Add ECS docs #462

Closed
wants to merge 35 commits into from
8891e75
Add ECS docs
AlexRuiz7 Oct 15, 2024
eb10ddd
Fix some titles from ECS docs
AlexRuiz7 Oct 15, 2024
fc22c80
Merge 4.10.2 into master (#475)
AlexRuiz7 Oct 18, 2024
7420623
Fix tar packages plugin bundling (#466)
f-galland Oct 18, 2024
0310567
Implement Vagrantfile for generic testing environment (#474)
QU3B1M Oct 18, 2024
7918036
Fix pre-start.sh script for Vagrant environment (#479)
QU3B1M Oct 21, 2024
54cda64
Remove trailing hyphen from the states-vulnerabilities index pattern
AlexRuiz7 Oct 22, 2024
d8934c6
Use latest version of the states-vulnerabilities index template
AlexRuiz7 Oct 22, 2024
bf276c1
Merge branch 'master' into 270-add-ecs-index-templates
AlexRuiz7 Oct 22, 2024
7a9feb4
Merge branch 'master' into 270-add-ecs-index-templates
AlexRuiz7 Oct 22, 2024
0200822
Update states-vulnerability doc fixing groups field naming
QU3B1M Oct 23, 2024
528ee41
Merge branch 'master' into 270-add-ecs-index-templates
AlexRuiz7 Nov 5, 2024
3336994
Add documentation for network fields mappings
f-galland Nov 6, 2024
db57564
Set the right types for network fields
f-galland Nov 6, 2024
713c223
Fix remaining pending fields
f-galland Nov 6, 2024
7371312
Add states-inventory-networks mappings and template
f-galland Nov 7, 2024
a1084f5
Remove event.id from custom fields
f-galland Nov 7, 2024
21c938b
Add states-inventory-hardware mapping files
f-galland Nov 7, 2024
db78863
Add hotfixes template files
f-galland Nov 7, 2024
e83b2b5
Moving hardware specs from device to host
f-galland Nov 7, 2024
45a8f39
Add custom level flag to custom hardware fields
f-galland Nov 7, 2024
ec73406
Fix custom fields in hotfixes template
f-galland Nov 7, 2024
284a6b3
Fix nested custom fields
f-galland Nov 8, 2024
979d5b7
Switch nested objects to dotted notation
f-galland Nov 8, 2024
a9606b0
Used dotted notation for hotfixes
f-galland Nov 8, 2024
1f668f7
Add agent object
f-galland Nov 8, 2024
af58561
Fix doc files
f-galland Nov 8, 2024
e22b417
Split ports to its own index
f-galland Nov 11, 2024
0b6ae82
Add ports docs
f-galland Nov 11, 2024
4731cd0
Add ports docs
f-galland Nov 11, 2024
3a93c10
Remove port fields off networks table
f-galland Nov 11, 2024
a55f688
Update networks index subset
f-galland Nov 11, 2024
e7eeb81
Update networks index custom fields
f-galland Nov 11, 2024
73776e6
Update ecs/docs/inventory-4.x.md
AlexRuiz7 Nov 11, 2024
76fd1a5
Merge branch 'master-2.16.0' into 270-add-ecs-index-templates
AlexRuiz7 Nov 12, 2024
110 changes: 110 additions & 0 deletions ecs/docs/agents.md
@@ -0,0 +1,110 @@
## `agents` index data model

### Fields summary

The fields are based on https://github.com/wazuh/wazuh/issues/23396#issuecomment-2176402993

Based on ECS [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html).

| Field | ECS field | Type | Description |
| ----------------- | ---------------------- | ------- | ---------------------------------------------------------------------- |
| uuid | `agent.id` | keyword | Agent's ID |
| name | `agent.name` | keyword | Agent's name |
| groups | \*`agent.groups` | keyword | Agent's groups |
| internal_key | \*`agent.key` | keyword | Agent's registration key |
| type | `agent.type` | keyword | Type of agent |
| version | `agent.version` | keyword | Agent's version |
| connection_status | \*`agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login` |
| last_keepalive | \*`agent.last_login` | date | Agent's last login |
| ip | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. |
| os\_\* | `host.os.full` | keyword | Operating system name, including the version or code name. |

\* Custom field

### ECS mapping

```yml
---
name: agent
fields:
base:
fields:
tags: []
agent:
fields:
id: {}
name: {}
type: {}
version: {}
groups: {}
key: {}
last_login: {}
is_connected: {}
host:
fields:
ip: {}
os:
fields:
full: {}
```

```yml
---
---
- name: agent
title: Wazuh Agents
short: Wazuh Inc. custom fields.
type: group
group: 2
fields:
- name: groups
type: keyword
level: custom
description: >
The groups the agent belongs to.
- name: key
type: keyword
level: custom
description: >
The agent's registration key.
- name: last_login
type: date
level: custom
description: >
The agent's last login.
- name: is_connected
type: boolean
level: custom
description: >
Agents' interpreted connection status depending on `agent.last_login`.

```

### Index settings

```json
{
"index_patterns": [".agents*"],
"priority": 1,
"template": {
"settings": {
"index": {
"hidden": true,
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
"agent.name",
"agent.type",
"agent.version",
"agent.name",
"host.os.full",
"host.ip"
]
}
}
}
}
```
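Review bot: `"agent.name"` is listed twice in `query.default_field` under "Index settings"; drop the second occurrence so the default search fields are `agent.id`, `agent.groups`, `agent.name`, `agent.type`, `agent.version`, `host.os.full`, `host.ip`. The second YAML block (the custom fields definition) also opens with two consecutive `---` document separators, which will be read as an empty document followed by the field list; one `---` is enough. Finally, the table maps `internal_key` to the custom field `agent.key`, described as the agent's registration key: since this is a credential, the doc should state whether it needs to be indexed and searchable at all (it is correctly absent from `query.default_field`), or whether `index: false` on the mapping is the intended setting.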