Migrate WCS changes from the wazuh-indexer repository (#568)

* Migrate WCS changes from the wazuh-indexer repository Fortnight #17 - https://github.com/wazuh/wazuh-indexer/issues/1114 * Clean up * Simplify usage of state fields in subset.yml files * Add 'state.modified_at' field to services and browser extensions inventory indices * Remove scan_time from inventory indices transition tables * Update ECS templates for modified modules: states-fim-files states-fim-registry-keys states-fim-registry-values states-inventory-browser-extensions states-inventory-groups states-inventory-hardware states-inventory-hotfixes states-inventory-interfaces states-inventory-networks states-inventory-packages states-inventory-ports states-inventory-processes states-inventory-protocols states-inventory-services states-inventory-system states-inventory-users states-sca states-vulnerabilities * Exclude checking links from https://osquery.io * Add changelog entry * Create browser-extensions and services state indices at start * Fix states-inventory-services event_generator Signed-off-by: Kevin Ledesma <kevin.ledesma@wazuh.com> * Fix browser extensions and services event generators --------- Signed-off-by: Kevin Ledesma <kevin.ledesma@wazuh.com> Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com> Co-authored-by: Kevin Ledesma <kevin.ledesma@wazuh.com>
2025-12-11 02:29:20 -06:00 · 2025-09-05 14:31:46 +02:00 · 2025-09-05 14:31:46 +02:00 · 6c8c600ff8
commit 6c8c600ff8
parent 56758d75dc
103 changed files with 1802 additions and 137 deletions
--- a/.github/workflows/5_codequality_links.yml
+++ b/.github/workflows/5_codequality_links.yml
@ -13,7 +13,7 @@ jobs:
        id: lychee
        uses: lycheeverse/lychee-action@v2
        with:
-          args: --accept=200,403,429  "./**/*.md" "./**/*.txt" --exclude-all-private --insecure --exclude "https://www.gnu.org/licenses"
+          args: --accept=200,403,429  "./**/*.md" "./**/*.txt" --exclude-all-private --insecure --exclude "https://www.gnu.org/licenses" --exclude "https://osquery.io"
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
      - name: Fail if there were link errors
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -26,7 +26,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Adapt setup plugin for 5.x [(#450)](https://github.com/wazuh/wazuh-indexer-plugins/pull/450)
 - Third-party integrations maintenance [(#478)](https://github.com/wazuh/wazuh-indexer-plugins/pull/478) [(#540)](https://github.com/wazuh/wazuh-indexer-plugins/pull/540) [(#548)](https://github.com/wazuh/wazuh-indexer-plugins/pull/548) [(#566)](https://github.com/wazuh/wazuh-indexer-plugins/pull/566)
 - Replace and remove deprecated settings [(#476)](https://github.com/wazuh/wazuh-indexer-plugins/pull/476)
- Migrate WCS changes from 4.x [(#488)](https://github.com/wazuh/wazuh-indexer-plugins/pull/488) [(#552)](https://github.com/wazuh/wazuh-indexer-plugins/pull/552)
+- Migrate WCS changes from 4.x [(#488)](https://github.com/wazuh/wazuh-indexer-plugins/pull/488) [(#552)](https://github.com/wazuh/wazuh-indexer-plugins/pull/552) [(#568)](https://github.com/wazuh/wazuh-indexer-plugins/pull/568)
 - Implement checksum fields into stateful ECS mappings [(#519)](https://github.com/wazuh/wazuh-indexer-plugins/pull/519)
 - FIM indices rework [(#509)](https://github.com/wazuh/wazuh-indexer-plugins/pull/509)
 - Add state.modified_at to stateful indexes [(#561)](https://github.com/wazuh/wazuh-indexer-plugins/pull/561)
--- a/ecs/generator/images/generator.sh
+++ b/ecs/generator/images/generator.sh
@ -37,12 +37,16 @@ remove_multi_fields() {
    .mappings.properties.agent.properties.host.properties.os.properties.name.fields,
    .mappings.properties.host.properties.os.properties.full.fields,
    .mappings.properties.host.properties.os.properties.name.fields,
+    .mappings.properties.vulnerability.properties.description.fields,
    .mappings.properties.process.properties.command_line.fields,
    .mappings.properties.process.properties.name.fields,
    .mappings.properties.vulnerability.properties.description.fields,
    .mappings.properties.file.properties.path.fields,
    .mappings.properties.user.properties.name.fields,
-    .mappings.properties.user.properties.full_name.fields
+    .mappings.properties.user.properties.full_name.fields,
+    .mappings.properties.process.properties.user.properties.name.fields,
+    .mappings.properties.process.properties.executable.fields,
+    .mappings.properties.process.properties.working_directory.fields
  )' "$in_file" > "$out_file"
 }

--- a/ecs/scripts/generate-and-push-templates.sh
+++ b/ecs/scripts/generate-and-push-templates.sh
@ -73,6 +73,7 @@ detect_modified_modules() {
        [states-fim-files]="index-template-fim-files.json"
        [states-fim-registry-keys]="index-template-fim-registry-keys.json"
        [states-fim-registry-values]="index-template-fim-registry-values.json"
+        [states-inventory-browser-extensions]="index-template-browser-extensions.json"
        [states-inventory-groups]="index-template-groups.json"
        [states-inventory-hardware]="index-template-hardware.json"
        [states-inventory-hotfixes]="index-template-hotfixes.json"
@ -82,6 +83,7 @@ detect_modified_modules() {
        [states-inventory-ports]="index-template-ports.json"
        [states-inventory-processes]="index-template-processes.json"
        [states-inventory-protocols]="index-template-protocols.json"
+        [states-inventory-services]="index-template-services.json"
        [states-inventory-system]="index-template-system.json"
        [states-inventory-users]="index-template-users.json"
        [states-sca]="index-template-sca.json"
--- a/ecs/states-fim-files/docs/README.md
+++ b/ecs/states-fim-files/docs/README.md
@ -41,5 +41,4 @@ The detail of the fields can be found in csv file [States FIM files Fields](fiel
 | attributes       | string | List of attributes related to the file.                                   | file.attributes         |        |
 | dev/device       | string | Device that is the source of the file.                                    | file.device             |        |
 | perm/permissions | string | List of permissions related to the file.                                  | file.permissions        | TRUE   |
-| scan_time        | date   | Date/time when the state was last modified.                                      | state.modified_at       | TRUE   |
 
--- a/ecs/states-fim-files/fields/subset.yml
+++ b/ecs/states-fim-files/fields/subset.yml
@ -35,7 +35,6 @@ fields:
      size: {}
      uid: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-fim-files/fields/template-settings-legacy.json
+++ b/ecs/states-fim-files/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.host.architecture",
--- a/ecs/states-fim-files/fields/template-settings.json
+++ b/ecs/states-fim-files/fields/template-settings.json
@ -6,34 +6,33 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
-          "agent.host.architecture",
-          "agent.host.ip",
-          "agent.id",
-          "agent.name",
-          "agent.version",
-          "checksum.hash.sha1",
-          "file.attributes",
-          "file.device",
-          "file.gid",
-          "file.group",
-          "file.hash.md5",
-          "file.hash.sha1",
-          "file.hash.sha256",
-          "file.inode",
-          "file.mtime",
-          "file.owner",
-          "file.path",
-          "file.path.fields.text",
-          "file.permissions",
-          "file.size",
-          "file.uid",
-          "state.modified_at",
-          "wazuh.cluster.name",
-          "wazuh.cluster.node",
-          "wazuh.schema.version"
+            "agent.host.architecture",
+            "agent.host.ip",
+            "agent.id",
+            "agent.name",
+            "agent.version",
+            "checksum.hash.sha1",
+            "file.attributes",
+            "file.device",
+            "file.gid",
+            "file.group",
+            "file.hash.md5",
+            "file.hash.sha1",
+            "file.hash.sha256",
+            "file.inode",
+            "file.mtime",
+            "file.owner",
+            "file.path",
+            "file.path.fields.text",
+            "file.permissions",
+            "file.size",
+            "file.uid",
+            "state.modified_at",
+            "wazuh.cluster.name",
+            "wazuh.cluster.node",
+            "wazuh.schema.version"
        ]
      }
    }
--- a/ecs/states-fim-registry-keys/docs/README.md
+++ b/ecs/states-fim-registry-keys/docs/README.md
@ -37,4 +37,3 @@ The detail of the fields can be found in csv file [States FIM registries Fields]
 | user_name/owner   | string | Name of the owner of the entity (user).             | registry.owner            | TRUE   |
 | permissions/perm  | string | Permissions associated with the registry key.       | registry.permissions      | TRUE   |
 | checksum          | string | SHA1 hash of the file.                              | checksum.hash.sha1        | TRUE   |
-| scan_time         | date   | Date/time when the state was last modified.                | state.modified_at         | TRUE   |
--- a/ecs/states-fim-registry-keys/fields/subset.yml
+++ b/ecs/states-fim-registry-keys/fields/subset.yml
@ -29,8 +29,7 @@ fields:
      permissions: {}
      uid: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"

--- a/ecs/states-fim-registry-keys/fields/template-settings-legacy.json
+++ b/ecs/states-fim-registry-keys/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.host.architecture",
--- a/ecs/states-fim-registry-keys/fields/template-settings.json
+++ b/ecs/states-fim-registry-keys/fields/template-settings.json
@ -6,7 +6,6 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
          "agent.host.architecture",
--- a/ecs/states-fim-registry-values/docs/README.md
+++ b/ecs/states-fim-registry-values/docs/README.md
@ -37,4 +37,3 @@ The detail of the fields can be found in csv file [States FIM registries Fields]
 | name/value        | string | Name of the registry value.                         | registry.value            |        |
 | value_type        | string | Type of the registry value, e.g., "REG_SZ".         | registry.data.type        |        |
 | checksum          | string | SHA1 hash of the file.                              | checksum.hash.sha1        | TRUE   |
-| scan_time         | date   | Date/time when the state was last modified.                | state.modified_at         | TRUE   |
--- a/ecs/states-fim-registry-values/fields/subset.yml
+++ b/ecs/states-fim-registry-values/fields/subset.yml
@ -33,7 +33,6 @@ fields:
      size: {}
      value: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-fim-registry-values/fields/template-settings-legacy.json
+++ b/ecs/states-fim-registry-values/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.host.architecture",
--- a/ecs/states-fim-registry-values/fields/template-settings.json
+++ b/ecs/states-fim-registry-values/fields/template-settings.json
@ -6,7 +6,6 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
          "agent.host.architecture",
--- a/ecs/states-inventory-browser-extensions/docs/README.md
+++ b/ecs/states-inventory-browser-extensions/docs/README.md
@ -0,0 +1,45 @@
+## `wazuh-states-inventory-browser-extensions` index data model
+
+### Fields summary
+
+The fields are based on:
+- [Inventory - Browser Extensions mappings](https://github.com/wazuh/wazuh-agent/issues/805#issuecomment-3050200310) (included in 4.14.0)
+- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
+
+Based on osquery and ECS:
+
+- [chrome extensions table](https://osquery.io/schema/5.16.0/#chrome_extensions).
+- [firefox addons table](https://osquery.io/schema/5.16.0/#firefox_addons).
+- [ie extensions table](https://osquery.io/schema/5.16.0/#ie_extensions).
+- [safari extensions table](https://osquery.io/schema/5.16.0/#safari_extensions).
+- [Package fields](https://www.elastic.co/docs/reference/ecs/ecs-package).
+
+The detail of the fields can be found in csv file [Inventory Browser Extensions Fields](fields.csv).
+
+### Transition table
+
+| #   | Custom | ECS Field Name               | Type        | Source(s)                                                 | Browser / OS            | Description                                             |
+| --- | ------ | ---------------------------- | ----------- | --------------------------------------------------------- | ----------------------- | ------------------------------------------------------- |
+| 1   | 1      | `browser.name`               | `keyword`   | `chrome_extensions.browser_type`                          | All                     | Browser name: `chrome`, `firefox`, `safari`, `ie`, etc. |
+| 2   | 0      | `user.id`                    | `keyword`   | `*_extensions.uid` or `firefox_addons.uid`                | All except IE           | Local user who owns the extension                       |
+| 3   | 0      | `package.name`               | `keyword`   | `name` (all tables)                                       | All                     | Display name of the extension                           |
+| 4   | 1      | `package.id`                 | `keyword`   | `identifier`, `referenced_identifier`, `registry_path`    | All                     | Unique identifier of the extension                      |
+| 5   | 0      | `package.version`            | `keyword`   | `version`, `bundle_version`                               | All                     | Extension version                                       |
+| 6   | 0      | `package.description`        | `keyword`   | `description`                                             | All                     | Optional description                                    |
+| 7   | 1      | `package.vendor`             | `keyword`   | `author`, `creator`, `copyright`                          | Chrome, Firefox, Safari | Author or creator                                       |
+| 8   | 0      | `package.build_version`      | `keyword`   | `safari_extensions.sdk`                                   | Safari                  | Bundle SDK used to compile the extension                |
+| 9   | 0      | `package.path`               | `keyword`   | `path`                                                    | All                     | Path to extension files or manifest                     |
+| 10  | 1      | `browser.profile.name`       | `keyword`   | `chrome_extensions.profile`                               | Chrome                  | Chrome profile name                                     |
+| 11  | 1      | `browser.profile.path`       | `keyword`   | `chrome_extensions.profile_path`                          | Chrome                  | File system path to the Chrome profile                  |
+| 12  | 0      | `package.reference`          | `keyword`   | `chrome_extensions.update_url`                            | Chrome                  | Update URL for the extension                            |
+| 13  | 1      | `package.permissions`        | `keyword[]` | `permissions`, `permissions_json`, `optional_permissions` | Chrome                  | Required or optional permissions                        |
+| 14  | 0      | `package.reference`          | `keyword`   | `firefox_addons.source_url`                               | Firefox                 | URL that installed the addon                            |
+| 15  | 0      | `package.type`               | `keyword`   | `firefox_addons.type`                                     | Firefox                 | Type of addon: `extension`, `webapp`, etc.              |
+| 16  | 1      | `package.enabled`            | `boolean`   | `state`, `active`, `disabled`, `visible`                  | Chrome, Firefox         | Whether the extension is enabled.                       |
+| 17  | 1      | `package.visible`            | `boolean`   | `firefox_addons.visible`                                  | Firefox                 | Whether the addon is visible in the toolbar             |
+| 18  | 1      | `package.autoupdate`         | `boolean`   | `firefox_addons.autoupdate`                               | Firefox                 | If the addon uses background updates                    |
+| 19  | 1      | `package.persistent`         | `boolean`   | `chrome_extensions.persistent`                            | Chrome                  | Persistent across tabs (1 or 0)                         |
+| 20  | 1      | `package.from_webstore`      | `boolean`   | `chrome_extensions.from_webstore`                         | Chrome                  | Installed from webstore                                 |
+| 21  | 1      | `browser.profile.referenced` | `boolean`   | `chrome_extensions.referenced`                            | Chrome                  | Referenced by Chrome Preferences                        |
+| 22  | 0      | `package.installed`          | `date`      | `install_time` / `install_timestamp`                      | Chrome                  | Install time (epoch)                                    |
+| 23  | 0      | `file.hash.sha256`           | `keyword`   | `manifest_hash`                                           | Chrome                  | SHA256 of manifest.json                                 |
--- a/ecs/states-inventory-browser-extensions/docs/fields.csv
+++ b/ecs/states-inventory-browser-extensions/docs/fields.csv
@ -0,0 +1,32 @@
+ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
+8.11.0,true,agent,agent.host.architecture,keyword,core,,x86_64,Operating system architecture.
+8.11.0,true,agent,agent.host.ip,ip,core,array,,Host ip addresses.
+8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+8.11.0,true,browser,browser.name,keyword,custom,,chrome,"Name of the browser. Valid values: chrome, chromium, opera, yandex, brave, edge, edge_beta."
+8.11.0,true,browser,browser.profile.name,keyword,custom,,default,Name of the browser profile.
+8.11.0,true,browser,browser.profile.path,keyword,custom,,/home/user/.config/google-chrome/Default,Path to the browser profile.
+8.11.0,true,browser,browser.profile.referenced,boolean,custom,,True,Indicates if the extension is referenced by the Preferences file of the browser profile.
+8.11.0,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+8.11.0,true,package,package.autoupdate,boolean,custom,,True,Indicates if the browser extension is set to auto-update.
+8.11.0,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+8.11.0,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+8.11.0,true,package,package.enabled,boolean,custom,,True,Indicates if the browser extension is enabled.
+8.11.0,true,package,package.from_webstore,boolean,custom,,True,Indicates if the browser extension was installed from a webstore.
+8.11.0,true,package,package.id,keyword,custom,,com.example.extension,Unique identifier for the browser extension.
+8.11.0,true,package,package.installed,date,extended,,,Time when package was installed.
+8.11.0,true,package,package.name,keyword,extended,,go,Package name
+8.11.0,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+8.11.0,true,package,package.permissions,keyword,custom,array,"[""tabs"", ""storage""]",Permissions required by the browser extension.
+8.11.0,true,package,package.persistent,boolean,custom,,True,Indicates if the browser extension is persistent accross tabs.
+8.11.0,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+8.11.0,true,package,package.type,keyword,extended,,rpm,Package type
+8.11.0,true,package,package.vendor,keyword,custom,,Example Inc.,"Vendor, author or creator of the browser extension."
+8.11.0,true,package,package.version,keyword,extended,,1.12.9,Package version
+8.11.0,true,package,package.visible,boolean,custom,,True,Indicates if the browser extension is visible in the toolbar.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
+8.11.0,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
+8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
+8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
--- a/ecs/states-inventory-browser-extensions/event-generator/event_generator.py
+++ b/ecs/states-inventory-browser-extensions/event-generator/event_generator.py
@ -0,0 +1,229 @@
+#!/bin/python3
+
+import argparse
+import datetime
+import json
+import logging
+import random
+import requests
+import urllib3
+import random
+import string
+import time
+
+# Constants and Configuration
+LOG_FILE = "generate_data.log"
+GENERATED_DATA_FILE = "generatedData.json"
+DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
+# Default values
+INDEX_NAME = "wazuh-states-inventory-browser-extensions"
+USERNAME = "admin"
+PASSWORD = "admin"
+IP = "127.0.0.1"
+PORT = "9200"
+
+# Configure logging
+logging.basicConfig(filename=LOG_FILE, level=logging.INFO)
+
+# Suppress warnings
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+
+def random_string(length=8):
+    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
+
+
+def generate_random_date():
+    start_date = datetime.datetime.now()
+    end_date = start_date - datetime.timedelta(days=10)
+    random_date = start_date + (end_date - start_date) * random.random()
+    return random_date.strftime(DATE_FORMAT)
+
+
+def random_sha256():
+    return ''.join(random.choices('0123456789abcdef', k=64))
+
+
+def random_permissions():
+    return random.sample(
+        ["tabs", "storage", "cookies", "history", "bookmarks", "notifications"],
+        k=random.randint(1, 3)
+    )
+
+
+def random_browser():
+    return random.choice(["chrome", "firefox", "safari", "ie"])
+
+
+def generate_browser_extension():
+    browser = random_browser()
+    is_chrome = browser == "chrome"
+    is_firefox = browser == "firefox"
+    is_safari = browser == "safari"
+    is_ie = browser == "ie"
+
+    # ID and user name
+    user_id = f"user{random.randint(1,10)}" if not is_ie else None
+
+    # Name and ID of the extension
+    ext_name = random.choice(["Adblock Plus", "LastPass", "Grammarly", "Honey", "Dark Reader"])
+    ext_id = random_string(32) if is_chrome else random_string(16)
+
+    # Common fields
+    extension_data = {
+        "browser": {
+            "name": browser,
+            "profile": {}
+        },
+        "user": {
+            "id": user_id
+        },
+        "package": {
+            "name": ext_name,
+            "id": ext_id,
+            "version": f"{random.randint(1,5)}.{random.randint(0,9)}.{random.randint(0,9)}",
+            "description": f"{ext_name} browser extension",
+            "vendor": random.choice(["Google", "Mozilla", "Microsoft", "Independent Dev"]),
+            "build_version": "SafariSDK-602" if is_safari else None,
+            "path": None,
+            "reference": None,
+            "permissions": None,
+            "type": None,
+            "enabled": random.choice([True, False]),
+            "autoupdate": random.choice([True, False]) if is_firefox else None,
+            "persistent": random.choice([True, False]) if is_chrome else None,
+            "from_webstore": random.choice([True, False]) if is_chrome else None,
+            "installed": int(time.time()) - random.randint(1000, 1000000),
+        },
+        "file": {
+            "hash": {
+                "sha256": random_sha256() if is_chrome else None
+            }
+        }
+    }
+
+    # Browser-specific fields
+    if is_chrome:
+        extension_data["browser"]["profile"] = {
+            "name": random.choice(["Default", "Profile 1", "Work"]),
+            "path": f"/home/{user_id}/.config/google-chrome/Profile {random.randint(1,3)}",
+            "referenced": random.choice([True, False])
+        }
+        extension_data["package"]["path"] = f"/home/{user_id}/.config/google-chrome/Profile 1/Extensions/{ext_id}"
+        extension_data["package"]["reference"] = "https://clients2.google.com/service/update2/crx"
+        extension_data["package"]["permissions"] = random_permissions()
+
+    elif is_firefox:
+        extension_data["package"]["type"] = random.choice(["extension", "webapp"])
+        extension_data["package"]["path"] = f"/home/{user_id}/.mozilla/firefox/{random_string(8)}.default/extensions/{ext_id}.xpi"
+        extension_data["package"]["reference"] = f"https://addons.mozilla.org/firefox/downloads/file/{random.randint(1000,9999)}/"
+        extension_data["package"]["visible"] = random.choice([True, False])
+
+    elif is_safari:
+        extension_data["package"]["path"] = f"/Users/{user_id}/Library/Safari/Extensions/{ext_name}.safariextz"
+
+    elif is_ie:
+        extension_data["package"]["path"] = f"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\{ext_id}"
+
+    return extension_data
+
+
+def generate_agent():
+    return {
+        "host": {
+            "architecture": random.choice(["x86_64", "arm64"]),
+            "ip": f"192.168.{random.randint(0, 255)}.{random.randint(1, 254)}"
+        },
+        "id": random_string(8),
+        "name": f"agent-{random.randint(1, 100)}",
+        "version": f"{random.randint(1,5)}.{random.randint(0,9)}.{random.randint(0,9)}"
+    }
+
+
+def generate_wazuh():
+    return {
+        "cluster": {
+            "name": random.choice(["cluster-alpha", "cluster-beta"]),
+            "node": random.choice(["node-1", "node-2", "node-3"])
+        },
+        "schema": {
+            "version": f"{random.randint(1,3)}.{random.randint(0,9)}"
+        }
+    }
+
+
+def generate_random_data(number):
+    data = []
+    for _ in range(number):
+        event_data = generate_browser_extension()
+        # Add agent and Wazuh data
+        event_data["agent"] = generate_agent()
+        event_data["wazuh"] = generate_wazuh()
+        event_data["state"] = {
+            "modified_at": generate_random_date()
+        }
+
+        data.append(event_data)
+    return data
+
+
+def inject_events(ip, port, index, username, password, data, protocol):
+    url = f"{protocol}://{ip}:{port}/{index}/_doc"
+    session = requests.Session()
+    session.auth = (username, password)
+    session.verify = False
+    headers = {"Content-Type": "application/json"}
+
+    for event_data in data:
+        response = session.post(url, json=event_data, headers=headers)
+        if response.status_code != 201:
+            logging.error(f"Error: {response.status_code}")
+            logging.error(response.text)
+            break
+    logging.info("Data injection completed successfully.")
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Generate and optionally inject documents into a Wazuh Indexer cluster."
+    )
+    parser.add_argument(
+        "--protocol",
+        choices=['http', 'https'],
+        default='https',
+        help="Specify the protocol to use: http or https. Default is 'https'."
+    )
+    args = parser.parse_args()
+
+    try:
+        number = int(input("How many events do you want to generate? "))
+    except ValueError:
+        logging.error("Invalid input. Please enter a number.")
+        return
+
+    logging.info(f"Generating {number} events...")
+    data = generate_random_data(number)
+
+    with open(GENERATED_DATA_FILE, "a") as outfile:
+        for event_data in data:
+            json.dump(event_data, outfile)
+            outfile.write("\n")
+
+    logging.info("User data generation completed.")
+
+    inject = input(
+        "Inject the generated data into the indexer? (y/n) ").strip().lower()
+    if inject == "y":
+        ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP
+        port = input(
+            f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT
+        index = input(
+            f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME
+        username = input(f"Username (default: '{USERNAME}'): ") or USERNAME
+        password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD
+        inject_events(ip, port, index, username, password, data, args.protocol)
+
+
+if __name__ == "__main__":
+    main()
+
--- a/ecs/states-inventory-browser-extensions/fields/custom/browser.yml
+++ b/ecs/states-inventory-browser-extensions/fields/custom/browser.yml
@ -0,0 +1,30 @@
+---
+- name: browser
+  title: browser
+  description: > 
+    Fields for browser extensions in Wazuh states inventory.
+  fields:
+    - name: name
+      type: keyword
+      level: custom
+      description: >
+        Name of the browser. Valid values: chrome, chromium, opera, yandex, brave, edge, edge_beta.
+      example: chrome
+    - name: profile.name
+      type: keyword
+      level: custom
+      description: >
+        Name of the browser profile.
+      example: default
+    - name: profile.path
+      type: keyword
+      level: custom
+      description: >
+        Path to the browser profile.
+      example: /home/user/.config/google-chrome/Default
+    - name: profile.referenced
+      type: boolean
+      level: custom
+      description: >
+        Indicates if the extension is referenced by the Preferences file of the browser profile.
+      example: true
--- a/ecs/states-inventory-browser-extensions/fields/custom/host.yml
+++ b/ecs/states-inventory-browser-extensions/fields/custom/host.yml
@ -0,0 +1,6 @@
+---
+- name: host
+  reusable:
+    top_level: true
+    expected:
+      - { at: agent, as: host }
--- a/ecs/states-inventory-browser-extensions/fields/custom/package.yml
+++ b/ecs/states-inventory-browser-extensions/fields/custom/package.yml
@ -0,0 +1,54 @@
+---
+- name: package
+  title: package
+  fields:
+    - name: id
+      type: keyword
+      level: custom
+      description: >
+        Unique identifier for the browser extension.
+      example: com.example.extension
+    - name: vendor
+      type: keyword
+      level: custom
+      description: >
+        Vendor, author or creator of the browser extension.
+      example: Example Inc.
+    - name: permissions
+      type: keyword
+      normalize: 
+       - array
+      level: custom
+      description: >
+        Permissions required by the browser extension.
+      example: '["tabs", "storage"]'
+    - name: enabled
+      type: boolean
+      level: custom
+      description: >
+        Indicates if the browser extension is enabled.
+      example: true
+    - name: visible
+      type: boolean
+      level: custom
+      description: >
+        Indicates if the browser extension is visible in the toolbar.
+      example: true
+    - name: autoupdate
+      type: boolean
+      level: custom
+      description: >
+        Indicates if the browser extension is set to auto-update.
+      example: true
+    - name: persistent
+      type: boolean
+      level: custom
+      description: >
+        Indicates if the browser extension is persistent accross tabs.
+      example: true
+    - name: from_webstore
+      type: boolean
+      level: custom
+      description: >
+        Indicates if the browser extension was installed from a webstore.
+      example: true
--- a/ecs/states-inventory-browser-extensions/fields/custom/state.yml
+++ b/ecs/states-inventory-browser-extensions/fields/custom/state.yml
@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.
--- a/ecs/states-inventory-browser-extensions/fields/custom/wazuh.yml
+++ b/ecs/states-inventory-browser-extensions/fields/custom/wazuh.yml
@ -0,0 +1,21 @@
+---
+- name: wazuh
+  title: Wazuh
+  description: >
+    Wazuh Inc. custom fields
+  fields:
+    - name: cluster.name
+      type: keyword
+      level: custom
+      description: >
+        Wazuh cluster name.
+    - name: cluster.node
+      type: keyword
+      level: custom
+      description: >
+        Wazuh cluster node name.
+    - name: schema.version
+      type: keyword
+      level: custom
+      description: >
+        Wazuh schema version.
--- a/ecs/states-inventory-browser-extensions/fields/mapping-settings.json
+++ b/ecs/states-inventory-browser-extensions/fields/mapping-settings.json
@ -0,0 +1,4 @@
+{
+    "dynamic": "strict",
+    "date_detection": false
+}
--- a/ecs/states-inventory-browser-extensions/fields/subset.yml
+++ b/ecs/states-inventory-browser-extensions/fields/subset.yml
@ -0,0 +1,48 @@
+---
+name: wazuh-states-inventory-browser-extensions
+fields:
+  base:
+    fields:
+      tags: []
+  agent:
+    fields:
+      id: {}
+      name: {}
+      version: {}
+      host:
+        fields:
+          architecture: {}
+          ip: {}
+  browser:
+    fields: "*"
+  package:
+    fields:
+      name: {}
+      id: {}
+      version: {}
+      description: {}
+      vendor: {}
+      build_version: {}
+      path: {}
+      reference: {}
+      permissions: {}
+      type: {}
+      enabled: {}
+      autoupdate: {}
+      persistent: {}
+      from_webstore: {}
+      installed: {}
+      visible: {}
+  file:
+    fields:
+      hash:
+        fields:
+          sha256: {}
+  user:
+    fields:
+      id: {}
+  state:
+    fields: "*"
+  wazuh:
+    fields: "*"
+
--- a/ecs/states-inventory-browser-extensions/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-browser-extensions/fields/template-settings-legacy.json
@ -0,0 +1,29 @@
+{
+  "index_patterns": ["wazuh-states-inventory-browser-extensions*"],
+  "order": 1,
+  "settings": {
+    "index": {
+      "number_of_shards": "1",
+      "number_of_replicas": "0",
+      "refresh_interval": "2s",
+      "query.default_field": [
+        "agent.host.architecture",
+        "agent.host.ip",
+        "agent.id",
+        "agent.name",
+        "agent.version",
+        "browser.name",
+        "user.id",
+        "package.name",
+        "package.id",
+        "package.version",
+        "package.vendor",
+        "package.type",
+        "state.modified_at",
+        "wazuh.cluster.name",
+        "wazuh.cluster.node",
+        "wazuh.schema.version"
+      ]
+    }
+  }
+}
--- a/ecs/states-inventory-browser-extensions/fields/template-settings.json
+++ b/ecs/states-inventory-browser-extensions/fields/template-settings.json
@ -0,0 +1,33 @@
+{
+    "index_patterns": [
+        "wazuh-states-inventory-browser-extensions*"
+    ],
+    "priority": 1,
+    "template": {
+        "settings": {
+            "index": {
+                "number_of_shards": "1",
+                "number_of_replicas": "0",
+                "refresh_interval": "2s",
+                "query.default_field": [
+                    "agent.host.architecture",
+                    "agent.host.ip",
+                    "agent.id",
+                    "agent.name",
+                    "agent.version",
+                    "browser.name",
+                    "user.id",
+                    "package.name",
+                    "package.id",
+                    "package.version",
+                    "package.vendor",
+                    "package.type",
+                    "state.modified_at",
+                    "wazuh.cluster.name",
+                    "wazuh.cluster.node",
+                    "wazuh.schema.version"
+                ]
+            }
+        }
+    }
+}
--- a/ecs/states-inventory-groups/fields/subset.yml
+++ b/ecs/states-inventory-groups/fields/subset.yml
@ -26,8 +26,7 @@ fields:
      is_hidden: {}
      users: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"

--- a/ecs/states-inventory-groups/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-groups/fields/template-settings-legacy.json
@ -7,8 +7,7 @@
        "index": {
            "number_of_shards": "1",
            "number_of_replicas": "0",
-            "auto_expand_replicas": "0-1",
-            "refresh_interval": "5s",
+            "refresh_interval": "2s",
            "query.default_field": [
                "group.name",
                "group.description",
--- a/ecs/states-inventory-groups/fields/template-settings.json
+++ b/ecs/states-inventory-groups/fields/template-settings.json
@ -8,8 +8,7 @@
            "index": {
                "number_of_shards": "1",
                "number_of_replicas": "0",
-                "auto_expand_replicas": "0-1",
-                "refresh_interval": "5s",
+                "refresh_interval": "2s",
                "query.default_field": [
                    "group.name",
                    "group.description",
--- a/ecs/states-inventory-hardware/docs/README.md
+++ b/ecs/states-inventory-hardware/docs/README.md
@ -33,4 +33,3 @@ The detail of the fields can be found in csv file [States inventory hardware Fie
 | cluster_node    | string       | Wazuh cluster node                                             | wazuh.cluster.node   | TRUE   |
 | schema_version  | string       | Wazuh schema version                                           | wazuh.schema.version | TRUE   |
 | checksum        | keyword      | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1   | TRUE   |
-| scan_time       | date         | Date/time when the state was last modified.                           | state.modified_at    | TRUE   |
--- a/ecs/states-inventory-hardware/fields/subset.yml
+++ b/ecs/states-inventory-hardware/fields/subset.yml
@ -27,7 +27,6 @@ fields:
          speed: {}
      serial_number: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-inventory-hardware/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-hardware/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.host.architecture",
--- a/ecs/states-inventory-hardware/fields/template-settings.json
+++ b/ecs/states-inventory-hardware/fields/template-settings.json
@ -8,7 +8,6 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
          "agent.host.architecture",
--- a/ecs/states-inventory-hotfixes/docs/README.md
+++ b/ecs/states-inventory-hotfixes/docs/README.md
@ -30,4 +30,3 @@ The detail of the fields can be found in csv file [States inventory hotfixes Fie
 | cluster_node   | string  | Wazuh cluster node                                             | wazuh.cluster.node      | TRUE   |
 | schema_version | string  | Wazuh schema version                                           | wazuh.schema.version    | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1      | TRUE   |
-| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at       | TRUE   |
--- a/ecs/states-inventory-hotfixes/fields/subset.yml
+++ b/ecs/states-inventory-hotfixes/fields/subset.yml
@ -22,7 +22,6 @@ fields:
        fields:
          name: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.host.architecture",
--- a/ecs/states-inventory-hotfixes/fields/template-settings.json
+++ b/ecs/states-inventory-hotfixes/fields/template-settings.json
@ -8,19 +8,18 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
-        "agent.host.architecture",
-        "agent.host.ip",
-        "agent.id",
-        "agent.name",
-        "agent.version",
-        "package.hotfix.name",
-        "state.modified_at",
-        "wazuh.cluster.name",
-        "wazuh.cluster.node",
-        "wazuh.schema.version"
+          "agent.host.architecture",
+          "agent.host.ip",
+          "agent.id",
+          "agent.name",
+          "agent.version",
+          "package.hotfix.name",
+          "state.modified_at",
+          "wazuh.cluster.name",
+          "wazuh.cluster.node",
+          "wazuh.schema.version"
        ]
      }
    }
--- a/ecs/states-inventory-interfaces/docs/README.md
+++ b/ecs/states-inventory-interfaces/docs/README.md
@ -40,4 +40,3 @@ The detail of the fields can be found in csv file [States inventory interfaces F
 | cluster_node   | string  | Wazuh cluster node                                             | wazuh.cluster.node           | TRUE   |
 | schema_version | string  | Wazuh schema version                                           | wazuh.schema.version         | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1           | TRUE   |
-| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at            | TRUE   |
--- a/ecs/states-inventory-interfaces/fields/subset.yml
+++ b/ecs/states-inventory-interfaces/fields/subset.yml
@ -41,7 +41,6 @@ fields:
      state: {}
      type: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-inventory-interfaces/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-interfaces/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.id",
--- a/ecs/states-inventory-interfaces/fields/template-settings.json
+++ b/ecs/states-inventory-interfaces/fields/template-settings.json
@ -8,7 +8,6 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
          "agent.id",
--- a/ecs/states-inventory-networks/docs/README.md
+++ b/ecs/states-inventory-networks/docs/README.md
@ -34,4 +34,3 @@ The detail of the fields can be found in csv file [States inventory networks Fie
 | cluster_node   | string  | Wazuh cluster node                                               | wazuh.cluster.node   | TRUE   |
 | schema_version | string  | Wazuh schema version                                             | wazuh.schema.version | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent.   | checksum.hash.sha1   | TRUE   |
-| scan_time      | date    | Date/time when the state was last modified.                             | state.modified_at    | TRUE   |
--- a/ecs/states-inventory-networks/fields/subset.yml
+++ b/ecs/states-inventory-networks/fields/subset.yml
@ -28,7 +28,6 @@ fields:
      netmask: {}
      type: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-inventory-networks/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-networks/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.id",
--- a/ecs/states-inventory-networks/fields/template-settings.json
+++ b/ecs/states-inventory-networks/fields/template-settings.json
@ -8,7 +8,6 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
          "agent.id",
--- a/ecs/states-inventory-packages/docs/README.md
+++ b/ecs/states-inventory-packages/docs/README.md
@ -38,4 +38,3 @@ The detail of the fields can be found in csv file [States inventory packages Fie
 | cluster_node   | string  | Wazuh cluster node                                             | wazuh.cluster.node   | TRUE   |
 | schema_version | string  | Wazuh schema version                                           | wazuh.schema.version | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1   | TRUE   |
-| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at    | TRUE   |
--- a/ecs/states-inventory-packages/fields/subset.yml
+++ b/ecs/states-inventory-packages/fields/subset.yml
@ -32,7 +32,6 @@ fields:
      vendor: {}
      version: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-inventory-packages/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-packages/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.host.architecture",
--- a/ecs/states-inventory-packages/fields/template-settings.json
+++ b/ecs/states-inventory-packages/fields/template-settings.json
@ -6,7 +6,6 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
          "agent.host.architecture",
--- a/ecs/states-inventory-ports/docs/README.md
+++ b/ecs/states-inventory-ports/docs/README.md
@ -41,4 +41,3 @@ The detail of the fields can be found in csv file [States inventory ports Fields
 | cluster_node   | string  | Wazuh cluster node                                             | wazuh.cluster.node         | TRUE   |
 | schema_version | string  | Wazuh schema version                                           | wazuh.schema.version       | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1         | TRUE   |
-| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at    | TRUE   |
--- a/ecs/states-inventory-ports/fields/subset.yml
+++ b/ecs/states-inventory-ports/fields/subset.yml
@ -48,7 +48,6 @@ fields:
      ip: {}
      port: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-inventory-ports/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-ports/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.host.architecture",
--- a/ecs/states-inventory-ports/fields/template-settings.json
+++ b/ecs/states-inventory-ports/fields/template-settings.json
@ -8,7 +8,6 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
          "agent.host.architecture",
--- a/ecs/states-inventory-processes/docs/README.md
+++ b/ecs/states-inventory-processes/docs/README.md
@ -35,4 +35,3 @@ The detail of the fields can be found in csv file [States inventory processes Fi
 |                | date    | The time the process started                                   | process.start        | FALSE  |
 |                | long    | Length of the process.args array.                              | process.args_count   | FALSE  |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1   | TRUE   |
-| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at    | TRUE   |
--- a/ecs/states-inventory-processes/fields/subset.yml
+++ b/ecs/states-inventory-processes/fields/subset.yml
@ -31,7 +31,6 @@ fields:
      stime: {}
      utime: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-inventory-processes/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-processes/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.host.architecture",
--- a/ecs/states-inventory-processes/fields/template-settings.json
+++ b/ecs/states-inventory-processes/fields/template-settings.json
@ -6,7 +6,6 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
          "agent.host.architecture",
--- a/ecs/states-inventory-protocols/docs/README.md
+++ b/ecs/states-inventory-protocols/docs/README.md
@ -31,4 +31,3 @@ The detail of the fields can be found in csv file [States inventory protocols Fi
 | cluster_node   | string  | Wazuh cluster node                                             | wazuh.cluster.node   | TRUE   |
 | schema_version | string  | Wazuh schema version                                           | wazuh.schema.version | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1   | TRUE   |
-| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at    | TRUE   |
--- a/ecs/states-inventory-protocols/fields/subset.yml
+++ b/ecs/states-inventory-protocols/fields/subset.yml
@ -26,7 +26,6 @@ fields:
    fields:
      name: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-inventory-protocols/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-protocols/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.host.architecture",
--- a/ecs/states-inventory-protocols/fields/template-settings.json
+++ b/ecs/states-inventory-protocols/fields/template-settings.json
@ -8,7 +8,6 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
          "agent.host.architecture",
--- a/ecs/states-inventory-services/docs/README.md
+++ b/ecs/states-inventory-services/docs/README.md
@ -0,0 +1,53 @@
+## `wazuh-states-inventory-services` index data model
+
+### Fields summary
+
+The fields are based on:
+- [Inventory - Services mappings](https://github.com/wazuh/wazuh-agent/issues/807#issuecomment-3212090933) (included in 4.14.0)
+- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
+
+Based on osquery and ECS:
+
+- [services table (Windows)](https://osquery.io/schema/5.16.0/#services).
+- [systemd_units table (Linux)](https://osquery.io/schema/5.16.0/#systemd_units).
+- [launchd table (macOS)](https://osquery.io/schema/5.16.0/#launchd)
+- [Service fields](https://www.elastic.co/docs/reference/ecs/ecs-service).
+
+The detail of the fields can be found in csv file [Inventory Services Fields](fields.csv).
+
+### Transition table
+
+| #   | Custom | ECS Field Name                          | Type      | Source                                                      | OS Availability         | Description                                                              |
+| --- | ------ | --------------------------------------- | --------- | ----------------------------------------------------------- | ----------------------- | ------------------------------------------------------------------------ |
+| 1   | 0      | `service.id`                            | `text`    | `services.name` / `systemd_units.id` / `label`              | Windows / Linux / macOS | Service/job unique identifier (Windows name, systemd id, launchd label). |
+| 2   | 0      | `service.name`                          | `text`    | `services.display_name` / `name`                            | Windows / macOS         | Display name (Windows) or plist filename (macOS).                        |
+| 3   | 1      | `service.description`                   | `text`    | `services.description` / `systemd_units.description`        | Windows / Linux         | Description of the service/unit.                                         |
+| 4   | 0      | `service.type`                          | `text`    | `services.service_type` / `process_type`                    | Windows / macOS         | Type of service: OWN\_PROCESS, driver, intended process type.            |
+| 5   | 0      | `service.state`                         | `text`    | `services.status` / `systemd_units.active_state` / runtime  | Windows / Linux / macOS | Current state: RUNNING, STOPPED, active, running, etc.                   |
+| 6   | 1      | `service.sub_state`                     | `text`    | `systemd_units.sub_state`                                   | Linux                   | Low-level systemd substate.                                              |
+| 7   | 1      | `service.enabled`                       | `text`    | `systemd_units.unit_file_state` / `disabled` (invert)       | Linux / macOS           | Whether the unit/job is enabled.                                         |
+| 8   | 1      | `service.start_type`                    | `text`    | `services.start_type` / `run_at_load`                       | Windows / macOS         | Start type: AUTO\_START, DEMAND\_START, or run\_at\_load.                |
+| 9   | 1      | `service.restart`                       | `text`    | `keep_alive`                                                | macOS                   | Restart policy: always / on-failure / never.                             |
+| 10  | 1      | `service.frequency`                     | `long`    | `start_interval`                                            | macOS                   | Run frequency in seconds.                                                |
+| 11  | 1      | `service.starts.on_mount`               | `boolean` | `start_on_mount`                                            | macOS                   | Launches every time a filesystem is mounted.                             |
+| 12  | 1      | `service.starts.on_path_modified`       | `text[]`  | `watch_paths`                                               | macOS                   | Launches on path modification.                                           |
+| 13  | 1      | `service.starts.on_not_empty_directory` | `text[]`  | `queue_directories`                                         | macOS                   | Launches when directories become non-empty.                              |
+| 14  | 1      | `service.inetd_compatibility`           | `boolean` | `inetd_compatibility`                                       | macOS                   | Run job as if launched from inetd.                                       |
+| 15  | 0      | `process.pid`                           | `long`    | `services.pid` / runtime                                    | Windows / macOS         | Process ID of the running service/job.                                   |
+| 16  | 0      | `process.executable`                    | `text`    | `services.path` / `systemd_units.fragment_path` / `program` | Windows / Linux / macOS | Path to the service executable or unit definition.                       |
+| 17  | 0      | `process.args`                          | `text[]`  | `program_arguments`                                         | macOS                   | Command line arguments for the service/job.                              |
+| 18  | 0      | `process.user.name`                     | `text`    | `services.user_account` / `systemd_units.user` / `username` | Windows / Linux / macOS | User account running the service/job.                                    |
+| 19  | 0      | `process.group.name`                    | `text`    | `groupname`                                                 | macOS                   | Group account running the job.                                           |
+| 20  | 0      | `process.working_directory`             | `text`    | `working_directory`                                         | macOS                   | Working directory of the job.                                            |
+| 21  | 1      | `process.root_directory`                | `text`    | `root_directory`                                            | macOS                   | Chroot directory before execution.                                       |
+| 22  | 0      | `file.path`                             | `text`    | `systemd_units.source_path` / `path`                        | Linux / macOS           | Path to the generated unit or `.plist` definition file.                  |
+| 23  | 0      | `service.address`                       | `text`    | `services.module_path`                                      | Windows                 | Path to the service DLL (ServiceDll).                                    |
+| 24  | 1      | `log.file.path`                         | `text`    | `stdout_path`                                               | macOS                   | Redirect stdout to a file/pipe.                                          |
+| 25  | 1      | `error.log.file.path`                   | `text`    | `stderr_path`                                               | macOS                   | Redirect stderr to a file/pipe.                                          |
+| 26  | 1      | `service.exit_code`                     | `integer` | `services.service_exit_code`                                | Windows                 | Service-specific exit code on failure.                                   |
+| 27  | 1      | `service.win32_exit_code`               | `integer` | `services.win32_exit_code`                                  | Windows                 | Win32 exit code on start/stop.                                           |
+| 28  | 1      | `service.following`                     | `text`    | `systemd_units.following`                                   | Linux                   | Unit followed by this unit in systemd.                                   |
+| 29  | 1      | `service.object_path`                   | `text`    | `systemd_units.object_path`                                 | Linux                   | D-Bus object path of the unit.                                           |
+| 30  | 0      | `service.target.ephemeral_id`           | `long`    | `systemd_units.job_id`                                      | Linux                   | Job ID assigned by systemd.                                              |
+| 31  | 0      | `service.target.type`                   | `text`    | `systemd_units.job_type`                                    | Linux                   | Type of systemd job.                                                     |
+| 32  | 0      | `service.target.address`                | `text`    | `systemd_units.job_path`                                    | Linux                   | Path to job object.                                                      |
--- a/ecs/states-inventory-services/docs/fields.csv
+++ b/ecs/states-inventory-services/docs/fields.csv
@ -0,0 +1,46 @@
+ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
+8.11.0,true,agent,agent.host.architecture,keyword,core,,x86_64,Operating system architecture.
+8.11.0,true,agent,agent.host.ip,ip,core,array,,Host ip addresses.
+8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+8.11.0,true,error,error.log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+8.11.0,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.11.0,true,file,file.path.text,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.11.0,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+8.11.0,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+8.11.0,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+8.11.0,true,process,process.executable.text,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+8.11.0,true,process,process.group.name,keyword,extended,,,Name of the group.
+8.11.0,true,process,process.pid,long,core,,4242,Process id.
+8.11.0,true,process,process.root_directory,keyword,custom,,,Chroot directory before execution.
+8.11.0,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.11.0,true,process,process.user.name.text,keyword,core,,a.einstein,Short name or login of the user.
+8.11.0,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+8.11.0,true,process,process.working_directory.text,keyword,extended,,/home/alice,The working directory of the process.
+8.11.0,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+8.11.0,true,service,service.description,keyword,custom,,Apache HTTP Server,Description of the service.
+8.11.0,true,service,service.enabled,keyword,custom,,enabled,"Whether the unit file is enabled, e.g. `enabled`, `masked`, `disabled`, etc."
+8.11.0,true,service,service.exit_code,integer,custom,,0,Service-specific exit code on failure.
+8.11.0,true,service,service.following,keyword,custom,,apache2.service,The name of another unit that this unit follows in state.
+8.11.0,true,service,service.frequency,long,custom,,3600,Frequency in seconds at which the service is run.
+8.11.0,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+8.11.0,true,service,service.inetd_compatibility,boolean,custom,,False,Run job as if launched from inetd.
+8.11.0,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+8.11.0,true,service,service.object_path,keyword,custom,,/org/freedesktop/systemd1/unit/apache2_2eservice,D-Bus object path of the service.
+8.11.0,true,service,service.restart,keyword,custom,,on-failure,"Restart policy for the service, e.g. `always`, `on-failure`, `never`."
+8.11.0,true,service,service.start_type,keyword,custom,,AUTO_START,"Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED."
+8.11.0,true,service,service.starts.on_mount,boolean,custom,,True,Launches every time a filesystem is mounted.
+8.11.0,true,service,service.starts.on_not_empty_directory,keyword,custom,array,"['/var/spool/mail', '/tmp/uploads']",Launches when directories become non-empty.
+8.11.0,true,service,service.starts.on_path_modified,keyword,custom,array,"['/var/log', '/etc/config']",Launches on path modification.
+8.11.0,true,service,service.state,keyword,core,,,Current state of the service.
+8.11.0,true,service,service.sub_state,keyword,custom,,running,"The low-level unit activation state, values depend on unit type."
+8.11.0,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+8.11.0,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+8.11.0,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service.
+8.11.0,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+8.11.0,true,service,service.win32_exit_code,integer,custom,,0,Win32 exit code on start/stop.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
+8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
+8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
+8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
--- a/ecs/states-inventory-services/event-generator/event_generator.py
+++ b/ecs/states-inventory-services/event-generator/event_generator.py
@ -0,0 +1,294 @@
+#!/bin/python3
+
+import argparse
+import datetime
+import json
+import logging
+import random
+import requests
+import urllib3
+import random
+import string
+from enum import Enum
+
+# Constants and Configuration
+LOG_FILE = "generate_data.log"
+GENERATED_DATA_FILE = "generatedData.json"
+DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
+# Default values
+INDEX_NAME = "wazuh-states-inventory-services"
+USERNAME = "admin"
+PASSWORD = "admin"
+IP = "127.0.0.1"
+PORT = "9200"
+class OS(Enum):
+    LINUX = "Linux"
+    WINDOWS = "Windows"
+    MACOS = "macOS"
+
+# Configure logging
+logging.basicConfig(filename=LOG_FILE, level=logging.INFO)
+
+# Suppress warnings
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+
+def random_string(length=6):
+    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
+
+
+def generate_random_date():
+    start_date = datetime.datetime.now()
+    end_date = start_date - datetime.timedelta(days=10)
+    random_date = start_date + (end_date - start_date) * random.random()
+    return random_date.strftime(DATE_FORMAT)
+
+
+def generate_agent():
+    return {
+        "host": {
+            "architecture": random.choice(["x86_64", "arm64"]),
+            "ip": f"192.168.{random.randint(0, 255)}.{random.randint(1, 254)}"
+        },
+        "id": random_string(8),
+        "name": f"agent-{random.randint(1, 100)}",
+        "version": f"{random.randint(1,5)}.{random.randint(0,9)}.{random.randint(0,9)}"
+    }
+
+
+def generate_file(os_type=OS.LINUX):
+    if os_type == OS.LINUX:
+        return {
+            "path": f"/usr/lib/systemd/system/{random.choice(['nginx.service', 'sshd.service', 'cron.service'])}"
+        }
+    elif os_type == OS.MACOS:
+        return {
+            "path": f"/Applications/{random.choice(['App.app', 'Service.app'])}"
+        }
+
+
+def generate_process(os_type=OS.LINUX, state="running"):
+    pid = random.randint(1000, 5000) if state.lower() in ["running", "active"] else 0
+    if os_type == OS.WINDOWS:
+        executable = random.choice(["C:\\Program Files\\App\\app.exe", "C:\\Windows\\System32\\svchost.exe"])
+    elif os_type == OS.LINUX:
+        executable = random.choice(["/usr/bin/python3", "/usr/sbin/sshd", "/usr/sbin/nginx"])
+    else:
+        executable = random.choice(["/Applications/App.app/Contents/MacOS/App", "/usr/bin/terminal"])
+
+    if os_type == OS.WINDOWS:
+        return {
+            "executable": executable,
+            "pid": pid,
+            "user.name": random.choice(["root", "admin", "user"])
+        }
+    elif os_type == OS.LINUX:
+        return {
+            "executable": executable,
+            "user.name": random.choice(["root", "admin", "user"])
+        }
+    else:
+        return {
+            "executable": executable,
+            "pid": pid,
+            "args": [f"--option{random.randint(1, 5)}={random_string(4)}"],
+            "user.name": random.choice(["root", "admin", "user"]),
+            "group.name": random.choice(["root", "admin", "users"]),
+            "working_directory": f"/home/{random.choice(['user1', 'user2', 'user3'])}",
+            "root_directory": f"/home/{random.choice(['user1', 'user2', 'user3'])}"
+        }
+
+
+def generate_service(os_type=OS.LINUX):
+    # State and substate depending on the OS
+    if os_type == OS.LINUX:
+        state = random.choice(["active", "inactive", "failed"])
+        sub_state = random.choice(["running", "dead", "exited"])
+    elif os_type == OS.WINDOWS:
+        state = random.choice(["RUNNING", "STOPPED"])
+    else:  
+        state = random.choice(["running", "stopped"])
+    
+    if os_type == OS.LINUX:
+        name = random.choice(["nginx", "sshd", "cron"])
+        service_data = {
+            "id": name,                      # Matches ECS/osquery
+            "description": f"{name} service",
+            "state": state,
+            "sub_state": sub_state,
+            "enabled": (
+                random.choice(["enabled", "disabled", "static"])
+            ),
+            "following": (
+                random.choice(["none", "multi-user.target"])
+            ),
+            "object_path": (
+                f"/org/freedesktop/{name}"
+            ),
+            "target": {
+                "ephemeral_id": str(random.randint(1000, 9999)),
+                "type": random.choice(["start", "stop"]),
+                "address": (
+                    f"/systemd/job/{name}"
+                )
+            }
+        }
+    elif os_type == OS.WINDOWS:
+        name = random.choice(["wuauserv", "bits", "wscsvc"])
+        service_data = {
+            "id": name,
+            "name": random.choice(["Windows Update", "Background Intelligent Transfer Service", "Windows Security Center"]),
+            "description": f"{name} service",
+            "state": state,
+            "start_type": random.choice(["AUTO_START", "DEMAND_START"]),
+            "type": "OWN_PROCESS",
+            "exit_code": random.choice([0, 1, 2]),
+            "win32_exit_code": random.choice([0, 1, 2]),
+            "address": f"\\\\{random.choice(['localhost', 'remotehost'])}"
+        }
+
+    else:
+        service_data = {
+            "id": random.choice(["com.apple.mdnamed", "com.apple.sshd"]),
+            "name": random.choice(["MDNSResponder", "SSHD"]),
+            "state": random.choice(["active", "stopped", "failed"]),
+            "start_type": random.choice(["AUTO_START", "DEMAND_START"]),
+            "type": "OWN_PROCESS",
+            "enabled": random.choice(["enabled", "disabled"]),
+            "restart": random.choice(["always", "on-failure", "never"]),
+            "frequency": random.randint(10, 3600),
+            "starts": {
+                "on_mount": random.choice([True, False]),
+                "on_path_modified": ["/usr/local", "/etc"],
+                "on_not_empty_directory": ["/var/log"],
+            },
+            "inetd_compatibility": random.choice([True, False]),
+        }
+    return service_data
+
+
+def generate_wazuh():
+    return {
+        "cluster": {
+            "name": random.choice(["cluster-alpha", "cluster-beta"]),
+            "node": random.choice(["node-1", "node-2", "node-3"])
+        },
+        "schema": {
+            "version": f"{random.randint(1,3)}.{random.randint(0,9)}"
+        }
+    }
+
+
+def generate_log(os_type=OS.LINUX):
+    if os_type == OS.MACOS:
+        return {
+            "file": {
+                "path": random.choice([
+                    "/var/log/system.log",
+                    "/var/log/install.log",
+                    "/var/log/secure.log"
+                ]),
+            }
+        }
+
+
+def generate_error(os_type=OS.LINUX):
+    if os_type == OS.MACOS:
+        return {
+            "log": {
+                "file": {
+                    "path": random.choice([
+                        "/var/log/system.log",
+                        "/var/log/install.log",
+                        "/var/log/secure.log"
+                    ]),
+                }
+            }
+        }
+
+
+def generate_random_data(number):
+    data = []
+    for _ in range(number):
+        os_choice = random.choice(list(OS))
+        service_data = generate_service(os_type=os_choice)
+        event_data = {
+            "agent": generate_agent(),
+            "process": generate_process(os_type=os_choice, state=service_data["state"]),
+            "service": service_data,
+            "wazuh": generate_wazuh(),
+            "state": {
+                "modified_at": generate_random_date()
+            },
+        }
+
+        if os_choice == OS.MACOS:
+            event_data["log"] = generate_log(os_type=os_choice)
+            event_data["error"] = generate_error(os_type=os_choice)
+
+        if os_choice == OS.LINUX:
+            event_data["file"] = generate_file(os_type=os_choice)
+
+        data.append(event_data)
+    return data
+
+
+def inject_events(ip, port, index, username, password, data, protocol):
+    url = f"{protocol}://{ip}:{port}/{index}/_doc"
+    session = requests.Session()
+    session.auth = (username, password)
+    session.verify = False
+    headers = {"Content-Type": "application/json"}
+
+    for event_data in data:
+        response = session.post(url, json=event_data, headers=headers)
+        if response.status_code != 201:
+            logging.error(f"Error: {response.status_code}")
+            logging.error(response.text)
+            break
+    logging.info("Data injection completed successfully.")
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Generate and optionally inject documents into a Wazuh Indexer cluster."
+    )
+    parser.add_argument(
+        "--protocol",
+        choices=['http', 'https'],
+        default='https',
+        help="Specify the protocol to use: http or https. Default is 'https'."
+    )
+    args = parser.parse_args()
+
+    try:
+        number = int(input("How many events do you want to generate? "))
+    except ValueError:
+        logging.error("Invalid input. Please enter a number.")
+        return
+
+    logging.info(f"Generating {number} events...")
+    data = generate_random_data(number)
+
+    with open(GENERATED_DATA_FILE, "a") as outfile:
+        for event_data in data:
+            json.dump(event_data, outfile)
+            outfile.write("\n")
+
+    logging.info("User data generation completed.")
+
+    inject = input(
+        "Inject the generated data into the indexer? (y/n) ").strip().lower()
+    if inject == "y":
+        ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP
+        port = input(
+            f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT
+        index = input(
+            f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME
+        username = input(f"Username (default: '{USERNAME}'): ") or USERNAME
+        password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD
+        inject_events(ip, port, index, username, password, data, args.protocol)
+
+
+if __name__ == "__main__":
+    main()
+
--- a/ecs/states-inventory-services/fields/custom/host.yml
+++ b/ecs/states-inventory-services/fields/custom/host.yml
@ -0,0 +1,6 @@
+---
+- name: host
+  reusable:
+    top_level: true
+    expected:
+      - { at: agent, as: host }
--- a/ecs/states-inventory-services/fields/custom/log.yml
+++ b/ecs/states-inventory-services/fields/custom/log.yml
@ -0,0 +1,6 @@
+---
+- name: log
+  reusable:
+    top_level: true
+    expected:
+      - { at: error, as: log }
--- a/ecs/states-inventory-services/fields/custom/process.yml
+++ b/ecs/states-inventory-services/fields/custom/process.yml
@ -0,0 +1,11 @@
+---
+- name: process
+  title: process
+  description: >
+    Process information related to the service.
+  fields:
+    - name: root_directory
+      type: keyword
+      level: custom
+      description: >
+        Chroot directory before execution.
--- a/ecs/states-inventory-services/fields/custom/service.yml
+++ b/ecs/states-inventory-services/fields/custom/service.yml
@ -0,0 +1,94 @@
+---
+- name: service
+  title: service
+  description: >
+    The service for or from which the data was collected
+  fields:
+    - name: description
+      type: keyword
+      level: custom
+      description: >
+        Description of the service.
+      example: 'Apache HTTP Server'
+    - name: sub_state
+      type: keyword
+      level: custom
+      description: >
+        The low-level unit activation state, values depend on unit type.
+      example: 'running'
+    - name: start_type
+      type: keyword
+      level: custom
+      description: >
+        Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED.
+      example: 'AUTO_START'
+    - name: exit_code
+      type: integer
+      level: custom
+      description: >
+        Service-specific exit code on failure.
+      example: 0
+    - name: win32_exit_code
+      type: integer
+      level: custom
+      description: >
+        Win32 exit code on start/stop.
+      example: 0
+    - name: enabled
+      type: keyword
+      level: custom
+      description: >
+        Whether the unit file is enabled, e.g. `enabled`, `masked`, `disabled`, etc.
+      example: 'enabled'
+    - name: following
+      type: keyword
+      level: custom
+      description: >
+        The name of another unit that this unit follows in state.
+      example: 'apache2.service'
+    - name: object_path
+      type: keyword
+      level: custom
+      description: >
+        D-Bus object path of the service.
+      example: '/org/freedesktop/systemd1/unit/apache2_2eservice'
+    - name: restart
+      type: keyword
+      level: custom
+      description: >
+        Restart policy for the service, e.g. `always`, `on-failure`, `never`.
+      example: 'on-failure'
+    - name: frequency
+      type: long
+      level: custom
+      description: >
+        Frequency in seconds at which the service is run.
+      example: 3600
+    - name: starts.on_mount
+      type: boolean
+      level: custom
+      description: >
+        Launches every time a filesystem is mounted.
+      example: true
+    - name: starts.on_path_modified
+      type: keyword
+      level: custom
+      description: >
+        Launches on path modification.
+      normalize:
+        - array
+      example: "['/var/log', '/etc/config']"
+    - name: starts.on_not_empty_directory
+      type: keyword
+      level: custom
+      description: >
+        Launches when directories become non-empty.
+      normalize:
+        - array
+      example: "['/var/spool/mail', '/tmp/uploads']"
+    - name: inetd_compatibility
+      type: boolean
+      level: custom
+      description: >
+        Run job as if launched from inetd.
+      example: false
--- a/ecs/states-inventory-services/fields/custom/state.yml
+++ b/ecs/states-inventory-services/fields/custom/state.yml
@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.
--- a/ecs/states-inventory-services/fields/custom/wazuh.yml
+++ b/ecs/states-inventory-services/fields/custom/wazuh.yml
@ -0,0 +1,21 @@
+---
+- name: wazuh
+  title: Wazuh
+  description: >
+    Wazuh Inc. custom fields
+  fields:
+    - name: cluster.name
+      type: keyword
+      level: custom
+      description: >
+        Wazuh cluster name.
+    - name: cluster.node
+      type: keyword
+      level: custom
+      description: >
+        Wazuh cluster node name.
+    - name: schema.version
+      type: keyword
+      level: custom
+      description: >
+        Wazuh schema version.
--- a/ecs/states-inventory-services/fields/mapping-settings.json
+++ b/ecs/states-inventory-services/fields/mapping-settings.json
@ -0,0 +1,4 @@
+{
+    "dynamic": "strict",
+    "date_detection": false
+}
--- a/ecs/states-inventory-services/fields/subset.yml
+++ b/ecs/states-inventory-services/fields/subset.yml
@ -0,0 +1,75 @@
+---
+name: wazuh-states-inventory-services
+fields:
+  base:
+    fields:
+      tags: []
+  agent:
+    fields:
+      id: {}
+      name: {}
+      version: {}
+      host:
+        fields:
+          architecture: {}
+          ip: {}
+  service:
+    fields:
+      id: {}
+      name: {}
+      description: {}
+      state: {}
+      sub_state: {}
+      start_type: {}
+      type: {}
+      exit_code: {}
+      win32_exit_code: {}
+      address: {}
+      enabled: {}
+      following: {}
+      object_path: {}
+      restart: {}
+      frequency: {}
+      inetd_compatibility: {}
+      target:
+        fields:
+          ephemeral_id: {}
+          type: {}
+          address: {}
+      starts:
+        fields:
+          on_mount: {}
+          on_path_modified: {}
+          on_not_empty_directory: {}
+  log:
+    fields:
+      file:
+        fields:
+          path: {}
+  error:
+    fields:
+      log:
+        fields:
+          file:
+            fields:
+              path: {}
+  process:
+    fields:
+      pid: {}
+      executable: {}
+      args: {}
+      working_directory: {}
+      root_directory: {}
+      user:
+        fields:
+          name: {}
+      group:
+        fields:
+          name: {}
+  file:
+    fields:
+      path: {}
+  state:
+    fields: "*"
+  wazuh:
+    fields: "*"
--- a/ecs/states-inventory-services/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-services/fields/template-settings-legacy.json
@ -0,0 +1,41 @@
+{
+    "index_patterns": [
+        "wazuh-states-inventory-services*"
+    ],
+    "order": 1,
+    "settings": {
+        "index": {
+            "number_of_shards": "1",
+            "number_of_replicas": "0",
+            "refresh_interval": "2s",
+            "query.default_field": [
+                "agent.host.architecture",
+                "agent.host.ip",
+                "agent.id",
+                "agent.name",
+                "agent.version",
+                "service.name",
+                "service.id",
+                "service.description",
+                "service.enabled",
+                "service.restart",
+                "service.state",
+                "service.sub_state",
+                "service.type",
+                "service.start_type",
+                "process.executable",
+                "file.path",
+                "log.file.path",
+                "error.log.file.path",
+                "process.args",
+                "process.user.name",
+                "process.group.name",
+                "service.address",
+                "state.modified_at",
+                "wazuh.cluster.name",
+                "wazuh.cluster.node",
+                "wazuh.schema.version"
+            ]
+        }
+    }
+}
--- a/ecs/states-inventory-services/fields/template-settings.json
+++ b/ecs/states-inventory-services/fields/template-settings.json
@ -0,0 +1,43 @@
+{
+    "index_patterns": [
+        "wazuh-states-inventory-services*"
+    ],
+    "priority": 1,
+    "template": {
+        "settings": {
+            "index": {
+                "number_of_shards": "1",
+                "number_of_replicas": "0",
+                "refresh_interval": "2s",
+                "query.default_field": [
+                    "agent.host.architecture",
+                    "agent.host.ip",
+                    "agent.id",
+                    "agent.name",
+                    "agent.version",
+                    "service.name",
+                    "service.id",
+                    "service.description",
+                    "service.enabled",
+                    "service.restart",
+                    "service.state",
+                    "service.sub_state",
+                    "service.type",
+                    "service.start_type",
+                    "process.executable",
+                    "file.path",
+                    "log.file.path",
+                    "error.log.file.path",
+                    "process.args",
+                    "process.user.name",
+                    "process.group.name",
+                    "service.address",
+                    "state.modified_at",
+                    "wazuh.cluster.name",
+                    "wazuh.cluster.node",
+                    "wazuh.schema.version"
+                ]
+            }
+        }
+    }
+}
--- a/ecs/states-inventory-system/docs/README.md
+++ b/ecs/states-inventory-system/docs/README.md
@ -42,4 +42,3 @@ The detail of the fields can be found in csv file [States inventory system Field
 | schema_version     | string  | Wazuh schema version                                                              | wazuh.schema.version         | TRUE   |
 |                    | string  | Which commercial OS family (one of: linux, macos, unix, windows, ios or android). | host.os.type                 | FALSE  |
 | checksum           | keyword | SHA1 hash used as checksum of the data collected by the agent.                    | checksum.hash.sha1           | TRUE   |
-| scan_time          | date    | Date/time when the state was last modified.                                              | state.modified_at            | TRUE   |
--- a/ecs/states-inventory-system/fields/subset.yml
+++ b/ecs/states-inventory-system/fields/subset.yml
@ -41,7 +41,6 @@ fields:
          type: {}
          version: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-inventory-system/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-system/fields/template-settings-legacy.json
@ -5,7 +5,6 @@
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
-      "auto_expand_replicas": "0-1",
      "refresh_interval": "2s",
      "query.default_field": [
        "agent.host.architecture",
--- a/ecs/states-inventory-system/fields/template-settings.json
+++ b/ecs/states-inventory-system/fields/template-settings.json
@ -8,7 +8,6 @@
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
-        "auto_expand_replicas": "0-1",
        "refresh_interval": "2s",
        "query.default_field": [
          "agent.host.architecture",
--- a/ecs/states-inventory-users/fields/subset.yml
+++ b/ecs/states-inventory-users/fields/subset.yml
@ -63,7 +63,6 @@ fields:
      type: {}
      tty: {}
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-inventory-users/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-users/fields/template-settings-legacy.json
@ -7,8 +7,7 @@
        "index": {
            "number_of_shards": "1",
            "number_of_replicas": "0",
-            "auto_expand_replicas": "0-1",
-            "refresh_interval": "5s",
+            "refresh_interval": "2s",
            "query.default_field": [
                "user.id",
                "user.name",
@ -26,12 +25,14 @@
                "user.password.status",
                "user.password.last_change",
                "user.password.expiration_date",
-                "user.password.last_set_time",
                "user.roles",
                "user.last_login",
                "process.pid",
                "host.ip",
-                "state.modified_at"
+                "state.modified_at",
+                "wazuh.cluster.name",
+                "wazuh.cluster.node",
+                "wazuh.schema.version"
            ]
        }
    }
--- a/ecs/states-inventory-users/fields/template-settings.json
+++ b/ecs/states-inventory-users/fields/template-settings.json
@ -8,8 +8,7 @@
            "index": {
                "number_of_shards": "1",
                "number_of_replicas": "0",
-                "auto_expand_replicas": "0-1",
-                "refresh_interval": "5s",
+                "refresh_interval": "2s",
                "query.default_field": [
                    "user.id",
                    "user.name",
@ -27,12 +26,14 @@
                    "user.password.status",
                    "user.password.last_change",
                    "user.password.expiration_date",
-                    "user.password.last_set_time",
                    "user.roles",
                    "user.last_login",
                    "process.pid",
                    "host.ip",
-                    "state.modified_at"
+                    "state.modified_at",
+                    "wazuh.cluster.name",
+                    "wazuh.cluster.node",
+                    "wazuh.schema.version"
                ]
            }
        }
--- a/ecs/states-sca/fields/subset.yml
+++ b/ecs/states-sca/fields/subset.yml
@ -20,7 +20,6 @@ fields:
  policy:
    fields: "*"
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/ecs/states-vulnerabilities/docs/README.md
+++ b/ecs/states-vulnerabilities/docs/README.md
@ -71,4 +71,3 @@ The detail of the fields can be found in csv file [States vulnerabilities Fields
 | wazuh.cluster.node                | keyword | Wazuh cluster node name.                                                                                            | wazuh.cluster.node                | TRUE   |
 | wazuh.schema.version              | keyword | Wazuh schema version.                                                                                               | wazuh.schema.version              | TRUE   |
 | checksum                          | keyword | SHA1 hash used as checksum of the data collected by the agent.                                                      | checksum.hash.sha1                | TRUE   |
-| scan_time                         | date    | Date/time when the state was last modified.                                                                         | state.modified_at                 | TRUE   |
--- a/ecs/states-vulnerabilities/fields/subset.yml
+++ b/ecs/states-vulnerabilities/fields/subset.yml
@ -23,7 +23,6 @@ fields:
  vulnerability:
    fields: "*"
  state:
-    fields:
-      modified_at: {}
+    fields: "*"
  wazuh:
    fields: "*"
--- a/plugins/setup/src/main/java/com/wazuh/setup/SetupPlugin.java
+++ b/plugins/setup/src/main/java/com/wazuh/setup/SetupPlugin.java
@ -80,6 +80,7 @@ public class SetupPlugin extends Plugin implements ClusterPlugin {
        this.indices.add(new StateIndex("wazuh-states-fim-files", "index-template-fim-files"));
        this.indices.add(new StateIndex("wazuh-states-fim-registry-keys", "index-template-fim-registry-keys"));
        this.indices.add(new StateIndex("wazuh-states-fim-registry-values", "index-template-fim-registry-values"));
+        this.indices.add(new StateIndex("wazuh-states-inventory-browser-extensions", "index-template-browser-extensions"));
        this.indices.add(new StateIndex("wazuh-states-inventory-groups", "index-template-groups"));
        this.indices.add(new StateIndex("wazuh-states-inventory-hardware", "index-template-hardware"));
        this.indices.add(new StateIndex("wazuh-states-inventory-hotfixes", "index-template-hotfixes"));
@ -90,6 +91,7 @@ public class SetupPlugin extends Plugin implements ClusterPlugin {
        this.indices.add(new StateIndex("wazuh-states-inventory-ports", "index-template-ports"));
        this.indices.add(new StateIndex("wazuh-states-inventory-processes", "index-template-processes"));
        this.indices.add(new StateIndex("wazuh-states-inventory-protocols", "index-template-protocols"));
+        this.indices.add(new StateIndex("wazuh-states-inventory-services", "index-template-services"));
        this.indices.add(new StateIndex("wazuh-states-inventory-system", "index-template-system"));
        this.indices.add(new StateIndex("wazuh-states-inventory-users", "index-template-users"));
        this.indices.add(new StateIndex("wazuh-states-vulnerabilities", "index-template-vulnerabilities"));
--- a/plugins/setup/src/main/resources/index-template-browser-extensions.json
+++ b/plugins/setup/src/main/resources/index-template-browser-extensions.json
@ -0,0 +1,200 @@
+{
+  "index_patterns": [
+    "wazuh-states-inventory-browser-extensions*"
+  ],
+  "mappings": {
+    "date_detection": false,
+    "dynamic": "strict",
+    "properties": {
+      "agent": {
+        "properties": {
+          "host": {
+            "properties": {
+              "architecture": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "ip": {
+                "type": "ip"
+              }
+            }
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "browser": {
+        "properties": {
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "profile": {
+            "properties": {
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "path": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "referenced": {
+                "type": "boolean"
+              }
+            }
+          }
+        }
+      },
+      "file": {
+        "properties": {
+          "hash": {
+            "properties": {
+              "sha256": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "package": {
+        "properties": {
+          "autoupdate": {
+            "type": "boolean"
+          },
+          "build_version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "description": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "enabled": {
+            "type": "boolean"
+          },
+          "from_webstore": {
+            "type": "boolean"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "installed": {
+            "type": "date"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "path": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "permissions": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "persistent": {
+            "type": "boolean"
+          },
+          "reference": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "vendor": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "visible": {
+            "type": "boolean"
+          }
+        }
+      },
+      "state": {
+        "properties": {
+          "modified_at": {
+            "type": "date"
+          }
+        }
+      },
+      "user": {
+        "properties": {
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "wazuh": {
+        "properties": {
+          "cluster": {
+            "properties": {
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "node": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "schema": {
+            "properties": {
+              "version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      }
+    }
+  },
+  "order": 1,
+  "settings": {
+    "index": {
+      "number_of_replicas": "0",
+      "number_of_shards": "1",
+      "query.default_field": [
+        "agent.host.architecture",
+        "agent.host.ip",
+        "agent.id",
+        "agent.name",
+        "agent.version",
+        "browser.name",
+        "user.id",
+        "package.name",
+        "package.id",
+        "package.version",
+        "package.vendor",
+        "package.type",
+        "state.modified_at",
+        "wazuh.cluster.name",
+        "wazuh.cluster.node",
+        "wazuh.schema.version"
+      ],
+      "refresh_interval": "2s"
+    }
+  }
+}
--- a/plugins/setup/src/main/resources/index-template-fim-files.json
+++ b/plugins/setup/src/main/resources/index-template-fim-files.json
@ -143,7 +143,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
--- a/plugins/setup/src/main/resources/index-template-fim-registry-keys.json
+++ b/plugins/setup/src/main/resources/index-template-fim-registry-keys.json
@ -124,7 +124,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
--- a/plugins/setup/src/main/resources/index-template-fim-registry-values.json
+++ b/plugins/setup/src/main/resources/index-template-fim-registry-values.json
@ -132,7 +132,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
--- a/plugins/setup/src/main/resources/index-template-groups.json
+++ b/plugins/setup/src/main/resources/index-template-groups.json
@ -109,7 +109,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
@ -120,7 +119,7 @@
        "group.users",
        "state.modified_at"
      ],
-      "refresh_interval": "5s"
+      "refresh_interval": "2s"
    }
  }
 }
--- a/plugins/setup/src/main/resources/index-template-hardware.json
+++ b/plugins/setup/src/main/resources/index-template-hardware.json
@ -120,7 +120,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
--- a/plugins/setup/src/main/resources/index-template-hotfixes.json
+++ b/plugins/setup/src/main/resources/index-template-hotfixes.json
@ -94,7 +94,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
--- a/plugins/setup/src/main/resources/index-template-interfaces.json
+++ b/plugins/setup/src/main/resources/index-template-interfaces.json
@ -148,7 +148,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
--- a/plugins/setup/src/main/resources/index-template-networks.json
+++ b/plugins/setup/src/main/resources/index-template-networks.json
@ -112,7 +112,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
--- a/plugins/setup/src/main/resources/index-template-packages.json
+++ b/plugins/setup/src/main/resources/index-template-packages.json
@ -135,7 +135,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
--- a/plugins/setup/src/main/resources/index-template-ports.json
+++ b/plugins/setup/src/main/resources/index-template-ports.json
@ -158,7 +158,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
--- a/plugins/setup/src/main/resources/index-template-processes.json
+++ b/plugins/setup/src/main/resources/index-template-processes.json
@ -122,7 +122,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
--- a/plugins/setup/src/main/resources/index-template-protocols.json
+++ b/plugins/setup/src/main/resources/index-template-protocols.json
@ -106,7 +106,6 @@
  "order": 1,
  "settings": {
    "index": {
-      "auto_expand_replicas": "0-1",
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
--- a/Show More
+++ b/Show More