Add state.modified_at to stateful indexes (#561)

* Add state.modified_at to stateful indexes

* Apply changes from code review

* Update CHANGELOG.md

CHANGELOG.md

@@ -29,6 +29,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Migrate WCS changes from 4.x [(#488)](https://github.com/wazuh/wazuh-indexer-plugins/pull/488) [(#552)](https://github.com/wazuh/wazuh-indexer-plugins/pull/552)
 - Implement checksum fields into stateful ECS mappings [(#519)](https://github.com/wazuh/wazuh-indexer-plugins/pull/519)
 - FIM indices rework [(#509)](https://github.com/wazuh/wazuh-indexer-plugins/pull/509)
+- Add state.modified_at to stateful indexes [(#561)](https://github.com/wazuh/wazuh-indexer-plugins/pull/561)
 
 ### Deprecated
 -

ecs/states-fim-files/docs/README.md

@@ -41,4 +41,5 @@ The detail of the fields can be found in csv file [States FIM files Fields](fiel
 | attributes       | string | List of attributes related to the file.                                   | file.attributes         |        |
 | dev/device       | string | Device that is the source of the file.                                    | file.device             |        |
 | perm/permissions | string | List of permissions related to the file.                                  | file.permissions        | TRUE   |
+| scan_time        | date   | Date/time when the state was last modified.                                      | state.modified_at       | TRUE   |
  

ecs/states-fim-files/docs/fields.csv

@@ -20,6 +20,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,file,file.permissions,keyword,custom,array,,List of permissions related to the file.
 8.11.0,true,file,file.size,long,extended,,16384,File size in bytes.
 8.11.0,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-fim-files/event-generator/event_generator.py

@@ -34,6 +34,9 @@ def generate_random_data(number):
             "file": generate_random_file(),
             "wazuh": generate_random_wazuh(),
             "checksum": generate_random_checksum(),
+            "state": {
+                "modified_at": generate_random_date()
+            }
         }
         data.append(event_data)
     return data

ecs/states-fim-files/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-fim-files/fields/subset.yml

@@ -34,5 +34,8 @@ fields:
       permissions: {}
       size: {}
       uid: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-fim-files/fields/template-settings-legacy.json

@@ -29,6 +29,7 @@
         "file.permissions",
         "file.size",
         "file.uid",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node",
         "wazuh.schema.version"

ecs/states-fim-files/fields/template-settings.json

@@ -30,6 +30,7 @@
           "file.permissions",
           "file.size",
           "file.uid",
+          "state.modified_at",
           "wazuh.cluster.name",
           "wazuh.cluster.node",
           "wazuh.schema.version"

ecs/states-fim-registry-keys/docs/README.md

@@ -37,3 +37,4 @@ The detail of the fields can be found in csv file [States FIM registries Fields]
 | user_name/owner   | string | Name of the owner of the entity (user).             | registry.owner            | TRUE   |
 | permissions/perm  | string | Permissions associated with the registry key.       | registry.permissions      | TRUE   |
 | checksum          | string | SHA1 hash of the file.                              | checksum.hash.sha1        | TRUE   |
+| scan_time         | date   | Date/time when the state was last modified.                | state.modified_at         | TRUE   |

ecs/states-fim-registry-keys/docs/fields.csv

@@ -15,6 +15,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 8.11.0,true,registry,registry.permissions,keyword,custom,array,,Permissions associated with the registry key.
 8.11.0,true,registry,registry.uid,keyword,custom,,,User ID associated with the entity
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-fim-registry-keys/event-generator/event_generator.py

@@ -34,6 +34,9 @@ def generate_random_data(number):
             "registry": generate_random_registry(),
             "wazuh": generate_random_wazuh(),
             "checksum": generate_random_checksum(),
+            "state": {
+                "modified_at": generate_random_date()
+            }
         }
         data.append(event_data)
     return data

ecs/states-fim-registry-keys/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-fim-registry-keys/fields/subset.yml

@@ -28,6 +28,9 @@ fields:
       path: {}
       permissions: {}
       uid: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"
 

ecs/states-fim-registry-keys/fields/template-settings-legacy.json

@@ -24,6 +24,7 @@
         "registry.path",
         "registry.permissions",
         "registry.uid",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node",
         "wazuh.schema.version"

ecs/states-fim-registry-keys/fields/template-settings.json

@@ -25,6 +25,7 @@
           "registry.path",
           "registry.permissions",
           "registry.uid",
+          "state.modified_at",
           "wazuh.cluster.name",
           "wazuh.cluster.node",
           "wazuh.schema.version"

ecs/states-fim-registry-values/docs/README.md

@@ -37,3 +37,4 @@ The detail of the fields can be found in csv file [States FIM registries Fields]
 | name/value        | string | Name of the registry value.                         | registry.value            |        |
 | value_type        | string | Type of the registry value, e.g., "REG_SZ".         | registry.data.type        |        |
 | checksum          | string | SHA1 hash of the file.                              | checksum.hash.sha1        | TRUE   |
+| scan_time         | date   | Date/time when the state was last modified.                | state.modified_at         | TRUE   |

ecs/states-fim-registry-values/docs/fields.csv

@@ -15,6 +15,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 8.11.0,true,registry,registry.size,long,custom,,,Size of the file or registry value (in bytes)
 8.11.0,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-fim-registry-values/event-generator/event_generator.py

@@ -34,6 +34,9 @@ def generate_random_data(number):
             "registry": generate_random_registry(),
             "wazuh": generate_random_wazuh(),
             "checksum": generate_random_checksum(),
+            "state": {
+                "modified_at": generate_random_date()
+            }
         }
         data.append(event_data)
     return data

ecs/states-fim-registry-values/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-fim-registry-values/fields/subset.yml

@@ -32,5 +32,8 @@ fields:
       path: {}
       size: {}
       value: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-fim-registry-values/fields/template-settings-legacy.json

@@ -24,6 +24,7 @@
         "registry.path",
         "registry.size",
         "registry.value",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node",
         "wazuh.schema.version"

ecs/states-fim-registry-values/fields/template-settings.json

@@ -25,6 +25,7 @@
           "registry.path",
           "registry.size",
           "registry.value",
+          "state.modified_at",
           "wazuh.cluster.name",
           "wazuh.cluster.node",
           "wazuh.schema.version"

ecs/states-inventory-groups/docs/fields.csv

@@ -12,6 +12,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,group,group.name,keyword,extended,,,Name of the group.
 8.11.0,true,group,group.users,keyword,custom,array,,List of users that belong to the group.
 8.11.0,true,group,group.uuid,keyword,custom,,,Unique group ID.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-inventory-groups/event-generator/event_generator.py

@@ -46,8 +46,16 @@ def generate_random_group():
             "uuid": ''.join(random.choices("ABCDEF0123456789", k=32))
         },
         "wazuh": generate_random_wazuh(),
+        "state": {
+            "modified_at": generate_random_date()
+        }
     }
 
+def generate_random_date():
+    start_date = datetime.datetime.now()
+    end_date = start_date - datetime.timedelta(days=10)
+    random_date = start_date + (end_date - start_date) * random.random()
+    return random_date.strftime(DATE_FORMAT)
 
 def generate_random_agent():
     return {

ecs/states-inventory-groups/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-inventory-groups/fields/subset.yml

@@ -25,6 +25,9 @@ fields:
       uuid: {}
       is_hidden: {}
       users: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"
 

ecs/states-inventory-groups/fields/template-settings-legacy.json

@@ -14,7 +14,8 @@
                 "group.description",
                 "group.id_signed",
                 "group.uuid",
-                "group.users"
+                "group.users",
+                "state.modified_at"
             ]
         }
     }

ecs/states-inventory-groups/fields/template-settings.json

@@ -15,7 +15,8 @@
                     "group.description",
                     "group.id_signed",
                     "group.uuid",
-                    "group.users"
+                    "group.users",
+                    "state.modified_at"
                 ]
             }
         }

ecs/states-inventory-hardware/docs/README.md

@@ -33,3 +33,4 @@ The detail of the fields can be found in csv file [States inventory hardware Fie
 | cluster_node    | string       | Wazuh cluster node                                             | wazuh.cluster.node   | TRUE   |
 | schema_version  | string       | Wazuh schema version                                           | wazuh.schema.version | TRUE   |
 | checksum        | keyword      | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1   | TRUE   |
+| scan_time       | date         | Date/time when the state was last modified.                           | state.modified_at    | TRUE   |

ecs/states-inventory-hardware/docs/fields.csv

@@ -13,6 +13,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,host,host.memory.usage,scaled_float,custom,,0.75,"Percent memory used, between 0 and 1."
 8.11.0,true,host,host.memory.used,long,custom,,123456,"Used memory, in Bytes."
 8.11.0,true,host,host.serial_number,keyword,custom,,DJGAQS4CW5,Serial Number of the device.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-inventory-hardware/event-generator/event_generator.py

@@ -34,6 +34,9 @@ def generate_random_data(number):
             "checksum": generate_random_checksum(),
             "host": generate_random_host(True),
             "wazuh": generate_random_wazuh(),
+            "state": {
+                "modified_at": generate_random_date()
+            }
         }
         data.append(event_data)
     return data

ecs/states-inventory-hardware/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-inventory-hardware/fields/subset.yml

@@ -26,5 +26,8 @@ fields:
           cores: {}
           speed: {}
       serial_number: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-inventory-hardware/fields/template-settings-legacy.json

@@ -15,6 +15,7 @@
         "agent.version",
         "agent.host.ip",
         "host.serial_number",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node",
         "wazuh.schema.version"

ecs/states-inventory-hardware/fields/template-settings.json

@@ -18,6 +18,7 @@
           "agent.version",
           "agent.host.ip",
           "host.serial_number",
+          "state.modified_at",
           "wazuh.cluster.name",
           "wazuh.cluster.node",
           "wazuh.schema.version"

ecs/states-inventory-hotfixes/docs/README.md

@@ -30,3 +30,4 @@ The detail of the fields can be found in csv file [States inventory hotfixes Fie
 | cluster_node   | string  | Wazuh cluster node                                             | wazuh.cluster.node      | TRUE   |
 | schema_version | string  | Wazuh schema version                                           | wazuh.schema.version    | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1      | TRUE   |
+| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at       | TRUE   |

ecs/states-inventory-hotfixes/docs/fields.csv

@@ -7,6 +7,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
 8.11.0,true,package,package.hotfix,object,custom,,,Hotfix related data.
 8.11.0,true,package,package.hotfix.name,keyword,custom,,,Name of the Hotfix.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-inventory-hotfixes/event-generator/event_generator.py

@@ -34,6 +34,9 @@ def generate_random_data(number):
             "checksum": generate_random_checksum(),
             "package": generate_random_package(),
             "wazuh": generate_random_wazuh(),
+            "state": {
+                "modified_at": generate_random_date(),
+            },
         }
         data.append(event_data)
     return data

ecs/states-inventory-hotfixes/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-inventory-hotfixes/fields/subset.yml

@@ -21,5 +21,8 @@ fields:
       hotfix:
         fields:
           name: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-inventory-hotfixes/fields/template-settings-legacy.json

@@ -14,6 +14,7 @@
         "agent.name",
         "agent.version",
         "package.hotfix.name",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node",
         "wazuh.schema.version"

ecs/states-inventory-hotfixes/fields/template-settings.json

@@ -17,6 +17,7 @@
         "agent.name",
         "agent.version",
         "package.hotfix.name",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node",
         "wazuh.schema.version"

ecs/states-inventory-interfaces/docs/README.md

@@ -40,3 +40,4 @@ The detail of the fields can be found in csv file [States inventory interfaces F
 | cluster_node   | string  | Wazuh cluster node                                             | wazuh.cluster.node           | TRUE   |
 | schema_version | string  | Wazuh schema version                                           | wazuh.schema.version         | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1           | TRUE   |
+| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at            | TRUE   |

ecs/states-inventory-interfaces/docs/fields.csv

@@ -19,6 +19,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,interface,interface.name,keyword,extended,,eth0,Interface name
 8.11.0,true,interface,interface.state,keyword,custom,,,State of the network interface.
 8.11.0,true,interface,interface.type,keyword,custom,,,Interface type.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-inventory-interfaces/event-generator/event_generator.py

@@ -35,6 +35,9 @@ def generate_random_data(number):
             "host": generate_random_host(True),
             "interface": generate_random_interface(),
             "wazuh": generate_random_wazuh(),
+            "state": {
+                "modified_at": generate_random_date(),
+            },
         }
         data.append(event_data)
     return data

ecs/states-inventory-interfaces/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-inventory-interfaces/fields/subset.yml

@@ -40,5 +40,8 @@ fields:
       name: {}
       state: {}
       type: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-inventory-interfaces/fields/template-settings-legacy.json

@@ -15,6 +15,7 @@
         "host.mac",
         "interface.name",
         "interface.alias",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node"
       ]

ecs/states-inventory-interfaces/fields/template-settings.json

@@ -18,6 +18,7 @@
           "host.mac",
           "interface.name",
           "interface.alias",
+          "state.modified_at",
           "wazuh.cluster.name",
           "wazuh.cluster.node"
         ]

ecs/states-inventory-networks/docs/README.md

@@ -34,3 +34,4 @@ The detail of the fields can be found in csv file [States inventory networks Fie
 | cluster_node   | string  | Wazuh cluster node                                               | wazuh.cluster.node   | TRUE   |
 | schema_version | string  | Wazuh schema version                                             | wazuh.schema.version | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent.   | checksum.hash.sha1   | TRUE   |
+| scan_time      | date    | Date/time when the state was last modified.                             | state.modified_at    | TRUE   |

ecs/states-inventory-networks/docs/fields.csv

@@ -12,6 +12,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,network,network.metric,long,custom,,,Metric of the network protocol
 8.11.0,true,network,network.netmask,ip,custom,,,Network mask
 8.11.0,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-inventory-networks/event-generator/event_generator.py

@@ -34,7 +34,10 @@ def generate_random_data(number):
             "checksum": generate_random_checksum(),
             "interface": generate_random_interface(),
             "network": generate_random_network(),
-            "wazuh": generate_random_wazuh()
+            "wazuh": generate_random_wazuh(),
+            "state": {
+                "modified_at": generate_random_date(),
+            },
         }
         data.append(event_data)
     return data

ecs/states-inventory-networks/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-inventory-networks/fields/subset.yml

@@ -27,5 +27,8 @@ fields:
       metric: {}
       netmask: {}
       type: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-inventory-networks/fields/template-settings-legacy.json

@@ -15,6 +15,7 @@
         "interface.name",
         "network.ip",
         "network.name",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node"
       ]

ecs/states-inventory-networks/fields/template-settings.json

@@ -18,6 +18,7 @@
           "interface.name",
           "network.ip",
           "network.name",
+          "state.modified_at",
           "wazuh.cluster.name",
           "wazuh.cluster.node"
         ]

ecs/states-inventory-packages/docs/README.md

@@ -38,3 +38,4 @@ The detail of the fields can be found in csv file [States inventory packages Fie
 | cluster_node   | string  | Wazuh cluster node                                             | wazuh.cluster.node   | TRUE   |
 | schema_version | string  | Wazuh schema version                                           | wazuh.schema.version | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1   | TRUE   |
+| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at    | TRUE   |

ecs/states-inventory-packages/docs/fields.csv

@@ -18,6 +18,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,package,package.type,keyword,extended,,rpm,Package type
 8.11.0,true,package,package.vendor,keyword,custom,,,Vendor or maintainer of the package
 8.11.0,true,package,package.version,keyword,extended,,1.12.9,Package version
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-inventory-packages/event-generator/event_generator.py

@@ -34,6 +34,9 @@ def generate_random_data(number):
             "checksum": generate_random_checksum(),
             "package": generate_random_package(),
             "wazuh": generate_random_wazuh(),
+            "state": {
+                "modified_at": generate_random_date(),
+            },
         }
         data.append(event_data)
     return data

ecs/states-inventory-packages/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-inventory-packages/fields/subset.yml

@@ -31,5 +31,8 @@ fields:
       type: {}
       vendor: {}
       version: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-inventory-packages/fields/template-settings-legacy.json

@@ -26,6 +26,7 @@
         "package.type",
         "package.vendor",
         "package.version",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node",
         "wazuh.schema.version"

ecs/states-inventory-packages/fields/template-settings.json

@@ -27,6 +27,7 @@
           "package.type",
           "package.vendor",
           "package.version",
+          "state.modified_at",
           "wazuh.cluster.name",
           "wazuh.cluster.node",
           "wazuh.schema.version"

ecs/states-inventory-ports/docs/README.md

@@ -41,3 +41,4 @@ The detail of the fields can be found in csv file [States inventory ports Fields
 | cluster_node   | string  | Wazuh cluster node                                             | wazuh.cluster.node         | TRUE   |
 | schema_version | string  | Wazuh schema version                                           | wazuh.schema.version       | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1         | TRUE   |
+| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at    | TRUE   |

ecs/states-inventory-ports/docs/fields.csv

@@ -17,6 +17,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,process,process.pid,long,core,,4242,Process id.
 8.11.0,true,source,source.ip,ip,core,,,IP address of the source.
 8.11.0,true,source,source.port,long,core,,,Port of the source.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-inventory-ports/event-generator/event_generator.py

@@ -40,6 +40,9 @@ def generate_random_data(number):
             "process": generate_random_process(),
             "source": generate_random_source(),
             "wazuh": generate_random_wazuh(),
+            "state": {
+                "modified_at": generate_random_date()
+            }
         }
         data.append(event_data)
     return data

ecs/states-inventory-ports/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-inventory-ports/fields/subset.yml

@@ -47,5 +47,8 @@ fields:
     fields:
       ip: {}
       port: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-inventory-ports/fields/template-settings-legacy.json

@@ -22,6 +22,7 @@
         "process.pid",
         "source.ip",
         "destination.ip",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node",
         "wazuh.schema.version"

ecs/states-inventory-ports/fields/template-settings.json

@@ -25,6 +25,7 @@
           "process.pid",
           "source.ip",
           "destination.ip",
+          "state.modified_at",
           "wazuh.cluster.name",
           "wazuh.cluster.node",
           "wazuh.schema.version"

ecs/states-inventory-processes/docs/README.md

@@ -35,3 +35,4 @@ The detail of the fields can be found in csv file [States inventory processes Fi
 |                | date    | The time the process started                                   | process.start        | FALSE  |
 |                | long    | Length of the process.args array.                              | process.args_count   | FALSE  |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1   | TRUE   |
+| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at    | TRUE   |

ecs/states-inventory-processes/docs/fields.csv

@@ -17,6 +17,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,process,process.state,keyword,custom,,,Current process state
 8.11.0,true,process,process.stime,long,custom,,,System mode CPU time used
 8.11.0,true,process,process.utime,long,custom,,,User mode CPU time used
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-inventory-processes/event-generator/event_generator.py

@@ -34,6 +34,9 @@ def generate_random_data(number):
             "checksum": generate_random_checksum(),
             "process": generate_random_process(),
             "wazuh": generate_random_wazuh(),
+            "state": {
+                "modified_at": generate_random_date()
+            }
         }
         data.append(event_data)
     return data

ecs/states-inventory-processes/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-inventory-processes/fields/subset.yml

@@ -30,5 +30,8 @@ fields:
       state: {}
       stime: {}
       utime: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-inventory-processes/fields/template-settings-legacy.json

@@ -23,6 +23,7 @@
         "process.state",
         "process.stime",
         "process.utime",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node",
         "wazuh.schema.version"

ecs/states-inventory-processes/fields/template-settings.json

@@ -24,6 +24,7 @@
           "process.state",
           "process.stime",
           "process.utime",
+          "state.modified_at",
           "wazuh.cluster.name",
           "wazuh.cluster.node",
           "wazuh.schema.version"

ecs/states-inventory-protocols/docs/README.md

@@ -31,3 +31,4 @@ The detail of the fields can be found in csv file [States inventory protocols Fi
 | cluster_node   | string  | Wazuh cluster node                                             | wazuh.cluster.node   | TRUE   |
 | schema_version | string  | Wazuh schema version                                           | wazuh.schema.version | TRUE   |
 | checksum       | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1   | TRUE   |
+| scan_time      | date    | Date/time when the state was last modified.                           | state.modified_at    | TRUE   |

ecs/states-inventory-protocols/docs/fields.csv

@@ -10,6 +10,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,network,network.gateway,ip,custom,,,Gateway address
 8.11.0,true,network,network.metric,long,custom,,,Metric of the network protocol
 8.11.0,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-inventory-protocols/event-generator/event_generator.py

@@ -35,6 +35,9 @@ def generate_random_data(number):
             "network": generate_random_network(),
             "interface": generate_random_interface(),
             "wazuh": generate_random_wazuh(),
+            "state": {
+                "modified_at": generate_random_date()
+            }
         }
         data.append(event_data)
     return data

ecs/states-inventory-protocols/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-inventory-protocols/fields/subset.yml

@@ -25,5 +25,8 @@ fields:
   interface:
     fields:
       name: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-inventory-protocols/fields/template-settings-legacy.json

@@ -15,6 +15,7 @@
         "agent.version",
         "network.type",
         "interface.name",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node",
         "wazuh.schema.version"

ecs/states-inventory-protocols/fields/template-settings.json

@@ -18,6 +18,7 @@
           "agent.version",
           "network.type",
           "interface.name",
+          "state.modified_at",
           "wazuh.cluster.name",
           "wazuh.cluster.node",
           "wazuh.schema.version"

ecs/states-inventory-system/docs/README.md

@@ -42,3 +42,4 @@ The detail of the fields can be found in csv file [States inventory system Field
 | schema_version     | string  | Wazuh schema version                                                              | wazuh.schema.version         | TRUE   |
 |                    | string  | Which commercial OS family (one of: linux, macos, unix, windows, ios or android). | host.os.type                 | FALSE  |
 | checksum           | keyword | SHA1 hash used as checksum of the data collected by the agent.                    | checksum.hash.sha1           | TRUE   |
+| scan_time          | date    | Date/time when the state was last modified.                                              | state.modified_at            | TRUE   |

ecs/states-inventory-system/docs/fields.csv

@@ -23,6 +23,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 8.11.0,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."
 8.11.0,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-inventory-system/event-generator/event_generator.py

@@ -34,6 +34,9 @@ def generate_random_data(number):
             "checksum": generate_random_checksum(),
             "host": generate_random_host(True),
             "wazuh": generate_random_wazuh(),
+            "state": {
+                "modified_at": generate_random_date(),
+            },
         }
         data.append(event_data)
     return data

ecs/states-inventory-system/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-inventory-system/fields/subset.yml

@@ -40,5 +40,8 @@ fields:
           platform: {}
           type: {}
           version: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-inventory-system/fields/template-settings-legacy.json

@@ -29,6 +29,7 @@
         "host.os.platform",
         "host.os.type",
         "host.os.version",
+        "state.modified_at",
         "wazuh.cluster.name",
         "wazuh.cluster.node",
         "wazuh.schema.version"

ecs/states-inventory-system/fields/template-settings.json

@@ -32,6 +32,7 @@
           "host.os.platform",
           "host.os.type",
           "host.os.version",
+          "state.modified_at",
           "wazuh.cluster.name",
           "wazuh.cluster.node",
           "wazuh.schema.version"

ecs/states-inventory-users/docs/fields.csv

@@ -10,6 +10,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,login,login.tty,keyword,custom,,,"Terminal associated with the login session (e.g., pts/1)."
 8.11.0,true,login,login.type,keyword,custom,,,"Type of login session. Example values: ""user"", ""system"", ""remote""."
 8.11.0,true,process,process.pid,long,core,,4242,Process id.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,user,user.auth_failures.count,integer,custom,,,Number of failed authentication attempts.
 8.11.0,true,user,user.auth_failures.timestamp,date,custom,,,Timestamp of the last authentication failure.
 8.11.0,true,user,user.created,date,custom,,,Datetime when the user was created.

ecs/states-inventory-users/event-generator/event_generator.py

@@ -80,8 +80,17 @@ def generate_random_user():
             "type": random.choice(["ssh", "console", "remote"])
         },
         "wazuh": generate_random_wazuh(),
+        "state": {
+            "modified_at": generate_random_date()
+        },
     }
 
+def generate_random_date():
+    start_date = datetime.datetime.now()
+    end_date = start_date - datetime.timedelta(days=10)
+    random_date = start_date + (end_date - start_date) * random.random()
+    return random_date.strftime(DATE_FORMAT)
+
 
 def generate_random_agent():
     return {

ecs/states-inventory-users/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.

ecs/states-inventory-users/fields/subset.yml

@@ -62,5 +62,8 @@ fields:
       status: {}
       type: {}
       tty: {}
+  state:
+    fields:
+      modified_at: {}
   wazuh:
     fields: "*"

ecs/states-inventory-users/fields/template-settings-legacy.json

@@ -30,7 +30,8 @@
                 "user.roles",
                 "user.last_login",
                 "process.pid",
-                "host.ip"
+                "host.ip",
+                "state.modified_at"
             ]
         }
     }

ecs/states-inventory-users/fields/template-settings.json

@@ -31,7 +31,8 @@
                     "user.roles",
                     "user.last_login",
                     "process.pid",
-                    "host.ip"
+                    "host.ip",
+                    "state.modified_at"
                 ]
             }
         }

ecs/states-sca/docs/fields.csv

@@ -21,6 +21,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,policy,policy.id,keyword,custom,,cis_win11_enterprise_21H2,The ID of the SCA policy.
 8.11.0,true,policy,policy.name,keyword,custom,,CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0,The name of the SCA policy.
 8.11.0,true,policy,policy.references,keyword,custom,array,"[""https://www.cisecurity.org/cis-benchmarks/""]",References for the policy.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.

ecs/states-sca/event-generator/event_generator.py

@@ -76,11 +76,20 @@ def generate_random_data(number):
             'policy': generate_random_policy(),
             'check': generate_random_check(),
             'checksum': generate_random_checksum(),
-            'wazuh': generate_random_wazuh()
+            'wazuh': generate_random_wazuh(),
+            'state': {
+                'modified_at': generate_random_date()
+            },
         }
         data.append(event_data)
     return data
 
+def generate_random_date():
+    start_date = datetime.datetime.now()
+    end_date = start_date - datetime.timedelta(days=10)
+    random_date = start_date + (end_date - start_date) * random.random()
+    return random_date.strftime(DATE_FORMAT)
+
 def generate_random_checksum():
     return {
         "hash": {

ecs/states-sca/fields/custom/state.yml

@@ -0,0 +1,11 @@
+---
+- name: state
+  title: State
+  description: >
+    State custom fields
+  fields:
+    - name: modified_at
+      type: date
+      level: custom
+      description: >
+        Date/time when the state was last modified.