Remove ECS fields from gcp's custom fields definition (#675)

* Remove cloud.instance.name, service.type and dns.answers from gcp's custom fields definition

* Update the Wazuh Common Schema

* Update CHANGELOG.md

* Update push_schema.sh to commit everything under the docs/ folder

* Update the Wazuh Common Schema

---------

Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>
Co-authored-by: Alex Ruiz <alejandro.ruiz.becerra@wazuh.com>
Fede Galland 2025-12-01 12:46:38 -03:00 committed by GitHub
parent 4b03675dfc
commit 3e58e4188a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 35 additions and 40 deletions

View File

@ -79,6 +79,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
- Update `DEVELOPER_GUIDE.md` to use JDK 21 [(#538)](https://github.com/wazuh/wazuh-indexer-plugins/pull/538) - Update `DEVELOPER_GUIDE.md` to use JDK 21 [(#538)](https://github.com/wazuh/wazuh-indexer-plugins/pull/538)
- Fix WCS generator modules detection issues [(#620)](https://github.com/wazuh/wazuh-indexer-plugins/pull/620) - Fix WCS generator modules detection issues [(#620)](https://github.com/wazuh/wazuh-indexer-plugins/pull/620)
- Fix verify_integrations script to read the integrations from module_list.txt [(#640)](https://github.com/wazuh/wazuh-indexer-plugins/pull/640) - Fix verify_integrations script to read the integrations from module_list.txt [(#640)](https://github.com/wazuh/wazuh-indexer-plugins/pull/640)
- Remove ECS fields from gcp's custom fields definition [(#675)](https://github.com/wazuh/wazuh-indexer-plugins/pull/675)
### Security ### Security
- Reduce risk of GITHUB_TOKEN exposure [(#484)](https://github.com/wazuh/wazuh-indexer-plugins/pull/484) - Reduce risk of GITHUB_TOKEN exposure [(#484)](https://github.com/wazuh/wazuh-indexer-plugins/pull/484)
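Review bot: the new changelog line (`Remove ECS fields from gcp's custom fields definition`) understates the user-visible effect of this PR: dropping the custom `dns.answers` definition flips that field's mapping from `nested` to `object` in the generated index template, which is a mapping change and not only a schema cleanup. Suggest naming it in the entry, for example by appending `(dns.answers mapping changes from nested to object)` before the PR link, so anyone scanning the changelog for breaking mapping changes finds it.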

View File

@ -62,7 +62,7 @@ function push_changes() {
echo echo
echo "---> Pushing changes to the repository..." echo "---> Pushing changes to the repository..."
git add plugins/setup/src/main/resources/*.json git add plugins/setup/src/main/resources/*.json
git add ecs/**/docs/fields.csv git add ecs/**/docs/*
git add ecs/module_list.txt git add ecs/module_list.txt
if [[ $(git status --porcelain --untracked-files=no | wc -l) -gt 0 ]]; then if [[ $(git status --porcelain --untracked-files=no | wc -l) -gt 0 ]]; then
git status --short --untracked-files=no git status --short --untracked-files=no
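Review bot: `git add ecs/**/docs/*` is unquoted, so the shell expands it rather than git, and `**` only recurses when `shopt -s globstar` is enabled; without it the pattern degrades to `ecs/*/docs/*`, and if nothing matches the literal string reaches git and fails with a pathspec error. Quoting the pathspec lets git's own matcher handle it: `git add 'ecs/**/docs/*'`. Widening from `fields.csv` to `*` also stages every file under any `docs/` directory, including stray or untracked generator output, and the later `git status --porcelain --untracked-files=no` check no longer filters those because they are now staged; if only the generated docs are meant to be committed, list the expected extensions explicitly instead of `*`.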

View File

@ -1511,16 +1511,13 @@ cloud.instance.id:
type: keyword type: keyword
cloud.instance.name: cloud.instance.name:
dashed_name: cloud-instance-name dashed_name: cloud-instance-name
description: Provides the normalized instance name derived by removing any leading description: Instance name of the host machine.
segments from the VM instance name
example: example-name
flat_name: cloud.instance.name flat_name: cloud.instance.name
ignore_above: 1024 ignore_above: 1024
level: custom level: extended
name: cloud.instance.name name: instance.name
normalize: [] normalize: []
short: Provides the normalized instance name derived by removing any leading segments short: Instance name of the host machine.
from the VM instance name
type: keyword type: keyword
cloud.machine.type: cloud.machine.type:
dashed_name: cloud-machine-type dashed_name: cloud-machine-type
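Review bot: the regenerated `cloud.instance.name` entry now carries the upstream ECS description (`Instance name of the host machine.`), while the value the GCP integration writes there was, per the removed description, a name with leading segments stripped. If the ingest pipeline still strips them, the schema now misdescribes the stored value; either keep that detail in the integration's own documentation or confirm that the pipeline now stores the raw instance name.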
@ -3326,14 +3323,23 @@ dll.pe.sections.virtual_size:
type: long type: long
dns.answers: dns.answers:
dashed_name: dns-answers dashed_name: dns-answers
description: The DNS class of the resource record description: 'An array containing an object for each answer section returned by
the server.
The main keys that should be present in these objects are defined by ECS. Records
that have more information may contain more keys than what ECS defines.
Not all DNS data sources give all details about DNS answers. At minimum, answer
objects must contain the `data` key. If more information is available, map as
much of it to ECS as possible, and add any additional fields to the answer objects
as custom fields.'
flat_name: dns.answers flat_name: dns.answers
level: custom level: extended
name: dns.answers name: answers
normalize: normalize:
- array - array
short: The DNS class of the resource record short: Array of DNS answers.
type: nested type: object
dns.answers.class: dns.answers.class:
dashed_name: dns-answers-class dashed_name: dns-answers-class
description: The class of DNS data contained in this resource record. description: The class of DNS data contained in this resource record.
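Review bot: the old `description` and `short` (`The DNS class of the resource record`) were a copy of `dns.answers.class` and the regenerated text fixes that, but the `type: nested` to `type: object` switch in the same hunk changes query semantics. Under `object` the answer elements are flattened, so a search for `dns.answers.name: X` together with `dns.answers.data: Y` can match across two different answers, whereas `nested` kept each answer's fields correlated. Any detection rule or dashboard over GCP DNS data that used a nested query against `dns.answers` has to be rewritten as a plain bool query and its false-positive behaviour rechecked.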
@ -19465,14 +19471,20 @@ service.target.version:
type: keyword type: keyword
service.type: service.type:
dashed_name: service-type dashed_name: service-type
description: Indicates the type of service that generated the event description: 'The type of the service data is collected from.
example: example-type
The type can be used to group and correlate logs and metrics from one service
type.
Example: If logs or metrics are collected from Elasticsearch, `service.type` would
be `elasticsearch`.'
example: elasticsearch
flat_name: service.type flat_name: service.type
ignore_above: 1024 ignore_above: 1024
level: custom level: core
name: service.type name: type
normalize: [] normalize: []
short: Indicates the type of service that generated the event short: The type of the service.
type: keyword type: keyword
service.version: service.version:
dashed_name: service-version dashed_name: service-version
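Review bot: the two descriptions in this hunk do not mean the same thing. The removed custom text says `Indicates the type of service that generated the event`; the ECS text says `The type of the service data is collected from`, with `elasticsearch` as the example. Before accepting the upstream definition, confirm which value the GCP ingest pipeline actually writes to `service.type`; if it writes the GCP service that emitted the event rather than the collector, the field now documents something different from what it holds.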

View File

@ -116,7 +116,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.1.0,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. 9.1.0,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
9.1.0,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." 9.1.0,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
9.1.0,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 9.1.0,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
9.1.0,true,cloud,cloud.instance.name,keyword,custom,,example-name,Provides the normalized instance name derived by removing any leading segments from the VM instance name 9.1.0,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
9.1.0,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. 9.1.0,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
9.1.0,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. 9.1.0,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id.
9.1.0,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. 9.1.0,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name.
@ -255,7 +255,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.1.0,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. 9.1.0,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size.
9.1.0,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 9.1.0,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
9.1.0,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.1.0,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
9.1.0,true,dns,dns.answers,nested,custom,array,,The DNS class of the resource record 9.1.0,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
9.1.0,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 9.1.0,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
9.1.0,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. 9.1.0,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
9.1.0,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. 9.1.0,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
@ -1501,7 +1501,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.1.0,true,service,service.target.state,keyword,core,,,Current state of the service. 9.1.0,true,service,service.target.state,keyword,core,,,Current state of the service.
9.1.0,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. 9.1.0,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service.
9.1.0,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. 9.1.0,true,service,service.target.version,keyword,core,,3.2.4,Version of the service.
9.1.0,true,service,service.type,keyword,custom,,example-type,Indicates the type of service that generated the event 9.1.0,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
9.1.0,true,service,service.version,keyword,core,,3.2.4,Version of the service. 9.1.0,true,service,service.version,keyword,core,,3.2.4,Version of the service.
9.1.0,true,source,source.address,keyword,extended,,,Source network address. 9.1.0,true,source,source.address,keyword,extended,,,Source network address.
9.1.0,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 9.1.0,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.


View File

@ -856,13 +856,6 @@
description: Contains the original virtual machine instance name prior to any description: Contains the original virtual machine instance name prior to any
normalization normalization
example: example-vminstancename example: example-vminstancename
- name: cloud.instance.name
type: keyword
level: custom
description: >-
Provides the normalized instance name derived by removing any leading segments
from the VM instance name
example: example-name
- name: gcp_dns.vmprojectid - name: gcp_dns.vmprojectid
type: keyword type: keyword
level: custom level: custom
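Review bot: with the custom `cloud.instance.name` entry gone, the field immediately above it (description `Contains the original virtual machine instance name prior to any normalization`) still refers to a normalization whose output no longer has a documented destination. Either drop `prior to any normalization` from that description, or state there that the normalized form is written to the ECS `cloud.instance.name`, so the pair stays readable.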
@ -891,11 +884,6 @@
description: Indicates whether the DNS query was authenticated based on the authAnswer description: Indicates whether the DNS query was authenticated based on the authAnswer
flag flag
example: true example: true
- name: service.type
type: keyword
level: custom
description: Indicates the type of service that generated the event
example: example-type
- name: metricset.name - name: metricset.name
type: keyword type: keyword
level: custom level: custom
@ -1131,12 +1119,6 @@
description: Name of the destination Virtual Private Cloud network where traffic description: Name of the destination Virtual Private Cloud network where traffic
is received is received
example: example-vpc_name example: example-vpc_name
- name: dns.answers
type: nested
level: custom
description: The DNS class of the resource record
normalize:
- array
- name: gcp_audit.event_provider - name: gcp_audit.event_provider
type: keyword type: keyword
level: custom level: custom
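Review bot: this hunk carries the only behavioural change in the PR. The removed block differed from ECS in two places: the copy-pasted description, which is plainly a bug, and `type: nested`, which may have been deliberate because GCP DNS logs can carry several answers per query (the `normalize: - array` here says as much). If nobody can confirm the `nested` choice was accidental, keep a minimal `dns.answers` override with only the type and drop just the wrong description, so this PR stays a documentation fix rather than a mapping change.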

View File

@ -1280,7 +1280,7 @@
"type": "keyword" "type": "keyword"
} }
}, },
"type": "nested" "type": "object"
}, },
"header_flags": { "header_flags": {
"ignore_above": 1024, "ignore_above": 1024,
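Review bot: `"type": "nested"` to `"type": "object"` is a mapping type change for an existing field, and OpenSearch does not apply that in place: indices already created from the old template keep `nested`, only indices created after the template is updated get `object`, so a cluster holds both mappings behind the same alias until the old indices roll over or are reindexed. Add a migration note, or a reindex step in the upgrade path, alongside this template change.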