diff --git a/CHANGELOG.md b/CHANGELOG.md index 024c92ee..bd0cada8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - Third-party integrations maintenance [(#478)](https://github.com/wazuh/wazuh-indexer-plugins/pull/478) - Replace and remove deprecated settings [(#476)](https://github.com/wazuh/wazuh-indexer-plugins/pull/476) - Migrate WCS changes from 4.x [(#488)](https://github.com/wazuh/wazuh-indexer-plugins/pull/488) +- FIM indices rework [(#509)](https://github.com/wazuh/wazuh-indexer-plugins/pull/509) ### Deprecated - diff --git a/ecs/scripts/generate-and-push-templates.sh b/ecs/scripts/generate-and-push-templates.sh index df31d6c5..a7ca6465 100644 --- a/ecs/scripts/generate-and-push-templates.sh +++ b/ecs/scripts/generate-and-push-templates.sh @@ -70,7 +70,8 @@ detect_modified_modules() { # Mapping section module_to_file=( [states-fim-files]="index-template-fim-files.json" - [states-fim-registries]="index-template-fim-registries.json" + [states-fim-registry-keys]="index-template-fim-registry-keys.json" + [states-fim-registry-values]="index-template-fim-registry-values.json" [states-inventory-groups]="index-template-groups.json" [states-inventory-hardware]="index-template-hardware.json" [states-inventory-hotfixes]="index-template-hotfixes.json" diff --git a/ecs/scripts/run-event-generators.sh b/ecs/scripts/run-event-generators.sh index a7a2fa56..fce0bb85 100644 --- a/ecs/scripts/run-event-generators.sh +++ b/ecs/scripts/run-event-generators.sh @@ -13,6 +13,7 @@ MAX_RETRIES=5 IP="127.0.0.1" PROTOCOL="http" PORT="${PORT:-9200}" +NUMBER_OF_EVENTS="100" # === Logging Helpers === log() { echo -e "\n\033[1;34m[INFO]\033[0m $*"; } 
@@ -22,7 +23,7 @@ error() { echo -e "\n\033[1;31m[ERROR]\033[0m $*" >&2; } # === Usage === usage() { echo "Usage: $0 [--ip ] [--protocol ] [--amount ]" - echo "Defaults: --ip 127.0.0.1, --port 9200, --protocol http -a 100" + echo "Defaults: --ip 127.0.0.1, --port 9200, --protocol http --amount 100" exit 1 } diff --git a/ecs/states-fim-files/docs/README.md b/ecs/states-fim-files/docs/README.md index c71bb62d..6cba5c18 100644 --- a/ecs/states-fim-files/docs/README.md +++ b/ecs/states-fim-files/docs/README.md @@ -2,7 +2,9 @@ ### Fields summary -The fields are based on https://github.com/wazuh/wazuh/issues/27898 +The fields are based on: +- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0). +- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2914305496) (included in 5.0.0) Based on ECS: 
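Review bot: The corrected Defaults line in `usage()` still carries the literal `100` for `--amount`, even though the previous hunk of this file introduces `NUMBER_OF_EVENTS="100"` for that very default, so the two will drift the next time the value changes; print the variables instead: `echo "Defaults: --ip ${IP}, --port ${PORT}, --protocol ${PROTOCOL} --amount ${NUMBER_OF_EVENTS}"`. The `Usage:` context line just above lists `--ip`, `--protocol` and `--amount` but not `--port`, while the Defaults line does document a port, which looks like an omission worth fixing in the same pass. Whether the option parser actually assigns `--amount` into `NUMBER_OF_EVENTS` is outside this hunk.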
@@ -13,25 +15,30 @@ The detail of the fields can be found in csv file [States FIM files Fields](fiel ### Transition table -| Field Name | Type | Description | Destination Field | Custom | -|----------------|--------|---------------------------------------------------------------------------|-------------------------|--------| -| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | | -| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE | -| agent_name | string | Name assigned to the agent. | agent.name | | -| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | | -| arch | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE | -| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE | -| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE | -| gid | string | Group ID associated with the entity. | file.gid | | -| group_name | string | Name of the group that owns the entity. | file.group | | -| hash_md5 | string | MD5 hash of the file or registry value content. | file.hash.md5 | | -| hash_sha1 | string | SHA-1 hash of the file or registry value content. | file.hash.sha1 | | -| hash_sha256 | string | SHA-256 hash of the file or registry value content. | file.hash.sha256 | | -| inode | long | Inode number (only applicable for file events). | file.inode | | -| mtime | long | Last modified timestamp of the entity. | file.mtime | | -| path | string | Absolute file path or full registry key path. | file.path | | -| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE | -| size | long | Size of the file or registry value (in bytes). | file.size | | -| timestamp | long | Timestamp when the event was generated. | timestamp | | -| uid | string | User ID associated with the entity. | file.uid | | -| user_name | string | Name of the owner of the entity (user). 
| file.owner | | +| Field Name | Type | Description | Destination Field | Custom | +|------------------|--------|---------------------------------------------------------------------------|-------------------------|--------| +| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | | +| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE | +| agent_name | string | Name assigned to the agent. | agent.name | | +| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | | +| architecture | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE | +| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE | +| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE | +| gid | string | Group ID associated with the entity. | file.gid | | +| group_name/group | string | Name of the group that owns the entity. | file.group | | +| hash_md5 | string | MD5 hash of the file or registry value content. | file.hash.md5 | | +| hash_sha1 | string | SHA-1 hash of the file or registry value content. | file.hash.sha1 | | +| hash_sha256 | string | SHA-256 hash of the file or registry value content. | file.hash.sha256 | | +| inode | long | Inode number (only applicable for file events). | file.inode | | +| mtime | long | Last modified timestamp of the entity. | file.mtime | | +| path | string | Absolute file path or full registry key path. | file.path | | +| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE | +| size | long | Size of the file or registry value (in bytes). | file.size | | +| timestamp | long | Timestamp when the event was generated. | timestamp | | +| uid | string | User ID associated with the entity. | file.uid | | +| user_name/owner | string | Name of the owner of the entity (user). | file.owner | | +| checksum | string | SHA1 hash of the file. 
| checksum.hash.sha1 | TRUE | +| attributes | string | List of attributes related to the file. | file.attributes | | +| dev/device | string | Device that is the source of the file. | file.device | | +| perm/permissions | string | List of permissions related to the file. | file.permissions | TRUE | + diff --git a/ecs/states-fim-files/docs/fields.csv b/ecs/states-fim-files/docs/fields.csv index 40eca2ae..1f871f42 100644 --- a/ecs/states-fim-files/docs/fields.csv +++ b/ecs/states-fim-files/docs/fields.csv @@ -4,6 +4,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. 8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. 8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent. +8.11.0,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.11.0,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. 8.11.0,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.11.0,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 8.11.0,true,file,file.hash.md5,keyword,extended,,,MD5 hash. 
@@ -13,6 +16,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0,true,file,file.mtime,date,extended,,,Last time the file content was modified. 8.11.0,true,file,file.owner,keyword,extended,,alice,File owner's username. 8.11.0,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.11.0,true,file,file.path.text,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.11.0,true,file,file.permissions,keyword,custom,array,,List of permissions related to the file. 8.11.0,true,file,file.size,long,extended,,16384,File size in bytes. 8.11.0,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name. diff --git a/ecs/states-fim-files/event-generator/event_generator.py b/ecs/states-fim-files/event-generator/event_generator.py index 08b04b29..7150e8d3 100644 --- a/ecs/states-fim-files/event-generator/event_generator.py +++ b/ecs/states-fim-files/event-generator/event_generator.py @@ -33,6 +33,7 @@ def generate_random_data(number): "agent": generate_random_agent(), "file": generate_random_file(), "wazuh": generate_random_wazuh(), + "checksum": generate_random_checksum(), } data.append(event_data) return data @@ -76,6 +77,25 @@ def generate_random_file(): "path": "/path/to/file", "size": random.randint(1000, 1000000), "uid": f"uid{random.randint(0, 1000)}", + "attributes": ",".join( + random.sample( + ["hidden", "read_only", "system", "archive", "temporary"], + random.randint(1, 5) + ) + ), + "device": random.choice(["sda", "sdb", "sdc"]), + "permissions": [ + "".join(random.choice(["r", "w", "-"]) for _ in range(9)) + ], + + + } + +def generate_random_checksum(): + return { + "hash": { + "sha1": f"{random.randint(0, 9999)}", + } } 
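Review bot: In `generate_random_file` the new `attributes` value is a comma-joined string (`",".join(random.sample(...))`), while this same commit documents `file.attributes` in docs/fields.csv with `array` normalization, so the generator emits a shape the field definition does not describe; emit the list directly: `"attributes": random.sample(["hidden", "read_only", "system", "archive", "temporary"], random.randint(1, 5)),`. `generate_random_checksum` fills `checksum.hash.sha1` with a one-to-four digit decimal string, which is not shaped like a SHA-1 digest and will not exercise any consumer that expects one; `"sha1": "".join(random.choices("0123456789abcdef", k=40)),` keeps it 40 hex characters using the already-imported `random`. The blank lines left inside the `generate_random_file` dict literal before its closing brace are stray whitespace. `generate_random_file` starts before this hunk.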
diff --git a/ecs/states-fim-files/fields/custom/checksum.yml b/ecs/states-fim-files/fields/custom/checksum.yml
new file mode 100644
index 00000000..b0b673d7
--- /dev/null
+++ b/ecs/states-fim-files/fields/custom/checksum.yml
@@ -0,0 +1,11 @@
+---
+- name: checksum
+ title: Checksum
+ description: >
+ Checksum custom fields
+ fields:
+ - name: hash.sha1
+ type: keyword
+ level: custom
+ description: >
+ SHA1 hash used as checksum of the data collected by the agent.
diff --git a/ecs/states-fim-files/fields/custom/file.yml b/ecs/states-fim-files/fields/custom/file.yml
new file mode 100644
index 00000000..dbc75373
--- /dev/null
+++ b/ecs/states-fim-files/fields/custom/file.yml
@@ -0,0 +1,10 @@
+---
+- name: file
+ fields:
+ - name: permissions
+ type: keyword
+ level: custom
+ description: >
+ List of permissions related to the file.
+ normalize:
+ - array
diff --git a/ecs/states-fim-files/fields/subset.yml b/ecs/states-fim-files/fields/subset.yml
index 5c979ca2..43b24e5e 100644
--- a/ecs/states-fim-files/fields/subset.yml
+++ b/ecs/states-fim-files/fields/subset.yml
@@ -14,8 +14,12 @@ fields:
 id: {}
 name: {}
 version: {}
+ checksum:
+ fields: "*"
 file:
 fields:
+ attributes: {}
+ device: {}
 gid: {}
 group: {}
 hash:
@@ -27,6 +31,7 @@ fields:
 mtime: {}
 owner: {}
 path: {}
+ permissions: {}
 size: {}
 uid: {}
 wazuh:
diff --git a/ecs/states-fim-files/fields/template-settings-legacy.json b/ecs/states-fim-files/fields/template-settings-legacy.json
index e86d526b..9c53f315 100644
--- a/ecs/states-fim-files/fields/template-settings-legacy.json
+++ b/ecs/states-fim-files/fields/template-settings-legacy.json
@@ -13,6 +13,9 @@
 "agent.id",
 "agent.name",
 "agent.version",
+ "checksum.hash.sha1",
+ "file.attributes",
+ "file.device",
 "file.gid",
 "file.group",
 "file.hash.md5",
@@ -23,6 +26,7 @@
 "file.owner",
 "file.path",
 "file.path.fields.text",
+ "file.permissions",
 "file.size",
 "file.uid",
 "wazuh.cluster.name",
diff --git a/ecs/states-fim-files/fields/template-settings.json b/ecs/states-fim-files/fields/template-settings.json
index d88fc3f6..9cfe7aea 100644
--- a/ecs/states-fim-files/fields/template-settings.json
+++ b/ecs/states-fim-files/fields/template-settings.json
@@ -16,6 +16,9 @@
 "agent.id",
 "agent.name",
 "agent.version",
+ "checksum.hash.sha1",
+ "file.attributes",
+ "file.device",
 "file.gid",
 "file.group",
 "file.hash.md5",
@@ -26,6 +29,7 @@
 "file.owner",
 "file.path",
 "file.path.fields.text",
+ "file.permissions",
 "file.size",
 "file.uid",
 "wazuh.cluster.name",
diff --git a/ecs/states-fim-registries/docs/README.md b/ecs/states-fim-registries/docs/README.md
deleted file mode 100644
index bfe9b0cf..00000000
--- a/ecs/states-fim-registries/docs/README.md
+++ /dev/null
@@ -1,43 +0,0 @@ -## `wazuh-states-fim-registries` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh/issues/27898 - -Based on ECS: - -- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). -- [Registry Fields](https://www.elastic.co/docs/reference/ecs/ecs-registry). - -The detail of the fields can be found in csv file [States FIM registries Fields](fields.csv). - -### Transition table - - -| Field Name | Type | Description | Destination Field | Custom | -| -------------- | ------ | :-------------------------------------------------- | ------------------------- | ------ | -| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | FALSE | -| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE | -| agent_name | string | Name assigned to the agent. | agent.name | FALSE | -| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | FALSE | -| arch | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE | -| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE | -| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE | -| | string | Architecture associated with the entity | registry.architecture | TRUE | -| gid | string | Group ID associated with the entity. | registry.gid | TRUE | -| group_name | string | Name of the group that owns the entity. | registry.group | TRUE | -| hash_md5 | string | MD5 hash of the file or registry value content. | registry.data.hash.md5 | TRUE | -| hash_sha1 | string | SHA-1 hash of the file or registry value content. | registry.data.hash.sha1 | TRUE | -| hash_sha256 | string | SHA-256 hash of the file or registry value content. | registry.data.hash.sha256 | TRUE | -| hive | string | Abbreviated name for the hive. 
| registry.hive | FALSE | -| key | string | Hive-relative path of keys | registry.key | FALSE | -| mtime | long | Last modified timestamp of the entity. | registry.mtime | TRUE | -| path | string | Absolute file path or full registry key path. | registry.path | FALSE | -| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE | -| size | long | Size of the file or registry value (in bytes). | registry.size | TRUE | -| timestamp | long | Timestamp when the event was generated. | timestamp | FALSE | -| type | string | Type of monitored entity, e.g., "registry_key". | event.category | FALSE | -| uid | string | User ID associated with the entity. | registry.uid | TRUE | -| user_name | string | Name of the owner of the entity (user). | registry.owner | TRUE | -| value_name | string | Name of the registry value. | registry.value | FALSE | -| value_type | string | Type of the registry value, e.g., "REG_SZ". | registry.data.type | FALSE | diff --git a/ecs/states-fim-registry-keys/docs/README.md b/ecs/states-fim-registry-keys/docs/README.md new file mode 100644 index 00000000..6cdb82f6 --- /dev/null +++ b/ecs/states-fim-registry-keys/docs/README.md 
@@ -0,0 +1,39 @@ +## `wazuh-states-fim-registry-keys` index data model + +### Fields summary + +The fields are based on: +- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0). +- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2914305496) (included in 5.0.0) + +Based on ECS: + +- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). +- [Registry Fields](https://www.elastic.co/docs/reference/ecs/ecs-registry). + +The detail of the fields can be found in csv file [States FIM registries Fields](fields.csv). + +### Transition table + + +| Field Name | Type | Description | Destination Field | Custom | +| ----------------- | ------ | :-------------------------------------------------- | ------------------------- | ------ | +| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | | +| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE | +| agent_name | string | Name assigned to the agent. | agent.name | | +| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | | +| architecture | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE | +| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE | +| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE | +| architecture | string | Architecture associated with the entity | registry.architecture | TRUE | +| gid | string | Group ID associated with the entity. | registry.gid | TRUE | +| group_name/group | string | Name of the group that owns the entity. | registry.group | TRUE | +| hive | string | Abbreviated name for the hive. | registry.hive | | +| key | string | Hive-relative path of keys | registry.key | | +| mtime | long | Last modified timestamp of the entity. | registry.mtime | TRUE | +| path | string | Absolute file path or full registry key path. 
| registry.path | | +| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE | +| uid | string | User ID associated with the entity. | registry.uid | TRUE | +| user_name/owner | string | Name of the owner of the entity (user). | registry.owner | TRUE | +| permissions/perm | string | Permissions associated with the registry key. | registry.permissions | TRUE | +| checksum | string | SHA1 hash of the file. | checksum.hash.sha1 | TRUE | diff --git a/ecs/states-fim-registry-keys/docs/fields.csv b/ecs/states-fim-registry-keys/docs/fields.csv new file mode 100644 index 00000000..e9232581 --- /dev/null +++ b/ecs/states-fim-registry-keys/docs/fields.csv 
@@ -0,0 +1,20 @@
+ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
+8.11.0,true,agent,agent.host.architecture,keyword,core,,x86_64,Operating system architecture.
+8.11.0,true,agent,agent.host.ip,ip,core,array,,Host ip addresses.
+8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
+8.11.0,true,registry,registry.architecture,keyword,custom,,,Architecture associated with the entity
+8.11.0,true,registry,registry.gid,keyword,custom,,,Group ID associated with the entity
+8.11.0,true,registry,registry.group,keyword,custom,,,Name of the group that owns the entity
+8.11.0,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+8.11.0,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+8.11.0,true,registry,registry.mtime,date,custom,,,Last modified timestamp of the entity
+8.11.0,true,registry,registry.owner,keyword,custom,,,Name of the owner of the entity (user)
+8.11.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+8.11.0,true,registry,registry.permissions,keyword,custom,array,,Permissions associated with the registry key.
+8.11.0,true,registry,registry.uid,keyword,custom,,,User ID associated with the entity
+8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
+8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
+8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
diff --git a/ecs/states-fim-registry-keys/event-generator/event_generator.py b/ecs/states-fim-registry-keys/event-generator/event_generator.py new file mode 100644 index 00000000..c2381faf --- /dev/null +++ b/ecs/states-fim-registry-keys/event-generator/event_generator.py 
@@ -0,0 +1,174 @@ +#!/bin/python3 + +import argparse +import datetime +import json +import logging +import random +import requests +import urllib3 + +# Constants and Configuration +LOG_FILE = "generate_data.log" +GENERATED_DATA_FILE = "generatedData.json" +DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" +# Default values +INDEX_NAME = "wazuh-states-fim-registry-keys" +USERNAME = "admin" +PASSWORD = "admin" +IP = "127.0.0.1" +PORT = "9200" + +# Configure logging +logging.basicConfig(level=logging.INFO) + +# Suppress warnings +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + + +def generate_random_data(number): + data = [] + for _ in range(number): + event_data = { + "agent": generate_random_agent(), + "registry": generate_random_registry(), + "wazuh": generate_random_wazuh(), + "checksum": generate_random_checksum(), + } + data.append(event_data) + return data + + +def generate_random_date(): + start_date = datetime.datetime.now() + end_date = start_date - datetime.timedelta(days=10) + random_date = start_date + (end_date - start_date) * random.random() + return random_date.strftime(DATE_FORMAT) + + +def generate_random_unix_timestamp(): + start_time = datetime.datetime(2000, 1, 1) + end_time = datetime.datetime.now() + random_time = start_time + datetime.timedelta( + seconds=random.randint(0, int((end_time - start_time).total_seconds())) + ) + return int(random_time.timestamp()) + + +def generate_random_agent(): + return { + "id": f"{random.randint(0, 99):03d}", + "name": f"Agent{random.randint(0, 99)}", + "version": f"v{random.randint(0, 9)}-stable", + "host": generate_random_host(), + } + + +def generate_random_host(): + return { + "architecture": random.choice(["x86_64", "arm64"]), + "ip": f"{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}", + } + + +def generate_random_data_stream(): + data_stream = {"type": random.choice(["Scheduled", "Realtime"])} + return data_stream + +def 
generate_random_registry(): + return { + "architecture": random.choice(["x86", "amd64"]), + "gid": f"gid{random.randint(0, 1000)}", + "group": f"group{random.randint(0, 1000)}", + "hive": "HKLM", + "key": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe", + "mtime": generate_random_unix_timestamp(), + "owner": f"owner{random.randint(0, 1000)}", + "path": "/path/to/file", + "uid": f"uid{random.randint(0, 1000)}", + "permissions": [ + random.sample(["read", "write", "execute", "delete", "change_permissions", "take_ownership"], random.randint(1,6)) + ], + + } + +def generate_random_checksum(): + return { + "hash": { + "sha1": f"{random.randint(0, 9999)}", + } + } + +def inject_events(data, ip, port, username, password, index, protocol): + url = f"{protocol}://{ip}:{port}/{index}/_doc" + session = requests.Session() + session.auth = (username, password) + session.verify = False + headers = {"Content-Type": "application/json"} + + try: + for event_data in data: + response = session.post(url, json=event_data, headers=headers) + if response.status_code != 201: + logging.error(f"Error: {response.status_code}") + logging.error(response.text) + break + logging.info("Data injection completed successfully.") + except Exception as e: + logging.error(f"Error: {str(e)}") + + +def generate_random_wazuh(): + return { + "cluster": { + "name": f"wazuh-cluster-{random.randint(0, 10)}", + "node": f"wazuh-cluster-node-{random.randint(0, 10)}", + }, + "schema": {"version": "1.7.0"}, + } + + +def main(): + parser = argparse.ArgumentParser( + description="Generate and optionally inject documents into a Wazuh Indexer cluster." + ) + parser.add_argument( + "--protocol", + choices=['http', 'https'], + default='https', + help="Specify the protocol to use: http or https. Default is 'https'." + ) + args = parser.parse_args() + + try: + number = int(input("How many events do you want to generate? ")) + except ValueError: + logging.error("Invalid input. 
Please enter a valid number.") + return + + logging.info(f"Generating {number} events...") + data = generate_random_data(number) + + with open(GENERATED_DATA_FILE, "a") as outfile: + for event_data in data: + json.dump(event_data, outfile) + outfile.write("\n") + + logging.info("Data generation completed.") + + inject = ( + input("Do you want to inject the generated data into your indexer? (y/n) ") + .strip() + .lower() + ) + if inject == "y": + ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP + port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT + index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME + username = input(f"Username (default: '{USERNAME}'): ") or USERNAME + password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD + inject_events(data, ip, port, username, password, index, args.protocol) + + +if __name__ == "__main__": + main() diff --git a/ecs/states-fim-registry-keys/fields/custom/checksum.yml b/ecs/states-fim-registry-keys/fields/custom/checksum.yml new file mode 100644 index 00000000..b0b673d7 --- /dev/null +++ b/ecs/states-fim-registry-keys/fields/custom/checksum.yml @@ -0,0 +1,11 @@ +--- +- name: checksum + title: Checksum + description: > + Checksum custom fields + fields: + - name: hash.sha1 + type: keyword + level: custom + description: > + SHA1 hash used as checksum of the data collected by the agent. diff --git a/ecs/states-fim-registries/fields/custom/host.yml b/ecs/states-fim-registry-keys/fields/custom/host.yml similarity index 100% rename from ecs/states-fim-registries/fields/custom/host.yml rename to ecs/states-fim-registry-keys/fields/custom/host.yml diff --git a/ecs/states-fim-registries/fields/custom/registry.yml b/ecs/states-fim-registry-keys/fields/custom/registry.yml similarity index 64% rename from ecs/states-fim-registries/fields/custom/registry.yml rename to ecs/states-fim-registry-keys/fields/custom/registry.yml index ffb69030..0a5b2924 100644 
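Review bot: `generate_random_registry` wraps `random.sample(...)` in an extra pair of brackets, so `permissions` is emitted as a nested list rather than the flat keyword array that fields/custom/registry.yml declares with `normalize: array`; drop the outer brackets: `"permissions": random.sample(["read", "write", "execute", "delete", "change_permissions", "take_ownership"], random.randint(1, 6)),`. The same function sets `"path": "/path/to/file"` for a registry key although docs/fields.csv documents `registry.path` as a `HKLM\...` full path, and `generate_random_checksum` emits a one-to-four digit decimal as `sha1`; a 40-hex-character value such as `"".join(random.choices("0123456789abcdef", k=40))` keeps generated documents shaped like real ones. `inject_events` unconditionally sets `session.verify = False` and the module silences `InsecureRequestWarning` even though `--protocol` defaults to `https` and the credentials default to `admin`/`admin`; making verification opt-out (an `--insecure` flag next to `--protocol`, or leaving verification on and honouring `REQUESTS_CA_BUNDLE`) keeps a test tool from normalising unverified TLS. `generate_random_date` and `generate_random_data_stream` are never called anywhere in this file, and the `requests.Session()` in `inject_events` is never closed — `with requests.Session() as session:` handles that.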
--- a/ecs/states-fim-registries/fields/custom/registry.yml +++ b/ecs/states-fim-registry-keys/fields/custom/registry.yml @@ -19,21 +19,6 @@ level: custom description: > Name of the group that owns the entity - - name: data.hash.md5 - type: keyword - level: custom - description: > - MD5 hash of the file or registry value content - - name: data.hash.sha1 - type: keyword - level: custom - description: > - SHA-1 hash of the file or registry value content - - name: data.hash.sha256 - type: keyword - level: custom - description: > - SHA-256 hash of the file or registry value content - name: mtime type: date level: custom @@ -44,11 +29,13 @@ level: custom description: > Name of the owner of the entity (user) - - name: size - type: long + - name: permissions + type: keyword level: custom description: > - Size of the file or registry value (in bytes) + Permissions associated with the registry key. + normalize: + - array - name: uid type: keyword level: custom diff --git a/ecs/states-fim-registries/fields/custom/wazuh.yml b/ecs/states-fim-registry-keys/fields/custom/wazuh.yml similarity index 100% rename from ecs/states-fim-registries/fields/custom/wazuh.yml rename to ecs/states-fim-registry-keys/fields/custom/wazuh.yml diff --git a/ecs/states-fim-registries/fields/mapping-settings.json b/ecs/states-fim-registry-keys/fields/mapping-settings.json similarity index 100% rename from ecs/states-fim-registries/fields/mapping-settings.json rename to ecs/states-fim-registry-keys/fields/mapping-settings.json diff --git a/ecs/states-fim-registry-keys/fields/subset.yml b/ecs/states-fim-registry-keys/fields/subset.yml new file mode 100644 index 00000000..9a4d7b0c --- /dev/null +++ b/ecs/states-fim-registry-keys/fields/subset.yml 
@@ -0,0 +1,33 @@ +--- +name: wazuh-states-fim-registry-keys +fields: + base: + fields: + tags: [] + "@timestamp": {} + agent: + fields: + host: + fields: + ip: {} + architecture: {} + id: {} + name: {} + version: {} + checksum: + fields: "*" + registry: + fields: + architecture: {} + gid: {} + group: {} + hive: {} + key: {} + mtime: {} + owner: {} + path: {} + permissions: {} + uid: {} + wazuh: + fields: "*" + diff --git a/ecs/states-fim-registry-keys/fields/template-settings-legacy.json b/ecs/states-fim-registry-keys/fields/template-settings-legacy.json new file mode 100644 index 00000000..9443a845 --- /dev/null +++ b/ecs/states-fim-registry-keys/fields/template-settings-legacy.json @@ -0,0 +1,33 @@ +{ + "index_patterns": ["wazuh-states-fim-registry-keys*"], + "order": 1, + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "auto_expand_replicas": "0-1", + "refresh_interval": "5s", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "checksum.hash.sha1", + "registry.architecture", + "registry.gid", + "registry.group", + "registry.hive", + "registry.key", + "registry.mtime", + "registry.owner", + "registry.path", + "registry.permissions", + "registry.uid", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ] + } + } +} diff --git a/ecs/states-fim-registry-keys/fields/template-settings.json b/ecs/states-fim-registry-keys/fields/template-settings.json new file mode 100644 index 00000000..71521705 --- /dev/null +++ b/ecs/states-fim-registry-keys/fields/template-settings.json 
@@ -0,0 +1,35 @@
+{
+ "index_patterns": ["wazuh-states-fim-registry-keys*"],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "auto_expand_replicas": "0-1",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.host.architecture",
+ "agent.host.ip",
+ "agent.id",
+ "agent.name",
+ "agent.version",
+ "checksum.hash.sha1",
+ "registry.architecture",
+ "registry.gid",
+ "registry.group",
+ "registry.hive",
+ "registry.key",
+ "registry.mtime",
+ "registry.owner",
+ "registry.path",
+ "registry.permissions",
+ "registry.uid",
+ "wazuh.cluster.name",
+ "wazuh.cluster.node",
+ "wazuh.schema.version"
+ ]
+ }
+ }
+ }
+}
diff --git a/ecs/states-fim-registry-values/docs/README.md b/ecs/states-fim-registry-values/docs/README.md
new file mode 100644
index 00000000..6f481a4a
--- /dev/null
+++ b/ecs/states-fim-registry-values/docs/README.md
@@ -0,0 +1,39 @@ +## `wazuh-states-fim-registry-values` index data model + +### Fields summary + +The fields are based on: +- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0). +- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2914305496) (included in 5.0.0) + +Based on ECS: + +- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). +- [Registry Fields](https://www.elastic.co/docs/reference/ecs/ecs-registry). + +The detail of the fields can be found in csv file [States FIM registries Fields](fields.csv). + +### Transition table + + +| Field Name | Type | Description | Destination Field | Custom | +| ----------------- | ------ | :-------------------------------------------------- | ------------------------- | ------ | +| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | | +| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE | +| agent_name | string | Name assigned to the agent. | agent.name | | +| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | | +| arch/architecture | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE | +| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE | +| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE | +| architecture | string | Architecture associated with the entity | registry.architecture | TRUE | +| hash_md5 | string | MD5 hash of the file or registry value content. | registry.data.hash.md5 | TRUE | +| hash_sha1 | string | SHA-1 hash of the file or registry value content. | registry.data.hash.sha1 | TRUE | +| hash_sha256 | string | SHA-256 hash of the file or registry value content. | registry.data.hash.sha256 | TRUE | +| hive | string | Abbreviated name for the hive. 
| registry.hive | | +| key | string | Hive-relative path of keys | registry.key | | +| path | string | Absolute file path or full registry key path. | registry.path | | +| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE | +| size | long | Size of the file or registry value (in bytes). | registry.size | TRUE | +| name/value | string | Name of the registry value. | registry.value | | +| value_type | string | Type of the registry value, e.g., "REG_SZ". | registry.data.type | | +| checksum | string | SHA1 hash of the file. | checksum.hash.sha1 | TRUE | diff --git a/ecs/states-fim-registries/docs/fields.csv b/ecs/states-fim-registry-values/docs/fields.csv similarity index 73% rename from ecs/states-fim-registries/docs/fields.csv rename to ecs/states-fim-registry-values/docs/fields.csv index 37f064d3..56d2691b 100644 --- a/ecs/states-fim-registries/docs/fields.csv +++ b/ecs/states-fim-registry-values/docs/fields.csv 
@@ -4,22 +4,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. 8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. 8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.11.0,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.11.0,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent. 8.11.0,true,registry,registry.architecture,keyword,custom,,,Architecture associated with the entity 8.11.0,true,registry,registry.data.hash.md5,keyword,custom,,,MD5 hash of the file or registry value content 8.11.0,true,registry,registry.data.hash.sha1,keyword,custom,,,SHA-1 hash of the file or registry value content 8.11.0,true,registry,registry.data.hash.sha256,keyword,custom,,,SHA-256 hash of the file or registry value content 8.11.0,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.11.0,true,registry,registry.gid,keyword,custom,,,Group ID associated with the entity -8.11.0,true,registry,registry.group,keyword,custom,,,Name of the group that owns the entity 8.11.0,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 8.11.0,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-8.11.0,true,registry,registry.mtime,date,custom,,,Last modified timestamp of the entity -8.11.0,true,registry,registry.owner,keyword,custom,,,Name of the owner of the entity (user) 8.11.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" 8.11.0,true,registry,registry.size,long,custom,,,Size of the file or registry value (in bytes) -8.11.0,true,registry,registry.uid,keyword,custom,,,User ID associated with the entity 8.11.0,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name. 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name. diff --git a/ecs/states-fim-registries/event-generator/event_generator.py b/ecs/states-fim-registry-values/event-generator/event_generator.py similarity index 91% rename from ecs/states-fim-registries/event-generator/event_generator.py rename to ecs/states-fim-registry-values/event-generator/event_generator.py index a5be5744..739a6331 100644 --- a/ecs/states-fim-registries/event-generator/event_generator.py +++ b/ecs/states-fim-registry-values/event-generator/event_generator.py @@ -13,7 +13,7 @@ LOG_FILE = "generate_data.log" GENERATED_DATA_FILE = "generatedData.json" DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" # Default values -INDEX_NAME = "wazuh-states-fim-registries" +INDEX_NAME = "wazuh-states-fim-registry-values" USERNAME = "admin" PASSWORD = "admin" IP = "127.0.0.1" @@ -31,9 +31,9 @@ def generate_random_data(number): for _ in range(number): event_data = { "agent": generate_random_agent(), - "event": generate_random_event(), "registry": generate_random_registry(), "wazuh": generate_random_wazuh(), + "checksum": generate_random_checksum(), } data.append(event_data) return data 
@@ -75,13 +75,6 @@ def generate_random_data_stream(): data_stream = {"type": random.choice(["Scheduled", "Realtime"])} return data_stream - -def generate_random_event(): - return { - "category": random.choice(["registy_value", "registry_key", "file"]), - } - - def generate_random_registry(): return { "architecture": random.choice(["x86", "amd64"]), @@ -93,18 +86,20 @@ def generate_random_registry(): }, "type": random.choice(["REG_SZ", "REG_DWORD"]), }, - "gid": f"gid{random.randint(0, 1000)}", - "group": f"group{random.randint(0, 1000)}", "hive": "HKLM", "key": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe", - "mtime": generate_random_unix_timestamp(), - "owner": f"owner{random.randint(0, 1000)}", "path": "/path/to/file", "size": random.randint(1000, 1000000), - "uid": f"uid{random.randint(0, 1000)}", "value": f"registry_value{random.randint(0, 1000)}", } +def generate_random_checksum(): + return { + "hash": { + "sha1": f"{random.randint(0, 9999)}", + } + } + def inject_events(data, ip, port, username, password, index, protocol): url = f"{protocol}://{ip}:{port}/{index}/_doc" diff --git a/ecs/states-fim-registry-values/fields/custom/checksum.yml b/ecs/states-fim-registry-values/fields/custom/checksum.yml new file mode 100644 index 00000000..b0b673d7 --- /dev/null +++ b/ecs/states-fim-registry-values/fields/custom/checksum.yml @@ -0,0 +1,11 @@ +--- +- name: checksum + title: Checksum + description: > + Checksum custom fields + fields: + - name: hash.sha1 + type: keyword + level: custom + description: > + SHA1 hash used as checksum of the data collected by the agent. diff --git a/ecs/states-fim-registry-values/fields/custom/host.yml b/ecs/states-fim-registry-values/fields/custom/host.yml new file mode 100644 index 00000000..a0356d13 --- /dev/null +++ b/ecs/states-fim-registry-values/fields/custom/host.yml 
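Review bot: `generate_random_checksum` emits `f"{random.randint(0, 9999)}"` as `checksum.hash.sha1`, a short decimal string rather than a 40-character hex digest, so the sample data never exercises the shape real agents send (and `fields.csv` in this same change documents the field as a SHA1 checksum). Something like `"sha1": "".join(random.choices("0123456789abcdef", k=40)),` keeps the generator self-contained and produces realistic values; `random` is already imported by this module. The new key is wired into `generate_random_data` in the preceding hunk, so nothing else needs to change. The context line `"path": "/path/to/file"` is a POSIX path where the README describes a full registry path, but that predates this change.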
@@ -0,0 +1,6 @@
+---
+- name: host
+ reusable:
+ top_level: true
+ expected:
+ - { at: agent, as: host }
\ No newline at end of file
diff --git a/ecs/states-fim-registry-values/fields/custom/registry.yml b/ecs/states-fim-registry-values/fields/custom/registry.yml
new file mode 100644
index 00000000..37b4b4a0
--- /dev/null
+++ b/ecs/states-fim-registry-values/fields/custom/registry.yml
@@ -0,0 +1,32 @@
+---
+- name: registry
+ title: Registry
+ description: >
+ Fields related to Windows Registry operations.
+ fields:
+ - name: architecture
+ type: keyword
+ level: custom
+ description: >
+ Architecture associated with the entity
+ - name: data.hash.md5
+ type: keyword
+ level: custom
+ description: >
+ MD5 hash of the file or registry value content
+ - name: data.hash.sha1
+ type: keyword
+ level: custom
+ description: >
+ SHA-1 hash of the file or registry value content
+ - name: data.hash.sha256
+ type: keyword
+ level: custom
+ description: >
+ SHA-256 hash of the file or registry value content
+ - name: size
+ type: long
+ level: custom
+ description: >
+ Size of the file or registry value (in bytes)
+
diff --git a/ecs/states-fim-registry-values/fields/custom/wazuh.yml b/ecs/states-fim-registry-values/fields/custom/wazuh.yml
new file mode 100644
index 00000000..cbc1a38f
--- /dev/null
+++ b/ecs/states-fim-registry-values/fields/custom/wazuh.yml
@@ -0,0 +1,21 @@
+---
+- name: wazuh
+ title: Wazuh
+ description: >
+ Wazuh Inc. custom fields
+ fields:
+ - name: cluster.name
+ type: keyword
+ level: custom
+ description: >
+ Wazuh cluster name.
+ - name: cluster.node
+ type: keyword
+ level: custom
+ description: >
+ Wazuh cluster node name.
+ - name: schema.version
+ type: keyword
+ level: custom
+ description: >
+ Wazuh schema version.
diff --git a/ecs/states-fim-registry-values/fields/mapping-settings.json b/ecs/states-fim-registry-values/fields/mapping-settings.json
new file mode 100644
index 00000000..43be8693
--- /dev/null
+++ b/ecs/states-fim-registry-values/fields/mapping-settings.json
@@ -0,0 +1,4 @@
+{
+ "dynamic": "strict",
+ "date_detection": false
+}
diff --git a/ecs/states-fim-registries/fields/subset.yml b/ecs/states-fim-registry-values/fields/subset.yml
similarity index 75%
rename from ecs/states-fim-registries/fields/subset.yml
rename to ecs/states-fim-registry-values/fields/subset.yml
index aa5344c7..c5d6afc7 100644
--- a/ecs/states-fim-registries/fields/subset.yml
+++ b/ecs/states-fim-registry-values/fields/subset.yml
@@ -1,5 +1,5 @@
 ---
-name: wazuh-states-fim-registries
+name: wazuh-states-fim-registry-values
 fields:
 base:
 fields:
@@ -14,10 +14,8 @@ fields:
 id: {}
 name: {}
 version: {}
- event:
- fields:
- action: {}
- category: {}
+ checksum:
+ fields: "*"
 registry:
 fields:
 architecture: {}
@@ -29,15 +27,10 @@ fields:
 md5: {}
 sha1: {}
 sha256: {}
- gid: {}
- group: {}
 hive: {}
 key: {}
- mtime: {}
- owner: {}
 path: {}
 size: {}
- uid: {}
 value: {}
 wazuh:
 fields: "*"
diff --git a/ecs/states-fim-registries/fields/template-settings-legacy.json b/ecs/states-fim-registry-values/fields/template-settings-legacy.json
similarity index 76%
rename from ecs/states-fim-registries/fields/template-settings-legacy.json
rename to ecs/states-fim-registry-values/fields/template-settings-legacy.json
index b2b4857a..e71074e5 100644
--- a/ecs/states-fim-registries/fields/template-settings-legacy.json
+++ b/ecs/states-fim-registry-values/fields/template-settings-legacy.json
@@ -1,5 +1,5 @@
 {
- "index_patterns": ["wazuh-states-fim-registries*"],
+ "index_patterns": ["wazuh-states-fim-registry-values*"],
 "order": 1,
 "settings": {
 "index": {
@@ -13,22 +13,16 @@
 "agent.id",
 "agent.name",
 "agent.version",
- "event.action",
- "event.category",
+ "checksum.hash.sha1",
 "registry.architecture",
 "registry.data.hash.md5",
 "registry.data.hash.sha1",
 "registry.data.hash.sha256",
 "registry.data.type",
- "registry.gid",
- "registry.group",
 "registry.hive",
 "registry.key",
- "registry.mtime",
- "registry.owner",
 "registry.path",
 "registry.size",
- "registry.uid",
 "registry.value",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
diff --git a/ecs/states-fim-registries/fields/template-settings.json b/ecs/states-fim-registry-values/fields/template-settings.json
similarity index 77%
rename from ecs/states-fim-registries/fields/template-settings.json
rename to ecs/states-fim-registry-values/fields/template-settings.json
index e926a7ec..9a1c524c 100644
--- a/ecs/states-fim-registries/fields/template-settings.json
+++ b/ecs/states-fim-registry-values/fields/template-settings.json
@@ -1,5 +1,5 @@
 {
- "index_patterns": ["wazuh-states-fim-registries*"],
+ "index_patterns": ["wazuh-states-fim-registry-values*"],
 "priority": 1,
 "template": {
 "settings": {
@@ -14,22 +14,16 @@
 "agent.id",
 "agent.name",
 "agent.version",
- "event.action",
- "event.category",
+ "checksum.hash.sha1",
 "registry.architecture",
 "registry.data.hash.md5",
 "registry.data.hash.sha1",
 "registry.data.hash.sha256",
 "registry.data.type",
- "registry.gid",
- "registry.group",
 "registry.hive",
 "registry.key",
- "registry.mtime",
- "registry.owner",
 "registry.path",
 "registry.size",
- "registry.uid",
 "registry.value",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
diff --git a/ecs/states-inventory-users/event-generator/event_generator.py b/ecs/states-inventory-users/event-generator/event_generator.py
index aaf6b516..483674e7 100644
--- a/ecs/states-inventory-users/event-generator/event_generator.py
+++ b/ecs/states-inventory-users/event-generator/event_generator.py
@@ -27,7 +27,7 @@ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def generate_random_user(): - now = datetime.datetime.now(datetime.UTC) + now = datetime.datetime.now(datetime.timezone.utc) timestamp = now.strftime(DATE_FORMAT) return { diff --git a/plugins/setup/src/main/java/com/wazuh/setup/SetupPlugin.java b/plugins/setup/src/main/java/com/wazuh/setup/SetupPlugin.java index 7e43074d..a04183a2 100644 --- a/plugins/setup/src/main/java/com/wazuh/setup/SetupPlugin.java +++ b/plugins/setup/src/main/java/com/wazuh/setup/SetupPlugin.java @@ -78,7 +78,8 @@ public class SetupPlugin extends Plugin implements ClusterPlugin { this.indices.add(new StreamIndex("wazuh-archives-5.x-000001", "index-template-archives", "wazuh-archives")); // State indices this.indices.add(new StateIndex("wazuh-states-fim-files", "index-template-fim-files")); - this.indices.add(new StateIndex("wazuh-states-fim-registries", "index-template-fim-registries")); + this.indices.add(new StateIndex("wazuh-states-fim-registry-keys", "index-template-fim-registry-keys")); + this.indices.add(new StateIndex("wazuh-states-fim-registry-values", "index-template-fim-registry-values")); this.indices.add(new StateIndex("wazuh-states-inventory-groups", "index-template-groups")); this.indices.add(new StateIndex("wazuh-states-inventory-hardware", "index-template-hardware")); this.indices.add(new StateIndex("wazuh-states-inventory-hotfixes", "index-template-hotfixes")); diff --git a/plugins/setup/src/main/resources/index-template-fim-files.json b/plugins/setup/src/main/resources/index-template-fim-files.json index bef19d39..9eca790f 100644 --- a/plugins/setup/src/main/resources/index-template-fim-files.json +++ b/plugins/setup/src/main/resources/index-template-fim-files.json @@ -6,9 +6,6 @@ "date_detection": false, "dynamic": "strict", "properties": { - "@timestamp": { - "type": "date" - }, "agent": { "properties": { "host": { 
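Review bot: The two new `StateIndex` entries register the renamed templates, but nothing in this diff retires `index-template-fim-registries` or the `wazuh-states-fim-registries` index on a cluster that created them from an earlier build, so after an upgrade the old and new state indices would coexist with different mappings. If the setup plugin has no removal path for renamed state indices (the `StateIndex` class and the rest of this method are outside the hunk, so I cannot tell), a short comment at the new lines naming the retired index and the upgrade expectation would help, e.g. `// Replaces wazuh-states-fim-registries; the old template and index are not removed automatically`. The enclosing method starts and ends outside this hunk.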
@@ -36,8 +33,28 @@ } } }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "file": { "properties": { + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, "gid": { "ignore_above": 1024, "type": "keyword" @@ -74,11 +91,10 @@ "type": "keyword" }, "path": { - "fields": { - "text": { - "type": "keyword" - } - }, + "ignore_above": 1024, + "type": "keyword" + }, + "permissions": { "ignore_above": 1024, "type": "keyword" }, @@ -129,6 +145,9 @@ "agent.id", "agent.name", "agent.version", + "checksum.hash.sha1", + "file.attributes", + "file.device", "file.gid", "file.group", "file.hash.md5", @@ -139,6 +158,7 @@ "file.owner", "file.path", "file.path.fields.text", + "file.permissions", "file.size", "file.uid", "wazuh.cluster.name", diff --git a/plugins/setup/src/main/resources/index-template-fim-registry-keys.json b/plugins/setup/src/main/resources/index-template-fim-registry-keys.json new file mode 100644 index 00000000..ed125b4f --- /dev/null +++ b/plugins/setup/src/main/resources/index-template-fim-registry-keys.json 
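Review bot: `file.path.fields.text` is still listed in `query.default_field` (a context line in the last hunk) even though the `@@ -74,11 +91,10 @@` hunk removes the `fields.text` sub-field from the `file.path` mapping, so the entry now names a field that no longer exists and should be dropped; since this resource is generated, the matching `ecs/states-fim-files/fields/template-settings*.json` (not in this diff) most likely carries the same stale line. Separately, the first hunk drops the `@timestamp` mapping while the mapping keeps `"dynamic": "strict"`, so any producer still sending `@timestamp` into `wazuh-states-fim-files*` will have its documents rejected; if that is intended, it is worth stating in the module README.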
@@ -0,0 +1,147 @@ +{ + "index_patterns": [ + "wazuh-states-fim-registry-keys*" + ], + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "registry": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "permissions": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "order": 1, + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "checksum.hash.sha1", + "registry.architecture", + "registry.gid", + "registry.group", + "registry.hive", + 
"registry.key", + "registry.mtime", + "registry.owner", + "registry.path", + "registry.permissions", + "registry.uid", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "5s" + } + } +} diff --git a/plugins/setup/src/main/resources/index-template-fim-registries.json b/plugins/setup/src/main/resources/index-template-fim-registry-values.json similarity index 78% rename from plugins/setup/src/main/resources/index-template-fim-registries.json rename to plugins/setup/src/main/resources/index-template-fim-registry-values.json index b802b86f..c643e70f 100644 --- a/plugins/setup/src/main/resources/index-template-fim-registries.json +++ b/plugins/setup/src/main/resources/index-template-fim-registry-values.json @@ -1,14 +1,11 @@ { "index_patterns": [ - "wazuh-states-fim-registries*" + "wazuh-states-fim-registry-values*" ], "mappings": { "date_detection": false, "dynamic": "strict", "properties": { - "@timestamp": { - "type": "date" - }, "agent": { "properties": { "host": { @@ -36,15 +33,15 @@ } } }, - "event": { + "checksum": { "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -78,14 +75,6 @@ } } }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, "hive": { "ignore_above": 1024, "type": "keyword" @@ -94,13 +83,6 @@ "ignore_above": 1024, "type": "keyword" }, - "mtime": { - "type": "date" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, "path": { "ignore_above": 1024, "type": "keyword" @@ -108,10 +90,6 @@ "size": { "type": "long" }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, "value": { "ignore_above": 1024, "type": "keyword" 
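Review bot: `registry.path`, `registry.key` and `registry.permissions` in the new registry-keys template (and `registry.path`/`registry.value` in the renamed registry-values template that follows on this line) are `keyword` with `"ignore_above": 1024`, which means a value longer than 1024 characters is kept in `_source` but never indexed, so a query on that field silently misses the document. Full registry paths can exceed that bound (a single value name may run to several thousand characters), so for an integrity-monitoring index this is a detection gap worth confirming rather than inheriting from the ECS default. If the limit is deliberate, a sentence in the module README stating the bound and the fallback pivot (e.g. `checksum.hash.sha1`) would make it visible to analysts.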
@@ -156,22 +134,16 @@
 "agent.id",
 "agent.name",
 "agent.version",
- "event.action",
- "event.category",
+ "checksum.hash.sha1",
 "registry.architecture",
 "registry.data.hash.md5",
 "registry.data.hash.sha1",
 "registry.data.hash.sha256",
 "registry.data.type",
- "registry.gid",
- "registry.group",
 "registry.hive",
 "registry.key",
- "registry.mtime",
- "registry.owner",
 "registry.path",
 "registry.size",
- "registry.uid",
 "registry.value",
 "wazuh.cluster.name",
 "wazuh.cluster.node",