Add ECS docs #462

Closed
wants to merge 35 commits into from
8891e75
Add ECS docs
AlexRuiz7 Oct 15, 2024
eb10ddd
Fix some titles from ECS docs
AlexRuiz7 Oct 15, 2024
fc22c80
Merge 4.10.2 into master (#475)
AlexRuiz7 Oct 18, 2024
7420623
Fix tar packages plugin bundling (#466)
f-galland Oct 18, 2024
0310567
Implement Vagrantfile for generic testing environment (#474)
QU3B1M Oct 18, 2024
7918036
Fix pre-start.sh script for Vagrant environment (#479)
QU3B1M Oct 21, 2024
54cda64
Remove trailing hyphen from the states-vulnerabilities index pattern
AlexRuiz7 Oct 22, 2024
d8934c6
Use latest version of the states-vulnerabilities index template
AlexRuiz7 Oct 22, 2024
bf276c1
Merge branch 'master' into 270-add-ecs-index-templates
AlexRuiz7 Oct 22, 2024
7a9feb4
Merge branch 'master' into 270-add-ecs-index-templates
AlexRuiz7 Oct 22, 2024
0200822
Update states-vulnerability doc fixing groups field naming
QU3B1M Oct 23, 2024
528ee41
Merge branch 'master' into 270-add-ecs-index-templates
AlexRuiz7 Nov 5, 2024
3336994
Add documentation for network fields mappings
f-galland Nov 6, 2024
db57564
Set the right types for network fields
f-galland Nov 6, 2024
713c223
Fix remaining pending fields
f-galland Nov 6, 2024
7371312
Add states-inventory-networks mappings and template
f-galland Nov 7, 2024
a1084f5
Remove event.id from custom fields
f-galland Nov 7, 2024
21c938b
Add states-inventory-hardware mapping files
f-galland Nov 7, 2024
db78863
Add hotfixes template files
f-galland Nov 7, 2024
e83b2b5
Moving hardware specs from device to host
f-galland Nov 7, 2024
45a8f39
Add custom level flag to custom hardware fields
f-galland Nov 7, 2024
ec73406
Fix custom fields in hotfixes template
f-galland Nov 7, 2024
284a6b3
Fix nested custom fields
f-galland Nov 8, 2024
979d5b7
Switch nested objects to dotted notation
f-galland Nov 8, 2024
a9606b0
Used dotted notation for hotfixes
f-galland Nov 8, 2024
1f668f7
Add agent object
f-galland Nov 8, 2024
af58561
Fix doc files
f-galland Nov 8, 2024
e22b417
Split ports to its own index
f-galland Nov 11, 2024
0b6ae82
Add ports docs
f-galland Nov 11, 2024
4731cd0
Add ports docs
f-galland Nov 11, 2024
3a93c10
Remove port fields off networks table
f-galland Nov 11, 2024
a55f688
Update networks index subset
f-galland Nov 11, 2024
e7eeb81
Update networks index custom fields
f-galland Nov 11, 2024
73776e6
Update ecs/docs/inventory-4.x.md
AlexRuiz7 Nov 11, 2024
76fd1a5
Merge branch 'master-2.16.0' into 270-add-ecs-index-templates
AlexRuiz7 Nov 12, 2024
61 changes: 61 additions & 0 deletions ecs/docs/inventory-hardware.md
@@ -0,0 +1,61 @@
## `wazuh-states-inventory-hardware` index data model

### Fields summary

The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612

Based on ECS:

- [Device Fields](https://www.elastic.co/guide/en/ecs/current/ecs-device.html).
- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-device.html).

| | Field name | ECS field name | Data type | Description |
| --- | ------------ | ----------------------------- | --------- | -------------------------------- |
| | scan_time | @timestamp | date | Timestamp of the scan |
| | board_serial | observer.serial_number | keyword | Serial number of the motherboard |
| * | cpu_name | device.cpu.name | keyword | Name of the CPU |
| * | cpu_cores | device.cpu.cores | long | Number of CPU cores |
| * | cpu_mhz | device.cpu.speed | long | Speed of the CPU in MHz |
| * | ram_total | device.memory.total | long | Total RAM in the system |
| * | ram_free | device.memory.free | long | Free RAM in the system |
| * | ram_usage | device.memory.used.percentage | long | RAM usage as a percentage |

\* Custom fields

### ECS mapping

```yml
---
name: wazuh-states-inventory-hardware
fields:
base:
fields:
tags: []
"@timestamp": {}
observer:
fields:
serial_number: {}
```

### Index settings

```json
{
"index_patterns": [
"wazuh-states-inventory-hardware*"
],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"observer.board_serial"
]
}
}
}
}
```
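Review bot: the Observer Fields bullet links to ecs-device.html, the same page as the Device Fields bullet above it; it should point at the observer fieldset page, https://www.elastic.co/guide/en/ecs/current/ecs-observer.html. In the same file, the Index settings block sets `query.default_field` to `observer.board_serial`, but the table maps `board_serial` to `observer.serial_number` and the ECS mapping block only declares `observer.serial_number`; a default field that is not in the mapping makes unqualified queries match nothing, so use `"observer.serial_number"` there. The table also gives no unit for `ram_total` and `ram_free` (bytes, KB, MB?), which the description column should state.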
12 changes: 12 additions & 0 deletions ecs/states-inventory-hardware/fields/custom/agent.yml
@@ -0,0 +1,12 @@
---
- name: agent
title: Wazuh Agents
short: Wazuh Inc. custom fields.
type: group
group: 2
fields:
- name: groups
type: keyword
level: custom
description: >
The groups the agent belongs to.
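Review bot: the `agent` fieldset declares `short` but no `description`, while `device.yml` in this same change gives its fieldset a `description`; the ECS generator treats `description` as a mandatory fieldset attribute (`short` is only the one-line summary), so add a `description:` entry here to keep the two custom files consistent and to avoid the generator rejecting the fieldset.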
50 changes: 50 additions & 0 deletions ecs/states-inventory-hardware/fields/custom/device.yml
@@ -0,0 +1,50 @@
---
- name: device
title: Device
type: group
group: 2
description: >
Device related data.
fields:
- name: cpu
type: group
group: 2
description: >
CPU related data.
fields:
- name: name
type: keyword
description: >
Name of the CPU.
- name: cores
type: long
description: >
Number of CPU cores.
- name: speed
type: long
description: >
Speed of the CPU in MHz.
- name: memory
type: group
group: 2
description: >
Memory related data.
fields:
- name: total
type: long
description: >
Total RAM in the system.
- name: free
type: long
description: >
Free RAM in the system.
- name: used
type: group
group: 2
description: >
Used memory data.
fields:
- name: percentage
type: long
description: >
Used RAM as a percentage.
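Review bot: none of the leaf fields in `device.yml` carries `level: custom`, while `agent.groups` in `custom/agent.yml` does and the docs table marks every `device.cpu.*` and `device.memory.*` field as custom; add `level: custom` to `name`, `cores`, `speed`, `total`, `free` and `percentage` so generated docs and mappings flag them consistently. Separately, `percentage` is typed `long`, which truncates a value such as 37.5 on ingest; `float` (or `scaled_float`) preserves it. The `total` and `free` descriptions should also state the unit the agent reports in.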
4 changes: 4 additions & 0 deletions ecs/states-inventory-hardware/fields/mapping-settings.json
@@ -0,0 +1,4 @@
{
"dynamic": "strict",
"date_detection": false
}
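Review bot: `"dynamic": "strict"` is the right default for a state index: a document carrying a key that is not in the template is rejected instead of silently widening the mapping, which also prevents an agent from adding arbitrary fields to the index. The cost is that every key the producer emits must exist in the generated mapping, so the custom `device.*` and `agent.groups` fields need to end up in the template, not only in the docs; worth a test that indexes one sample hardware document against the generated template.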
10 changes: 10 additions & 0 deletions ecs/states-inventory-hardware/fields/subset.yml
@@ -0,0 +1,10 @@
---
name: wazuh-states-inventory-hardware
fields:
base:
fields:
tags: []
"@timestamp": {}
observer:
fields:
serial_number: {}
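Review bot: the subset pulls in `base.tags` and `@timestamp`, and `custom/agent.yml` adds `agent.groups`, but neither `tags` nor `agent.groups` appears in the Fields summary table of `ecs/docs/inventory-hardware.md`; add rows for them (or drop `tags` from the subset if it is not populated) so the docs and the template describe the same document.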
14 changes: 14 additions & 0 deletions ecs/states-inventory-hardware/fields/template-settings-legacy.json
@@ -0,0 +1,14 @@
{
"index_patterns": ["wazuh-states-inventory-hardware*"],
"order": 1,
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"observer.board_serial"
]
}
}
}
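Review bot: `query.default_field` lists `observer.board_serial`, but the field defined by `subset.yml` and the docs table is `observer.serial_number`; change it to `"observer.serial_number"`, otherwise unqualified `query_string` searches against this index match nothing. This legacy template also duplicates the settings in `template-settings.json`; keep the two in sync or generate one from the other so they cannot drift.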
18 changes: 18 additions & 0 deletions ecs/states-inventory-hardware/fields/template-settings.json
@@ -0,0 +1,18 @@
{
"index_patterns": [
"wazuh-states-inventory-hardware*"
],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"observer.board_serial"
]
}
}
}
}
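Review bot: `"number_of_replicas": "0"` means the hardware inventory state exists as a single shard copy and is lost if that node's disk fails; `0` is acceptable for the Vagrant test environment added in this PR, but a template shipped to production should default to at least `1` or leave the setting to the cluster defaults. The same unmapped `observer.board_serial` default field that appears in `template-settings-legacy.json` is repeated here and needs the same fix.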