Add cloud services subcategories (#595)

* Add subcategories

Fixes missing changes to aliases on the templates

* Fix index template priority not being used

* Update WCS documentation

* Add changelog entry

Fix test failure

CHANGELOG.md

@@ -21,6 +21,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Categorize WCS stateless indices [(#588)](https://github.com/wazuh/wazuh-indexer-plugins/pull/588)
 - Add major version to index aliases [(#592)](https://github.com/wazuh/wazuh-indexer-plugins/pull/592)
 - Increase max_docvalue_fields_search to 200 [(#594)](https://github.com/wazuh/wazuh-indexer-plugins/pull/594)
+- Add cloud services subcategories [(#595)](https://github.com/wazuh/wazuh-indexer-plugins/pull/595)
 
 ### Dependencies
 -

docs/ref/modules/setup/schema.md

@@ -6,6 +6,8 @@ The Wazuh Common Schema (WCS) is a standardized structure for organizing and cat
 
 The Wazuh Common Schema categorizes events into several key areas to streamline data management and analysis.
 
+The index mappings and settings for subcategories take precedence over those from the main category. In OpenSearch, index templates are applied in order of their "priority" value: templates with a lower priority are applied first, and those with a higher priority are applied afterward, allowing them to override previous settings. This means the index template for the main category is applied first (priority=1), and then the subcategory template (priority=10) is applied on top of it, so subcategory-specific settings override the main category defaults.
+
 #### Access Management
 
 None yet.
@@ -39,9 +41,9 @@ None yet.
 | Azure Functions      | Azure       | Cloud Services |
 | Azure Metrics        | Azure       | Cloud Services |
 | Azure OpenAI         | Azure       | Cloud Services |
-| Cisco Umbrella       | Cisco       | Cloud Services |
-| GCP                  | Google      | Cloud Services |
-| Google SCC           | Google      | Cloud Services |
+| Cisco Umbrella       | -           | Cloud Services |
+| GCP                  | GCP         | Cloud Services |
+| Google SCC           | GCP         | Cloud Services |
 
 #### Network Activity
 
@@ -90,10 +92,13 @@ None yet.
 wazuh-events-5.x-access-management-000001
 wazuh-events-5.x-applications-000001
 wazuh-events-5.x-cloud-services-000001
+wazuh-events-5.x-cloud-services-aws-000001
+wazuh-events-5.x-cloud-services-azure-000001
+wazuh-events-5.x-cloud-services-gcp-000001
 wazuh-events-5.x-network-activity-000001
+wazuh-events-5.x-other-000001
 wazuh-events-5.x-security-000001
 wazuh-events-5.x-system-activity-000001
-wazuh-events-5.x-other-000001
 ```
 
 ### Aliases
@@ -102,8 +107,11 @@ wazuh-events-5.x-other-000001
 wazuh-events-5.x-access-management
 wazuh-events-5.x-applications
 wazuh-events-5.x-cloud-services
+wazuh-events-5.x-cloud-services-aws
+wazuh-events-5.x-cloud-services-azure
+wazuh-events-5.x-cloud-services-gcp
 wazuh-events-5.x-network-activity
+wazuh-events-5.x-other
 wazuh-events-5.x-security
 wazuh-events-5.x-system-activity
-wazuh-events-5.x-other
 ```

ecs/generate_wcs_integrations.py

@@ -58,11 +58,13 @@ class WCSIntegrationsGenerator:
 
                 # Determine log category (default to 'other' if empty)
                 log_category = row.get('Category', '').strip() or 'other'
+                log_subcategory = row.get('Subcategory', '').strip() or ''
 
                 # Store integration data using normalized name
                 if integration_name not in self.integrations_data:
                     self.integrations_data[integration_name] = {
-                        'log_category': log_category,
+                        'log_category': f"{log_category}-{log_subcategory}" if log_subcategory else log_category,
+                        'log_subcategory': log_subcategory,
                         'original_name': integration,
                         'fields': []
                     }
@@ -182,7 +184,7 @@ class WCSIntegrationsGenerator:
 
         return subset_content
 
-    def generate_template_settings(self, log_category):
+    def generate_template_settings(self, log_category, log_subcategory):
         """Generate template-settings.json for an integration."""
         template_settings_path = self.template_path / "fields" / "template-settings.json"
 
@@ -191,11 +193,12 @@ class WCSIntegrationsGenerator:
 
         # Update index patterns and settings
         settings['index_patterns'] = [f"wazuh-events-5.x-{log_category}-*"]
-        settings['template']['settings']['plugins.index_state_management.rollover_alias'] = f"wazuh-events-{log_category}"
+        settings['template']['settings']['plugins.index_state_management.rollover_alias'] = f"wazuh-events-5.x-{log_category}"
+        settings['priority'] = 10  if log_subcategory else 1
 
         return settings
 
-    def generate_template_settings_legacy(self, log_category):
+    def generate_template_settings_legacy(self, log_category, log_subcategory):
         """Generate template-settings-legacy.json for an integration."""
         template_settings_path = self.template_path / "fields" / "template-settings-legacy.json"
 
@@ -204,7 +207,8 @@ class WCSIntegrationsGenerator:
 
         # Update index patterns and settings
         settings['index_patterns'] = [f"wazuh-events-5.x-{log_category}-*"]
-        settings['settings']['plugins.index_state_management.rollover_alias'] = f"wazuh-events-{log_category}"
+        settings['settings']['plugins.index_state_management.rollover_alias'] = f"wazuh-events-5.x-{log_category}"
+        settings['order'] = 10  if log_subcategory else 1
 
         return settings
 
@@ -249,6 +253,7 @@ The **{log_category}** log category provides specialized fields for processing e
     def write_files_for_integration(self, integration, integration_data):
         """Write all files for a specific integration."""
         log_category = integration_data['log_category']
+        log_subcategory = integration_data['log_subcategory']
         folder_name = f"stateless-{log_category}"
         base_path = self.ecs_base_path / folder_name
 
@@ -272,14 +277,14 @@ The **{log_category}** log category provides specialized fields for processing e
             f.write(subset_content)
 
         # 3. Generate template-settings.json
-        template_settings = self.generate_template_settings(log_category)
+        template_settings = self.generate_template_settings(log_category, log_subcategory)
         template_settings_path = base_path / "fields" / "template-settings.json"
 
         with open(template_settings_path, 'w') as f:
             json.dump(template_settings, f, indent=2)
 
         # 4. Generate template-settings-legacy.json
-        template_settings_legacy = self.generate_template_settings_legacy(log_category)
+        template_settings_legacy = self.generate_template_settings_legacy(log_category, log_subcategory)
         template_settings_legacy_path = base_path / "fields" / "template-settings-legacy.json"
 
         with open(template_settings_legacy_path, 'w') as f:

ecs/module_list.txt

@@ -20,11 +20,14 @@ module_to_file=(
   [states-fim-files]=index-template-fim-files.json
   [states-inventory-users]=index-template-inventory-users.json
   # Third-party stateless modules
+  [stateless-cloud-services-gcp]=index-template-cloud-services-gcp.json
   [stateless-system-activity]=index-template-system-activity.json
+  [stateless-cloud-services-aws]=index-template-cloud-services-aws.json
   [stateless-other]=index-template-other.json
   [stateless-cloud-services]=index-template-cloud-services.json
   [stateless-network-activity]=index-template-network-activity.json
   [stateless-security]=index-template-security.json
+  [stateless-cloud-services-azure]=index-template-cloud-services-azure.json
   [stateless-access-management]=index-template-access-management.json
   [stateless-applications]=index-template-applications.json
 )

ecs/stateless-access-management/fields/template-settings-legacy.json

@@ -4,7 +4,7 @@
   ],
   "order": 1,
   "settings": {
-    "plugins.index_state_management.rollover_alias": "wazuh-events-access-management",
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-access-management",
     "mapping.total_fields.limit": 10000,
     "mapping.nested_fields.limit": 100,
     "index": {

ecs/stateless-access-management/fields/template-settings.json

@@ -5,7 +5,7 @@
   "priority": 1,
   "template": {
     "settings": {
-      "plugins.index_state_management.rollover_alias": "wazuh-events-access-management",
+      "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-access-management",
       "mapping.total_fields.limit": 10000,
       "mapping.nested_fields.limit": 100,
       "index": {

ecs/stateless-applications/fields/template-settings-legacy.json

@@ -4,7 +4,7 @@
   ],
   "order": 1,
   "settings": {
-    "plugins.index_state_management.rollover_alias": "wazuh-events-applications",
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-applications",
     "mapping.total_fields.limit": 10000,
     "mapping.nested_fields.limit": 100,
     "index": {

ecs/stateless-applications/fields/template-settings.json

@@ -5,7 +5,7 @@
   "priority": 1,
   "template": {
     "settings": {
-      "plugins.index_state_management.rollover_alias": "wazuh-events-applications",
+      "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-applications",
       "mapping.total_fields.limit": 10000,
       "mapping.nested_fields.limit": 100,
       "index": {

ecs/stateless-cloud-services-aws/docs/README.md

@@ -0,0 +1,21 @@
+## `wazuh-events-5.x-cloud-services-aws` time series index
+
+The `wazuh-events-5.x-cloud-services-aws` indices store events received from monitored endpoints through the relevant integrations.
+
+This is a time-based (stateless) index. The index includes the WCS fields and the fields of the corresponding cloud-services-aws integrations.
+
+### Fields summary
+
+For this stage, we are using all the fields of the WCS. Dynamic mode is temporarily set to `false` to avoid the creation of new fields while allowing the indexing of events containing fields not in the schema. These fields can be retrieved from the original event (`_source`).
+
+- [WCS main mappings](../../stateless/docs/fields.csv)
+
+The detail of the fields can be found in csv file [Stateless Cloud-Services-Aws Fields](fields.csv).
+
+### Integrations:
+
+The **cloud-services-aws** log category provides specialized fields for processing events in the Wazuh security platform coming from these integrations:
+- amazon-security-lake
+- aws
+- aws-firehose
+- aws-logs

ecs/stateless-cloud-services-aws/fields/mapping-settings.json

@@ -0,0 +1,4 @@
+{
+  "dynamic": "false",
+  "date_detection": false
+}

ecs/stateless-cloud-services-aws/fields/subset.yml

@@ -0,0 +1,279 @@
+---
+name: wazuh-events-cloud-services-aws
+fields:
+  base:
+    fields: "*"
+  agent:
+    fields: "*"
+  as:
+    fields: "*"
+  client:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  cloud:
+    fields: "*"
+  code_signature:
+    fields: "*"
+  container:
+    fields: "*"
+  data_stream:
+    fields: "*"
+  destination:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  device:
+    fields: "*"
+  dll:
+    fields: "*"
+  dns:
+    fields: "*"
+  ecs:
+    fields: "*"
+  elf:
+    fields: "*"
+  email:
+    fields: "*"
+  error:
+    fields: "*"
+  event:
+    fields: "*"
+  faas:
+    fields: "*"
+  file:
+    fields: "*"
+  geo:
+    fields: "*"
+  group:
+    fields: "*"
+  hash:
+    fields: "*"
+  host:
+    fields: "*"
+  http:
+    fields: "*"
+  interface:
+    fields: "*"
+  log:
+    fields: "*"
+  macho:
+    fields: "*"
+  network:
+    fields: "*"
+  observer:
+    fields: "*"
+  orchestrator:
+    fields: "*"
+  organization:
+    fields: "*"
+  os:
+    fields: "*"
+  package:
+    fields: "*"
+  pe:
+    fields: "*"
+  process:
+    fields: "*"
+  registry:
+    fields: "*"
+  related:
+    fields: "*"
+  risk:
+    fields: "*"
+  rule:
+    fields: "*"
+  server:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  service:
+    fields: "*"
+  source:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  threat:
+    fields: "*"
+  tls:
+    fields: "*"
+  tracing:
+    fields: "*"
+  url:
+    fields: "*"
+  user_agent:
+    fields: "*"
+  user:
+    fields:
+      changes:
+        fields:
+          domain: {}
+          email: {}
+          group:
+            fields: "*"
+          full_name: {}
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+      domain: {}
+      effective:
+        fields:
+          domain: {}
+          email: {}
+          group:
+            fields: "*"
+          full_name: {}
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+      email: {}
+      group:
+        fields: "*"
+      full_name: {}
+      hash: {}
+      id: {}
+      name: {}
+      risk:
+        fields: "*"
+      roles: {}
+      target:
+        fields:
+          domain: {}
+          email: {}
+          group:
+            fields: "*"
+          full_name: {}
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  vlan:
+    fields: "*"
+  vulnerability:
+    fields: "*"
+  x509:
+    fields: "*"
+  wazuh:
+    fields: "*"
+  check:
+    fields: "*"
+  policy:
+    fields: "*"
+  amazon-security-lake:
+    fields: "*"
+  aws:
+    fields: "*"
+  aws-firehose:
+    fields: "*"
+  aws-logs:
+    fields: "*"

ecs/stateless-cloud-services-aws/fields/template-settings-legacy.json

@@ -0,0 +1,28 @@
+{
+  "index_patterns": [
+    "wazuh-events-5.x-cloud-services-aws-*"
+  ],
+  "order": 10,
+  "settings": {
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-cloud-services-aws",
+    "mapping.total_fields.limit": 10000,
+    "mapping.nested_fields.limit": 250,
+    "index": {
+      "number_of_shards": "3",
+      "number_of_replicas": "0",
+      "auto_expand_replicas": "0-1",
+      "refresh_interval": "2s",
+      "query.default_field": [
+        "agent.host.architecture",
+        "agent.host.ip",
+        "agent.id",
+        "agent.name",
+        "agent.version",
+        "wazuh.cluster.name",
+        "wazuh.cluster.node",
+        "wazuh.schema.version"
+      ],
+      "max_docvalue_fields_search": 200
+    }
+  }
+}

ecs/stateless-cloud-services-aws/fields/template-settings.json

@@ -0,0 +1,30 @@
+{
+  "index_patterns": [
+    "wazuh-events-5.x-cloud-services-aws-*"
+  ],
+  "priority": 10,
+  "template": {
+    "settings": {
+      "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-cloud-services-aws",
+      "mapping.total_fields.limit": 10000,
+      "mapping.nested_fields.limit": 250,
+      "index": {
+        "number_of_shards": "3",
+        "number_of_replicas": "0",
+        "auto_expand_replicas": "0-1",
+        "refresh_interval": "2s",
+        "query.default_field": [
+          "agent.host.architecture",
+          "agent.host.ip",
+          "agent.id",
+          "agent.name",
+          "agent.version",
+          "wazuh.cluster.name",
+          "wazuh.cluster.node",
+          "wazuh.schema.version"
+        ],
+        "max_docvalue_fields_search": 200
+      }
+    }
+  }
+}

ecs/stateless-cloud-services-azure/docs/README.md

@@ -0,0 +1,23 @@
+## `wazuh-events-5.x-cloud-services-azure` time series index
+
+The `wazuh-events-5.x-cloud-services-azure` indices store events received from monitored endpoints through the relevant integrations.
+
+This is a time-based (stateless) index. The index includes the WCS fields and the fields of the corresponding cloud-services-azure integrations.
+
+### Fields summary
+
+For this stage, we are using all the fields of the WCS. Dynamic mode is temporarily set to `false` to avoid the creation of new fields while allowing the indexing of events containing fields not in the schema. These fields can be retrieved from the original event (`_source`).
+
+- [WCS main mappings](../../stateless/docs/fields.csv)
+
+The detail of the fields can be found in csv file [Stateless Cloud-Services-Azure Fields](fields.csv).
+
+### Integrations:
+
+The **cloud-services-azure** log category provides specialized fields for processing events in the Wazuh security platform coming from these integrations:
+- azure
+- azure-app-service
+- azure-blob-storage
+- azure-functions
+- azure-metrics
+- azure-openai

ecs/stateless-cloud-services-azure/fields/mapping-settings.json

@@ -0,0 +1,4 @@
+{
+  "dynamic": "false",
+  "date_detection": false
+}

ecs/stateless-cloud-services-azure/fields/subset.yml

@@ -0,0 +1,283 @@
+---
+name: wazuh-events-cloud-services-azure
+fields:
+  base:
+    fields: "*"
+  agent:
+    fields: "*"
+  as:
+    fields: "*"
+  client:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  cloud:
+    fields: "*"
+  code_signature:
+    fields: "*"
+  container:
+    fields: "*"
+  data_stream:
+    fields: "*"
+  destination:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  device:
+    fields: "*"
+  dll:
+    fields: "*"
+  dns:
+    fields: "*"
+  ecs:
+    fields: "*"
+  elf:
+    fields: "*"
+  email:
+    fields: "*"
+  error:
+    fields: "*"
+  event:
+    fields: "*"
+  faas:
+    fields: "*"
+  file:
+    fields: "*"
+  geo:
+    fields: "*"
+  group:
+    fields: "*"
+  hash:
+    fields: "*"
+  host:
+    fields: "*"
+  http:
+    fields: "*"
+  interface:
+    fields: "*"
+  log:
+    fields: "*"
+  macho:
+    fields: "*"
+  network:
+    fields: "*"
+  observer:
+    fields: "*"
+  orchestrator:
+    fields: "*"
+  organization:
+    fields: "*"
+  os:
+    fields: "*"
+  package:
+    fields: "*"
+  pe:
+    fields: "*"
+  process:
+    fields: "*"
+  registry:
+    fields: "*"
+  related:
+    fields: "*"
+  risk:
+    fields: "*"
+  rule:
+    fields: "*"
+  server:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  service:
+    fields: "*"
+  source:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  threat:
+    fields: "*"
+  tls:
+    fields: "*"
+  tracing:
+    fields: "*"
+  url:
+    fields: "*"
+  user_agent:
+    fields: "*"
+  user:
+    fields:
+      changes:
+        fields:
+          domain: {}
+          email: {}
+          group:
+            fields: "*"
+          full_name: {}
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+      domain: {}
+      effective:
+        fields:
+          domain: {}
+          email: {}
+          group:
+            fields: "*"
+          full_name: {}
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+      email: {}
+      group:
+        fields: "*"
+      full_name: {}
+      hash: {}
+      id: {}
+      name: {}
+      risk:
+        fields: "*"
+      roles: {}
+      target:
+        fields:
+          domain: {}
+          email: {}
+          group:
+            fields: "*"
+          full_name: {}
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  vlan:
+    fields: "*"
+  vulnerability:
+    fields: "*"
+  x509:
+    fields: "*"
+  wazuh:
+    fields: "*"
+  check:
+    fields: "*"
+  policy:
+    fields: "*"
+  azure:
+    fields: "*"
+  azure-app-service:
+    fields: "*"
+  azure-blob-storage:
+    fields: "*"
+  azure-functions:
+    fields: "*"
+  azure-metrics:
+    fields: "*"
+  azure-openai:
+    fields: "*"

ecs/stateless-cloud-services-azure/fields/template-settings-legacy.json

@@ -0,0 +1,28 @@
+{
+  "index_patterns": [
+    "wazuh-events-5.x-cloud-services-azure-*"
+  ],
+  "order": 10,
+  "settings": {
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-cloud-services-azure",
+    "mapping.total_fields.limit": 10000,
+    "mapping.nested_fields.limit": 100,
+    "index": {
+      "number_of_shards": "3",
+      "number_of_replicas": "0",
+      "auto_expand_replicas": "0-1",
+      "refresh_interval": "2s",
+      "query.default_field": [
+        "agent.host.architecture",
+        "agent.host.ip",
+        "agent.id",
+        "agent.name",
+        "agent.version",
+        "wazuh.cluster.name",
+        "wazuh.cluster.node",
+        "wazuh.schema.version"
+      ],
+      "max_docvalue_fields_search": 200
+    }
+  }
+}

ecs/stateless-cloud-services-azure/fields/template-settings.json

@@ -0,0 +1,30 @@
+{
+  "index_patterns": [
+    "wazuh-events-5.x-cloud-services-azure-*"
+  ],
+  "priority": 10,
+  "template": {
+    "settings": {
+      "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-cloud-services-azure",
+      "mapping.total_fields.limit": 10000,
+      "mapping.nested_fields.limit": 100,
+      "index": {
+        "number_of_shards": "3",
+        "number_of_replicas": "0",
+        "auto_expand_replicas": "0-1",
+        "refresh_interval": "2s",
+        "query.default_field": [
+          "agent.host.architecture",
+          "agent.host.ip",
+          "agent.id",
+          "agent.name",
+          "agent.version",
+          "wazuh.cluster.name",
+          "wazuh.cluster.node",
+          "wazuh.schema.version"
+        ],
+        "max_docvalue_fields_search": 200
+      }
+    }
+  }
+}

ecs/stateless-cloud-services-gcp/docs/README.md

@@ -0,0 +1,19 @@
+## `wazuh-events-5.x-cloud-services-gcp` time series index
+
+The `wazuh-events-5.x-cloud-services-gcp` indices store events received from monitored endpoints through the relevant integrations.
+
+This is a time-based (stateless) index. The index includes the WCS fields and the fields of the corresponding cloud-services-gcp integrations.
+
+### Fields summary
+
+For this stage, we are using all the fields of the WCS. Dynamic mode is temporarily set to `false` to avoid the creation of new fields while allowing the indexing of events containing fields not in the schema. These fields can be retrieved from the original event (`_source`).
+
+- [WCS main mappings](../../stateless/docs/fields.csv)
+
+The detail of the fields can be found in csv file [Stateless Cloud-Services-Gcp Fields](fields.csv).
+
+### Integrations:
+
+The **cloud-services-gcp** log category provides specialized fields for processing events in the Wazuh security platform coming from these integrations:
+- gcp
+- google-scc

ecs/stateless-cloud-services-gcp/fields/mapping-settings.json

@@ -0,0 +1,4 @@
+{
+  "dynamic": "false",
+  "date_detection": false
+}

ecs/stateless-cloud-services-gcp/fields/subset.yml

@@ -0,0 +1,275 @@
+---
+name: wazuh-events-cloud-services-gcp
+fields:
+  base:
+    fields: "*"
+  agent:
+    fields: "*"
+  as:
+    fields: "*"
+  client:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  cloud:
+    fields: "*"
+  code_signature:
+    fields: "*"
+  container:
+    fields: "*"
+  data_stream:
+    fields: "*"
+  destination:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  device:
+    fields: "*"
+  dll:
+    fields: "*"
+  dns:
+    fields: "*"
+  ecs:
+    fields: "*"
+  elf:
+    fields: "*"
+  email:
+    fields: "*"
+  error:
+    fields: "*"
+  event:
+    fields: "*"
+  faas:
+    fields: "*"
+  file:
+    fields: "*"
+  geo:
+    fields: "*"
+  group:
+    fields: "*"
+  hash:
+    fields: "*"
+  host:
+    fields: "*"
+  http:
+    fields: "*"
+  interface:
+    fields: "*"
+  log:
+    fields: "*"
+  macho:
+    fields: "*"
+  network:
+    fields: "*"
+  observer:
+    fields: "*"
+  orchestrator:
+    fields: "*"
+  organization:
+    fields: "*"
+  os:
+    fields: "*"
+  package:
+    fields: "*"
+  pe:
+    fields: "*"
+  process:
+    fields: "*"
+  registry:
+    fields: "*"
+  related:
+    fields: "*"
+  risk:
+    fields: "*"
+  rule:
+    fields: "*"
+  server:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  service:
+    fields: "*"
+  source:
+    fields:
+      address: {}
+      as:
+        fields: "*"
+      bytes: {}
+      domain: {}
+      geo:
+        fields: "*"
+      ip: {}
+      mac: {}
+      nat:
+        fields:
+          ip: {}
+          port: {}
+      packets: {}
+      port: {}
+      subdomain: {}
+      registered_domain: {}
+      top_level_domain: {}
+      user:
+        fields:
+          domain: {}
+          email: {}
+          full_name: {}
+          group:
+            fields: "*"
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  threat:
+    fields: "*"
+  tls:
+    fields: "*"
+  tracing:
+    fields: "*"
+  url:
+    fields: "*"
+  user_agent:
+    fields: "*"
+  user:
+    fields:
+      changes:
+        fields:
+          domain: {}
+          email: {}
+          group:
+            fields: "*"
+          full_name: {}
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+      domain: {}
+      effective:
+        fields:
+          domain: {}
+          email: {}
+          group:
+            fields: "*"
+          full_name: {}
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+      email: {}
+      group:
+        fields: "*"
+      full_name: {}
+      hash: {}
+      id: {}
+      name: {}
+      risk:
+        fields: "*"
+      roles: {}
+      target:
+        fields:
+          domain: {}
+          email: {}
+          group:
+            fields: "*"
+          full_name: {}
+          hash: {}
+          id: {}
+          name: {}
+          roles: {}
+  vlan:
+    fields: "*"
+  vulnerability:
+    fields: "*"
+  x509:
+    fields: "*"
+  wazuh:
+    fields: "*"
+  check:
+    fields: "*"
+  policy:
+    fields: "*"
+  gcp:
+    fields: "*"
+  google-scc:
+    fields: "*"

ecs/stateless-cloud-services-gcp/fields/template-settings-legacy.json

@@ -0,0 +1,28 @@
+{
+  "index_patterns": [
+    "wazuh-events-5.x-cloud-services-gcp-*"
+  ],
+  "order": 10,
+  "settings": {
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-cloud-services-gcp",
+    "mapping.total_fields.limit": 10000,
+    "mapping.nested_fields.limit": 100,
+    "index": {
+      "number_of_shards": "3",
+      "number_of_replicas": "0",
+      "auto_expand_replicas": "0-1",
+      "refresh_interval": "2s",
+      "query.default_field": [
+        "agent.host.architecture",
+        "agent.host.ip",
+        "agent.id",
+        "agent.name",
+        "agent.version",
+        "wazuh.cluster.name",
+        "wazuh.cluster.node",
+        "wazuh.schema.version"
+      ],
+      "max_docvalue_fields_search": 200
+    }
+  }
+}

ecs/stateless-cloud-services-gcp/fields/template-settings.json

@@ -0,0 +1,30 @@
+{
+  "index_patterns": [
+    "wazuh-events-5.x-cloud-services-gcp-*"
+  ],
+  "priority": 10,
+  "template": {
+    "settings": {
+      "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-cloud-services-gcp",
+      "mapping.total_fields.limit": 10000,
+      "mapping.nested_fields.limit": 100,
+      "index": {
+        "number_of_shards": "3",
+        "number_of_replicas": "0",
+        "auto_expand_replicas": "0-1",
+        "refresh_interval": "2s",
+        "query.default_field": [
+          "agent.host.architecture",
+          "agent.host.ip",
+          "agent.id",
+          "agent.name",
+          "agent.version",
+          "wazuh.cluster.name",
+          "wazuh.cluster.node",
+          "wazuh.schema.version"
+        ],
+        "max_docvalue_fields_search": 200
+      }
+    }
+  }
+}

ecs/stateless-cloud-services/docs/README.md

@@ -15,16 +15,4 @@ The detail of the fields can be found in csv file [Stateless Cloud-Services Fiel
 ### Integrations:
 
 The **cloud-services** log category provides specialized fields for processing events in the Wazuh security platform coming from these integrations:
-- amazon-security-lake
-- aws
-- aws-firehose
-- aws-logs
-- azure
-- azure-app-service
-- azure-blob-storage
-- azure-functions
-- azure-metrics
-- azure-openai
 - cisco-umbrella
-- gcp
-- google-scc

ecs/stateless-cloud-services/fields/subset.yml

@@ -269,29 +269,5 @@ fields:
     fields: "*"
   policy:
     fields: "*"
-  amazon-security-lake:
-    fields: "*"
-  aws:
-    fields: "*"
-  aws-firehose:
-    fields: "*"
-  aws-logs:
-    fields: "*"
-  azure:
-    fields: "*"
-  azure-app-service:
-    fields: "*"
-  azure-blob-storage:
-    fields: "*"
-  azure-functions:
-    fields: "*"
-  azure-metrics:
-    fields: "*"
-  azure-openai:
-    fields: "*"
   cisco-umbrella:
     fields: "*"
-  gcp:
-    fields: "*"
-  google-scc:
-    fields: "*"

ecs/stateless-cloud-services/fields/template-settings-legacy.json

@@ -4,9 +4,9 @@
   ],
   "order": 1,
   "settings": {
-    "plugins.index_state_management.rollover_alias": "wazuh-events-cloud-services",
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-cloud-services",
     "mapping.total_fields.limit": 10000,
-    "mapping.nested_fields.limit": 300,
+    "mapping.nested_fields.limit": 100,
     "index": {
       "number_of_shards": "3",
       "number_of_replicas": "0",

ecs/stateless-cloud-services/fields/template-settings.json

@@ -5,9 +5,9 @@
   "priority": 1,
   "template": {
     "settings": {
-      "plugins.index_state_management.rollover_alias": "wazuh-events-cloud-services",
+      "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-cloud-services",
       "mapping.total_fields.limit": 10000,
-      "mapping.nested_fields.limit": 300,
+      "mapping.nested_fields.limit": 100,
       "index": {
         "number_of_shards": "3",
         "number_of_replicas": "0",

ecs/stateless-network-activity/fields/template-settings-legacy.json

@@ -4,7 +4,7 @@
   ],
   "order": 1,
   "settings": {
-    "plugins.index_state_management.rollover_alias": "wazuh-events-network-activity",
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-network-activity",
     "mapping.total_fields.limit": 10000,
     "mapping.nested_fields.limit": 100,
     "index": {

ecs/stateless-network-activity/fields/template-settings.json

@@ -5,7 +5,7 @@
   "priority": 1,
   "template": {
     "settings": {
-      "plugins.index_state_management.rollover_alias": "wazuh-events-network-activity",
+      "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-network-activity",
       "mapping.total_fields.limit": 10000,
       "mapping.nested_fields.limit": 100,
       "index": {

ecs/stateless-other/fields/template-settings-legacy.json

@@ -4,7 +4,7 @@
   ],
   "order": 1,
   "settings": {
-    "plugins.index_state_management.rollover_alias": "wazuh-events-other",
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-other",
     "mapping.total_fields.limit": 10000,
     "mapping.nested_fields.limit": 100,
     "index": {

ecs/stateless-other/fields/template-settings.json

@@ -5,7 +5,7 @@
   "priority": 1,
   "template": {
     "settings": {
-      "plugins.index_state_management.rollover_alias": "wazuh-events-other",
+      "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-other",
       "mapping.total_fields.limit": 10000,
       "mapping.nested_fields.limit": 100,
       "index": {

ecs/stateless-security/fields/template-settings-legacy.json

@@ -4,7 +4,7 @@
   ],
   "order": 1,
   "settings": {
-    "plugins.index_state_management.rollover_alias": "wazuh-events-security",
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-security",
     "mapping.total_fields.limit": 10000,
     "mapping.nested_fields.limit": 100,
     "index": {

ecs/stateless-security/fields/template-settings.json

@@ -5,7 +5,7 @@
   "priority": 1,
   "template": {
     "settings": {
-      "plugins.index_state_management.rollover_alias": "wazuh-events-security",
+      "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-security",
       "mapping.total_fields.limit": 10000,
       "mapping.nested_fields.limit": 100,
       "index": {

ecs/stateless-system-activity/fields/template-settings-legacy.json

@@ -4,7 +4,7 @@
   ],
   "order": 1,
   "settings": {
-    "plugins.index_state_management.rollover_alias": "wazuh-events-system-activity",
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-system-activity",
     "mapping.total_fields.limit": 10000,
     "mapping.nested_fields.limit": 100,
     "index": {

ecs/stateless-system-activity/fields/template-settings.json

@@ -5,7 +5,7 @@
   "priority": 1,
   "template": {
     "settings": {
-      "plugins.index_state_management.rollover_alias": "wazuh-events-system-activity",
+      "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-system-activity",
       "mapping.total_fields.limit": 10000,
       "mapping.nested_fields.limit": 100,
       "index": {

ecs/stateless-template/fields/template-settings-legacy.json

@@ -1,8 +1,8 @@
 {
   "index_patterns": ["wazuh-events-5.x-<integration-name>-*"],
-  "order": 1,
+  "order": "<priority>",
   "settings": {
-    "plugins.index_state_management.rollover_alias": "wazuh-events-<integration-name>",
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-<integration-name>",
     "mapping.total_fields.limit": 10000,
     "mapping.nested_fields.limit": 100,
     "index": {

ecs/stateless-template/fields/template-settings.json

@@ -1,9 +1,9 @@
 {
   "index_patterns": ["wazuh-events-5.x-<integration-name>-*"],
-  "priority": 1,
+  "priority": "<priority>",
   "template": {
     "settings": {
-      "plugins.index_state_management.rollover_alias": "wazuh-events-<integration-name>",
+      "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-<integration-name>",
       "mapping.total_fields.limit": 10000,
       "mapping.nested_fields.limit": 100,
       "index": {

plugins/setup/src/main/java/com/wazuh/setup/SetupPlugin.java

@@ -57,6 +57,9 @@ public class SetupPlugin extends Plugin implements ClusterPlugin {
         "access-management", // No integration in this category yet
         "applications",
         "cloud-services",
+        "cloud-services-aws",
+        "cloud-services-azure",
+        "cloud-services-gcp",
         "network-activity",
         "security",
         "system-activity",

plugins/setup/src/main/java/com/wazuh/setup/index/Index.java

@@ -155,6 +155,7 @@ public abstract class Index implements IndexInitializer {
                     new PutIndexTemplateRequest()
                             .mapping(this.indexUtils.get(templateFile, "mappings"))
                             .settings(this.indexUtils.get(templateFile, "settings"))
+                            .order((int) templateFile.getOrDefault("order", 0))
                             .name(template)
                             .patterns((List<String>) templateFile.get("index_patterns"));
 

plugins/setup/src/main/resources/index-template-access-management.json

@@ -19503,6 +19503,6 @@
     },
     "mapping.nested_fields.limit": 100,
     "mapping.total_fields.limit": 10000,
-    "plugins.index_state_management.rollover_alias": "wazuh-events-access-management"
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-access-management"
   }
 }

plugins/setup/src/main/resources/index-template-applications.json

@@ -21501,6 +21501,6 @@
     },
     "mapping.nested_fields.limit": 100,
     "mapping.total_fields.limit": 10000,
-    "plugins.index_state_management.rollover_alias": "wazuh-events-applications"
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-applications"
   }
 }

plugins/setup/src/main/resources/index-template-network-activity.json

@@ -24993,6 +24993,6 @@
     },
     "mapping.nested_fields.limit": 100,
     "mapping.total_fields.limit": 10000,
-    "plugins.index_state_management.rollover_alias": "wazuh-events-network-activity"
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-network-activity"
   }
 }

plugins/setup/src/main/resources/index-template-other.json

@@ -19503,6 +19503,6 @@
     },
     "mapping.nested_fields.limit": 100,
     "mapping.total_fields.limit": 10000,
-    "plugins.index_state_management.rollover_alias": "wazuh-events-other"
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-other"
   }
 }

plugins/setup/src/main/resources/index-template-security.json

@@ -21430,6 +21430,6 @@
     },
     "mapping.nested_fields.limit": 100,
     "mapping.total_fields.limit": 10000,
-    "plugins.index_state_management.rollover_alias": "wazuh-events-security"
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-security"
   }
 }

plugins/setup/src/main/resources/index-template-system-activity.json

@@ -21286,6 +21286,6 @@
     },
     "mapping.nested_fields.limit": 100,
     "mapping.total_fields.limit": 10000,
-    "plugins.index_state_management.rollover_alias": "wazuh-events-system-activity"
+    "plugins.index_state_management.rollover_alias": "wazuh-events-5.x-system-activity"
   }
 }