Add checksum fields to the Inventory Enrichment tier 2 indices (#569)

* Add checksum fields to the Inventory Enrichment tier 2 indices * Add missing files * Update ECS templates for modified modules: states-inventory-browser-extensions states-inventory-services * Add changelog entry --------- Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>
2025-12-11 02:29:20 -06:00 · 2025-09-10 11:42:56 +02:00 · 2025-09-10 11:42:56 +02:00 · 5c779d2a57
commit 5c779d2a57
parent 6c8c600ff8
11 changed files with 71 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -27,7 +27,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Third-party integrations maintenance [(#478)](https://github.com/wazuh/wazuh-indexer-plugins/pull/478) [(#540)](https://github.com/wazuh/wazuh-indexer-plugins/pull/540) [(#548)](https://github.com/wazuh/wazuh-indexer-plugins/pull/548) [(#566)](https://github.com/wazuh/wazuh-indexer-plugins/pull/566)
 - Replace and remove deprecated settings [(#476)](https://github.com/wazuh/wazuh-indexer-plugins/pull/476)
 - Migrate WCS changes from 4.x [(#488)](https://github.com/wazuh/wazuh-indexer-plugins/pull/488) [(#552)](https://github.com/wazuh/wazuh-indexer-plugins/pull/552) [(#568)](https://github.com/wazuh/wazuh-indexer-plugins/pull/568)
- Implement checksum fields into stateful ECS mappings [(#519)](https://github.com/wazuh/wazuh-indexer-plugins/pull/519)
+- Implement checksum fields into stateful ECS mappings [(#519)](https://github.com/wazuh/wazuh-indexer-plugins/pull/519) [(#569)](https://github.com/wazuh/wazuh-indexer-plugins/pull/569)
 - FIM indices rework [(#509)](https://github.com/wazuh/wazuh-indexer-plugins/pull/509)
 - Add state.modified_at to stateful indexes [(#561)](https://github.com/wazuh/wazuh-indexer-plugins/pull/561)

--- a/ecs/states-inventory-browser-extensions/docs/fields.csv
+++ b/ecs/states-inventory-browser-extensions/docs/fields.csv
@ -8,6 +8,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,browser,browser.profile.name,keyword,custom,,default,Name of the browser profile.
 8.11.0,true,browser,browser.profile.path,keyword,custom,,/home/user/.config/google-chrome/Default,Path to the browser profile.
 8.11.0,true,browser,browser.profile.referenced,boolean,custom,,True,Indicates if the extension is referenced by the Preferences file of the browser profile.
+8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
 8.11.0,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
 8.11.0,true,package,package.autoupdate,boolean,custom,,True,Indicates if the browser extension is set to auto-update.
 8.11.0,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
--- a/ecs/states-inventory-browser-extensions/event-generator/event_generator.py
+++ b/ecs/states-inventory-browser-extensions/event-generator/event_generator.py
@ -40,6 +40,14 @@ def generate_random_date():
    return random_date.strftime(DATE_FORMAT)


+def generate_random_checksum():
+    return {
+        'hash': {
+            'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
+        }
+    }
+
+
 def random_sha256():
    return ''.join(random.choices('0123456789abcdef', k=64))

@ -158,6 +166,7 @@ def generate_random_data(number):
        event_data = generate_browser_extension()
        # Add agent and Wazuh data
        event_data["agent"] = generate_agent()
+        event_data["checksum"] = generate_random_checksum(),
        event_data["wazuh"] = generate_wazuh()
        event_data["state"] = {
            "modified_at": generate_random_date()
--- a/ecs/states-inventory-browser-extensions/fields/custom/checksum.yml
+++ b/ecs/states-inventory-browser-extensions/fields/custom/checksum.yml
@ -0,0 +1,11 @@
+---
+- name: checksum
+  title: Checksum
+  description: >
+    Checksum custom fields
+  fields:
+    - name: hash.sha1
+      type: keyword
+      level: custom
+      description: >
+        SHA1 hash used as checksum of the data collected by the agent.
--- a/ecs/states-inventory-browser-extensions/fields/subset.yml
+++ b/ecs/states-inventory-browser-extensions/fields/subset.yml
@ -13,6 +13,8 @@ fields:
        fields:
          architecture: {}
          ip: {}
+  checksum:
+    fields: "*"
  browser:
    fields: "*"
  package:
--- a/ecs/states-inventory-services/docs/fields.csv
+++ b/ecs/states-inventory-services/docs/fields.csv
@ -4,6 +4,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
 8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
 8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
 8.11.0,true,error,error.log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
 8.11.0,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 8.11.0,true,file,file.path.text,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
--- a/ecs/states-inventory-services/event-generator/event_generator.py
+++ b/ecs/states-inventory-services/event-generator/event_generator.py
@ -56,6 +56,14 @@ def generate_agent():
    }


+def generate_random_checksum():
+    return {
+        'hash': {
+            'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
+        }
+    }
+
+
 def generate_file(os_type=OS.LINUX):
    if os_type == OS.LINUX:
        return {
@ -214,6 +222,7 @@ def generate_random_data(number):
        service_data = generate_service(os_type=os_choice)
        event_data = {
            "agent": generate_agent(),
+            "checksum": generate_random_checksum(),
            "process": generate_process(os_type=os_choice, state=service_data["state"]),
            "service": service_data,
            "wazuh": generate_wazuh(),
--- a/ecs/states-inventory-services/fields/custom/checksum.yml
+++ b/ecs/states-inventory-services/fields/custom/checksum.yml
@ -0,0 +1,11 @@
+---
+- name: checksum
+  title: Checksum
+  description: >
+    Checksum custom fields
+  fields:
+    - name: hash.sha1
+      type: keyword
+      level: custom
+      description: >
+        SHA1 hash used as checksum of the data collected by the agent.
--- a/ecs/states-inventory-services/fields/subset.yml
+++ b/ecs/states-inventory-services/fields/subset.yml
@ -13,6 +13,8 @@ fields:
        fields:
          architecture: {}
          ip: {}
+  checksum:
+    fields: "*"
  service:
    fields:
      id: {}
--- a/plugins/setup/src/main/resources/index-template-browser-extensions.json
+++ b/plugins/setup/src/main/resources/index-template-browser-extensions.json
@ -56,6 +56,18 @@
          }
        }
      },
+      "checksum": {
+        "properties": {
+          "hash": {
+            "properties": {
+              "sha1": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
      "file": {
        "properties": {
          "hash": {
--- a/plugins/setup/src/main/resources/index-template-services.json
+++ b/plugins/setup/src/main/resources/index-template-services.json
@ -33,6 +33,18 @@
          }
        }
      },
+      "checksum": {
+        "properties": {
+          "hash": {
+            "properties": {
+              "sha1": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
      "error": {
        "properties": {
          "log": {