From 32ac663fbfee822b271bd62d1d7283df448ffecd Mon Sep 17 00:00:00 2001
From: f-galland
Date: Tue, 12 Nov 2024 09:09:03 -0300
Subject: [PATCH 1/3] Add host schema to agent object

---
 ecs/agent/fields/custom/host.yml | 18 ++++++++++++++++++
 ecs/agent/fields/custom/wazuh-agent.yml | 15 +++++++++++++--
 ecs/agent/fields/subset.yml | 15 ++++++++-------
 3 files changed, 39 insertions(+), 9 deletions(-)
 create mode 100644 ecs/agent/fields/custom/host.yml

diff --git a/ecs/agent/fields/custom/host.yml b/ecs/agent/fields/custom/host.yml
new file mode 100644
index 0000000000000..cd61165caff0a
--- /dev/null
+++ b/ecs/agent/fields/custom/host.yml
@@ -0,0 +1,18 @@
+---
+- name: host
+ title: Wazuh Agents
+ short: Wazuh Inc. custom fields.
+ level: core
+ type: group
+ group: 0
+ reusable:
+ top_level: false
+ expected:
+ - agent
+ fields:
+ - name: os
+ title: Operating system
+ level: custom
+ type: keyword
+ description: >
+ Agent's operating system
\ No newline at end of file
diff --git a/ecs/agent/fields/custom/wazuh-agent.yml b/ecs/agent/fields/custom/wazuh-agent.yml
index 0492778271095..e8e7e53e849ae 100644
--- a/ecs/agent/fields/custom/wazuh-agent.yml
+++ b/ecs/agent/fields/custom/wazuh-agent.yml
@@ -20,8 +20,19 @@
 level: custom
 description: >
 The agent's last login.
- - name: is_connected
- type: boolean
+ - name: status
+ type: keyword
+ level: custom
+ description: >
+ Agents' interpreted connection status depending on `agent.last_login`.
+ allowed_values:
+ - name: active
+ description: Active agent status
+ - name: disconnected
+ description: Disconnected agent status
+ - name: host
+ type: group
 level: custom
 description: >
 Agents' interpreted connection status depending on `agent.last_login`.
+ fields: "*"
\ No newline at end of file
diff --git a/ecs/agent/fields/subset.yml b/ecs/agent/fields/subset.yml
index 2d24cd20429f2..650d0652fafba 100644
--- a/ecs/agent/fields/subset.yml
+++ b/ecs/agent/fields/subset.yml
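Review bot: Replacing `is_connected` (boolean) with `status` (keyword) in the `@@ -20,8 +20,19 @@` hunk of wazuh-agent.yml is a breaking mapping change for any existing agents index, saved query or detection that reads `agent.is_connected`, and neither the hunk nor the commit message mentions a migration or a deprecation note. The new `allowed_values` list is documentation only: the generated keyword mapping does not reject values outside `active`/`disconnected`, so consumers must not treat the set as closed — worth stating in the description, e.g. `Agents' interpreted connection status (active or disconnected) derived from \`agent.last_login\`; the mapping does not enforce these values.`. The three context lines at the top of the hunk belong to a field entry whose `- name:` line is above the hunk.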
@@ -13,10 +13,11 @@ fields:
 groups: {}
 key: {}
 last_login: {}
- is_connected: {}
- host:
- fields:
- ip: {}
- os:
- fields:
- full: {}
\ No newline at end of file
+ status: {}
+ host:
+ fields: "*"
+# fields: "*"
+# ip: {}
+# os:
+# fields:
+# full: {}
\ No newline at end of file

From 9fcdbf36e54ed4374bf42106e392310bb2a4b364 Mon Sep 17 00:00:00 2001
From: f-galland
Date: Tue, 12 Nov 2024 09:33:52 -0300
Subject: [PATCH 2/3] Remove unneeded lines

---
 ecs/agent/fields/custom/host.yml | 14 +------------
 ecs/agent/fields/custom/wazuh-agent.yml | 8 +-------
 ecs/agent/fields/subset.yml | 7 +------
 3 files changed, 3 insertions(+), 26 deletions(-)

diff --git a/ecs/agent/fields/custom/host.yml b/ecs/agent/fields/custom/host.yml
index cd61165caff0a..4398a5d791e6a 100644
--- a/ecs/agent/fields/custom/host.yml
+++ b/ecs/agent/fields/custom/host.yml
@@ -1,18 +1,6 @@
 ---
 - name: host
- title: Wazuh Agents
- short: Wazuh Inc. custom fields.
- level: core
- type: group
- group: 0
 reusable:
 top_level: false
 expected:
- - agent
- fields:
- - name: os
- title: Operating system
- level: custom
- type: keyword
- description: >
- Agent's operating system
\ No newline at end of file
+ - agent
\ No newline at end of file
diff --git a/ecs/agent/fields/custom/wazuh-agent.yml b/ecs/agent/fields/custom/wazuh-agent.yml
index e8e7e53e849ae..7ad791f023672 100644
--- a/ecs/agent/fields/custom/wazuh-agent.yml
+++ b/ecs/agent/fields/custom/wazuh-agent.yml
@@ -29,10 +29,4 @@
 - name: active
 description: Active agent status
 - name: disconnected
- description: Disconnected agent status
- - name: host
- type: group
- level: custom
- description: >
- Agents' interpreted connection status depending on `agent.last_login`.
- fields: "*"
\ No newline at end of file
+ description: Disconnected agent status
\ No newline at end of file
diff --git a/ecs/agent/fields/subset.yml b/ecs/agent/fields/subset.yml
index 650d0652fafba..93442c30b420c 100644
--- a/ecs/agent/fields/subset.yml
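Review bot: `host:` with `fields: "*"` in the `@@ -13,10 +13,11 @@` hunk of subset.yml replaces the previous explicit selection (`ip`, `os.full`) with the whole `host` fieldset, so every `host.*` field the schema knows about — including any fieldset nested under `agent.host`, as PATCH 3/3 does for `os` and `risk` — is mapped into the agents index. If an agent document only ever populates a few host attributes, the explicit list is the safer choice: it keeps the mapping small and makes each addition reviewable, whereas the wildcard silently grows the index whenever the host schema grows. If the wildcard is intentional, a comment next to it saying why would save the next reviewer the same question, e.g. `# all host.* fields: the agent inventory populates more than ip and os.full`.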
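Review bot: After the `@@ -1,18 +1,6 @@` hunk, host.yml is reduced to `- name: host` plus a `reusable` stanza, which appears to rely on the ECS tooling merging this entry by name with the upstream `host` fieldset rather than defining a new group; that is not obvious from six lines, so a header comment would help, e.g. `# Extends the ECS host fieldset: allow host.* to be nested as agent.host.*`. The file is also left without a trailing newline (`\ No newline at end of file` after `- agent`), as are wazuh-agent.yml and subset.yml in this patch and os.yml and risk.yml in PATCH 3/3; yamllint's `new-line-at-end-of-file` check will flag all five.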
+++ b/ecs/agent/fields/subset.yml
@@ -15,9 +15,4 @@ fields:
 last_login: {}
 status: {}
 host:
- fields: "*"
-# fields: "*"
-# ip: {}
-# os:
-# fields:
-# full: {}
\ No newline at end of file
+ fields: "*"
\ No newline at end of file

From e0c23fbae501eb47806bf1f62e19a5cc4f622ea3 Mon Sep 17 00:00:00 2001
From: f-galland
Date: Tue, 12 Nov 2024 10:25:20 -0300
Subject: [PATCH 3/3] Add agent.host.os and agent.host.risk missing fields

---
 ecs/agent/fields/custom/os.yml | 6 ++++++
 ecs/agent/fields/custom/risk.yml | 6 ++++++
 2 files changed, 12 insertions(+)
 create mode 100644 ecs/agent/fields/custom/os.yml
 create mode 100644 ecs/agent/fields/custom/risk.yml

diff --git a/ecs/agent/fields/custom/os.yml b/ecs/agent/fields/custom/os.yml
new file mode 100644
index 0000000000000..952c2d6e93a40
--- /dev/null
+++ b/ecs/agent/fields/custom/os.yml
@@ -0,0 +1,6 @@
+---
+- name: os
+ reusable:
+ top_level: false
+ expected:
+ - agent.host
\ No newline at end of file
diff --git a/ecs/agent/fields/custom/risk.yml b/ecs/agent/fields/custom/risk.yml
new file mode 100644
index 0000000000000..1c06213bc6205
--- /dev/null
+++ b/ecs/agent/fields/custom/risk.yml
@@ -0,0 +1,6 @@
+---
+- name: risk
+ reusable:
+ top_level: false
+ expected:
+ - agent.host
\ No newline at end of file
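Review bot: os.yml and risk.yml (the two `@@ -0,0 +1,6 @@` hunks) carry no comment saying why exactly these two fieldsets are listed as nestable under `agent.host`; the files are identical apart from the name, so a reader cannot tell intent from accident, and the commit title's "missing fields" is not what the files do — they only add `agent.host` to each fieldset's `expected` nesting list, and whether the fields then appear depends on subset.yml's `fields: "*"` for host. A one-line header in each would settle it, e.g. `# Allow the ECS os fieldset to be nested as agent.host.os.* (nested reusables must be listed explicitly)` — if that is indeed why the entry is needed. For `risk` in particular, if no producer populates `agent.host.risk.*`, the wildcard subset maps the whole risk fieldset for nothing; naming the producer in the comment would justify it.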