FIM indices rework (#509)

* Add new fields to wazuh-states-fim-files

* Divide wazuh-states-fim-registry and add fields

* Delete references to wazuh-states-fim-registries

* Modify documentation, generators and small fixes

* Add CHANGELOG entry and fix generator

* Fix ECS generator

* Remove the period signs for testing

* Update ECS templates for modified modules: states-fim-files states-fim-registry-keys states-fim-registry-values

* Fix event generators

* Update README.md

Signed-off-by: Álex Ruiz Becerra <alejandro.ruiz.becerra@wazuh.com>

* Changes after review

* Update ECS templates for modified modules: states-fim-files states-fim-registry-keys states-fim-registry-values

* Remove extra new lines at EOF

---------

Signed-off-by: Álex Ruiz Becerra <alejandro.ruiz.becerra@wazuh.com>
Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>
Co-authored-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com>
Co-authored-by: QU3B1M <kevin.ledesma@wazuh.com>
Jorge Sánchez 2025-06-27 14:13:23 +02:00 committed by GitHub
parent 4c64eb725a
commit c5e00275ae
39 changed files with 762 additions and 181 deletions


@ -23,6 +23,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
- Third-party integrations maintenance [(#478)](https://github.com/wazuh/wazuh-indexer-plugins/pull/478)
- Replace and remove deprecated settings [(#476)](https://github.com/wazuh/wazuh-indexer-plugins/pull/476)
- Migrate WCS changes from 4.x [(#488)](https://github.com/wazuh/wazuh-indexer-plugins/pull/488)
- FIM indices rework [(#509)](https://github.com/wazuh/wazuh-indexer-plugins/pull/509)
### Deprecated
-


@ -70,7 +70,8 @@ detect_modified_modules() {
# Mapping section
module_to_file=(
[states-fim-files]="index-template-fim-files.json"
[states-fim-registries]="index-template-fim-registries.json"
[states-fim-registry-keys]="index-template-fim-registry-keys.json"
[states-fim-registry-values]="index-template-fim-registry-values.json"
[states-inventory-groups]="index-template-groups.json"
[states-inventory-hardware]="index-template-hardware.json"
[states-inventory-hotfixes]="index-template-hotfixes.json"


@ -13,6 +13,7 @@ MAX_RETRIES=5
IP="127.0.0.1"
PROTOCOL="http"
PORT="${PORT:-9200}"
NUMBER_OF_EVENTS="100"
# === Logging Helpers ===
log() { echo -e "\n\033[1;34m[INFO]\033[0m $*"; }
@ -22,7 +23,7 @@ error() { echo -e "\n\033[1;31m[ERROR]\033[0m $*" >&2; }
# === Usage ===
usage() {
echo "Usage: $0 [--ip <ip>] [--protocol <http|https>] [--amount <n>]"
echo "Defaults: --ip 127.0.0.1, --port 9200, --protocol http -a 100"
echo "Defaults: --ip 127.0.0.1, --port 9200, --protocol http --amount 100"
exit 1
}
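Review bot: The Usage line in usage() still omits `--port`, while the rewritten Defaults line directly below it advertises `--port 9200` and the script seeds `PORT` from the environment, so the help text contradicts itself. If the option parser (outside this hunk, so I cannot confirm it) does accept `--port`, the first echo should read `echo "Usage: $0 [--ip <ip>] [--port <port>] [--protocol <http|https>] [--amount <n>]"`; if it does not, the Defaults line should drop `--port 9200` instead. The new `NUMBER_OF_EVENTS="100"` constant presumably backs the `--amount` default; a one-word comment such as `# default for --amount` next to it would tie the two together.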


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2914305496) (included in 5.0.0)
Based on ECS:
@ -13,25 +15,30 @@ The detail of the fields can be found in csv file [States FIM files Fields](fiel
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
|----------------|--------|---------------------------------------------------------------------------|-------------------------|--------|
| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name assigned to the agent. | agent.name | |
| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | |
| arch | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| gid | string | Group ID associated with the entity. | file.gid | |
| group_name | string | Name of the group that owns the entity. | file.group | |
| hash_md5 | string | MD5 hash of the file or registry value content. | file.hash.md5 | |
| hash_sha1 | string | SHA-1 hash of the file or registry value content. | file.hash.sha1 | |
| hash_sha256 | string | SHA-256 hash of the file or registry value content. | file.hash.sha256 | |
| inode | long | Inode number (only applicable for file events). | file.inode | |
| mtime | long | Last modified timestamp of the entity. | file.mtime | |
| path | string | Absolute file path or full registry key path. | file.path | |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| size | long | Size of the file or registry value (in bytes). | file.size | |
| timestamp | long | Timestamp when the event was generated. | timestamp | |
| uid | string | User ID associated with the entity. | file.uid | |
| user_name | string | Name of the owner of the entity (user). | file.owner | |
| Field Name | Type | Description | Destination Field | Custom |
|------------------|--------|---------------------------------------------------------------------------|-------------------------|--------|
| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name assigned to the agent. | agent.name | |
| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | |
| architecture | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| gid | string | Group ID associated with the entity. | file.gid | |
| group_name/group | string | Name of the group that owns the entity. | file.group | |
| hash_md5 | string | MD5 hash of the file or registry value content. | file.hash.md5 | |
| hash_sha1 | string | SHA-1 hash of the file or registry value content. | file.hash.sha1 | |
| hash_sha256 | string | SHA-256 hash of the file or registry value content. | file.hash.sha256 | |
| inode | long | Inode number (only applicable for file events). | file.inode | |
| mtime | long | Last modified timestamp of the entity. | file.mtime | |
| path | string | Absolute file path or full registry key path. | file.path | |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| size | long | Size of the file or registry value (in bytes). | file.size | |
| timestamp | long | Timestamp when the event was generated. | timestamp | |
| uid | string | User ID associated with the entity. | file.uid | |
| user_name/owner | string | Name of the owner of the entity (user). | file.owner | |
| checksum | string | SHA1 hash of the file. | checksum.hash.sha1 | TRUE |
| attributes | string | List of attributes related to the file. | file.attributes | |
| dev/device | string | Device that is the source of the file. | file.device | |
| perm/permissions | string | List of permissions related to the file. | file.permissions | TRUE |


@ -4,6 +4,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
8.11.0,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
8.11.0,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
8.11.0,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
8.11.0,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
@ -13,6 +16,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,file,file.mtime,date,extended,,,Last time the file content was modified.
8.11.0,true,file,file.owner,keyword,extended,,alice,File owner's username.
8.11.0,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
8.11.0,true,file,file.path.text,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
8.11.0,true,file,file.permissions,keyword,custom,array,,List of permissions related to the file.
8.11.0,true,file,file.size,long,extended,,16384,File size in bytes.
8.11.0,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true file file.attributes keyword extended array ["readonly", "system"] Array of file attributes.
9 8.11.0 true file file.device keyword extended sda Device that is the source of the file.
10 8.11.0 true file file.gid keyword extended 1001 Primary group ID (GID) of the file.
11 8.11.0 true file file.group keyword extended alice Primary group name of the file.
12 8.11.0 true file file.hash.md5 keyword extended MD5 hash.
16 8.11.0 true file file.mtime date extended Last time the file content was modified.
17 8.11.0 true file file.owner keyword extended alice File owner's username.
18 8.11.0 true file file.path keyword extended /home/alice/example.png Full path to the file, including the file name.
19 8.11.0 true file file.path.text keyword extended /home/alice/example.png Full path to the file, including the file name.
20 8.11.0 true file file.permissions keyword custom array List of permissions related to the file.
21 8.11.0 true file file.size long extended 16384 File size in bytes.
22 8.11.0 true file file.uid keyword extended 1001 The user ID (UID) or security identifier (SID) of the file owner.
23 8.11.0 true wazuh wazuh.cluster.name keyword custom Wazuh cluster name.


@ -33,6 +33,7 @@ def generate_random_data(number):
"agent": generate_random_agent(),
"file": generate_random_file(),
"wazuh": generate_random_wazuh(),
"checksum": generate_random_checksum(),
}
data.append(event_data)
return data
@ -76,6 +77,25 @@ def generate_random_file():
"path": "/path/to/file",
"size": random.randint(1000, 1000000),
"uid": f"uid{random.randint(0, 1000)}",
"attributes": ",".join(
random.sample(
["hidden", "read_only", "system", "archive", "temporary"],
random.randint(1, 5)
)
),
"device": random.choice(["sda", "sdb", "sdc"]),
"permissions": [
"".join(random.choice(["r", "w", "-"]) for _ in range(9))
],
}
def generate_random_checksum():
return {
"hash": {
"sha1": f"{random.randint(0, 9999)}",
}
}
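Review bot: `generate_random_file` now emits `file.attributes` as a single comma-joined string (`",".join(random.sample(...))`), whereas fields.csv in this same commit declares `file.attributes` with `array` normalization, so the generated documents never exercise the mapping as an array; `"attributes": random.sample(["hidden", "read_only", "system", "archive", "temporary"], random.randint(1, 5)),` matches the schema and mirrors what `permissions` does a few lines below. `generate_random_checksum` fills `checksum.hash.sha1` with a one-to-four digit decimal string, which is not SHA-1-shaped; if realistic values matter for the tests, `hashlib.sha1(os.urandom(16)).hexdigest()` (stdlib, would need `import hashlib` and `import os` at the top) is a small change, and the same helper is duplicated verbatim in the registry-keys generator added by this commit. The body of `generate_random_file` begins before this hunk.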


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -0,0 +1,10 @@
---
- name: file
fields:
- name: permissions
type: keyword
level: custom
description: >
List of permissions related to the file.
normalize:
- array


@ -14,8 +14,12 @@ fields:
id: {}
name: {}
version: {}
checksum:
fields: "*"
file:
fields:
attributes: {}
device: {}
gid: {}
group: {}
hash:
@ -27,6 +31,7 @@ fields:
mtime: {}
owner: {}
path: {}
permissions: {}
size: {}
uid: {}
wazuh:


@ -13,6 +13,9 @@
"agent.id",
"agent.name",
"agent.version",
"checksum.hash.sha1",
"file.attributes",
"file.device",
"file.gid",
"file.group",
"file.hash.md5",
@ -23,6 +26,7 @@
"file.owner",
"file.path",
"file.path.fields.text",
"file.permissions",
"file.size",
"file.uid",
"wazuh.cluster.name",


@ -16,6 +16,9 @@
"agent.id",
"agent.name",
"agent.version",
"checksum.hash.sha1",
"file.attributes",
"file.device",
"file.gid",
"file.group",
"file.hash.md5",
@ -26,6 +29,7 @@
"file.owner",
"file.path",
"file.path.fields.text",
"file.permissions",
"file.size",
"file.uid",
"wazuh.cluster.name",


@ -1,43 +0,0 @@
## `wazuh-states-fim-registries` index data model
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
Based on ECS:
- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html).
- [Registry Fields](https://www.elastic.co/docs/reference/ecs/ecs-registry).
The detail of the fields can be found in csv file [States FIM registries Fields](fields.csv).
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
| -------------- | ------ | :-------------------------------------------------- | ------------------------- | ------ |
| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name assigned to the agent. | agent.name | FALSE |
| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | FALSE |
| arch | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| | string | Architecture associated with the entity | registry.architecture | TRUE |
| gid | string | Group ID associated with the entity. | registry.gid | TRUE |
| group_name | string | Name of the group that owns the entity. | registry.group | TRUE |
| hash_md5 | string | MD5 hash of the file or registry value content. | registry.data.hash.md5 | TRUE |
| hash_sha1 | string | SHA-1 hash of the file or registry value content. | registry.data.hash.sha1 | TRUE |
| hash_sha256 | string | SHA-256 hash of the file or registry value content. | registry.data.hash.sha256 | TRUE |
| hive | string | Abbreviated name for the hive. | registry.hive | FALSE |
| key | string | Hive-relative path of keys | registry.key | FALSE |
| mtime | long | Last modified timestamp of the entity. | registry.mtime | TRUE |
| path | string | Absolute file path or full registry key path. | registry.path | FALSE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| size | long | Size of the file or registry value (in bytes). | registry.size | TRUE |
| timestamp | long | Timestamp when the event was generated. | timestamp | FALSE |
| type | string | Type of monitored entity, e.g., "registry_key". | event.category | FALSE |
| uid | string | User ID associated with the entity. | registry.uid | TRUE |
| user_name | string | Name of the owner of the entity (user). | registry.owner | TRUE |
| value_name | string | Name of the registry value. | registry.value | FALSE |
| value_type | string | Type of the registry value, e.g., "REG_SZ". | registry.data.type | FALSE |


@ -0,0 +1,39 @@
## `wazuh-states-fim-registry-keys` index data model
### Fields summary
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2914305496) (included in 5.0.0)
Based on ECS:
- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html).
- [Registry Fields](https://www.elastic.co/docs/reference/ecs/ecs-registry).
The detail of the fields can be found in csv file [States FIM registries Fields](fields.csv).
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
| ----------------- | ------ | :-------------------------------------------------- | ------------------------- | ------ |
| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name assigned to the agent. | agent.name | |
| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | |
| architecture | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| architecture | string | Architecture associated with the entity | registry.architecture | TRUE |
| gid | string | Group ID associated with the entity. | registry.gid | TRUE |
| group_name/group | string | Name of the group that owns the entity. | registry.group | TRUE |
| hive | string | Abbreviated name for the hive. | registry.hive | |
| key | string | Hive-relative path of keys | registry.key | |
| mtime | long | Last modified timestamp of the entity. | registry.mtime | TRUE |
| path | string | Absolute file path or full registry key path. | registry.path | |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| uid | string | User ID associated with the entity. | registry.uid | TRUE |
| user_name/owner | string | Name of the owner of the entity (user). | registry.owner | TRUE |
| permissions/perm | string | Permissions associated with the registry key. | registry.permissions | TRUE |
| checksum | string | SHA1 hash of the file. | checksum.hash.sha1 | TRUE |


@ -0,0 +1,20 @@
ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.host.architecture,keyword,core,,x86_64,Operating system architecture.
8.11.0,true,agent,agent.host.ip,ip,core,array,,Host ip addresses.
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,registry,registry.architecture,keyword,custom,,,Architecture associated with the entity
8.11.0,true,registry,registry.gid,keyword,custom,,,Group ID associated with the entity
8.11.0,true,registry,registry.group,keyword,custom,,,Name of the group that owns the entity
8.11.0,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
8.11.0,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
8.11.0,true,registry,registry.mtime,date,custom,,,Last modified timestamp of the entity
8.11.0,true,registry,registry.owner,keyword,custom,,,Name of the owner of the entity (user)
8.11.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
8.11.0,true,registry,registry.permissions,keyword,custom,array,,Permissions associated with the registry key.
8.11.0,true,registry,registry.uid,keyword,custom,,,User ID associated with the entity
8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
2 8.11.0 true agent agent.host.architecture keyword core x86_64 Operating system architecture.
3 8.11.0 true agent agent.host.ip ip core array Host ip addresses.
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true registry registry.architecture keyword custom Architecture associated with the entity
9 8.11.0 true registry registry.gid keyword custom Group ID associated with the entity
10 8.11.0 true registry registry.group keyword custom Name of the group that owns the entity
11 8.11.0 true registry registry.hive keyword core HKLM Abbreviated name for the hive.
12 8.11.0 true registry registry.key keyword core SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe Hive-relative path of keys.
13 8.11.0 true registry registry.mtime date custom Last modified timestamp of the entity
14 8.11.0 true registry registry.owner keyword custom Name of the owner of the entity (user)
15 8.11.0 true registry registry.path keyword core HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger Full path, including hive, key and value
16 8.11.0 true registry registry.permissions keyword custom array Permissions associated with the registry key.
17 8.11.0 true registry registry.uid keyword custom User ID associated with the entity
18 8.11.0 true wazuh wazuh.cluster.name keyword custom Wazuh cluster name.
19 8.11.0 true wazuh wazuh.cluster.node keyword custom Wazuh cluster node name.
20 8.11.0 true wazuh wazuh.schema.version keyword custom Wazuh schema version.


@ -0,0 +1,174 @@
#!/bin/python3
import argparse
import datetime
import json
import logging
import random
import requests
import urllib3
# Constants and Configuration
LOG_FILE = "generate_data.log"
GENERATED_DATA_FILE = "generatedData.json"
DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
# Default values
INDEX_NAME = "wazuh-states-fim-registry-keys"
USERNAME = "admin"
PASSWORD = "admin"
IP = "127.0.0.1"
PORT = "9200"
# Configure logging
logging.basicConfig(level=logging.INFO)
# Suppress warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def generate_random_data(number):
data = []
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"registry": generate_random_registry(),
"wazuh": generate_random_wazuh(),
"checksum": generate_random_checksum(),
}
data.append(event_data)
return data
def generate_random_date():
start_date = datetime.datetime.now()
end_date = start_date - datetime.timedelta(days=10)
random_date = start_date + (end_date - start_date) * random.random()
return random_date.strftime(DATE_FORMAT)
def generate_random_unix_timestamp():
start_time = datetime.datetime(2000, 1, 1)
end_time = datetime.datetime.now()
random_time = start_time + datetime.timedelta(
seconds=random.randint(0, int((end_time - start_time).total_seconds()))
)
return int(random_time.timestamp())
def generate_random_agent():
return {
"id": f"{random.randint(0, 99):03d}",
"name": f"Agent{random.randint(0, 99)}",
"version": f"v{random.randint(0, 9)}-stable",
"host": generate_random_host(),
}
def generate_random_host():
return {
"architecture": random.choice(["x86_64", "arm64"]),
"ip": f"{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}",
}
def generate_random_data_stream():
data_stream = {"type": random.choice(["Scheduled", "Realtime"])}
return data_stream
def generate_random_registry():
return {
"architecture": random.choice(["x86", "amd64"]),
"gid": f"gid{random.randint(0, 1000)}",
"group": f"group{random.randint(0, 1000)}",
"hive": "HKLM",
"key": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe",
"mtime": generate_random_unix_timestamp(),
"owner": f"owner{random.randint(0, 1000)}",
"path": "/path/to/file",
"uid": f"uid{random.randint(0, 1000)}",
"permissions": [
random.sample(["read", "write", "execute", "delete", "change_permissions", "take_ownership"], random.randint(1,6))
],
}
def generate_random_checksum():
return {
"hash": {
"sha1": f"{random.randint(0, 9999)}",
}
}
def inject_events(data, ip, port, username, password, index, protocol):
url = f"{protocol}://{ip}:{port}/{index}/_doc"
session = requests.Session()
session.auth = (username, password)
session.verify = False
headers = {"Content-Type": "application/json"}
try:
for event_data in data:
response = session.post(url, json=event_data, headers=headers)
if response.status_code != 201:
logging.error(f"Error: {response.status_code}")
logging.error(response.text)
break
logging.info("Data injection completed successfully.")
except Exception as e:
logging.error(f"Error: {str(e)}")
def generate_random_wazuh():
return {
"cluster": {
"name": f"wazuh-cluster-{random.randint(0, 10)}",
"node": f"wazuh-cluster-node-{random.randint(0, 10)}",
},
"schema": {"version": "1.7.0"},
}
def main():
parser = argparse.ArgumentParser(
description="Generate and optionally inject documents into a Wazuh Indexer cluster."
)
parser.add_argument(
"--protocol",
choices=['http', 'https'],
default='https',
help="Specify the protocol to use: http or https. Default is 'https'."
)
args = parser.parse_args()
try:
number = int(input("How many events do you want to generate? "))
except ValueError:
logging.error("Invalid input. Please enter a valid number.")
return
logging.info(f"Generating {number} events...")
data = generate_random_data(number)
with open(GENERATED_DATA_FILE, "a") as outfile:
for event_data in data:
json.dump(event_data, outfile)
outfile.write("\n")
logging.info("Data generation completed.")
inject = (
input("Do you want to inject the generated data into your indexer? (y/n) ")
.strip()
.lower()
)
if inject == "y":
ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP
port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT
index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME
username = input(f"Username (default: '{USERNAME}'): ") or USERNAME
password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD
inject_events(data, ip, port, username, password, index, args.protocol)
if __name__ == "__main__":
main()
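Review bot: `generate_random_registry` wraps the list that `random.sample(...)` already returns in another list, so `registry.permissions` is emitted as a nested array (`[["read", "write"]]`) while the new fields.csv declares it as a flat `array` of keywords; the fim-files generator builds a flat list for `file.permissions`, so this one should read `"permissions": random.sample(["read", "write", "execute", "delete", "change_permissions", "take_ownership"], random.randint(1, 6)),`. Two smaller points in the same file: `inject_events` sets `session.verify = False` unconditionally while `--protocol` defaults to `https`, so the credentials entered in `main()` are posted to whatever answers at the given address with no certificate check, which deserves an explicit opt-in (a flag such as `--insecure`, name constructed) or at least a sentence in the argparse help; and the password is read with `input()` and therefore echoed to the terminal, where `getpass.getpass(f"Password (default: '{PASSWORD}'): ") or PASSWORD` (stdlib, needs `import getpass`) would not. `generate_random_date` and `generate_random_data_stream` are defined but never called, and `"path": "/path/to/file"` is a POSIX path in a registry-key document, which the README's `registry.path` example shows as a hive-qualified Windows path.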


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -19,21 +19,6 @@
level: custom
description: >
Name of the group that owns the entity
- name: data.hash.md5
type: keyword
level: custom
description: >
MD5 hash of the file or registry value content
- name: data.hash.sha1
type: keyword
level: custom
description: >
SHA-1 hash of the file or registry value content
- name: data.hash.sha256
type: keyword
level: custom
description: >
SHA-256 hash of the file or registry value content
- name: mtime
type: date
level: custom
@ -44,11 +29,13 @@
level: custom
description: >
Name of the owner of the entity (user)
- name: size
type: long
- name: permissions
type: keyword
level: custom
description: >
Size of the file or registry value (in bytes)
Permissions associated with the registry key.
normalize:
- array
- name: uid
type: keyword
level: custom


@ -0,0 +1,33 @@
---
name: wazuh-states-fim-registry-keys
fields:
base:
fields:
tags: []
"@timestamp": {}
agent:
fields:
host:
fields:
ip: {}
architecture: {}
id: {}
name: {}
version: {}
checksum:
fields: "*"
registry:
fields:
architecture: {}
gid: {}
group: {}
hive: {}
key: {}
mtime: {}
owner: {}
path: {}
permissions: {}
uid: {}
wazuh:
fields: "*"


@ -0,0 +1,33 @@
{
"index_patterns": ["wazuh-states-fim-registry-keys*"],
"order": 1,
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"auto_expand_replicas": "0-1",
"refresh_interval": "5s",
"query.default_field": [
"agent.host.architecture",
"agent.host.ip",
"agent.id",
"agent.name",
"agent.version",
"checksum.hash.sha1",
"registry.architecture",
"registry.gid",
"registry.group",
"registry.hive",
"registry.key",
"registry.mtime",
"registry.owner",
"registry.path",
"registry.permissions",
"registry.uid",
"wazuh.cluster.name",
"wazuh.cluster.node",
"wazuh.schema.version"
]
}
}
}


@ -0,0 +1,35 @@
{
"index_patterns": ["wazuh-states-fim-registry-keys*"],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"auto_expand_replicas": "0-1",
"refresh_interval": "5s",
"query.default_field": [
"agent.host.architecture",
"agent.host.ip",
"agent.id",
"agent.name",
"agent.version",
"checksum.hash.sha1",
"registry.architecture",
"registry.gid",
"registry.group",
"registry.hive",
"registry.key",
"registry.mtime",
"registry.owner",
"registry.path",
"registry.permissions",
"registry.uid",
"wazuh.cluster.name",
"wazuh.cluster.node",
"wazuh.schema.version"
]
}
}
}
}


@ -0,0 +1,39 @@
## `wazuh-states-fim-registry-values` index data model
### Fields summary
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2914305496) (included in 5.0.0)
Based on ECS:
- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html).
- [Registry Fields](https://www.elastic.co/docs/reference/ecs/ecs-registry).
The detail of the fields can be found in csv file [States FIM registries Fields](fields.csv).
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
| ----------------- | ------ | :-------------------------------------------------- | ------------------------- | ------ |
| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name assigned to the agent. | agent.name | |
| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | |
| arch/architecture | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| architecture | string | Architecture associated with the entity | registry.architecture | TRUE |
| hash_md5 | string | MD5 hash of the file or registry value content. | registry.data.hash.md5 | TRUE |
| hash_sha1 | string | SHA-1 hash of the file or registry value content. | registry.data.hash.sha1 | TRUE |
| hash_sha256 | string | SHA-256 hash of the file or registry value content. | registry.data.hash.sha256 | TRUE |
| hive | string | Abbreviated name for the hive. | registry.hive | |
| key | string | Hive-relative path of keys | registry.key | |
| path | string | Absolute file path or full registry key path. | registry.path | |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| size | long | Size of the file or registry value (in bytes). | registry.size | TRUE |
| name/value | string | Name of the registry value. | registry.value | |
| value_type | string | Type of the registry value, e.g., "REG_SZ". | registry.data.type | |
| checksum | string | SHA1 hash of the file. | checksum.hash.sha1 | TRUE |


@ -4,22 +4,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
8.11.0,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,registry,registry.architecture,keyword,custom,,,Architecture associated with the entity
8.11.0,true,registry,registry.data.hash.md5,keyword,custom,,,MD5 hash of the file or registry value content
8.11.0,true,registry,registry.data.hash.sha1,keyword,custom,,,SHA-1 hash of the file or registry value content
8.11.0,true,registry,registry.data.hash.sha256,keyword,custom,,,SHA-256 hash of the file or registry value content
8.11.0,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
8.11.0,true,registry,registry.gid,keyword,custom,,,Group ID associated with the entity
8.11.0,true,registry,registry.group,keyword,custom,,,Name of the group that owns the entity
8.11.0,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
8.11.0,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
8.11.0,true,registry,registry.mtime,date,custom,,,Last modified timestamp of the entity
8.11.0,true,registry,registry.owner,keyword,custom,,,Name of the owner of the entity (user)
8.11.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
8.11.0,true,registry,registry.size,long,custom,,,Size of the file or registry value (in bytes)
8.11.0,true,registry,registry.uid,keyword,custom,,,User ID associated with the entity
8.11.0,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true event checksum event.action checksum.hash.sha1 keyword core custom user-password-change The action captured by the event. SHA1 hash used as checksum of the data collected by the agent.
8.11.0 true event event.category keyword core array authentication Event category. The second categorization field in the hierarchy.
8 8.11.0 true registry registry.architecture keyword custom Architecture associated with the entity
9 8.11.0 true registry registry.data.hash.md5 keyword custom MD5 hash of the file or registry value content
10 8.11.0 true registry registry.data.hash.sha1 keyword custom SHA-1 hash of the file or registry value content
11 8.11.0 true registry registry.data.hash.sha256 keyword custom SHA-256 hash of the file or registry value content
12 8.11.0 true registry registry.data.type keyword core REG_SZ Standard registry type for encoding contents
8.11.0 true registry registry.gid keyword custom Group ID associated with the entity
8.11.0 true registry registry.group keyword custom Name of the group that owns the entity
13 8.11.0 true registry registry.hive keyword core HKLM Abbreviated name for the hive.
14 8.11.0 true registry registry.key keyword core SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe Hive-relative path of keys.
8.11.0 true registry registry.mtime date custom Last modified timestamp of the entity
8.11.0 true registry registry.owner keyword custom Name of the owner of the entity (user)
15 8.11.0 true registry registry.path keyword core HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger Full path, including hive, key and value
16 8.11.0 true registry registry.size long custom Size of the file or registry value (in bytes)
8.11.0 true registry registry.uid keyword custom User ID associated with the entity
17 8.11.0 true registry registry.value keyword core Debugger Name of the value written.
18 8.11.0 true wazuh wazuh.cluster.name keyword custom Wazuh cluster name.
19 8.11.0 true wazuh wazuh.cluster.node keyword custom Wazuh cluster node name.


@ -13,7 +13,7 @@ LOG_FILE = "generate_data.log"
GENERATED_DATA_FILE = "generatedData.json"
DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
# Default values
INDEX_NAME = "wazuh-states-fim-registries"
INDEX_NAME = "wazuh-states-fim-registry-values"
USERNAME = "admin"
PASSWORD = "admin"
IP = "127.0.0.1"
@ -31,9 +31,9 @@ def generate_random_data(number):
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"event": generate_random_event(),
"registry": generate_random_registry(),
"wazuh": generate_random_wazuh(),
"checksum": generate_random_checksum(),
}
data.append(event_data)
return data
@ -75,13 +75,6 @@ def generate_random_data_stream():
data_stream = {"type": random.choice(["Scheduled", "Realtime"])}
return data_stream
def generate_random_event():
return {
"category": random.choice(["registy_value", "registry_key", "file"]),
}
def generate_random_registry():
return {
"architecture": random.choice(["x86", "amd64"]),
@ -93,18 +86,20 @@ def generate_random_registry():
},
"type": random.choice(["REG_SZ", "REG_DWORD"]),
},
"gid": f"gid{random.randint(0, 1000)}",
"group": f"group{random.randint(0, 1000)}",
"hive": "HKLM",
"key": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe",
"mtime": generate_random_unix_timestamp(),
"owner": f"owner{random.randint(0, 1000)}",
"path": "/path/to/file",
"size": random.randint(1000, 1000000),
"uid": f"uid{random.randint(0, 1000)}",
"value": f"registry_value{random.randint(0, 1000)}",
}
def generate_random_checksum():
return {
"hash": {
"sha1": f"{random.randint(0, 9999)}",
}
}
def inject_events(data, ip, port, username, password, index, protocol):
url = f"{protocol}://{ip}:{port}/{index}/_doc"
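Review bot: generate_random_checksum fills checksum.hash.sha1 with a one-to-four digit decimal string, which does not have the shape of the 40-character hex digest that the field's description ("SHA1 hash used as checksum") advertises, so generated documents will not exercise the same value length as real agent data. Using `"sha1": "".join(random.choices("0123456789abcdef", k=40)),` yields a SHA1-shaped value with the `random` module this file already uses. Separately, the untouched `"path": "/path/to/file"` line in generate_random_registry does not match the registry-values schema, where registry.path is documented as the full path including hive, key and value; a value such as `"path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger",` (the example from fields.csv) would be consistent with the `key` entry above it. generate_random_registry begins in the previous hunk, so only part of its body is visible here.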


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -0,0 +1,6 @@
---
- name: host
reusable:
top_level: true
expected:
- { at: agent, as: host }


@ -0,0 +1,32 @@
---
- name: registry
title: Registry
description: >
Fields related to Windows Registry operations.
fields:
- name: architecture
type: keyword
level: custom
description: >
Architecture associated with the entity
- name: data.hash.md5
type: keyword
level: custom
description: >
MD5 hash of the file or registry value content
- name: data.hash.sha1
type: keyword
level: custom
description: >
SHA-1 hash of the file or registry value content
- name: data.hash.sha256
type: keyword
level: custom
description: >
SHA-256 hash of the file or registry value content
- name: size
type: long
level: custom
description: >
Size of the file or registry value (in bytes)
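Review bot: The descriptions of data.hash.md5, data.hash.sha1, data.hash.sha256 and size still read "of the file or registry value", but after this split the registry field set only feeds the registry-values index, so the "file" alternative is misleading in the generated fields.csv and README. Suggest `MD5 hash of the registry value content` and, likewise, `Size of the registry value (in bytes)` for the other entries, unless this field set is also reused for file data. None of the custom fields carry an `example`, while the core ECS fields in the same CSV do; an example such as a 40-hex-character digest for data.hash.sha1 would make the generated documentation self-explanatory.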


@ -0,0 +1,21 @@
---
- name: wazuh
title: Wazuh
description: >
Wazuh Inc. custom fields
fields:
- name: cluster.name
type: keyword
level: custom
description: >
Wazuh cluster name.
- name: cluster.node
type: keyword
level: custom
description: >
Wazuh cluster node name.
- name: schema.version
type: keyword
level: custom
description: >
Wazuh schema version.


@ -0,0 +1,4 @@
{
"dynamic": "strict",
"date_detection": false
}


@ -1,5 +1,5 @@
---
name: wazuh-states-fim-registries
name: wazuh-states-fim-registry-values
fields:
base:
fields:
@ -14,10 +14,8 @@ fields:
id: {}
name: {}
version: {}
event:
fields:
action: {}
category: {}
checksum:
fields: "*"
registry:
fields:
architecture: {}
@ -29,15 +27,10 @@ fields:
md5: {}
sha1: {}
sha256: {}
gid: {}
group: {}
hive: {}
key: {}
mtime: {}
owner: {}
path: {}
size: {}
uid: {}
value: {}
wazuh:
fields: "*"


@ -1,5 +1,5 @@
{
"index_patterns": ["wazuh-states-fim-registries*"],
"index_patterns": ["wazuh-states-fim-registry-values*"],
"order": 1,
"settings": {
"index": {
@ -13,22 +13,16 @@
"agent.id",
"agent.name",
"agent.version",
"event.action",
"event.category",
"checksum.hash.sha1",
"registry.architecture",
"registry.data.hash.md5",
"registry.data.hash.sha1",
"registry.data.hash.sha256",
"registry.data.type",
"registry.gid",
"registry.group",
"registry.hive",
"registry.key",
"registry.mtime",
"registry.owner",
"registry.path",
"registry.size",
"registry.uid",
"registry.value",
"wazuh.cluster.name",
"wazuh.cluster.node",


@ -1,5 +1,5 @@
{
"index_patterns": ["wazuh-states-fim-registries*"],
"index_patterns": ["wazuh-states-fim-registry-values*"],
"priority": 1,
"template": {
"settings": {
@ -14,22 +14,16 @@
"agent.id",
"agent.name",
"agent.version",
"event.action",
"event.category",
"checksum.hash.sha1",
"registry.architecture",
"registry.data.hash.md5",
"registry.data.hash.sha1",
"registry.data.hash.sha256",
"registry.data.type",
"registry.gid",
"registry.group",
"registry.hive",
"registry.key",
"registry.mtime",
"registry.owner",
"registry.path",
"registry.size",
"registry.uid",
"registry.value",
"wazuh.cluster.name",
"wazuh.cluster.node",


@ -27,7 +27,7 @@ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def generate_random_user():
now = datetime.datetime.now(datetime.UTC)
now = datetime.datetime.now(datetime.timezone.utc)
timestamp = now.strftime(DATE_FORMAT)
return {


@ -78,7 +78,8 @@ public class SetupPlugin extends Plugin implements ClusterPlugin {
this.indices.add(new StreamIndex("wazuh-archives-5.x-000001", "index-template-archives", "wazuh-archives"));
// State indices
this.indices.add(new StateIndex("wazuh-states-fim-files", "index-template-fim-files"));
this.indices.add(new StateIndex("wazuh-states-fim-registries", "index-template-fim-registries"));
this.indices.add(new StateIndex("wazuh-states-fim-registry-keys", "index-template-fim-registry-keys"));
this.indices.add(new StateIndex("wazuh-states-fim-registry-values", "index-template-fim-registry-values"));
this.indices.add(new StateIndex("wazuh-states-inventory-groups", "index-template-groups"));
this.indices.add(new StateIndex("wazuh-states-inventory-hardware", "index-template-hardware"));
this.indices.add(new StateIndex("wazuh-states-inventory-hotfixes", "index-template-hotfixes"));
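Review bot: Dropping the wazuh-states-fim-registries StateIndex in favour of the two new entries means an upgraded node stops managing the old index and its template, but nothing visible here removes or migrates them, so a deployment upgraded in place would presumably keep an orphaned wazuh-states-fim-registries index with the old mappings next to the new ones. If that is intended, a comment on the new lines such as `// FIM registry state is split into keys and values; the former wazuh-states-fim-registries index is not migrated` would record the decision; otherwise the setup or an upgrade path should handle the old index. The enclosing constructor or method starts outside the hunk.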


@ -6,9 +6,6 @@
"date_detection": false,
"dynamic": "strict",
"properties": {
"@timestamp": {
"type": "date"
},
"agent": {
"properties": {
"host": {
@ -36,8 +33,28 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"file": {
"properties": {
"attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
@ -74,11 +91,10 @@
"type": "keyword"
},
"path": {
"fields": {
"text": {
"type": "keyword"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"permissions": {
"ignore_above": 1024,
"type": "keyword"
},
@ -129,6 +145,9 @@
"agent.id",
"agent.name",
"agent.version",
"checksum.hash.sha1",
"file.attributes",
"file.device",
"file.gid",
"file.group",
"file.hash.md5",
@ -139,6 +158,7 @@
"file.owner",
"file.path",
"file.path.fields.text",
"file.permissions",
"file.size",
"file.uid",
"wazuh.cluster.name",
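Review bot: The query.default_field list still contains `"file.path.fields.text"` although this change drops the `fields.text` sub-field from the file.path mapping, leaving a default search field that no longer exists in the template; that entry should be removed (the `"file.path"` entry above it already covers the field). Since this template looks like ECS generator output, the stale entry presumably has to be removed from the schema or subset source that produces it rather than patched here. Removing `@timestamp` from the mapping while `"dynamic": "strict"` stays in force also means any document still carrying that field will be rejected, which is worth a line in the changelog entry if the agent side is expected to stop sending it.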


@ -0,0 +1,147 @@
{
"index_patterns": [
"wazuh-states-fim-registry-keys*"
],
"mappings": {
"date_detection": false,
"dynamic": "strict",
"properties": {
"agent": {
"properties": {
"host": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"registry": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"mtime": {
"type": "date"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"permissions": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"wazuh": {
"properties": {
"cluster": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"node": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"schema": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"order": 1,
"settings": {
"index": {
"auto_expand_replicas": "0-1",
"number_of_replicas": "0",
"number_of_shards": "1",
"query.default_field": [
"agent.host.architecture",
"agent.host.ip",
"agent.id",
"agent.name",
"agent.version",
"checksum.hash.sha1",
"registry.architecture",
"registry.gid",
"registry.group",
"registry.hive",
"registry.key",
"registry.mtime",
"registry.owner",
"registry.path",
"registry.permissions",
"registry.uid",
"wazuh.cluster.name",
"wazuh.cluster.node",
"wazuh.schema.version"
],
"refresh_interval": "5s"
}
}
}


@ -1,14 +1,11 @@
{
"index_patterns": [
"wazuh-states-fim-registries*"
"wazuh-states-fim-registry-values*"
],
"mappings": {
"date_detection": false,
"dynamic": "strict",
"properties": {
"@timestamp": {
"type": "date"
},
"agent": {
"properties": {
"host": {
@ -36,15 +33,15 @@
}
}
},
"event": {
"checksum": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
@ -78,14 +75,6 @@
}
}
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"hive": {
"ignore_above": 1024,
"type": "keyword"
@ -94,13 +83,6 @@
"ignore_above": 1024,
"type": "keyword"
},
"mtime": {
"type": "date"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
@ -108,10 +90,6 @@
"size": {
"type": "long"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
@ -156,22 +134,16 @@
"agent.id",
"agent.name",
"agent.version",
"event.action",
"event.category",
"checksum.hash.sha1",
"registry.architecture",
"registry.data.hash.md5",
"registry.data.hash.sha1",
"registry.data.hash.sha256",
"registry.data.type",
"registry.gid",
"registry.group",
"registry.hive",
"registry.key",
"registry.mtime",
"registry.owner",
"registry.path",
"registry.size",
"registry.uid",
"registry.value",
"wazuh.cluster.name",
"wazuh.cluster.node",