diff --git a/ecs/docs/README.md b/ecs/docs/README.md new file mode 100644 index 0000000000000..a94635cbce67b --- /dev/null +++ b/ecs/docs/README.md @@ -0,0 +1,22 @@ +# Wazuh Common Schema + +The Wazuh Common Schema is a derivation of the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) (ECS) providing a common data schema for the different central components of Wazuh. + +- [agent](./agent.md) +- [alerts](alerts.md) +- [command](commands.md) +- [states-fim](states-fim.md) +- [states-inventory-hardware](states-inventory-hardware.md) +- [states-inventory-hotfixes](states-inventory-hotfixes.md) +- [states-inventory-networks](states-inventory-networks.md) +- [states-inventory-packages](states-inventory-packages.md) +- [states-inventory-ports](states-inventory-ports.md) +- [states-inventory-processes](states-inventory-processes.md) +- [states-inventory-system](states-inventory-system.md) +- [states-vulnerabilities](states-vulnerabilities.md) + +--- + +### Useful resources +For more information and additional resources, please refer to the following links: +- [ECS schemas repository](https://github.com/elastic/ecs/tree/main/schemas) diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md index 75baa484b83d1..29c9f103e3f55 100644 --- a/ecs/docs/inventory-hardware.md +++ b/ecs/docs/inventory-hardware.md @@ -11,6 +11,7 @@ Based on ECS: | | Field name | Data type | Description | Example | | --- | ----------------------------- | --------- | ------------------------------------ | -------------------------- | +| | `agent.*` | object | All the agent fields. | ` | | | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | | | `observer.serial_number` | keyword | Observer serial number. | | | \* | `host.cpu.name` | keyword | Name of the CPU | | 
@@ -34,8 +35,13 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" observer: fields: serial_number: {} @@ -64,77 +70,10 @@ fields: "template": { "settings": { "index": { - "number_of_replicas": "0", "number_of_shards": "1", - "query.default_field": ["observer.board_serial"], - "refresh_interval": "5s" - } - }, - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - } - }, - "type": "object" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" - } - }, - "type": "object" - } - }, - "type": "object" - } - } - }, - "observer": { - "properties": { - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": ["observer.board_serial"] } } } diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md index fadc5377da19c..23ddbf8855fd3 100644 --- a/ecs/docs/inventory-hotfixes.md +++ b/ecs/docs/inventory-hotfixes.md @@ -10,6 +10,7 @@ Based on ECS: | | Field name | Data type | Description | Example | | --- | --------------------- | --------- | --------------------- | -------------------------- | +| | `agent.*` | object | All the agent fields. | ` | | | `@timestamp` | date | Timestamp of the scan | `2016-05-23T08:05:34.853Z` | | \* | `package.hotfix.name` | keyword | Name of the hotfix | | 
@@ -27,8 +28,13 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" package: fields: hotfix: @@ -40,49 +46,19 @@ fields: ```json { - "index_patterns": ["wazuh-states-inventory-hotfixes*"], + "index_patterns": [ + "wazuh-states-inventory-hotfixes*" + ], "priority": 1, "template": { "settings": { "index": { - "number_of_replicas": "0", "number_of_shards": "1", - "query.default_field": ["package.hotfix.name"], - "refresh_interval": "5s" - } - }, - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "hotfix": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - } + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "package.hotfix.name" + ] } } } diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md index 6459cde110aac..9a565348e1f05 100644 --- a/ecs/docs/inventory-networks.md +++ b/ecs/docs/inventory-networks.md @@ -12,6 +12,7 @@ Based on ECS: | | Field name | Data type | Description | Example | | --- | ---------------------------------- | --------- | ------------------------------------------------------------------------------ | -------------------------------------- | +| | `agent.*` | object | All the agent fields. | ` | | | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | | | `device.id` | keyword | The unique identifier of a device. | `00000000-54b3-e7c7-0000-000046bffd97` | | | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` | 
@@ -51,34 +52,27 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} - destination: - fields: - ip: {} - port: {} - device: - fields: id: {} - file: - fields: - inode: {} + name: {} + type: {} + version: {} + host: + fields: "*" host: + fields: "*" + interface: fields: - ip: {} - mac: {} - network: - fields: - egress: - fields: - bytes: {} - packets: {} - ingress: - fields: - bytes: {} - packets: {} + mtu: {} + state: {} + type: {} network: fields: + broadcast: {} + dhcp: {} + gateway: {} + metric: {} + netmask: {} protocol: {} type: {} observer: @@ -89,27 +83,22 @@ fields: fields: alias: {} name: {} - process: - fields: - name: {} - pid: {} - source: - fields: - ip: {} - port: {} ``` ### Index settings ```json { - "index_patterns": ["wazuh-states-inventory-networks*"], + "index_patterns": [ + "wazuh-states-inventory-networks*" + ], "priority": 1, "template": { "settings": { "index": { - "number_of_replicas": "0", "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", "query.default_field": [ "agent.id", "agent.groups", 
@@ -119,149 +108,7 @@ fields: "observer.ingress.interface.name", "observer.ingress.interface.alias", "process.name" - ], - "refresh_interval": "5s" - } - }, - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "inode": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - } - } - } - } - }, - "network": { - "properties": { - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - } - } - }, - "process": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - } - } - }, - "source": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - } + ] } } } 
diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md index 8091da88b85fa..a40ba21b98631 100644 --- a/ecs/docs/inventory-packages.md +++ b/ecs/docs/inventory-packages.md @@ -10,8 +10,8 @@ Based on ECS: | | Field name | Data type | Description | Example | | --- | ---------------------- | --------- | ------------------------------------ | ------- | +| | `agent.*` | object | All the agent fields. | ` | | | `@timestamp` | date | Timestamp of the scan. | | -| | `agent.id` | keyword | Unique identifier of this agent | | | | `package.architecture` | keyword | Package architecture. | | | | `package.description` | keyword | Description of the package. | | | | `package.installed` | date | Time when package was installed. | | @@ -20,7 +20,6 @@ Based on ECS: | | `package.size` | long | Package size in bytes. | | | | `package.type` | keyword | Package type. | | | | `package.version` | keyword | Package version. | | -| \* | `agent.groups` | keyword | List of groups the agent belong to. | | \* Custom field @@ -47,10 +46,16 @@ fields: base: fields: "@timestamp": {} + tags: [] agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" package: fields: architecture: "" @@ -67,24 +72,24 @@ fields: ```json { - "index_patterns": ["wazuh-states-inventory-packages*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "package.architecture" - "package.name", - "package.version", - "package.type" - ] - } - } + "index_patterns": ["wazuh-states-inventory-packages*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "package.architecture", + "package.name", + "package.version", + "package.type" + ] + } } + } } ``` 
diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md index 863d2a000ac41..ae576b9cc90a4 100644 --- a/ecs/docs/inventory-ports.md +++ b/ecs/docs/inventory-ports.md @@ -12,6 +12,7 @@ Based on ECS: | | Field name | Data type | Description | Example | | --- | ---------------------------- | --------- | ---------------------------------------------- | -------------------------------------- | +| | `agent.*` | object | All the agent fields. | ` | | | `@timestamp` | date | Timestamp of the scan. | `2016-05-23T08:05:34.853Z` | | | `destination.ip` | ip | IP address of the destination. | `["192.168.0.100"]` | | | `destination.port` | long | Port of the destination. | | @@ -40,8 +41,13 @@ fields: "@timestamp": {} agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" destination: fields: ip: {} @@ -53,7 +59,7 @@ fields: fields: inode: {} host: - fields: + fields: network: fields: egress: @@ -82,7 +88,9 @@ fields: ```json { - "index_patterns": ["wazuh-states-inventory-ports*"], + "index_patterns": [ + "wazuh-states-inventory-ports*" + ], "priority": 1, "template": { "settings": { diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md index 087838f7f9c46..fd6494786a8b5 100644 --- a/ecs/docs/inventory-processes.md +++ b/ecs/docs/inventory-processes.md 
@@ -10,8 +10,8 @@ Based on ECS: | | Field name | Data type | Description | Examples | Comments | | --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------- | +| | `agent.*` | object | All the agent fields. | ` | | | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | | -| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | | | | `process.args` | keyword | Array of process arguments. | `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]` | | | | `process.command_line` | wildcard | process.command_line. | `/usr/bin/ssh -l user 10.0.0.16` | | | | `process.name` | keyword | Process name. | `ssh` | | @@ -26,7 +26,6 @@ Based on ECS: | ! | `process.thread.id` | long | Thread ID. | | `thread.group` is **not part of ECS;** but `thread.id` is. | | ! | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification | | \* | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | | -| \* | `agent.groups` | keyword | List of groups the agent belong to. | | | \* Custom field @@ -66,10 +65,16 @@ fields: base: fields: "@timestamp": {} + tags: [] agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" process: fields: pid: {} @@ -101,7 +106,6 @@ fields: thread: fields: id: "" - tty: {} ``` ### Index settings diff --git a/ecs/docs/inventory-system.md b/ecs/docs/inventory-system.md index 1dbc69ff1139e..42dcec74368c5 100644 --- a/ecs/docs/inventory-system.md +++ b/ecs/docs/inventory-system.md 
@@ -11,8 +11,8 @@ Based on ECS: | | Field name | Data type | Description | Example | | --- | ------------------- | --------- | ---------------------------------------------------------- | -------------------------- | +| | `agent.*` | object | All the agent fields. | ` | | | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | -| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | | | `host.architecture` | keyword | Operating system architecture. | `x86_64` | | | `host.hostname` | keyword | Hostname of the host. | | | | `host.os.full` | keyword | Operating system name, including the version or code name. | `Mac OS Mojave` | @@ -21,7 +21,6 @@ Based on ECS: | | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | `darwin` | | | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | `macos` | | | `host.os.version` | keyword | Operating system version as a raw string. | `10.14.1` | -| \* | `agent.groups` | keyword | List of groups the agent belong to. | | \* Custom field @@ -58,23 +57,19 @@ name: wazuh-states-inventory-system fields: base: fields: + tags: [] "@timestamp": {} agent: fields: - id: {} groups: {} - host: - fields: - architecture: {} - hostname: {} + id: {} name: {} - os: - fields: - kernel: {} - full: {} - platform: {} - version: {} - type: {} + type: {} + version: {} + host: + fields: "*" + host: + fields: "*" ``` ### Index settings diff --git a/ecs/docs/states-fim.md b/ecs/docs/states-fim.md index 129fcf9ec94a6..380c71c8d0495 100644 --- a/ecs/docs/states-fim.md +++ b/ecs/docs/states-fim.md 
@@ -11,8 +11,7 @@ Based on ECS: | | Field | Type | Description | Example | | --- | ------------------ | ------- | ----------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | -| \* | \*`agent.groups` | keyword | List of groups the agent belong to. | `["group1", "group2"]` | +| | `agent.*` | object | All the agent fields. | ` | | | `file.attributes` | keyword | Array of file attributes. | `["readonly", "system"]` | | | `file.gid` | keyword | Primary group ID (GID) of the file. | `1001` | | | `file.group` | keyword | Primary group name of the file. | `alice` | @@ -38,12 +37,20 @@ Based on ECS: ```yml --- -name: fim +name: wazuh-states-fim fields: + base: + fields: + tags: [] agent: fields: - id: {} groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" file: fields: attributes: {} diff --git a/ecs/docs/states-vulnerability.md b/ecs/docs/states-vulnerability.md index 61718d1419873..fd560c1134b30 100644 --- a/ecs/docs/states-vulnerability.md +++ b/ecs/docs/states-vulnerability.md 
@@ -12,18 +12,9 @@ Based on ECS: - [Vulnerability Fields](https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html). | | Field | Type | Description | -| --- | ----------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| | `agent.id` | keyword | Unique identifier of this agent. | -| \* | `agent.groups` | keyword | List of groups the agent belong to. | -| | `agent.name` | keyword | Custom name of the agent. | -| | `agent.type` | keyword | Type of agent. | -| | `agent.version` | keyword | Version of the agent. | -| | `host.os.full` | keyword | Operating system name, including the version or code name. | -| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | -| | `host.os.name` | keyword | Operating system name, without the version. | -| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | -| | `host.os.type` | keyword | Use the os.type field to categorize the operating system into one of the broad commercial families. | -| | `host.os.version` | keyword | Operating system version as a raw string. | +| --- | ----------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | +| | `agent.*` | object | All the `agent` fields. | ` | +| | `host.*` | object | All the `host` fields. | | | `package.architecture` | keyword | Package architecture. | | | `package.build_version` | keyword | Additional information about the build version of the installed package. 
| | | `package.checksum` | keyword | Checksum of the installed package for verification. | @@ -67,25 +58,26 @@ Based on ECS: name: wazuh-states-vulnerabilities fields: base: - tags: [] + fields: + tags: [] agent: - fields: "*" + fields: + groups: {} + id: {} + name: {} + type: {} + version: {} + host: + fields: "*" package: fields: "*" host: - fields: - os: - fields: - full: "" - kernel: "" - name: "" - platform: "" - type: "" - version: "" + fields: "*" vulnerability: fields: "*" wazuh: fields: "*" + ``` ```yml diff --git a/ecs/states-fim/event-generator/event_generator.py b/ecs/states-fim/event-generator/event_generator.py index 9c733c286bd43..5cd14d0b389c2 100644 --- a/ecs/states-fim/event-generator/event_generator.py +++ b/ecs/states-fim/event-generator/event_generator.py @@ -155,7 +155,6 @@ def generate_random_data(number): event_data = { 'agent': generate_random_agent(), 'file': generate_random_file(), - 'host': generate_random_host(), 'registry': generate_random_registry() } data.append(event_data) diff --git a/ecs/states-fim/fields/subset.yml b/ecs/states-fim/fields/subset.yml index a9e6f01ce45b0..7eab78e238a21 100644 --- a/ecs/states-fim/fields/subset.yml +++ b/ecs/states-fim/fields/subset.yml @@ -33,11 +33,7 @@ fields: type: {} uid: {} owner: {} - host: - fields: "*" registry: fields: key: {} value: {} - - diff --git a/ecs/states-inventory-hardware/event-generator/event_generator.py b/ecs/states-inventory-hardware/event-generator/event_generator.py index 779272592da66..680410b72f29b 100644 --- a/ecs/states-inventory-hardware/event-generator/event_generator.py +++ b/ecs/states-inventory-hardware/event-generator/event_generator.py 
@@ -39,76 +39,93 @@ def generate_random_agent(): 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), 'version': f'v{random.randint(0, 9)}-stable', 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() + 'host': generate_random_host(False) } return agent -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'cores': random.randint(1, 16), - 'name': f'CPU{random.randint(1, 999)}', - 'speed': random.randint(1000, 5000), - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) +def generate_random_host(is_root_level=False): + if is_root_level: + host = { + 'cpu': { + 'cores': random.randint(1, 16), + 'name': f'CPU{random.randint(1, 999)}', + 'speed': random.randint(1000, 5000), + 'usage': random.uniform(0, 100) }, - 'write': { - 'bytes': random.randint(1000, 1000000) + 'memory': { + 'free': random.randint(1000, 100000), + 'total': random.randint(1000, 100000), + 'used': { + 'percentage': random.uniform(0, 100) + } } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'memory': { - 'free': random.randint(1000, 100000), - 'total': random.randint(1000, 100000), - 'used': { - 'percentage': random.uniform(0, 100) - } - }, - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) + } + else: + host = { + 'architecture': 
random.choice(['x86_64', 'arm64']), + 'boot': { + 'id': f'bootid{random.randint(0, 9999)}' }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } + 'cpu': { + 'cores': random.randint(1, 16), + 'name': f'CPU{random.randint(1, 999)}', + 'speed': random.randint(1000, 5000), + 'usage': random.uniform(0, 100) + }, + 'disk': { + 'read': { + 'bytes': random.randint(1000, 1000000) + }, + 'write': { + 'bytes': random.randint(1000, 1000000) + } + }, + 'domain': f'domain{random.randint(0, 1000)}', + 'geo': generate_random_geo(), + 'hostname': f'host{random.randint(0, 1000)}', + 'id': f'id{random.randint(0, 1000)}', + 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', + 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', + 
'memory': { + 'free': random.randint(1000, 100000), + 'total': random.randint(1000, 100000), + 'used': { + 'percentage': random.uniform(0, 100) + } + }, + 'name': f'host{random.randint(0, 1000)}', + 'network': { + 'egress': { + 'bytes': random.randint(1000, 1000000), + 'packets': random.randint(100, 10000) + }, + 'ingress': { + 'bytes': random.randint(1000, 1000000), + 'packets': random.randint(100, 10000) + } + }, + 'os': { + 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), + 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', + 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', + 'name': random.choice(['Linux', 'Windows', 'macOS']), + 'platform': random.choice(['platform1', 'platform2']), + 'type': random.choice(['os_type1', 'os_type2']), + 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' + }, + 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', + 'risk': { + 'calculated_level': random.choice(['low', 'medium', 'high']), + 'calculated_score': random.uniform(0, 10), + 'calculated_score_norm': random.uniform(0, 1), + 'static_level': random.choice(['low', 'medium', 'high']), + 'static_score': random.uniform(0, 10), + 'static_score_norm': random.uniform(0, 1) + }, + 'type': random.choice(['type1', 'type2']), + 'uptime': random.randint(1000, 1000000) + } return host @@ -145,7 +162,7 @@ def generate_random_data(number): event_data = { '@timestamp': generate_random_date(), 'agent': generate_random_agent(), - 'host': generate_random_host(), + 'host': generate_random_host(True), 'observer': generate_random_observer() } data.append(event_data) diff --git a/ecs/states-inventory-hardware/fields/subset.yml b/ecs/states-inventory-hardware/fields/subset.yml index da5a194e26ddf..b0c1b22ccb286 100644 --- a/ecs/states-inventory-hardware/fields/subset.yml 
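Review bot: The two branches of generate_random_host repeat the `cpu` and `memory` dict literals verbatim, so the value ranges for the root-level host and for agent.host can drift apart with the next edit; build each sub-object once before the `if` and let both branches reference it, which also removes the need for the long else-branch copy. The flag is passed as a bare positional at both call sites (`generate_random_host(False)` in generate_random_agent here, `generate_random_host(True)` in generate_random_data of this file, and the same two calls in ecs/states-inventory-networks/event-generator/event_generator.py); `generate_random_host(is_root_level=True)` reads far better. The identical duplication exists in the networks and ports generators on this page and the same refactor applies there. A short docstring would help the next reader, e.g. `"""Return a random host object: the root-level shape is the small subset indexed at the top of the state, the other shape is the full object nested under agent.host."""`.
```python
def generate_random_host(is_root_level=False):
    """Return a random host object; root-level is the reduced cpu/memory subset, nested is the full agent.host."""
    cpu = {
        'cores': random.randint(1, 16),
        'name': f'CPU{random.randint(1, 999)}',
        'speed': random.randint(1000, 5000),
        'usage': random.uniform(0, 100)
    }
    memory = {
        'free': random.randint(1000, 100000),
        'total': random.randint(1000, 100000),
        'used': {
            'percentage': random.uniform(0, 100)
        }
    }
    if is_root_level:
        return {'cpu': cpu, 'memory': memory}
    host = {
        'architecture': random.choice(['x86_64', 'arm64']),
        # … unchanged: boot, disk, domain, geo, hostname, id, ip, mac …
        'cpu': cpu,
        'memory': memory,
        # … unchanged: name, network, os, pid_ns_ino, risk, type, uptime …
    }
    return host
```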
+++ b/ecs/states-inventory-hardware/fields/subset.yml @@ -18,4 +18,8 @@ fields: fields: serial_number: {} host: - fields: "*" + fields: + memory: + fields: "*" + cpu: + fields: "*" diff --git a/ecs/states-inventory-hotfixes/event-generator/event_generator.py b/ecs/states-inventory-hotfixes/event-generator/event_generator.py index 88cfdd0c76d82..048315afb8313 100644 --- a/ecs/states-inventory-hotfixes/event-generator/event_generator.py +++ b/ecs/states-inventory-hotfixes/event-generator/event_generator.py @@ -137,7 +137,6 @@ def generate_random_data(number): event_data = { '@timestamp': generate_random_date(), 'agent': generate_random_agent(), - 'host': generate_random_host(), 'package': generate_random_package() } data.append(event_data) diff --git a/ecs/states-inventory-hotfixes/fields/subset.yml b/ecs/states-inventory-hotfixes/fields/subset.yml index 7bb4f66950326..3cbf6f38f132f 100644 --- a/ecs/states-inventory-hotfixes/fields/subset.yml +++ b/ecs/states-inventory-hotfixes/fields/subset.yml @@ -14,8 +14,6 @@ fields: version: {} host: fields: "*" - host: - fields: "*" package: fields: hotfix: diff --git a/ecs/states-inventory-networks/event-generator/event_generator.py b/ecs/states-inventory-networks/event-generator/event_generator.py index c9ec2c2fd363f..c22314d4a9860 100644 --- a/ecs/states-inventory-networks/event-generator/event_generator.py +++ b/ecs/states-inventory-networks/event-generator/event_generator.py 
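Review bot: `fields: "*"` under the new `memory:` and `cpu:` keys selects every ECS subfield of those two objects, not only the ones the table in ecs/docs/inventory-hardware.md on this page documents (cpu.name, cores, speed, memory.*), so the generated mapping can silently widen whenever the ECS definition of host.cpu or host.memory grows. If the documented subset is what this state should index, enumerate the keys instead, e.g. `cpu:` / `fields:` / `cores: {}` / `name: {}` / `speed: {}`, and likewise for memory; if the wildcard is deliberate because the generator emits extra keys such as cpu.usage, a one-line comment above `host:` saying so would stop the next reader from narrowing it.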
@@ -39,35 +39,16 @@ def generate_random_agent(): 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), 'version': f'v{random.randint(0, 9)}-stable', 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() + 'host': generate_random_host(False) } return agent -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', +def generate_random_host(is_root_level=False): + if is_root_level: + host = { 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', 'network': { 'egress': { 'bytes': random.randint(1000, 1000000), 
@@ -81,28 +62,67 @@ def generate_random_host(): 'errors': random.randint(0, 100), 'packets': random.randint(100, 10000) } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) + } } + else: + host = { + 'architecture': random.choice(['x86_64', 'arm64']), + 'boot': { + 'id': f'bootid{random.randint(0, 9999)}' + }, + 'cpu': { + 'usage': random.uniform(0, 100) + }, + 'disk': { + 'read': { + 'bytes': random.randint(1000, 1000000) + }, + 'write': { + 'bytes': random.randint(1000, 1000000) + } + }, + 'domain': f'domain{random.randint(0, 1000)}', + 'geo': generate_random_geo(), + 'hostname': f'host{random.randint(0, 1000)}', + 'id': f'id{random.randint(0, 1000)}', + 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', + 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', + 'name': f'host{random.randint(0, 1000)}', + 'network': 
{ + 'egress': { + 'bytes': random.randint(1000, 1000000), + 'drops': random.randint(0, 100), + 'errors': random.randint(0, 100), + 'packets': random.randint(100, 10000) + }, + 'ingress': { + 'bytes': random.randint(1000, 1000000), + 'drops': random.randint(0, 100), + 'errors': random.randint(0, 100), + 'packets': random.randint(100, 10000) + } + }, + 'os': { + 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), + 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', + 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', + 'name': random.choice(['Linux', 'Windows', 'macOS']), + 'platform': random.choice(['platform1', 'platform2']), + 'type': random.choice(['os_type1', 'os_type2']), + 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' + }, + 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', + 'risk': { + 'calculated_level': random.choice(['low', 'medium', 'high']), + 'calculated_score': random.uniform(0, 10), + 'calculated_score_norm': random.uniform(0, 1), + 'static_level': random.choice(['low', 'medium', 'high']), + 'static_score': random.uniform(0, 10), + 'static_score_norm': random.uniform(0, 1) + }, + 'type': random.choice(['type1', 'type2']), + 'uptime': random.randint(1000, 1000000) + } return host @@ -157,7 +177,7 @@ def generate_random_data(number): event_data = { '@timestamp': generate_random_date(), 'agent': generate_random_agent(), - 'host': generate_random_host(), + 'host': generate_random_host(True), 'network': generate_random_network(), 'observer': generate_random_observer() } diff --git a/ecs/states-inventory-packages/event-generator/event_generator.py b/ecs/states-inventory-packages/event-generator/event_generator.py index fda9227d7c826..77034d735931e 100644 --- a/ecs/states-inventory-packages/event-generator/event_generator.py 
+++ b/ecs/states-inventory-packages/event-generator/event_generator.py @@ -142,7 +142,6 @@ def generate_random_data(number): event_data = { '@timestamp': generate_random_date(), 'agent': generate_random_agent(), - 'host': generate_random_host(), 'package': generate_random_package() } data.append(event_data) diff --git a/ecs/states-inventory-packages/fields/custom/host.yml b/ecs/states-inventory-packages/fields/custom/host.yml index a0356d13da657..919648bc0832f 100644 --- a/ecs/states-inventory-packages/fields/custom/host.yml +++ b/ecs/states-inventory-packages/fields/custom/host.yml @@ -1,6 +1,6 @@ --- - name: host reusable: - top_level: true + top_level: false expected: - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/subset.yml b/ecs/states-inventory-packages/fields/subset.yml index f2fdfb2fad9a0..00ebd0b231be4 100644 --- a/ecs/states-inventory-packages/fields/subset.yml +++ b/ecs/states-inventory-packages/fields/subset.yml @@ -14,8 +14,6 @@ fields: version: {} host: fields: "*" - host: - fields: "*" package: fields: architecture: "" diff --git a/ecs/states-inventory-ports/event-generator/event_generator.py b/ecs/states-inventory-ports/event-generator/event_generator.py index bede09340b104..f8af9c3606d01 100644 --- a/ecs/states-inventory-ports/event-generator/event_generator.py +++ b/ecs/states-inventory-ports/event-generator/event_generator.py 
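Review bot: Setting `top_level: false` here is consistent with this state's subset.yml dropping the root-level `host`, but no equivalent flip is visible for states-fim or states-inventory-hotfixes, whose subsets on this page also remove the root-level host; if those directories carry their own `fields/custom/host.yml` with `top_level: true` they will still declare a top-level host that their subset no longer populates (not verifiable from this diff). The file also still ends without a trailing newline (`\ No newline at end of file`); worth fixing while the file is being touched.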
@@ -39,68 +39,80 @@ def generate_random_agent(): 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), 'version': f'v{random.randint(0, 9)}-stable', 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() + 'host': generate_random_host(False) } return agent -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) +def generate_random_host(is_root_level=False): + if is_root_level: + host = { + 'network': { + 'egress': { + 'queue': random.randint(0, 1000) + }, + 'ingress': { + 'queue': random.randint(0, 1000) + } } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000), - 'queue': random.randint(0, 1000) + } + else: + host = { + 'architecture': random.choice(['x86_64', 'arm64']), + 'boot': { + 'id': f'bootid{random.randint(0, 9999)}' }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000), - 'queue': random.randint(0, 1000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 
99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } + 'cpu': { + 'usage': random.uniform(0, 100) + }, + 'disk': { + 'read': { + 'bytes': random.randint(1000, 1000000) + }, + 'write': { + 'bytes': random.randint(1000, 1000000) + } + }, + 'domain': f'domain{random.randint(0, 1000)}', + 'geo': generate_random_geo(), + 'hostname': f'host{random.randint(0, 1000)}', + 'id': f'id{random.randint(0, 1000)}', + 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', + 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', + 'name': f'host{random.randint(0, 1000)}', + 'network': { + 'egress': { + 'bytes': random.randint(1000, 1000000), + 'packets': random.randint(100, 10000), + 'queue': random.randint(0, 1000) + }, + 'ingress': { + 'bytes': random.randint(1000, 1000000), + 'packets': random.randint(100, 10000), + 'queue': random.randint(0, 1000) + } + }, + 'os': { + 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), + 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} 
{random.randint(0, 99)}.{random.randint(0, 99)}', + 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', + 'name': random.choice(['Linux', 'Windows', 'macOS']), + 'platform': random.choice(['platform1', 'platform2']), + 'type': random.choice(['os_type1', 'os_type2']), + 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' + }, + 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', + 'risk': { + 'calculated_level': random.choice(['low', 'medium', 'high']), + 'calculated_score': random.uniform(0, 10), + 'calculated_score_norm': random.uniform(0, 1), + 'static_level': random.choice(['low', 'medium', 'high']), + 'static_score': random.uniform(0, 10), + 'static_score_norm': random.uniform(0, 1) + }, + 'type': random.choice(['type1', 'type2']), + 'uptime': random.randint(1000, 1000000) + } return host @@ -171,7 +183,7 @@ def generate_random_data(number): 'destination': generate_random_destination(), 'device': generate_random_device(), 'file': generate_random_file(), - 'host': generate_random_host(), + 'host': generate_random_host(True), 'network': { 'protocol': random.choice(['TCP', 'UDP', 'ICMP']) }, diff --git a/ecs/states-inventory-ports/fields/subset.yml b/ecs/states-inventory-ports/fields/subset.yml index 549917083aaa8..422989cd48019 100644 --- a/ecs/states-inventory-ports/fields/subset.yml +++ b/ecs/states-inventory-ports/fields/subset.yml @@ -25,7 +25,15 @@ fields: fields: inode: {} host: - fields: "*" + fields: + network: + fields: + egress: + fields: + queue: {} + ingress: + fields: + queue: {} network: fields: protocol: {} diff --git a/ecs/states-inventory-processes/event-generator/event_generator.py b/ecs/states-inventory-processes/event-generator/event_generator.py index 3395616d104c9..3da0e29cd07a2 100644 --- a/ecs/states-inventory-processes/event-generator/event_generator.py +++ b/ecs/states-inventory-processes/event-generator/event_generator.py 
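Review bot: `generate_random_host` now returns two very different shapes — a root-level dict holding only `network.egress.queue` and `network.ingress.queue`, and the full nested `agent.host` object — yet the new definition has no docstring stating which flag value produces which, so the boolean's meaning is only discoverable by reading both branches. A docstring such as `"""Return a random host dict: is_root_level=True yields the trimmed root-level host.* subset, False the full agent.host object."""` would fix that, and each branch could `return {...}` directly instead of assigning `host` and falling through to the shared `return host`. In the else branch `os.family`, `os.full` and `os.name` each draw an independent random choice, so the fixture can carry an `os.name` of `Windows` next to an `os.full` of `debian 12.3`; choosing the distro once (`distro = random.choice([...])`) and reusing it in `family` and `full` keeps the generated documents internally consistent (the same pattern appears in the system generator hunk `@@ -39,66 +39,80 @@`). The root-level subset here appears to mirror the `host.network.*.queue` restriction added in the ports `subset.yml` hunk; a one-line comment above `if is_root_level:` cross-referencing `fields/subset.yml` would keep the two in step when either changes.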
@@ -163,7 +163,6 @@ def generate_random_data(number):
event_data = {
'@timestamp': generate_random_date(),
'agent': generate_random_agent(),
- 'host': generate_random_host(),
'process': generate_random_process()
}
data.append(event_data)
diff --git a/ecs/states-inventory-processes/fields/subset.yml b/ecs/states-inventory-processes/fields/subset.yml
index 55693facfee71..16ccccb2dfb9a 100644
--- a/ecs/states-inventory-processes/fields/subset.yml
+++ b/ecs/states-inventory-processes/fields/subset.yml
@@ -14,8 +14,6 @@ fields:
version: {}
host:
fields: "*"
- host:
- fields: "*"
process:
fields:
pid: {}
diff --git a/ecs/states-inventory-system/event-generator/event_generator.py b/ecs/states-inventory-system/event-generator/event_generator.py
index 0eeae886ec8f4..aa3eeba2ecb66 100644
--- a/ecs/states-inventory-system/event-generator/event_generator.py
+++ b/ecs/states-inventory-system/event-generator/event_generator.py
@@ -39,66 +39,80 @@ def generate_random_agent(): 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), 'version': f'v{random.randint(0, 9)}-stable', 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() + 'host': generate_random_host(False) } return agent -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) +def generate_random_host(is_root_level=False): + if is_root_level: + host = { + 'architecture': random.choice(['x86_64', 'arm64']), + 'hostname': f'host{random.randint(0, 1000)}', + 'os': { + 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', + 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', + 'name': random.choice(['Linux', 'Windows', 'macOS']), + 'platform': random.choice(['platform1', 'platform2']), + 'type': random.choice(['os_type1', 'os_type2']), + 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' + } } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) + else: + host = { + 'architecture': 
random.choice(['x86_64', 'arm64']), + 'boot': { + 'id': f'bootid{random.randint(0, 9999)}' }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } + 'cpu': { + 'usage': random.uniform(0, 100) + }, + 'disk': { + 'read': { + 'bytes': random.randint(1000, 1000000) + }, + 'write': { + 'bytes': random.randint(1000, 1000000) + } + }, + 'domain': f'domain{random.randint(0, 1000)}', + 'geo': generate_random_geo(), + 'hostname': f'host{random.randint(0, 1000)}', + 'id': f'id{random.randint(0, 1000)}', + 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', + 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', + 'name': f'host{random.randint(0, 1000)}', + 'network': { + 'egress': { + 'bytes': random.randint(1000, 1000000), + 
'packets': random.randint(100, 10000) + }, + 'ingress': { + 'bytes': random.randint(1000, 1000000), + 'packets': random.randint(100, 10000) + } + }, + 'os': { + 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), + 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', + 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', + 'name': random.choice(['Linux', 'Windows', 'macOS']), + 'platform': random.choice(['platform1', 'platform2']), + 'type': random.choice(['os_type1', 'os_type2']), + 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' + }, + 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', + 'risk': { + 'calculated_level': random.choice(['low', 'medium', 'high']), + 'calculated_score': random.uniform(0, 10), + 'calculated_score_norm': random.uniform(0, 1), + 'static_level': random.choice(['low', 'medium', 'high']), + 'static_score': random.uniform(0, 10), + 'static_score_norm': random.uniform(0, 1) + }, + 'type': random.choice(['type1', 'type2']), + 'uptime': random.randint(1000, 1000000) + } return host @@ -128,7 +142,7 @@ def generate_random_data(number): event_data = { '@timestamp': generate_random_date(), 'agent': generate_random_agent(), - 'host': generate_random_host() + 'host': generate_random_host(True) } data.append(event_data) return data
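Review bot: The root-level branch of `generate_random_host` emits `os.full`, `os.kernel`, `os.name`, `os.platform`, `os.type` and `os.version` but not `os.family`, while the nested `agent.host` branch emits the complete `os` object including `family`; the system `subset.yml` is not part of this diff, so it is unclear whether the omission is deliberate or an oversight. A comment such as `# root-level host.* carries only the fields declared in fields/subset.yml` above `if is_root_level:` would record the intent, and a reviewer could then check it against the schema. The two branches also duplicate the `os` sub-dict almost verbatim; a small `_random_os()` helper called from both would remove the copy so a future field change is made in one place rather than two.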