command.yml
index 90f91632be4e3..77d3427b2b7c4 100644
--- a/ecs/command/fields/custom/command.yml
+++ b/ecs/command/fields/custom/command.yml
@@ -73,7 +73,7 @@ description: > Unique identifier generated by the Command Manager. Auto-incremental. - name: order_id - type: join + type: short level: custom description: > Unique identifier generated by the Command Manager. Auto-incremental within the same Command Request ID.
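Review bot: `short` caps `order_id` at 32,767 orders per request; if a single request fans out to an agent group, that ceiling may be reachable, and the sibling `request_id` a few lines above (also `short`) is described as unique across all requests, so both identifiers would be safer as `integer` or `long`, e.g. `type: long`. Using the same numeric type for `request_id` and `order_id` also lets the Command Manager handle both ids with one code path. Replacing `join` is clearly right, since `join` is a parent/child relation type and not a numeric identifier.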