Implement checksum fields into stateful ECS mappings (#519)

* Implement checksum custom fields to stateful indices mappings

* Update ECS templates for modified modules: states-inventory-groups states-inventory-hardware states-inventory-hotfixes states-inventory-interfaces states-inventory-networks states-inventory-packages states-inventory-ports states-inventory-processes states-inventory-protocols states-inventory-system states-inventory-users states-vulnerabilities

* Update documentation

* Update event generators

* Update sha1 field description

* Update ECS templates for modified modules: states-inventory-groups states-inventory-hardware states-inventory-hotfixes states-inventory-interfaces states-inventory-networks states-inventory-packages states-inventory-ports states-inventory-processes states-inventory-protocols states-inventory-system states-inventory-users states-vulnerabilities

* Simplify checksum fields definition on subset.yml

* Fix transition table typo

* Fix typo on vulnerabilities mappings settings

* Update ECS templates for modified modules: states-inventory-groups states-inventory-hardware states-inventory-hotfixes states-inventory-interfaces states-inventory-networks states-inventory-packages states-inventory-ports states-inventory-processes states-inventory-protocols states-inventory-system states-inventory-users states-vulnerabilities

* Remove unnecessary print

* Remove extra log message

* Update ECS documentation

* Update documentation links

* Update ecs/states-inventory-groups/docs/README.md

Signed-off-by: Álex Ruiz Becerra <alex-r-b@hotmail.com>

---------

Signed-off-by: Álex Ruiz Becerra <alejandro.ruiz.becerra@wazuh.com>
Signed-off-by: Álex Ruiz Becerra <alex-r-b@hotmail.com>
Co-authored-by: QU3B1M <kevin.ledesma@wazuh.com>
Co-authored-by: Álex Ruiz Becerra <alejandro.ruiz.becerra@wazuh.com>
Wazuh Indexer Bot 2025-07-01 11:36:21 +02:00 committed by GitHub
parent 6860677000
commit cbe095404c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
78 changed files with 697 additions and 213 deletions


@ -23,6 +23,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
- Third-party integrations maintenance [(#478)](https://github.com/wazuh/wazuh-indexer-plugins/pull/478)
- Replace and remove deprecated settings [(#476)](https://github.com/wazuh/wazuh-indexer-plugins/pull/476)
- Migrate WCS changes from 4.x [(#488)](https://github.com/wazuh/wazuh-indexer-plugins/pull/488)
- Implement checksum fields into stateful ECS mappings [(#519)](https://github.com/wazuh/wazuh-indexer-plugins/pull/519)
- FIM indices rework [(#509)](https://github.com/wazuh/wazuh-indexer-plugins/pull/509)
### Deprecated


@ -13,7 +13,7 @@ MAX_RETRIES=5
IP="127.0.0.1"
PROTOCOL="http"
PORT="${PORT:-9200}"
NUMBER_OF_EVENTS="100"
NUMBER_OF_EVENTS="${NUMBER_OF_EVENTS:-100}"
# === Logging Helpers ===
log() { echo -e "\n\033[1;34m[INFO]\033[0m $*"; }
@ -22,9 +22,14 @@ error() { echo -e "\n\033[1;31m[ERROR]\033[0m $*" >&2; }
# === Usage ===
usage() {
echo "Usage: $0 [--ip <ip>] [--protocol <http|https>] [--amount <n>]"
echo "Defaults: --ip 127.0.0.1, --port 9200, --protocol http --amount 100"
exit 1
echo "Usage: $0 [--ip <ip>] [--port <port>] [--protocol <http|https>] [--amount <n>] [-h|--help]"
echo -e "\nOptions:"
echo -e " --ip <IP> Set the IP address (default: $IP)"
echo -e " --port <PORT> Set the port (default: $PORT)"
echo -e " --protocol <PROTOCOL> Set the protocol (default: $PROTOCOL)"
echo -e " --amount <NUMBER> Number of events to generate (default: $NUMBER_OF_EVENTS)"
echo -e " -h, --help Show this help message"
exit 0
}
# === Parse Optional Arguments ===
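Review bot: usage() now finishes with `exit 0`, so if the option parser that follows this hunk still calls it on an unknown or malformed argument, the script reports success to whatever invoked it; the parser is outside the hunk, so please confirm that path. Letting the caller pick the status keeps both uses correct: `usage() { local rc="${1:-0}"` … `exit "$rc"; }`, with `-h|--help` calling `usage` and the error path calling `usage 1`. The new `NUMBER_OF_EVENTS="${NUMBER_OF_EVENTS:-100}"` also accepts any environment value unchecked; a guard such as `[[ "$NUMBER_OF_EVENTS" =~ ^[0-9]+$ ]] || error "NUMBER_OF_EVENTS must be an integer"` before it is used would reject garbage early.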


@ -108,9 +108,7 @@ def inject_events(data, ip, port, username, password, index, protocol):
try:
for event_data in data:
print(f"Injecting event: {event_data}")
response = session.post(url, json=event_data, headers=headers)
logging.info(f"Response: {response.status_code} - {response.text}")
if response.status_code != 201:
logging.error(f"Error: {response.status_code}")
logging.error(response.text)
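Review bot: With the per-response info log removed, the `!= 201` branch is the only output left, and it logs an error for a 200 response, which the index API returns when a document with the same id already exists and is overwritten rather than created; for stateful indices that re-index the same document this reads as a spurious failure. If `url` addresses a document id (it is built outside this hunk), `if response.status_code not in (200, 201):` is the safer check. `session.post(url, json=event_data, headers=headers)` also carries no `timeout`, so a stalled indexer hangs the generator indefinitely; adding `timeout=30` bounds it. inject_events begins and ends outside this hunk.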


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh-indexer/issues/889#issuecomment-2923017753
The fields are based on:
- [Inventory enrichment tier 1](https://github.com/wazuh/wazuh-indexer/issues/889#issuecomment-2923017753) (included in 4.14.0)
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:


@ -4,6 +4,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,group,group.description,keyword,custom,,,Description of the group.
8.11.0,true,group,group.id,unsigned_long,custom,,,Unsigned int64 group ID.
8.11.0,true,group,group.id_signed,long,custom,,,A signed int64 version of the group's ID.

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true group group.description keyword custom Description of the group.
9 8.11.0 true group group.id unsigned_long custom Unsigned int64 group ID.
10 8.11.0 true group group.id_signed long custom A signed int64 version of the group's ID.


@ -27,6 +27,7 @@ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def generate_random_group():
return {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"group": {
"id": str(random.randint(1000, 9999)),
"id_signed": random.randint(-9999, -1000),
@ -57,6 +58,14 @@ def generate_random_agent():
}
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_host():
return {
"architecture": random.choice(["x86_64", "arm64"]),
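Review bot: generate_random_checksum builds the sha1 value from the uppercase alphabet `"ABCDEF0123456789"`, while `hashlib.sha1(...).hexdigest()` yields lowercase hex and `checksum.hash.sha1` is mapped as a `keyword`, so if the agent reports lowercase digests a term query that matches real data will never match these fixtures; `''.join(random.choices("abcdef0123456789", k=40))` keeps the generated data shaped like production data. The helper also uses single-quoted keys (`'hash'`, `'sha1'`) where the rest of the file uses double quotes. The identical function is added to the hardware, hotfixes, interfaces, networks and packages generators further down; a shared helper module would keep one definition to maintain.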


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.
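Review bot: The new `hash.sha1` field carries no `example:` entry, so the generated CSV's Example column for `checksum.hash.sha1` is empty (visible in the groups CSV above); adding `example: <40-hex-char-placeholder>` with a fixed sample value fills the docs. The description says what algorithm is used but not what data the hash is computed over; if the intent is change detection on the collected record, stating that (e.g. `SHA1 hash of the collected inventory record, used to detect changes between collections.`) would help consumers. The same file is added under hardware, hotfixes, interfaces and networks; keep the text identical across them or generate it from one source.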


@ -14,6 +14,8 @@ fields:
fields:
architecture: {}
ip: {}
checksum:
fields: "*"
group:
fields:
id: {}


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:
@ -13,20 +15,21 @@ The detail of the fields can be found in csv file [States inventory hardware Fie
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
| -------------- | ------------ | ------------------------------------- | -------------------- | ------ |
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| board_serial | string | Serial Number of the device. | host.serial_number | TRUE |
| cpu_name | string | Name/model of the CPU. | host.cpu.name | TRUE |
| cpu_cores | long | Number of CPU cores. | host.cpu.cores | TRUE |
| cpu_mhz | double | CPU clock speed in MHz. | host.cpu.speed | TRUE |
| ram_total | long | Total memory, in Bytes. | host.memory.total | TRUE |
| ram_free | long | Free memory, in Bytes. | host.memory.free | TRUE |
| - | long | Used memory, in Bytes. | host.memory.used | TRUE |
| ram_usage | scaled_float | Percent memory used, between 0 and 1. | host.memory.usage | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| Field Name | Type | Description | Destination Field | Custom |
|-----------------|--------------|----------------------------------------------------------------|----------------------|--------|
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| board_serial | string | Serial Number of the device. | host.serial_number | TRUE |
| cpu_name | string | Name/model of the CPU. | host.cpu.name | TRUE |
| cpu_cores | long | Number of CPU cores. | host.cpu.cores | TRUE |
| cpu_mhz | double | CPU clock speed in MHz. | host.cpu.speed | TRUE |
| ram_total | long | Total memory, in Bytes. | host.memory.total | TRUE |
| ram_free | long | Free memory, in Bytes. | host.memory.free | TRUE |
| - | long | Used memory, in Bytes. | host.memory.used | TRUE |
| ram_usage | scaled_float | Percent memory used, between 0 and 1. | host.memory.usage | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |


@ -4,6 +4,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,host,host.cpu.cores,short,custom,,8,Number of CPU cores.
8.11.0,true,host,host.cpu.name,keyword,custom,,Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz,Name/model of the CPU.
8.11.0,true,host,host.cpu.speed,long,custom,,3600,CPU clock speed in MHz.

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true host host.cpu.cores short custom 8 Number of CPU cores.
9 8.11.0 true host host.cpu.name keyword custom Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz Name/model of the CPU.
10 8.11.0 true host host.cpu.speed long custom 3600 CPU clock speed in MHz.


@ -31,6 +31,7 @@ def generate_random_data(number):
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"host": generate_random_host(True),
"wazuh": generate_random_wazuh(),
}
@ -54,6 +55,14 @@ def generate_random_agent():
}
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_host(is_root_level=False):
if is_root_level:
return {


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -14,6 +14,8 @@ fields:
fields:
architecture: {}
ip: {}
checksum:
fields: "*"
host:
fields:
memory:


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:
@ -12,18 +14,19 @@ The detail of the fields can be found in csv file [States inventory hotfixes Fie
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
|----------------|--------|-----------------------------------------------------|-------------------------|--------|
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| arch | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | FALSE |
| agent_name | string | Name assigned to the agent. | agent.name | FALSE |
| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | FALSE |
| hotfix | string | Name or identifier of the applied hotfix. | package.hotfix.name | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| Field Name | Type | Description | Destination Field | Custom |
|----------------|---------|----------------------------------------------------------------|-------------------------|--------|
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| arch | string | Registry architecture type, e.g., "[x86]", "[x64]". | agent.host.architecture | TRUE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_id | string | Unique identifier of the agent, e.g., "001". | agent.id | FALSE |
| agent_name | string | Name assigned to the agent. | agent.name | FALSE |
| agent_version | string | Version of the agent software, e.g., "v4.10.2". | agent.version | FALSE |
| hotfix | string | Name or identifier of the applied hotfix. | package.hotfix.name | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |


@ -4,6 +4,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,package,package.hotfix,object,custom,,,Hotfix related data.
8.11.0,true,package,package.hotfix.name,keyword,custom,,,Name of the Hotfix.
8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true package package.hotfix object custom Hotfix related data.
9 8.11.0 true package package.hotfix.name keyword custom Name of the Hotfix.
10 8.11.0 true wazuh wazuh.cluster.name keyword custom Wazuh cluster name.


@ -31,6 +31,7 @@ def generate_random_data(number):
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"package": generate_random_package(),
"wazuh": generate_random_wazuh(),
}
@ -55,6 +56,14 @@ def generate_random_agent():
return agent
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_host():
return {
"architecture": random.choice(["x86_64", "arm64"]),


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -14,6 +14,8 @@ fields:
id: {}
name: {}
version: {}
checksum:
fields: "*"
package:
fields:
hotfix:


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:
@ -14,26 +16,27 @@ The detail of the fields can be found in csv file [States inventory interfaces F
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
| -------------- | ------ | ------------------------------------ | ---------------------------- | ------ |
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| name | string | Interface name. | interface.name | FALSE |
| adapter | string | Adapter type (e.g., Ethernet, WiFi). | interface.alias | FALSE |
| type | string | Network interface type. | interface.type | TRUE |
| state | string | Current state (e.g., up, down). | interface.state | TRUE |
| mtu | long | Maximum Transmission Unit (MTU). | interface.mtu | TRUE |
| mac | string | MAC address of the interface. | host.mac | FALSE |
| tx_packets | long | Number of transmitted packets. | host.network.egress.packets | FALSE |
| rx_packets | long | Number of received packets. | host.network.ingress.packets | FALSE |
| tx_bytes | long | Number of bytes transmitted. | host.network.egress.bytes | FALSE |
| rx_bytes | long | Number of bytes received. | host.network.ingress.bytes | FALSE |
| tx_errors | long | Number of transmission errors. | host.network.egress.errors | TRUE |
| rx_errors | long | Number of reception errors. | host.network.ingress.errors | TRUE |
| tx_dropped | long | Number of dropped outgoing packets. | host.network.egress.drops | TRUE |
| rx_dropped | long | Number of dropped incoming packets. | host.network.ingress.drops | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| Field Name | Type | Description | Destination Field | Custom |
|----------------|---------|----------------------------------------------------------------|------------------------------|--------|
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| name | string | Interface name. | interface.name | FALSE |
| adapter | string | Adapter type (e.g., Ethernet, WiFi). | interface.alias | FALSE |
| type | string | Network interface type. | interface.type | TRUE |
| state | string | Current state (e.g., up, down). | interface.state | TRUE |
| mtu | long | Maximum Transmission Unit (MTU). | interface.mtu | TRUE |
| mac | string | MAC address of the interface. | host.mac | FALSE |
| tx_packets | long | Number of transmitted packets. | host.network.egress.packets | FALSE |
| rx_packets | long | Number of received packets. | host.network.ingress.packets | FALSE |
| tx_bytes | long | Number of bytes transmitted. | host.network.egress.bytes | FALSE |
| rx_bytes | long | Number of bytes received. | host.network.ingress.bytes | FALSE |
| tx_errors | long | Number of transmission errors. | host.network.egress.errors | TRUE |
| rx_errors | long | Number of reception errors. | host.network.ingress.errors | TRUE |
| tx_dropped | long | Number of dropped outgoing packets. | host.network.egress.drops | TRUE |
| rx_dropped | long | Number of dropped incoming packets. | host.network.ingress.drops | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |


@ -4,6 +4,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
8.11.0,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
8.11.0,true,host,host.network.egress.drops,long,custom,,,Number of dropped transmitted packets.

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true host host.mac keyword core array ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] Host MAC addresses.
9 8.11.0 true host host.network.egress.bytes long extended The number of bytes sent on all network interfaces.
10 8.11.0 true host host.network.egress.drops long custom Number of dropped transmitted packets.


@ -31,6 +31,7 @@ def generate_random_data(number):
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"host": generate_random_host(True),
"interface": generate_random_interface(),
"wazuh": generate_random_wazuh(),
@ -55,6 +56,14 @@ def generate_random_agent():
}
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_host(is_root_level_level=False):
if is_root_level_level:
return {


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -14,6 +14,8 @@ fields:
fields:
ip: {}
architecture: {}
checksum:
fields: "*"
host:
fields:
mac: {}


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:
@ -14,20 +16,21 @@ The detail of the fields can be found in csv file [States inventory networks Fie
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
| -------------- | ------ | ---------------------------------------------------------------- | -------------------- | ------ |
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| iface | string | Network interface name. | interface.name | FALSE |
| proto | long | Protocol type (e.g., IPv4, IPv6). | network.type | FALSE |
| address | string | Assigned IP address. | network.ip | FALSE |
| netmask | string | Subnet mask of the interface. | network.netmask | TRUE |
| broadcast | string | Broadcast address. | network.broadcast | TRUE |
| metric | string | Interface metric for routing decisions. | network.metric | TRUE |
| dhcp | bool | Indicates whether DHCP is enabled (yes/no). | network.dhcp | TRUE |
| operation | string | Type of operation performed (e.g., INSERTED, MODIFIED, DELETED). | operation.name | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| Field Name | Type | Description | Destination Field | Custom |
|----------------|---------|------------------------------------------------------------------|----------------------|--------|
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| iface | string | Network interface name. | interface.name | FALSE |
| proto | long | Protocol type (e.g., IPv4, IPv6). | network.type | FALSE |
| address | string | Assigned IP address. | network.ip | FALSE |
| netmask | string | Subnet mask of the interface. | network.netmask | TRUE |
| broadcast | string | Broadcast address. | network.broadcast | TRUE |
| metric | string | Interface metric for routing decisions. | network.metric | TRUE |
| dhcp | bool | Indicates whether DHCP is enabled (yes/no). | network.dhcp | TRUE |
| operation | string | Type of operation performed (e.g., INSERTED, MODIFIED, DELETED). | operation.name | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |


@ -4,6 +4,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,interface,interface.name,keyword,extended,,eth0,Interface name
8.11.0,true,network,network.broadcast,ip,custom,,,Broadcast address
8.11.0,true,network,network.dhcp,boolean,custom,,,DHCP enabled

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true interface interface.name keyword extended eth0 Interface name
9 8.11.0 true network network.broadcast ip custom Broadcast address
10 8.11.0 true network network.dhcp boolean custom DHCP enabled


@ -31,6 +31,7 @@ def generate_random_data(number):
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"interface": generate_random_interface(),
"network": generate_random_network(),
"wazuh": generate_random_wazuh()
@ -55,6 +56,14 @@ def generate_random_agent():
}
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_host(is_root_level_level=False):
if is_root_level_level:
return {


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -14,6 +14,8 @@ fields:
fields:
architecture: {}
ip: {}
checksum:
fields: "*"
interface:
fields:
name: {}


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:
@ -13,25 +15,26 @@ The detail of the fields can be found in csv file [States inventory packages Fie
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
| -------------- | ------ | ----------------------------------------------- | -------------------- | ------ |
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| architecture | string | Package architecture. | package.architecture | FALSE |
| description | string | Description of the package. | package.description | FALSE |
| groups | string | Package category or group. | package.category | TRUE |
| install_time | string | Installation timestamp. | package.installed | FALSE |
| name | string | Package name. | package.name | FALSE |
| location | string | Path where the package is installed. | package.path | FALSE |
| vendor | string | Vendor or maintainer of the package. | package.vendor | TRUE |
| version | string | Package version. | package.version | FALSE |
| | string | Whether the package is built for a foreign arch | package.multiarch | TRUE |
| | string | Package priority | package.priority | TRUE |
| | string | Package size | package.size | FALSE |
| | string | Package source | package.source | TRUE |
| | string | Package type | package.type | FALSE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| Field Name | Type | Description | Destination Field | Custom |
|----------------|---------|----------------------------------------------------------------|----------------------|--------|
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| architecture | string | Package architecture. | package.architecture | FALSE |
| description | string | Description of the package. | package.description | FALSE |
| groups | string | Package category or group. | package.category | TRUE |
| install_time | string | Installation timestamp. | package.installed | FALSE |
| name | string | Package name. | package.name | FALSE |
| location | string | Path where the package is installed. | package.path | FALSE |
| vendor | string | Vendor or maintainer of the package. | package.vendor | TRUE |
| version | string | Package version. | package.version | FALSE |
| | string | Whether the package is built for a foreign arch | package.multiarch | TRUE |
| | string | Package priority | package.priority | TRUE |
| | string | Package size | package.size | FALSE |
| | string | Package source | package.source | TRUE |
| | string | Package type | package.type | FALSE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |


@ -4,6 +4,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
8.11.0,true,package,package.category,keyword,custom,,,Package category or group
8.11.0,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true package package.architecture keyword extended x86_64 Package architecture.
9 8.11.0 true package package.category keyword custom Package category or group
10 8.11.0 true package package.description keyword extended Open source programming language to build simple/reliable/efficient software. Description of the package.


@ -31,6 +31,7 @@ def generate_random_data(number):
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"package": generate_random_package(),
"wazuh": generate_random_wazuh(),
}
@ -54,6 +55,14 @@ def generate_random_agent():
}
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_host():
return {
"architecture": random.choice(["x86_64", "arm64"]),
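Review bot: The sample digest in `generate_random_checksum` is drawn from `"ABCDEF0123456789"`, so it is always uppercase hex, while SHA1 digests are conventionally rendered lowercase and `checksum.hash.sha1` is mapped as a case-sensitive `keyword`; if the agent emits lowercase hashes, data produced by this generator will not behave like real data in exact-match queries. The agent's actual encoding is not shown on this page, so this should be confirmed against it; `'sha1': ''.join(random.choices("0123456789abcdef", k=40))` would be the safer default. The new dict also uses single-quoted keys (`'hash'`, `'sha1'`) where the surrounding `event_data` and `generate_random_host` dicts use double quotes. The identical function is pasted into the ports, processes, protocols, system and users generators further down this commit, so whichever alphabet is chosen should be applied to all of them. The enclosing `generate_random_data` loop starts outside the hunk.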


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.
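Review bot: The `hash.sha1` definition carries no `example:`, so the generated `fields.csv` row for `checksum.hash.sha1` has an empty Example column while neighbouring fields such as `agent.id` show one; adding `example: da39a3ee5e6b4b0d3255bfef95601890afd80709` (constructed sample, SHA1 of the empty string) next to `level: custom` would make the generated documentation self-describing. The description could also state what the checksum is for: the commit ties these fields to "States Persistence", which suggests a change-detection checksum over the collected state rather than a tamper-evidence value, but that role is inferred, not stated on the page, and should be confirmed before wording it. The same definition is repeated verbatim in each module's `checksum.yml` further down, so any wording or example change applies to all of them.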


@ -14,6 +14,8 @@ fields:
fields:
architecture: {}
ip: {}
checksum:
fields: "*"
package:
fields:
architecture: {}


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:
@ -18,23 +20,24 @@ The detail of the fields can be found in csv file [States inventory ports Fields
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
|----------------|--------|-----------------------------------------------|----------------------------|--------|
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| local_ip | string | Local IP address. | destination.ip | FALSE |
| local_port | long | Local port number. | destination.port | FALSE |
| inode | long | Inode associated with the connection. | file.inode | FALSE |
| tx_queue | long | Transmit queue length. | host.network.egress.queue | TRUE |
| rx_queue | long | Receive queue length. | host.network.ingress.queue | FALSE |
| state | string | Connection state (e.g., LISTEN, ESTABLISHED). | interface.state | TRUE |
| protocol | string | Transport protocol (TCP/UDP). | network.transport | FALSE |
| process | string | Name of the process using the port. | process.name | FALSE |
| pid | long | Process ID using the port. | process.pid | FALSE |
| remote_ip | string | Remote IP address. | source.ip | FALSE |
| remote_port | long | Remote port number. | source.port | FALSE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| Field Name | Type | Description | Destination Field | Custom |
|----------------|---------|----------------------------------------------------------------|----------------------------|--------|
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| local_ip | string | Local IP address. | destination.ip | FALSE |
| local_port | long | Local port number. | destination.port | FALSE |
| inode | long | Inode associated with the connection. | file.inode | FALSE |
| tx_queue | long | Transmit queue length. | host.network.egress.queue | TRUE |
| rx_queue | long | Receive queue length. | host.network.ingress.queue | FALSE |
| state | string | Connection state (e.g., LISTEN, ESTABLISHED). | interface.state | TRUE |
| protocol | string | Transport protocol (TCP/UDP). | network.transport | FALSE |
| process | string | Name of the process using the port. | process.name | FALSE |
| pid | long | Process ID using the port. | process.pid | FALSE |
| remote_ip | string | Remote IP address. | source.ip | FALSE |
| remote_port | long | Remote port number. | source.port | FALSE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |


@ -4,6 +4,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,destination,destination.ip,ip,core,,,IP address of the destination.
8.11.0,true,destination,destination.port,long,core,,,Port of the destination.
8.11.0,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
@ -12,6 +13,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,interface,interface.state,keyword,custom,,,State of the network interface.
8.11.0,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
8.11.0,true,process,process.name,keyword,extended,,ssh,Process name.
8.11.0,true,process,process.name.text,keyword,extended,,ssh,Process name.
8.11.0,true,process,process.pid,long,core,,4242,Process id.
8.11.0,true,source,source.ip,ip,core,,,IP address of the source.
8.11.0,true,source,source.port,long,core,,,Port of the source.

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true destination destination.ip ip core IP address of the destination.
9 8.11.0 true destination destination.port long core Port of the destination.
10 8.11.0 true file file.inode keyword extended 256383 Inode representing the file in the filesystem.
13 8.11.0 true interface interface.state keyword custom State of the network interface.
14 8.11.0 true network network.transport keyword core tcp Protocol Name corresponding to the field `iana_number`.
15 8.11.0 true process process.name keyword extended ssh Process name.
16 8.11.0 true process process.name.text keyword extended ssh Process name.
17 8.11.0 true process process.pid long core 4242 Process id.
18 8.11.0 true source source.ip ip core IP address of the source.
19 8.11.0 true source source.port long core Port of the source.


@ -31,6 +31,7 @@ def generate_random_data(number):
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"destination": generate_random_destination(),
"file": generate_random_file(),
"host": generate_random_host(True),
@ -60,6 +61,14 @@ def generate_random_agent():
}
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_host(is_root_level=False):
if is_root_level:
return {


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -14,6 +14,8 @@ fields:
fields:
architecture: {}
ip: {}
checksum:
fields: "*"
destination:
fields:
ip: {}


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:
@ -13,22 +15,23 @@ The detail of the fields can be found in csv file [States inventory processes Fi
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
| -------------- | ------ | --------------------------------- | -------------------- | ------ |
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| argvs | string | Arguments passed to the process. | process.args | FALSE |
| cmd | string | Command executed by the process. | process.command_line | FALSE |
| name | string | Process name. | process.name | FALSE |
| ppid | long | Parent process ID. | process.parent.pid | FALSE |
| pid | string | Process ID. | process.pid | FALSE |
| state | string | Current process state. | process.state | TRUE |
| stime | long | System mode CPU time used. | process.stime | TRUE |
| utime | long | User mode CPU time used. | process.utime | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| | date | The time the process started | process.start | FALSE |
| | long | Length of the process.args array. | process.args_count | FALSE |
| Field Name | Type | Description | Destination Field | Custom |
|----------------|---------|----------------------------------------------------------------|----------------------|--------|
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| argvs | string | Arguments passed to the process. | process.args | FALSE |
| cmd | string | Command executed by the process. | process.command_line | FALSE |
| name | string | Process name. | process.name | FALSE |
| ppid | long | Parent process ID. | process.parent.pid | FALSE |
| pid | string | Process ID. | process.pid | FALSE |
| state | string | Current process state. | process.state | TRUE |
| stime | long | System mode CPU time used. | process.stime | TRUE |
| utime | long | User mode CPU time used. | process.utime | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| | date | The time the process started | process.start | FALSE |
| | long | Length of the process.args array. | process.args_count | FALSE |
| checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |


@ -4,10 +4,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
8.11.0,true,process,process.args_count,long,extended,,4,Length of the process.args array.
8.11.0,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
8.11.0,true,process,process.command_line.text,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
8.11.0,true,process,process.name,keyword,extended,,ssh,Process name.
8.11.0,true,process,process.name.text,keyword,extended,,ssh,Process name.
8.11.0,true,process,process.parent.pid,long,core,,4242,Process id.
8.11.0,true,process,process.pid,long,core,,4242,Process id.
8.11.0,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true process process.args keyword extended array ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] Array of process arguments.
9 8.11.0 true process process.args_count long extended 4 Length of the process.args array.
10 8.11.0 true process process.command_line keyword extended /usr/bin/ssh -l user 10.0.0.16 Full command line that started the process.
11 8.11.0 true process process.command_line.text keyword extended /usr/bin/ssh -l user 10.0.0.16 Full command line that started the process.
12 8.11.0 true process process.name keyword extended ssh Process name.
13 8.11.0 true process process.name.text keyword extended ssh Process name.
14 8.11.0 true process process.parent.pid long core 4242 Process id.
15 8.11.0 true process process.pid long core 4242 Process id.
16 8.11.0 true process process.start date extended 2016-05-23T08:05:34.853Z The time the process started.


@ -31,6 +31,7 @@ def generate_random_data(number):
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"process": generate_random_process(),
"wazuh": generate_random_wazuh(),
}
@ -54,6 +55,14 @@ def generate_random_agent():
}
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_host():
return {
"architecture": random.choice(["x86_64", "arm64"]),


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -14,6 +14,8 @@ fields:
fields:
architecture: {}
ip: {}
checksum:
fields: "*"
process:
fields:
args: {}


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:
@ -14,17 +16,18 @@ The detail of the fields can be found in csv file [States inventory protocols Fi
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
| -------------- | ------ | -------------------------------------- | -------------------- | ------ |
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| iface | string | Interface name. | interface.name | FALSE |
| type | string | Protocol type (e.g., static, dynamic). | network.type | FALSE |
| gateway | string | Default gateway address. | network.gateway | TRUE |
| dhcp | bool | Indicates if DHCP is used (yes/no). | network.dhcp | TRUE |
| metric | string | Routing metric value. | network.metric | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| Field Name | Type | Description | Destination Field | Custom |
|----------------|---------|----------------------------------------------------------------|----------------------|--------|
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| iface | string | Interface name. | interface.name | FALSE |
| type | string | Protocol type (e.g., static, dynamic). | network.type | FALSE |
| gateway | string | Default gateway address. | network.gateway | TRUE |
| dhcp | bool | Indicates if DHCP is used (yes/no). | network.dhcp | TRUE |
| metric | string | Routing metric value. | network.metric | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |


@ -4,6 +4,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,interface,interface.name,keyword,extended,,eth0,Interface name
8.11.0,true,network,network.dhcp,boolean,custom,,,DHCP enabled
8.11.0,true,network,network.gateway,ip,custom,,,Gateway address

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true interface interface.name keyword extended eth0 Interface name
9 8.11.0 true network network.dhcp boolean custom DHCP enabled
10 8.11.0 true network network.gateway ip custom Gateway address


@ -31,6 +31,7 @@ def generate_random_data(number):
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"network": generate_random_network(),
"wazuh": generate_random_wazuh(),
}
@ -54,6 +55,14 @@ def generate_random_agent():
}
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_host(is_root_level_level=False):
return {
"architecture": random.choice(["x86_64", "arm64"]),


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -14,6 +14,8 @@ fields:
fields:
architecture: {}
ip: {}
checksum:
fields: "*"
network:
fields:
dhcp: {}


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:
@ -14,28 +16,29 @@ The detail of the fields can be found in csv file [States inventory system Field
### Transition table
| Field Name | Type | Description | Destination Field | Custom |
| ------------------ | ------ | --------------------------------------------------------------------------------- | ---------------------------- | ------ |
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| hostname | string | System hostname. | host.hostname | FALSE |
| architecture | string | CPU architecture (e.g., x86_64, ARM). | host.architecture | FALSE |
| os_name | string | Operating system name. | host.os.name | FALSE |
| os_version | string | Full OS version. | host.os.version | FALSE |
| os_platform | string | Platform name (e.g., Debian, RedHat). | host.os.platform | FALSE |
| os_display_version | string | Human-readable OS version. | host.os.full | FALSE |
| os_codename | string | OS codename (if applicable). | host.os.codename | TRUE |
| os_major | string | Major version number. | host.os.major | TRUE |
| os_minor | string | Minor version number. | host.os.minor | TRUE |
| os_patch | string | Patch level of the OS. | host.os.patch | TRUE |
| os_build | string | Build number of the OS. | host.os.build | TRUE |
| sysname | string | System kernel name. | host.os.kernel.name | TRUE |
| release | string | Kernel release version. | host.os.kernel.release | TRUE |
| version | string | Kernel version. | host.os.kernel.version | TRUE |
| os_release | string | Distribution-specific release information. | host.os.distribution.release | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| | string | Which commercial OS family (one of: linux, macos, unix, windows, ios or android). | host.os.type | FALSE |
| Field Name | Type | Description | Destination Field | Custom |
|--------------------|---------|-----------------------------------------------------------------------------------|------------------------------|--------|
| agent_id | string | Unique ID of the agent. | agent.id | FALSE |
| agent_ip | string | IP address of the agent. | agent.host.ip | TRUE |
| agent_name | string | Name of the agent. | agent.name | FALSE |
| agent_version | string | Agent version. | agent.version | FALSE |
| hostname | string | System hostname. | host.hostname | FALSE |
| architecture | string | CPU architecture (e.g., x86_64, ARM). | host.architecture | FALSE |
| os_name | string | Operating system name. | host.os.name | FALSE |
| os_version | string | Full OS version. | host.os.version | FALSE |
| os_platform | string | Platform name (e.g., Debian, RedHat). | host.os.platform | FALSE |
| os_display_version | string | Human-readable OS version. | host.os.full | FALSE |
| os_codename | string | OS codename (if applicable). | host.os.codename | TRUE |
| os_major | string | Major version number. | host.os.major | TRUE |
| os_minor | string | Minor version number. | host.os.minor | TRUE |
| os_patch | string | Patch level of the OS. | host.os.patch | TRUE |
| os_build | string | Build number of the OS. | host.os.build | TRUE |
| sysname | string | System kernel name. | host.os.kernel.name | TRUE |
| release | string | Kernel release version. | host.os.kernel.release | TRUE |
| version | string | Kernel version. | host.os.kernel.version | TRUE |
| os_release | string | Distribution-specific release information. | host.os.distribution.release | TRUE |
| cluster_name | string | Wazuh cluster name | wazuh.cluster.name | TRUE |
| cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
| schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
| | string | Which commercial OS family (one of: linux, macos, unix, windows, ios or android). | host.os.type | FALSE |
| checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |


@ -4,18 +4,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
8.11.0,true,host,host.hostname,keyword,core,,,Hostname of the host.
8.11.0,true,host,host.os.build,keyword,custom,,,Build number of the OS
8.11.0,true,host,host.os.codename,keyword,custom,,,OS codename
8.11.0,true,host,host.os.distribution.release,keyword,custom,,,Distribution-specific release information
8.11.0,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
8.11.0,true,host,host.os.full.text,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
8.11.0,true,host,host.os.kernel.name,keyword,custom,,,System kernel name
8.11.0,true,host,host.os.kernel.release,keyword,custom,,,Kernel release version
8.11.0,true,host,host.os.kernel.version,keyword,custom,,,Kernel version
8.11.0,true,host,host.os.major,keyword,custom,,,Major version number
8.11.0,true,host,host.os.minor,keyword,custom,,,Minor version number
8.11.0,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
8.11.0,true,host,host.os.name.text,keyword,extended,,Mac OS X,"Operating system name, without the version."
8.11.0,true,host,host.os.patch,keyword,custom,,,Patch level of the OS
8.11.0,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
8.11.0,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true host host.architecture keyword core x86_64 Operating system architecture.
9 8.11.0 true host host.hostname keyword core Hostname of the host.
10 8.11.0 true host host.os.build keyword custom Build number of the OS
11 8.11.0 true host host.os.codename keyword custom OS codename
12 8.11.0 true host host.os.distribution.release keyword custom Distribution-specific release information
13 8.11.0 true host host.os.full keyword extended Mac OS Mojave Operating system name, including the version or code name.
14 8.11.0 true host host.os.full.text keyword extended Mac OS Mojave Operating system name, including the version or code name.
15 8.11.0 true host host.os.kernel.name keyword custom System kernel name
16 8.11.0 true host host.os.kernel.release keyword custom Kernel release version
17 8.11.0 true host host.os.kernel.version keyword custom Kernel version
18 8.11.0 true host host.os.major keyword custom Major version number
19 8.11.0 true host host.os.minor keyword custom Minor version number
20 8.11.0 true host host.os.name keyword extended Mac OS X Operating system name, without the version.
21 8.11.0 true host host.os.name.text keyword extended Mac OS X Operating system name, without the version.
22 8.11.0 true host host.os.patch keyword custom Patch level of the OS
23 8.11.0 true host host.os.platform keyword extended darwin Operating system platform (such centos, ubuntu, windows).
24 8.11.0 true host host.os.type keyword extended macos Which commercial OS family (one of: linux, macos, unix, windows, ios or android).


@ -31,6 +31,7 @@ def generate_random_data(number):
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"host": generate_random_host(True),
"wazuh": generate_random_wazuh(),
}
@ -54,6 +55,14 @@ def generate_random_agent():
}
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_host(is_root_level=False):
if is_root_level:
return {


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -14,6 +14,8 @@ fields:
fields:
architecture: {}
ip: {}
checksum:
fields: "*"
host:
fields:
architecture: {}


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh-indexer/issues/889#issuecomment-2923017753
The fields are based on:
- [Inventory - User & Groups mappings](https://github.com/wazuh/wazuh-indexer/issues/889#issuecomment-2923017753) (included in 4.14.0)
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:


@ -4,6 +4,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,host,host.ip,ip,core,array,,Host ip addresses.
8.11.0,true,login,login.status,boolean,custom,,,Whether the login was successful or the user is currently logged in.
8.11.0,true,login,login.tty,keyword,custom,,,"Terminal associated with the login session (e.g., pts/1)."

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
4 8.11.0 true agent agent.id keyword core 8a4f500d Unique identifier of this agent.
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
7 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
8 8.11.0 true host host.ip ip core array Host ip addresses.
9 8.11.0 true login login.status boolean custom Whether the login was successful or the user is currently logged in.
10 8.11.0 true login login.tty keyword custom Terminal associated with the login session (e.g., pts/1).


@ -32,6 +32,7 @@ def generate_random_user():
return {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"user": {
"id": random.randint(1000, 9999),
"name": ''.join(random.choices(string.ascii_lowercase, k=6)),
@ -91,6 +92,14 @@ def generate_random_agent():
}
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_host():
return {
"architecture": random.choice(["x86_64", "arm64"]),
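Review bot: `generate_random_checksum` draws the digest from `"ABCDEF0123456789"`, i.e. uppercase hex, whereas `hashlib`-style `hexdigest()` output, the most likely real producer, is lowercase; because `checksum.hash.sha1` is mapped as `keyword` (exact match), fixtures in the wrong case would never equal a real agent value and would hide case-sensitivity problems in downstream queries. Suggest `'sha1': ''.join(random.choices(string.hexdigits[:16], k=40)),` (`string` is already imported in this file, see `string.ascii_lowercase` above), or the explicit literal `"0123456789abcdef"` where `string` is not in scope. The helper also lacks a docstring; a one-liner such as `"""Return a random 40-hex-char value shaped like checksum.hash.sha1 (fixture only, not a real digest)."""` would make its purpose clear. The identical helper added to the vulnerabilities generator further down in this commit should get the same change.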


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.
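Review bot: The `hash.sha1` description says what the field is but not its encoding, length or what data it covers, so a consumer cannot validate the value or recompute it. Suggest spelling these out, e.g. `SHA1 hash (40 hexadecimal characters) used as checksum of the data collected by the agent, computed over the inventory fields of this document for change detection.`, adjusting the scope clause to whatever the agent actually hashes, which this change does not document. It is also worth stating that the value is a change-detection checksum rather than a tamper-evidence control, since SHA1 is not collision-resistant and the hash travels alongside the data it covers. The same definition is duplicated under the vulnerabilities module in this commit; keep both in sync or factor it into one shared custom field set.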


@ -14,6 +14,8 @@ fields:
fields:
architecture: {}
ip: {}
checksum:
fields: "*"
user:
fields:
id: {}


@ -4,6 +4,6 @@
The fields are based on:
- [SCA refactor tier 1](https://github.com/wazuh/wazuh-indexer-plugins/issues/351#issue-2956934075) (included in 6.0.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2914305496) (included in 5.0.0)
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
The detail of the fields can be found in csv file [SCA Fields](fields.csv).


@ -2,7 +2,9 @@
### Fields summary
The fields are based on https://github.com/wazuh/wazuh/issues/27898
The fields are based on:
- [Global Queries](https://github.com/wazuh/wazuh/issues/27898) (included in 4.13.0).
- [States Persistence](https://github.com/wazuh/wazuh/issues/29840#issuecomment-2937251736) (included in 5.0.0)
Based on ECS:
@ -68,3 +70,4 @@ The detail of the fields can be found in csv file [States vulnerabilities Fields
| wazuh.cluster.name | keyword | Wazuh cluster name. | wazuh.cluster.name | TRUE |
| wazuh.cluster.node | keyword | Wazuh cluster node name. | wazuh.cluster.node | TRUE |
| wazuh.schema.version | keyword | Wazuh schema version. | wazuh.schema.version | TRUE |
| checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |


@ -5,6 +5,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
8.11.0,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
8.11.0,true,host,host.os.full.text,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
8.11.0,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.

1 ECS_Version Indexed Field_Set Field Type Level Normalization Example Description
5 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
6 8.11.0 true agent agent.type keyword core filebeat Type of the agent.
7 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
8 8.11.0 true checksum checksum.hash.sha1 keyword custom SHA1 hash used as checksum of the data collected by the agent.
9 8.11.0 true host host.os.full keyword extended Mac OS Mojave Operating system name, including the version or code name.
10 8.11.0 true host host.os.full.text keyword extended Mac OS Mojave Operating system name, including the version or code name.
11 8.11.0 true host host.os.kernel keyword extended 4.4.0-112-generic Operating system kernel version as a raw string.


@ -55,6 +55,14 @@ def generate_random_agent():
return agent
def generate_random_checksum():
return {
'hash': {
'sha1': ''.join(random.choices("ABCDEF0123456789", k=40)),
}
}
def generate_random_event():
event = {
"action": random.choice(
@ -366,6 +374,7 @@ def generate_random_data(number):
for _ in range(number):
event_data = {
"agent": generate_random_agent(),
"checksum": generate_random_checksum(),
"host": generate_random_host(),
"package": generate_random_package(),
"vulnerability": generate_random_vulnerability(),


@ -0,0 +1,11 @@
---
- name: checksum
title: Checksum
description: >
Checksum custom fields
fields:
- name: hash.sha1
type: keyword
level: custom
description: >
SHA1 hash used as checksum of the data collected by the agent.


@ -6,6 +6,8 @@ fields:
tags: []
agent:
fields: "*"
checksum:
fields: "*"
package:
fields: "*"
host:


@ -1,5 +1,5 @@
{
"index_patterns": ["wazuh-states-vulnerabilities-*"],
"index_patterns": ["wazuh-states-vulnerabilities*"],
"order": 1,
"settings": {
"index": {
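Review bot: Dropping the dash from `index_patterns` widens the match from `wazuh-states-vulnerabilities-*` to any index whose name merely begins with `wazuh-states-vulnerabilities`, so the bare index name now matches (presumably the intent of the "typo" fix) but so would any other prefix-sharing index, which would silently receive this template's strict mapping and settings. If only the exact name and dash-suffixed variants are wanted, listing both is narrower: `"index_patterns": ["wazuh-states-vulnerabilities", "wazuh-states-vulnerabilities-*"],`. The composable template in the next section makes the same change and the same remark applies there.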


@ -1,5 +1,5 @@
{
"index_patterns": ["wazuh-states-vulnerabilities-*"],
"index_patterns": ["wazuh-states-vulnerabilities*"],
"priority": 1,
"template": {
"settings": {


@ -33,6 +33,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"group": {
"properties": {
"description": {


@ -33,6 +33,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"host": {
"properties": {
"cpu": {


@ -6,9 +6,6 @@
"date_detection": false,
"dynamic": "strict",
"properties": {
"@timestamp": {
"type": "date"
},
"agent": {
"properties": {
"host": {
@ -36,6 +33,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"package": {
"properties": {
"hotfix": {
@ -82,7 +91,15 @@
"number_of_replicas": "0",
"number_of_shards": "1",
"query.default_field": [
"package.hotfix.name"
"agent.host.architecture",
"agent.host.ip",
"agent.id",
"agent.name",
"agent.version",
"package.hotfix.name",
"wazuh.cluster.name",
"wazuh.cluster.node",
"wazuh.schema.version"
],
"refresh_interval": "5s"
}
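Review bot: The `@timestamp` property is removed from a mapping that declares `"dynamic": "strict"`, so any document that still carries `@timestamp` will be rejected with a strict-mapping error instead of being indexed, and nothing in the commit description mentions this removal. If the producers for this index no longer emit `@timestamp` that is fine, but it deserves a line in the module documentation, and the event generators should be checked for a lingering `@timestamp` key. The same removal appears in four later mappings in this commit (packages, ports, processes and system, judging by their properties), and this remark applies to them as well. Separately, `checksum.hash.sha1` is not added to `query.default_field` although `agent.*` and `wazuh.*` entries are; probably intentional since checksums are looked up by field, but worth confirming.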


@ -33,6 +33,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"host": {
"properties": {
"mac": {


@ -33,6 +33,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"interface": {
"properties": {
"name": {


@ -6,9 +6,6 @@
"date_detection": false,
"dynamic": "strict",
"properties": {
"@timestamp": {
"type": "date"
},
"agent": {
"properties": {
"host": {
@ -36,6 +33,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"package": {
"properties": {
"architecture": {


@ -6,9 +6,6 @@
"date_detection": false,
"dynamic": "strict",
"properties": {
"@timestamp": {
"type": "date"
},
"agent": {
"properties": {
"host": {
@ -36,6 +33,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"destination": {
"properties": {
"ip": {
@ -146,10 +155,23 @@
"number_of_replicas": "0",
"number_of_shards": "1",
"query.default_field": [
"agent.host.architecture",
"agent.host.ip",
"agent.id",
"agent.name",
"agent.version",
"host.network.egress.queue",
"host.network.ingress.queue",
"file.inode",
"interface.state",
"network.transport",
"process.name",
"process.pid",
"source.ip",
"destination.ip"
"destination.ip",
"wazuh.cluster.name",
"wazuh.cluster.node",
"wazuh.schema.version"
],
"refresh_interval": "5s"
}


@ -6,9 +6,6 @@
"date_detection": false,
"dynamic": "strict",
"properties": {
"@timestamp": {
"type": "date"
},
"agent": {
"properties": {
"host": {
@ -36,6 +33,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"process": {
"properties": {
"args": {


@ -33,6 +33,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"interface": {
"properties": {
"name": {


@ -6,9 +6,6 @@
"date_detection": false,
"dynamic": "strict",
"properties": {
"@timestamp": {
"type": "date"
},
"agent": {
"properties": {
"host": {
@ -36,6 +33,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"host": {
"properties": {
"architecture": {


@ -33,6 +33,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"host": {
"properties": {
"ip": {


@ -38,6 +38,18 @@
}
}
},
"checksum": {
"properties": {
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"host": {
"properties": {
"os": {
@ -240,15 +252,30 @@
"number_of_replicas": "0",
"number_of_shards": "1",
"query.default_field": [
"agent.host.architecture",
"agent.host.ip",
"agent.id",
"host.os.full",
"host.os.version",
"agent.name",
"agent.version",
"package.architecture",
"package.category",
"package.description",
"package.installed",
"package.multiarch",
"package.name",
"package.path",
"package.priority",
"package.size",
"package.source",
"package.type",
"package.vendor",
"package.version",
"vulnerability.id",
"vulnerability.description",
"vulnerability.severity",
"wazuh.cluster.name"
"wazuh.cluster.name",
"wazuh.cluster.node",
"wazuh.schema.version"
],
"refresh_interval": "5s"
}
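Review bot: `host.os.full` and `host.os.version` are dropped from `query.default_field` even though `host.os` is still mapped in this template (see the `host` properties earlier in the section), so free-text queries that previously matched on OS name or version will stop matching after this change. If that is a side-effect of regenerating the template rather than intent, those two entries should be kept alongside the new `package.*` ones; if it is intended, the module documentation should say so. The enclosing settings object continues past the visible hunk only by its closing brace, so nothing else in the list appears to be affected.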