Remove ECS object from WCS definitions (#612)

* Remove ECS object from WCS definitions

* Update the Wazuh Common Schema

* Update CHANGELOG

* Update stateless and cloud index templates

---------

Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>

CHANGELOG.md

@@ -44,6 +44,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump WCS to ECS v9.1.0 [(#600)](https://github.com/wazuh/wazuh-indexer-plugins/pull/600)
 - Replace genai.* nested fields with keyword array [(#608)](https://github.com/wazuh/wazuh-indexer-plugins/pull/608)
 - Check GitHub actions with dependabot [(#601)](https://github.com/wazuh/wazuh-indexer-plugins/pull/601)
+- Remove ECS object from WCS definitions [(#612)](https://github.com/wazuh/wazuh-indexer-plugins/pull/612)
 
 ### Deprecated
 -

ecs/stateless-access-management/docs/fields.csv

@@ -275,7 +275,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.

ecs/stateless-access-management/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

ecs/stateless-applications/docs/fields.csv

@@ -409,7 +409,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.

ecs/stateless-applications/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

ecs/stateless-cloud-services-aws/docs/fields.csv

@@ -956,7 +956,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
@@ -1178,17 +1177,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,gen_ai,gen_ai.operation.name,keyword,extended,,chat; text_completion; embeddings,The name of the operation being performed.
 9.1.0,true,gen_ai,gen_ai.output.type,keyword,extended,,text; json; image,Represents the content type requested by the client.
 9.1.0,true,gen_ai,gen_ai.request.choice.count,integer,extended,,3,The target number of candidate completions to return.
-9.1.0,true,gen_ai,gen_ai.request.encoding_formats,nested,extended,,"[""float"", ""binary""]","The encoding formats requested in an embeddings operation, if specified."
+9.1.0,true,gen_ai,gen_ai.request.encoding_formats,keyword,extended,array,"[""float"", ""binary""]","The encoding formats requested in an embeddings operation, if specified."
 9.1.0,true,gen_ai,gen_ai.request.frequency_penalty,double,extended,,0.1,The frequency penalty setting for the GenAI request.
 9.1.0,true,gen_ai,gen_ai.request.max_tokens,integer,extended,,100,The maximum number of tokens the model generates for a request.
 9.1.0,true,gen_ai,gen_ai.request.model,keyword,extended,,gpt-4,The name of the GenAI model a request is being made to.
 9.1.0,true,gen_ai,gen_ai.request.presence_penalty,double,extended,,0.1,The presence penalty setting for the GenAI request.
 9.1.0,true,gen_ai,gen_ai.request.seed,integer,extended,,100,Requests with same seed value more likely to return same result.
-9.1.0,true,gen_ai,gen_ai.request.stop_sequences,nested,extended,,"[""forest"", ""lived""]",List of sequences that the model will use to stop generating further tokens.
+9.1.0,true,gen_ai,gen_ai.request.stop_sequences,keyword,extended,array,"[""forest"", ""lived""]",List of sequences that the model will use to stop generating further tokens.
 9.1.0,true,gen_ai,gen_ai.request.temperature,double,extended,,0.0,The temperature setting for the GenAI request.
 9.1.0,true,gen_ai,gen_ai.request.top_k,double,extended,,1.0,The top_k sampling setting for the GenAI request.
 9.1.0,true,gen_ai,gen_ai.request.top_p,double,extended,,1.0,The top_p sampling setting for the GenAI request.
-9.1.0,true,gen_ai,gen_ai.response.finish_reasons,nested,extended,,"[""stop"", ""length""]","Array of reasons the model stopped generating tokens, corresponding to each generation received."
+9.1.0,true,gen_ai,gen_ai.response.finish_reasons,keyword,extended,array,"[""stop"", ""length""]","Array of reasons the model stopped generating tokens, corresponding to each generation received."
 9.1.0,true,gen_ai,gen_ai.response.id,keyword,extended,,chatcmpl-123,The unique identifier for the completion.
 9.1.0,true,gen_ai,gen_ai.response.model,keyword,extended,,gpt-4-0613,The name of the model that generated the response.
 9.1.0,true,gen_ai,gen_ai.system,keyword,extended,,openai,The Generative AI product as identified by the client or server instrumentation.

ecs/stateless-cloud-services-aws/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

ecs/stateless-cloud-services-azure/docs/fields.csv

@@ -763,7 +763,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.

ecs/stateless-cloud-services-azure/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

ecs/stateless-cloud-services-gcp/docs/fields.csv

@@ -275,7 +275,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.

ecs/stateless-cloud-services-gcp/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

ecs/stateless-cloud-services/docs/fields.csv

@@ -312,7 +312,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.

ecs/stateless-cloud-services/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

ecs/stateless-network-activity/docs/fields.csv

@@ -627,7 +627,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.

ecs/stateless-network-activity/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

ecs/stateless-other/docs/fields.csv

@@ -275,7 +275,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.

ecs/stateless-other/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

ecs/stateless-security/docs/fields.csv

@@ -275,7 +275,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.

ecs/stateless-security/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

ecs/stateless-system-activity/docs/fields.csv

@@ -404,7 +404,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.

ecs/stateless-system-activity/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

ecs/stateless-template/docs/fields.csv

@@ -276,7 +276,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.

ecs/stateless-template/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

ecs/stateless/docs/fields.csv

@@ -275,7 +275,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 9.1.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 9.1.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-9.1.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 9.1.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 9.1.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
 9.1.0,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.

ecs/stateless/fields/subset.yml

@@ -83,8 +83,6 @@ fields:
     fields: "*"
   dns:
     fields: "*"
-  ecs:
-    fields: "*"
   elf:
     fields: "*"
   email:

plugins/setup/src/main/resources/index-template-access-management.json

@@ -1302,14 +1302,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {

plugins/setup/src/main/resources/index-template-alerts.json

@@ -1302,14 +1302,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {

plugins/setup/src/main/resources/index-template-applications.json

@@ -2094,14 +2094,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {

plugins/setup/src/main/resources/index-template-archives.json

@@ -1302,14 +1302,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {

plugins/setup/src/main/resources/index-template-cloud-services-aws.json

@@ -4540,14 +4540,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {
@@ -5485,7 +5477,7 @@
                 }
               },
               "encoding_formats": {
-                "type": "nested"
+                "type": "keyword"
               },
               "frequency_penalty": {
                 "type": "double"
@@ -5504,7 +5496,7 @@
                 "type": "integer"
               },
               "stop_sequences": {
-                "type": "nested"
+                "type": "keyword"
               },
               "temperature": {
                 "type": "double"
@@ -5520,7 +5512,7 @@
           "response": {
             "properties": {
               "finish_reasons": {
-                "type": "nested"
+                "type": "keyword"
               },
               "id": {
                 "ignore_above": 1024,

plugins/setup/src/main/resources/index-template-cloud-services-azure.json

@@ -3570,14 +3570,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {

plugins/setup/src/main/resources/index-template-cloud-services-gcp.json

@@ -1302,14 +1302,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {

plugins/setup/src/main/resources/index-template-cloud-services.json

@@ -1458,14 +1458,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {

plugins/setup/src/main/resources/index-template-network-activity.json

@@ -2682,14 +2682,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {

plugins/setup/src/main/resources/index-template-other.json

@@ -1302,14 +1302,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {

plugins/setup/src/main/resources/index-template-security.json

@@ -1302,14 +1302,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {

plugins/setup/src/main/resources/index-template-system-activity.json

@@ -1812,14 +1812,6 @@
           }
         }
       },
-      "ecs": {
-        "properties": {
-          "version": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
       "email": {
         "properties": {
           "attachments": {