diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9d11cdb..440cd48b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Migrate WCS changes from 4.x [(#488)](https://github.com/wazuh/wazuh-indexer-plugins/pull/488) [(#552)](https://github.com/wazuh/wazuh-indexer-plugins/pull/552)
 - Implement checksum fields into stateful ECS mappings [(#519)](https://github.com/wazuh/wazuh-indexer-plugins/pull/519)
 - FIM indices rework [(#509)](https://github.com/wazuh/wazuh-indexer-plugins/pull/509)
+- Add state.modified_at to stateful indexes [(#561)](https://github.com/wazuh/wazuh-indexer-plugins/pull/561)
 ### Deprecated
 -
diff --git a/ecs/states-fim-files/docs/README.md b/ecs/states-fim-files/docs/README.md
index 6cba5c18..12add670 100644
--- a/ecs/states-fim-files/docs/README.md
+++ b/ecs/states-fim-files/docs/README.md
@@ -41,4 +41,5 @@ The detail of the fields can be found in csv file [States FIM files Fields](fiel
 | attributes | string | List of attributes related to the file. | file.attributes | |
 | dev/device | string | Device that is the source of the file. | file.device | |
 | perm/permissions | string | List of permissions related to the file. | file.permissions | TRUE |
+| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE |
diff --git a/ecs/states-fim-files/docs/fields.csv b/ecs/states-fim-files/docs/fields.csv
index 1f871f42..3ffc243d 100644
--- a/ecs/states-fim-files/docs/fields.csv
+++ b/ecs/states-fim-files/docs/fields.csv
@@ -20,6 +20,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,file,file.permissions,keyword,custom,array,,List of permissions related to the file.
 8.11.0,true,file,file.size,long,extended,,16384,File size in bytes.
 8.11.0,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
diff --git a/ecs/states-fim-files/event-generator/event_generator.py b/ecs/states-fim-files/event-generator/event_generator.py
index ebee4442..24e76f19 100644
--- a/ecs/states-fim-files/event-generator/event_generator.py
+++ b/ecs/states-fim-files/event-generator/event_generator.py
@@ -34,6 +34,9 @@ def generate_random_data(number):
 "file": generate_random_file(),
 "wazuh": generate_random_wazuh(),
 "checksum": generate_random_checksum(),
+ "state": {
+ "modified_at": generate_random_date()
+ }
 }
 data.append(event_data)
 return data
diff --git a/ecs/states-fim-files/fields/custom/state.yml b/ecs/states-fim-files/fields/custom/state.yml
new file mode 100644
index 00000000..c275eccf
--- /dev/null
+++ b/ecs/states-fim-files/fields/custom/state.yml
@@ -0,0 +1,11 @@
+---
+- name: state
+ title: State
+ description: >
+ State custom fields
+ fields:
+ - name: modified_at
+ type: date
+ level: custom
+ description: >
+ Date/time when the state was last modified.
diff --git a/ecs/states-fim-files/fields/subset.yml b/ecs/states-fim-files/fields/subset.yml
index 43b24e5e..87963a4d 100644
--- a/ecs/states-fim-files/fields/subset.yml
+++ b/ecs/states-fim-files/fields/subset.yml
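Review bot: The new `"modified_at": generate_random_date()` line calls a helper that is not defined anywhere in this hunk, and the only place this PR adds a `generate_random_date` is the states-inventory-groups generator; if this module does not already define one (the rest of the file is outside the hunk, so I cannot confirm), running the generator will fail with `NameError` at the first event. Worth a quick check, and if it is missing, the groups definition should be copied here too. A minor consistency point: the hotfixes, interfaces and networks generators in the same PR write the block with trailing commas (`"modified_at": generate_random_date(),` / `},`) while this one and the FIM/hardware ones do not; pick one form. `generate_random_data` continues outside the hunk.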
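Review bot: The description of `modified_at`, `Date/time when the state was last modified.`, leaves open which clock sets the value and in what timezone/format, which is exactly what someone writing a staleness query against `state.modified_at` needs; the README hunks map it from the agent's `scan_time`, which suggests the source but does not say so here. I would have the description name the source and the expected format, and add an `example:` so the generated fields.csv Example column is not blank as it is now, e.g. `example: 2024-01-01T00:00:00.000Z` (adjust to whatever DATE_FORMAT the agent actually emits). The same `state.yml` is copied verbatim into every stateful index in this PR, so the wording change should be applied to all of them.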
@@ -34,5 +34,8 @@ fields:
 permissions: {}
 size: {}
 uid: {}
+ state:
+ fields:
+ modified_at: {}
 wazuh:
 fields: "*"
diff --git a/ecs/states-fim-files/fields/template-settings-legacy.json b/ecs/states-fim-files/fields/template-settings-legacy.json
index 17a86fed..15aeb182 100644
--- a/ecs/states-fim-files/fields/template-settings-legacy.json
+++ b/ecs/states-fim-files/fields/template-settings-legacy.json
@@ -29,6 +29,7 @@
 "file.permissions",
 "file.size",
 "file.uid",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/ecs/states-fim-files/fields/template-settings.json b/ecs/states-fim-files/fields/template-settings.json
index 57a8af6b..66a509ea 100644
--- a/ecs/states-fim-files/fields/template-settings.json
+++ b/ecs/states-fim-files/fields/template-settings.json
@@ -30,6 +30,7 @@
 "file.permissions",
 "file.size",
 "file.uid",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/ecs/states-fim-registry-keys/docs/README.md b/ecs/states-fim-registry-keys/docs/README.md
index 6cdb82f6..af5601b9 100644
--- a/ecs/states-fim-registry-keys/docs/README.md
+++ b/ecs/states-fim-registry-keys/docs/README.md
@@ -37,3 +37,4 @@ The detail of the fields can be found in csv file [States FIM registries Fields]
 | user_name/owner | string | Name of the owner of the entity (user). | registry.owner | TRUE |
 | permissions/perm | string | Permissions associated with the registry key. | registry.permissions | TRUE |
 | checksum | string | SHA1 hash of the file. | checksum.hash.sha1 | TRUE |
+| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE |
diff --git a/ecs/states-fim-registry-keys/docs/fields.csv b/ecs/states-fim-registry-keys/docs/fields.csv
index e9232581..ed2853c4 100644
--- a/ecs/states-fim-registry-keys/docs/fields.csv
+++ b/ecs/states-fim-registry-keys/docs/fields.csv
@@ -15,6 +15,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 8.11.0,true,registry,registry.permissions,keyword,custom,array,,Permissions associated with the registry key.
 8.11.0,true,registry,registry.uid,keyword,custom,,,User ID associated with the entity
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
diff --git a/ecs/states-fim-registry-keys/event-generator/event_generator.py b/ecs/states-fim-registry-keys/event-generator/event_generator.py
index c2381faf..81a7b5cf 100644
--- a/ecs/states-fim-registry-keys/event-generator/event_generator.py
+++ b/ecs/states-fim-registry-keys/event-generator/event_generator.py
@@ -34,6 +34,9 @@ def generate_random_data(number):
 "registry": generate_random_registry(),
 "wazuh": generate_random_wazuh(),
 "checksum": generate_random_checksum(),
+ "state": {
+ "modified_at": generate_random_date()
+ }
 }
 data.append(event_data)
 return data
diff --git a/ecs/states-fim-registry-keys/fields/custom/state.yml b/ecs/states-fim-registry-keys/fields/custom/state.yml
new file mode 100644
index 00000000..c275eccf
--- /dev/null
+++ b/ecs/states-fim-registry-keys/fields/custom/state.yml
@@ -0,0 +1,11 @@
+---
+- name: state
+ title: State
+ description: >
+ State custom fields
+ fields:
+ - name: modified_at
+ type: date
+ level: custom
+ description: >
+ Date/time when the state was last modified.
diff --git a/ecs/states-fim-registry-keys/fields/subset.yml b/ecs/states-fim-registry-keys/fields/subset.yml
index 9a4d7b0c..92b5a04d 100644
--- a/ecs/states-fim-registry-keys/fields/subset.yml
+++ b/ecs/states-fim-registry-keys/fields/subset.yml
@@ -28,6 +28,9 @@ fields:
 path: {}
 permissions: {}
 uid: {}
+ state:
+ fields:
+ modified_at: {}
 wazuh:
 fields: "*"
diff --git a/ecs/states-fim-registry-keys/fields/template-settings-legacy.json b/ecs/states-fim-registry-keys/fields/template-settings-legacy.json
index fb6e591b..45986fe3 100644
--- a/ecs/states-fim-registry-keys/fields/template-settings-legacy.json
+++ b/ecs/states-fim-registry-keys/fields/template-settings-legacy.json
@@ -24,6 +24,7 @@
 "registry.path",
 "registry.permissions",
 "registry.uid",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/ecs/states-fim-registry-keys/fields/template-settings.json b/ecs/states-fim-registry-keys/fields/template-settings.json
index b85baeb1..69b80ef2 100644
--- a/ecs/states-fim-registry-keys/fields/template-settings.json
+++ b/ecs/states-fim-registry-keys/fields/template-settings.json
@@ -25,6 +25,7 @@
 "registry.path",
 "registry.permissions",
 "registry.uid",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/ecs/states-fim-registry-values/docs/README.md b/ecs/states-fim-registry-values/docs/README.md
index 6f481a4a..3e0eff6b 100644
--- a/ecs/states-fim-registry-values/docs/README.md
+++ b/ecs/states-fim-registry-values/docs/README.md
@@ -37,3 +37,4 @@ The detail of the fields can be found in csv file [States FIM registries Fields]
 | name/value | string | Name of the registry value. | registry.value | |
 | value_type | string | Type of the registry value, e.g., "REG_SZ". | registry.data.type | |
 | checksum | string | SHA1 hash of the file. | checksum.hash.sha1 | TRUE |
+| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE |
diff --git a/ecs/states-fim-registry-values/docs/fields.csv b/ecs/states-fim-registry-values/docs/fields.csv
index 56d2691b..2b009e16 100644
--- a/ecs/states-fim-registry-values/docs/fields.csv
+++ b/ecs/states-fim-registry-values/docs/fields.csv
@@ -15,6 +15,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 8.11.0,true,registry,registry.size,long,custom,,,Size of the file or registry value (in bytes)
 8.11.0,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
diff --git a/ecs/states-fim-registry-values/event-generator/event_generator.py b/ecs/states-fim-registry-values/event-generator/event_generator.py
index 739a6331..8d6ef3fe 100644
--- a/ecs/states-fim-registry-values/event-generator/event_generator.py
+++ b/ecs/states-fim-registry-values/event-generator/event_generator.py
@@ -34,6 +34,9 @@ def generate_random_data(number):
 "registry": generate_random_registry(),
 "wazuh": generate_random_wazuh(),
 "checksum": generate_random_checksum(),
+ "state": {
+ "modified_at": generate_random_date()
+ }
 }
 data.append(event_data)
 return data
diff --git a/ecs/states-fim-registry-values/fields/custom/state.yml b/ecs/states-fim-registry-values/fields/custom/state.yml
new file mode 100644
index 00000000..c275eccf
--- /dev/null
+++ b/ecs/states-fim-registry-values/fields/custom/state.yml
@@ -0,0 +1,11 @@
+---
+- name: state
+ title: State
+ description: >
+ State custom fields
+ fields:
+ - name: modified_at
+ type: date
+ level: custom
+ description: >
+ Date/time when the state was last modified.
diff --git a/ecs/states-fim-registry-values/fields/subset.yml b/ecs/states-fim-registry-values/fields/subset.yml
index c5d6afc7..f9742deb 100644
--- a/ecs/states-fim-registry-values/fields/subset.yml
+++ b/ecs/states-fim-registry-values/fields/subset.yml
@@ -32,5 +32,8 @@ fields:
 path: {}
 size: {}
 value: {}
+ state:
+ fields:
+ modified_at: {}
 wazuh:
 fields: "*"
diff --git a/ecs/states-fim-registry-values/fields/template-settings-legacy.json b/ecs/states-fim-registry-values/fields/template-settings-legacy.json
index 0145e969..4ee82071 100644
--- a/ecs/states-fim-registry-values/fields/template-settings-legacy.json
+++ b/ecs/states-fim-registry-values/fields/template-settings-legacy.json
@@ -24,6 +24,7 @@
 "registry.path",
 "registry.size",
 "registry.value",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/ecs/states-fim-registry-values/fields/template-settings.json b/ecs/states-fim-registry-values/fields/template-settings.json
index b834e02e..4cee5503 100644
--- a/ecs/states-fim-registry-values/fields/template-settings.json
+++ b/ecs/states-fim-registry-values/fields/template-settings.json
@@ -25,6 +25,7 @@
 "registry.path",
 "registry.size",
 "registry.value",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/ecs/states-inventory-groups/docs/fields.csv b/ecs/states-inventory-groups/docs/fields.csv
index f48d5e93..65985020 100644
--- a/ecs/states-inventory-groups/docs/fields.csv
+++ b/ecs/states-inventory-groups/docs/fields.csv
@@ -12,6 +12,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,group,group.name,keyword,extended,,,Name of the group.
 8.11.0,true,group,group.users,keyword,custom,array,,List of users that belong to the group.
 8.11.0,true,group,group.uuid,keyword,custom,,,Unique group ID.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
diff --git a/ecs/states-inventory-groups/event-generator/event_generator.py b/ecs/states-inventory-groups/event-generator/event_generator.py
index 9808c51e..c0d49b30 100644
--- a/ecs/states-inventory-groups/event-generator/event_generator.py
+++ b/ecs/states-inventory-groups/event-generator/event_generator.py
@@ -46,8 +46,16 @@ def generate_random_group():
 "uuid": ''.join(random.choices("ABCDEF0123456789", k=32))
 },
 "wazuh": generate_random_wazuh(),
+ "state": {
+ "modified_at": generate_random_date()
+ }
 }
+def generate_random_date():
+ start_date = datetime.datetime.now()
+ end_date = start_date - datetime.timedelta(days=10)
+ random_date = start_date + (end_date - start_date) * random.random()
+ return random_date.strftime(DATE_FORMAT)
 def generate_random_agent():
 return {
diff --git a/ecs/states-inventory-groups/fields/custom/state.yml b/ecs/states-inventory-groups/fields/custom/state.yml
new file mode 100644
index 00000000..c275eccf
--- /dev/null
+++ b/ecs/states-inventory-groups/fields/custom/state.yml
@@ -0,0 +1,11 @@
+---
+- name: state
+ title: State
+ description: >
+ State custom fields
+ fields:
+ - name: modified_at
+ type: date
+ level: custom
+ description: >
+ Date/time when the state was last modified.
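Review bot: The new `generate_random_date` seeds its range from `datetime.datetime.now()`, a naive local-time value; unless `DATE_FORMAT` (defined outside the hunk, so I cannot confirm) emits a UTC offset, the indexer's `date` mapping will interpret the string as UTC and every sample `state.modified_at` will be shifted by the host's timezone, which is exactly the kind of skew a freshness query on this field would trip over. Making the first line `start_date = datetime.datetime.now(datetime.timezone.utc)` removes the ambiguity, and the sample documents then match what a correctly formatted agent value looks like. The subtraction trick (`end_date` is earlier than `start_date`, so the product with `random.random()` walks backwards up to ten days) is correct but reads as inverted; a one-line comment such as `# random instant within the last 10 days` would save the next reader a double-take. Stylistically, the function appears to be separated from `generate_random_group`'s closing brace and from `generate_random_agent` by a single blank line each (the collapsed hunk hides blank lines, so please verify) where PEP 8 expects two; both `datetime` and `DATE_FORMAT` are referenced from outside the hunk, so their availability in this module should be confirmed as well.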
diff --git a/ecs/states-inventory-groups/fields/subset.yml b/ecs/states-inventory-groups/fields/subset.yml
index f43e4e9f..db972536 100644
--- a/ecs/states-inventory-groups/fields/subset.yml
+++ b/ecs/states-inventory-groups/fields/subset.yml
@@ -25,6 +25,9 @@ fields:
 uuid: {}
 is_hidden: {}
 users: {}
+ state:
+ fields:
+ modified_at: {}
 wazuh:
 fields: "*"
diff --git a/ecs/states-inventory-groups/fields/template-settings-legacy.json b/ecs/states-inventory-groups/fields/template-settings-legacy.json
index 6d23b915..d9f357a9 100644
--- a/ecs/states-inventory-groups/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-groups/fields/template-settings-legacy.json
@@ -14,7 +14,8 @@
 "group.description",
 "group.id_signed",
 "group.uuid",
- "group.users"
+ "group.users",
+ "state.modified_at"
 ]
 }
 }
diff --git a/ecs/states-inventory-groups/fields/template-settings.json b/ecs/states-inventory-groups/fields/template-settings.json
index 28a50515..e229540c 100644
--- a/ecs/states-inventory-groups/fields/template-settings.json
+++ b/ecs/states-inventory-groups/fields/template-settings.json
@@ -15,7 +15,8 @@
 "group.description",
 "group.id_signed",
 "group.uuid",
- "group.users"
+ "group.users",
+ "state.modified_at"
 ]
 }
 }
diff --git a/ecs/states-inventory-hardware/docs/README.md b/ecs/states-inventory-hardware/docs/README.md
index 5794699e..2072ccd0 100644
--- a/ecs/states-inventory-hardware/docs/README.md
+++ b/ecs/states-inventory-hardware/docs/README.md
@@ -33,3 +33,4 @@ The detail of the fields can be found in csv file [States inventory hardware Fie
 | cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
 | schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
 | checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |
+| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE |
diff --git a/ecs/states-inventory-hardware/docs/fields.csv b/ecs/states-inventory-hardware/docs/fields.csv
index f951ccc9..3e20c640 100644
--- a/ecs/states-inventory-hardware/docs/fields.csv
+++ b/ecs/states-inventory-hardware/docs/fields.csv
@@ -13,6 +13,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,host,host.memory.usage,scaled_float,custom,,0.75,"Percent memory used, between 0 and 1."
 8.11.0,true,host,host.memory.used,long,custom,,123456,"Used memory, in Bytes."
 8.11.0,true,host,host.serial_number,keyword,custom,,DJGAQS4CW5,Serial Number of the device.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
diff --git a/ecs/states-inventory-hardware/event-generator/event_generator.py b/ecs/states-inventory-hardware/event-generator/event_generator.py
index d203d0f0..6961efc7 100644
--- a/ecs/states-inventory-hardware/event-generator/event_generator.py
+++ b/ecs/states-inventory-hardware/event-generator/event_generator.py
@@ -34,6 +34,9 @@ def generate_random_data(number):
 "checksum": generate_random_checksum(),
 "host": generate_random_host(True),
 "wazuh": generate_random_wazuh(),
+ "state": {
+ "modified_at": generate_random_date()
+ }
 }
 data.append(event_data)
 return data
diff --git a/ecs/states-inventory-hardware/fields/custom/state.yml b/ecs/states-inventory-hardware/fields/custom/state.yml
new file mode 100644
index 00000000..c275eccf
--- /dev/null
+++ b/ecs/states-inventory-hardware/fields/custom/state.yml
@@ -0,0 +1,11 @@
+---
+- name: state
+ title: State
+ description: >
+ State custom fields
+ fields:
+ - name: modified_at
+ type: date
+ level: custom
+ description: >
+ Date/time when the state was last modified.
diff --git a/ecs/states-inventory-hardware/fields/subset.yml b/ecs/states-inventory-hardware/fields/subset.yml
index 10c72253..9ca416cc 100644
--- a/ecs/states-inventory-hardware/fields/subset.yml
+++ b/ecs/states-inventory-hardware/fields/subset.yml
@@ -26,5 +26,8 @@ fields:
 cores: {}
 speed: {}
 serial_number: {}
+ state:
+ fields:
+ modified_at: {}
 wazuh:
 fields: "*"
diff --git a/ecs/states-inventory-hardware/fields/template-settings-legacy.json b/ecs/states-inventory-hardware/fields/template-settings-legacy.json
index f18e5fa2..7c90d8ac 100644
--- a/ecs/states-inventory-hardware/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-hardware/fields/template-settings-legacy.json
@@ -15,6 +15,7 @@
 "agent.version",
 "agent.host.ip",
 "host.serial_number",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/ecs/states-inventory-hardware/fields/template-settings.json b/ecs/states-inventory-hardware/fields/template-settings.json
index 02d01c23..83edd9cd 100644
--- a/ecs/states-inventory-hardware/fields/template-settings.json
+++ b/ecs/states-inventory-hardware/fields/template-settings.json
@@ -18,6 +18,7 @@
 "agent.version",
 "agent.host.ip",
 "host.serial_number",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/ecs/states-inventory-hotfixes/docs/README.md b/ecs/states-inventory-hotfixes/docs/README.md
index 1449658e..9a473f77 100644
--- a/ecs/states-inventory-hotfixes/docs/README.md
+++ b/ecs/states-inventory-hotfixes/docs/README.md
@@ -30,3 +30,4 @@ The detail of the fields can be found in csv file [States inventory hotfixes Fie
 | cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
 | schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
 | checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |
+| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE |
diff --git a/ecs/states-inventory-hotfixes/docs/fields.csv b/ecs/states-inventory-hotfixes/docs/fields.csv
index 6dbbe477..9ed311a6 100644
--- a/ecs/states-inventory-hotfixes/docs/fields.csv
+++ b/ecs/states-inventory-hotfixes/docs/fields.csv
@@ -7,6 +7,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,checksum,checksum.hash.sha1,keyword,custom,,,SHA1 hash used as checksum of the data collected by the agent.
 8.11.0,true,package,package.hotfix,object,custom,,,Hotfix related data.
 8.11.0,true,package,package.hotfix.name,keyword,custom,,,Name of the Hotfix.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
diff --git a/ecs/states-inventory-hotfixes/event-generator/event_generator.py b/ecs/states-inventory-hotfixes/event-generator/event_generator.py
index acb1dda8..f119c178 100644
--- a/ecs/states-inventory-hotfixes/event-generator/event_generator.py
+++ b/ecs/states-inventory-hotfixes/event-generator/event_generator.py
@@ -34,6 +34,9 @@ def generate_random_data(number):
 "checksum": generate_random_checksum(),
 "package": generate_random_package(),
 "wazuh": generate_random_wazuh(),
+ "state": {
+ "modified_at": generate_random_date(),
+ },
 }
 data.append(event_data)
 return data
diff --git a/ecs/states-inventory-hotfixes/fields/custom/state.yml b/ecs/states-inventory-hotfixes/fields/custom/state.yml
new file mode 100644
index 00000000..c275eccf
--- /dev/null
+++ b/ecs/states-inventory-hotfixes/fields/custom/state.yml
@@ -0,0 +1,11 @@
+---
+- name: state
+ title: State
+ description: >
+ State custom fields
+ fields:
+ - name: modified_at
+ type: date
+ level: custom
+ description: >
+ Date/time when the state was last modified.
diff --git a/ecs/states-inventory-hotfixes/fields/subset.yml b/ecs/states-inventory-hotfixes/fields/subset.yml
index 96bdd538..bf7ef89f 100644
--- a/ecs/states-inventory-hotfixes/fields/subset.yml
+++ b/ecs/states-inventory-hotfixes/fields/subset.yml
@@ -21,5 +21,8 @@ fields:
 hotfix:
 fields:
 name: {}
+ state:
+ fields:
+ modified_at: {}
 wazuh:
 fields: "*"
diff --git a/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json b/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json
index 292a0a51..20bab38b 100644
--- a/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json
@@ -14,6 +14,7 @@
 "agent.name",
 "agent.version",
 "package.hotfix.name",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/ecs/states-inventory-hotfixes/fields/template-settings.json b/ecs/states-inventory-hotfixes/fields/template-settings.json
index fa3f7af8..f758a417 100644
--- a/ecs/states-inventory-hotfixes/fields/template-settings.json
+++ b/ecs/states-inventory-hotfixes/fields/template-settings.json
@@ -17,6 +17,7 @@
 "agent.name",
 "agent.version",
 "package.hotfix.name",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/ecs/states-inventory-interfaces/docs/README.md b/ecs/states-inventory-interfaces/docs/README.md
index 6ac7c286..e4fb3197 100644
--- a/ecs/states-inventory-interfaces/docs/README.md
+++ b/ecs/states-inventory-interfaces/docs/README.md
@@ -40,3 +40,4 @@ The detail of the fields can be found in csv file [States inventory interfaces F
 | cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE |
 | schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE |
 | checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE |
+| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE |
diff --git a/ecs/states-inventory-interfaces/docs/fields.csv b/ecs/states-inventory-interfaces/docs/fields.csv
index 7ca60d92..c64c52f7 100644
--- a/ecs/states-inventory-interfaces/docs/fields.csv
+++ b/ecs/states-inventory-interfaces/docs/fields.csv
@@ -19,6 +19,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,interface,interface.name,keyword,extended,,eth0,Interface name
 8.11.0,true,interface,interface.state,keyword,custom,,,State of the network interface.
 8.11.0,true,interface,interface.type,keyword,custom,,,Interface type.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
diff --git a/ecs/states-inventory-interfaces/event-generator/event_generator.py b/ecs/states-inventory-interfaces/event-generator/event_generator.py
index d45c6294..5d3ad27a 100644
--- a/ecs/states-inventory-interfaces/event-generator/event_generator.py
+++ b/ecs/states-inventory-interfaces/event-generator/event_generator.py
@@ -35,6 +35,9 @@ def generate_random_data(number):
 "host": generate_random_host(True),
 "interface": generate_random_interface(),
 "wazuh": generate_random_wazuh(),
+ "state": {
+ "modified_at": generate_random_date(),
+ },
 }
 data.append(event_data)
 return data
diff --git a/ecs/states-inventory-interfaces/fields/custom/state.yml b/ecs/states-inventory-interfaces/fields/custom/state.yml
new file mode 100644
index 00000000..c275eccf
--- /dev/null
+++ b/ecs/states-inventory-interfaces/fields/custom/state.yml
@@ -0,0 +1,11 @@
+---
+- name: state
+ title: State
+ description: >
+ State custom fields
+ fields:
+ - name: modified_at
+ type: date
+ level: custom
+ description: >
+ Date/time when the state was last modified.
diff --git a/ecs/states-inventory-interfaces/fields/subset.yml b/ecs/states-inventory-interfaces/fields/subset.yml
index a2f38a1f..070a5a71 100644
--- a/ecs/states-inventory-interfaces/fields/subset.yml
+++ b/ecs/states-inventory-interfaces/fields/subset.yml
@@ -40,5 +40,8 @@ fields:
 name: {}
 state: {}
 type: {}
+ state:
+ fields:
+ modified_at: {}
 wazuh:
 fields: "*"
diff --git a/ecs/states-inventory-interfaces/fields/template-settings-legacy.json b/ecs/states-inventory-interfaces/fields/template-settings-legacy.json
index 939ede56..6e37c056 100644
--- a/ecs/states-inventory-interfaces/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-interfaces/fields/template-settings-legacy.json
@@ -15,6 +15,7 @@
 "host.mac",
 "interface.name",
 "interface.alias",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node"
 ]
diff --git a/ecs/states-inventory-interfaces/fields/template-settings.json b/ecs/states-inventory-interfaces/fields/template-settings.json
index 999621a2..3edd754c 100644
--- a/ecs/states-inventory-interfaces/fields/template-settings.json
+++ b/ecs/states-inventory-interfaces/fields/template-settings.json
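Review bot: In the interfaces `subset.yml` hunk the new `state:` block is inserted directly under `interface`'s own `state: {}` entry (visible two context lines above), and because the collapsed hunk hides indentation I cannot tell from here whether the new block is at the top level of `fields:` as a sibling of `wazuh:` or nested one level deeper inside `interface.fields`. If it landed at the inner level it would be a duplicate `state` key, which most YAML loaders accept silently by letting the last occurrence win, so `interface.state` would quietly turn into an object and `state.modified_at` would never be emitted at the top level. Please confirm the indentation matches the other subset files in this PR (`state:` at the same column as `wazuh:`), and consider a one-line comment on the new block, `# top-level state.* fields, distinct from interface.state`, so the next editor does not merge them.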
@@ -18,6 +18,7 @@ "host.mac", "interface.name", "interface.alias", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node" ] diff --git a/ecs/states-inventory-networks/docs/README.md b/ecs/states-inventory-networks/docs/README.md index 24958a36..c131125a 100644 --- a/ecs/states-inventory-networks/docs/README.md +++ b/ecs/states-inventory-networks/docs/README.md @@ -34,3 +34,4 @@ The detail of the fields can be found in csv file [States inventory networks Fie | cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE | | schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE | | checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE | +| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE | diff --git a/ecs/states-inventory-networks/docs/fields.csv b/ecs/states-inventory-networks/docs/fields.csv index 7dd0cf98..12707210 100644 --- a/ecs/states-inventory-networks/docs/fields.csv +++ b/ecs/states-inventory-networks/docs/fields.csv @@ -12,6 +12,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0,true,network,network.metric,long,custom,,,Metric of the network protocol 8.11.0,true,network,network.netmask,ip,custom,,,Network mask 8.11.0,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified. 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name. 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name. 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version. diff --git a/ecs/states-inventory-networks/event-generator/event_generator.py b/ecs/states-inventory-networks/event-generator/event_generator.py index c9e9ff87..2adc9818 100644 
--- a/ecs/states-inventory-networks/event-generator/event_generator.py +++ b/ecs/states-inventory-networks/event-generator/event_generator.py @@ -34,7 +34,10 @@ def generate_random_data(number): "checksum": generate_random_checksum(), "interface": generate_random_interface(), "network": generate_random_network(), - "wazuh": generate_random_wazuh() + "wazuh": generate_random_wazuh(), + "state": { + "modified_at": generate_random_date(), + }, } data.append(event_data) return data diff --git a/ecs/states-inventory-networks/fields/custom/state.yml b/ecs/states-inventory-networks/fields/custom/state.yml new file mode 100644 index 00000000..c275eccf --- /dev/null +++ b/ecs/states-inventory-networks/fields/custom/state.yml @@ -0,0 +1,11 @@ +--- +- name: state + title: State + description: > + State custom fields + fields: + - name: modified_at + type: date + level: custom + description: > + Date/time when the state was last modified. diff --git a/ecs/states-inventory-networks/fields/subset.yml b/ecs/states-inventory-networks/fields/subset.yml index fb962989..e391bdc1 100644 --- a/ecs/states-inventory-networks/fields/subset.yml +++ b/ecs/states-inventory-networks/fields/subset.yml @@ -27,5 +27,8 @@ fields: metric: {} netmask: {} type: {} + state: + fields: + modified_at: {} wazuh: fields: "*" diff --git a/ecs/states-inventory-networks/fields/template-settings-legacy.json b/ecs/states-inventory-networks/fields/template-settings-legacy.json index 002f70e3..d893f4d9 100644 --- a/ecs/states-inventory-networks/fields/template-settings-legacy.json +++ b/ecs/states-inventory-networks/fields/template-settings-legacy.json @@ -15,6 +15,7 @@ "interface.name", "network.ip", "network.name", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node" ] diff --git a/ecs/states-inventory-networks/fields/template-settings.json b/ecs/states-inventory-networks/fields/template-settings.json index 05810427..6cdb4711 100644 --- a/ecs/states-inventory-networks/fields/template-settings.json 
+++ b/ecs/states-inventory-networks/fields/template-settings.json @@ -18,6 +18,7 @@ "interface.name", "network.ip", "network.name", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node" ] diff --git a/ecs/states-inventory-packages/docs/README.md b/ecs/states-inventory-packages/docs/README.md index 65584fdc..9223ea4c 100644 --- a/ecs/states-inventory-packages/docs/README.md +++ b/ecs/states-inventory-packages/docs/README.md @@ -38,3 +38,4 @@ The detail of the fields can be found in csv file [States inventory packages Fie | cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE | | schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE | | checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE | +| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE | diff --git a/ecs/states-inventory-packages/docs/fields.csv b/ecs/states-inventory-packages/docs/fields.csv index f6b2ad3f..a375a328 100644 --- a/ecs/states-inventory-packages/docs/fields.csv +++ b/ecs/states-inventory-packages/docs/fields.csv @@ -18,6 +18,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0,true,package,package.type,keyword,extended,,rpm,Package type 8.11.0,true,package,package.vendor,keyword,custom,,,Vendor or maintainer of the package 8.11.0,true,package,package.version,keyword,extended,,1.12.9,Package version +8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified. 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name. 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name. 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version. diff --git a/ecs/states-inventory-packages/event-generator/event_generator.py b/ecs/states-inventory-packages/event-generator/event_generator.py index 12659d9e..93aebe61 100644 
--- a/ecs/states-inventory-packages/event-generator/event_generator.py +++ b/ecs/states-inventory-packages/event-generator/event_generator.py @@ -34,6 +34,9 @@ def generate_random_data(number): "checksum": generate_random_checksum(), "package": generate_random_package(), "wazuh": generate_random_wazuh(), + "state": { + "modified_at": generate_random_date(), + }, } data.append(event_data) return data diff --git a/ecs/states-inventory-packages/fields/custom/state.yml b/ecs/states-inventory-packages/fields/custom/state.yml new file mode 100644 index 00000000..c275eccf --- /dev/null +++ b/ecs/states-inventory-packages/fields/custom/state.yml @@ -0,0 +1,11 @@ +--- +- name: state + title: State + description: > + State custom fields + fields: + - name: modified_at + type: date + level: custom + description: > + Date/time when the state was last modified. diff --git a/ecs/states-inventory-packages/fields/subset.yml b/ecs/states-inventory-packages/fields/subset.yml index a28218cb..e0e7c250 100644 --- a/ecs/states-inventory-packages/fields/subset.yml +++ b/ecs/states-inventory-packages/fields/subset.yml @@ -31,5 +31,8 @@ fields: type: {} vendor: {} version: {} + state: + fields: + modified_at: {} wazuh: fields: "*" diff --git a/ecs/states-inventory-packages/fields/template-settings-legacy.json b/ecs/states-inventory-packages/fields/template-settings-legacy.json index 9b13e156..aadb853c 100644 --- a/ecs/states-inventory-packages/fields/template-settings-legacy.json +++ b/ecs/states-inventory-packages/fields/template-settings-legacy.json @@ -26,6 +26,7 @@ "package.type", "package.vendor", "package.version", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" diff --git a/ecs/states-inventory-packages/fields/template-settings.json b/ecs/states-inventory-packages/fields/template-settings.json index 056c9115..c71f3c97 100644 --- a/ecs/states-inventory-packages/fields/template-settings.json 
+++ b/ecs/states-inventory-packages/fields/template-settings.json @@ -27,6 +27,7 @@ "package.type", "package.vendor", "package.version", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" diff --git a/ecs/states-inventory-ports/docs/README.md b/ecs/states-inventory-ports/docs/README.md index 47980694..77d38ea6 100644 --- a/ecs/states-inventory-ports/docs/README.md +++ b/ecs/states-inventory-ports/docs/README.md @@ -41,3 +41,4 @@ The detail of the fields can be found in csv file [States inventory ports Fields | cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE | | schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE | | checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE | +| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE | diff --git a/ecs/states-inventory-ports/docs/fields.csv b/ecs/states-inventory-ports/docs/fields.csv index 41841dce..76737bb5 100644 --- a/ecs/states-inventory-ports/docs/fields.csv +++ b/ecs/states-inventory-ports/docs/fields.csv @@ -17,6 +17,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0,true,process,process.pid,long,core,,4242,Process id. 8.11.0,true,source,source.ip,ip,core,,,IP address of the source. 8.11.0,true,source,source.port,long,core,,,Port of the source. +8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified. 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name. 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name. 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version. diff --git a/ecs/states-inventory-ports/event-generator/event_generator.py b/ecs/states-inventory-ports/event-generator/event_generator.py index d741a5ad..861ae661 100644 
--- a/ecs/states-inventory-ports/event-generator/event_generator.py +++ b/ecs/states-inventory-ports/event-generator/event_generator.py @@ -40,6 +40,9 @@ def generate_random_data(number): "process": generate_random_process(), "source": generate_random_source(), "wazuh": generate_random_wazuh(), + "state": { + "modified_at": generate_random_date() + } } data.append(event_data) return data diff --git a/ecs/states-inventory-ports/fields/custom/state.yml b/ecs/states-inventory-ports/fields/custom/state.yml new file mode 100644 index 00000000..c275eccf --- /dev/null +++ b/ecs/states-inventory-ports/fields/custom/state.yml @@ -0,0 +1,11 @@ +--- +- name: state + title: State + description: > + State custom fields + fields: + - name: modified_at + type: date + level: custom + description: > + Date/time when the state was last modified. diff --git a/ecs/states-inventory-ports/fields/subset.yml b/ecs/states-inventory-ports/fields/subset.yml index 6e4f34a6..3b75a9a3 100644 --- a/ecs/states-inventory-ports/fields/subset.yml +++ b/ecs/states-inventory-ports/fields/subset.yml @@ -47,5 +47,8 @@ fields: fields: ip: {} port: {} + state: + fields: + modified_at: {} wazuh: fields: "*" diff --git a/ecs/states-inventory-ports/fields/template-settings-legacy.json b/ecs/states-inventory-ports/fields/template-settings-legacy.json index 9816b21a..6cd4452d 100644 --- a/ecs/states-inventory-ports/fields/template-settings-legacy.json +++ b/ecs/states-inventory-ports/fields/template-settings-legacy.json @@ -22,6 +22,7 @@ "process.pid", "source.ip", "destination.ip", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" diff --git a/ecs/states-inventory-ports/fields/template-settings.json b/ecs/states-inventory-ports/fields/template-settings.json index df9174c0..aa6c2be9 100644 --- a/ecs/states-inventory-ports/fields/template-settings.json +++ b/ecs/states-inventory-ports/fields/template-settings.json 
@@ -25,6 +25,7 @@ "process.pid", "source.ip", "destination.ip", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" diff --git a/ecs/states-inventory-processes/docs/README.md b/ecs/states-inventory-processes/docs/README.md index d6a63b38..ba4436fe 100644 --- a/ecs/states-inventory-processes/docs/README.md +++ b/ecs/states-inventory-processes/docs/README.md @@ -35,3 +35,4 @@ The detail of the fields can be found in csv file [States inventory processes Fi | | date | The time the process started | process.start | FALSE | | | long | Length of the process.args array. | process.args_count | FALSE | | checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE | +| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE | diff --git a/ecs/states-inventory-processes/docs/fields.csv b/ecs/states-inventory-processes/docs/fields.csv index 526d0f3c..b4f8b532 100644 --- a/ecs/states-inventory-processes/docs/fields.csv +++ b/ecs/states-inventory-processes/docs/fields.csv @@ -17,6 +17,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0,true,process,process.state,keyword,custom,,,Current process state 8.11.0,true,process,process.stime,long,custom,,,System mode CPU time used 8.11.0,true,process,process.utime,long,custom,,,User mode CPU time used +8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified. 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name. 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name. 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version. diff --git a/ecs/states-inventory-processes/event-generator/event_generator.py b/ecs/states-inventory-processes/event-generator/event_generator.py index cd316341..da47e693 100644 --- a/ecs/states-inventory-processes/event-generator/event_generator.py 
+++ b/ecs/states-inventory-processes/event-generator/event_generator.py @@ -34,6 +34,9 @@ def generate_random_data(number): "checksum": generate_random_checksum(), "process": generate_random_process(), "wazuh": generate_random_wazuh(), + "state": { + "modified_at": generate_random_date() + } } data.append(event_data) return data diff --git a/ecs/states-inventory-processes/fields/custom/state.yml b/ecs/states-inventory-processes/fields/custom/state.yml new file mode 100644 index 00000000..c275eccf --- /dev/null +++ b/ecs/states-inventory-processes/fields/custom/state.yml @@ -0,0 +1,11 @@ +--- +- name: state + title: State + description: > + State custom fields + fields: + - name: modified_at + type: date + level: custom + description: > + Date/time when the state was last modified. diff --git a/ecs/states-inventory-processes/fields/subset.yml b/ecs/states-inventory-processes/fields/subset.yml index e3da8c50..b4724f01 100644 --- a/ecs/states-inventory-processes/fields/subset.yml +++ b/ecs/states-inventory-processes/fields/subset.yml @@ -30,5 +30,8 @@ fields: state: {} stime: {} utime: {} + state: + fields: + modified_at: {} wazuh: fields: "*" diff --git a/ecs/states-inventory-processes/fields/template-settings-legacy.json b/ecs/states-inventory-processes/fields/template-settings-legacy.json index 1662d40a..e6614bf1 100644 --- a/ecs/states-inventory-processes/fields/template-settings-legacy.json +++ b/ecs/states-inventory-processes/fields/template-settings-legacy.json @@ -23,6 +23,7 @@ "process.state", "process.stime", "process.utime", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" diff --git a/ecs/states-inventory-processes/fields/template-settings.json b/ecs/states-inventory-processes/fields/template-settings.json index d4cfbd7f..fecfd142 100644 --- a/ecs/states-inventory-processes/fields/template-settings.json +++ b/ecs/states-inventory-processes/fields/template-settings.json 
@@ -24,6 +24,7 @@ "process.state", "process.stime", "process.utime", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" diff --git a/ecs/states-inventory-protocols/docs/README.md b/ecs/states-inventory-protocols/docs/README.md index 0e6f58e5..f85ddea7 100644 --- a/ecs/states-inventory-protocols/docs/README.md +++ b/ecs/states-inventory-protocols/docs/README.md @@ -31,3 +31,4 @@ The detail of the fields can be found in csv file [States inventory protocols Fi | cluster_node | string | Wazuh cluster node | wazuh.cluster.node | TRUE | | schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE | | checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE | +| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE | diff --git a/ecs/states-inventory-protocols/docs/fields.csv b/ecs/states-inventory-protocols/docs/fields.csv index f1bb329d..2b864ea7 100644 --- a/ecs/states-inventory-protocols/docs/fields.csv +++ b/ecs/states-inventory-protocols/docs/fields.csv @@ -10,6 +10,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0,true,network,network.gateway,ip,custom,,,Gateway address 8.11.0,true,network,network.metric,long,custom,,,Metric of the network protocol 8.11.0,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified. 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name. 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name. 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version. diff --git a/ecs/states-inventory-protocols/event-generator/event_generator.py b/ecs/states-inventory-protocols/event-generator/event_generator.py index 8f9aac99..b7b2e118 100644 
--- a/ecs/states-inventory-protocols/event-generator/event_generator.py +++ b/ecs/states-inventory-protocols/event-generator/event_generator.py @@ -35,6 +35,9 @@ def generate_random_data(number): "network": generate_random_network(), "interface": generate_random_interface(), "wazuh": generate_random_wazuh(), + "state": { + "modified_at": generate_random_date() + } } data.append(event_data) return data diff --git a/ecs/states-inventory-protocols/fields/custom/state.yml b/ecs/states-inventory-protocols/fields/custom/state.yml new file mode 100644 index 00000000..c275eccf --- /dev/null +++ b/ecs/states-inventory-protocols/fields/custom/state.yml @@ -0,0 +1,11 @@ +--- +- name: state + title: State + description: > + State custom fields + fields: + - name: modified_at + type: date + level: custom + description: > + Date/time when the state was last modified. diff --git a/ecs/states-inventory-protocols/fields/subset.yml b/ecs/states-inventory-protocols/fields/subset.yml index 5a4fb1d0..efd36b08 100644 --- a/ecs/states-inventory-protocols/fields/subset.yml +++ b/ecs/states-inventory-protocols/fields/subset.yml @@ -25,5 +25,8 @@ fields: interface: fields: name: {} + state: + fields: + modified_at: {} wazuh: fields: "*" diff --git a/ecs/states-inventory-protocols/fields/template-settings-legacy.json b/ecs/states-inventory-protocols/fields/template-settings-legacy.json index af41d970..17559ae3 100644 --- a/ecs/states-inventory-protocols/fields/template-settings-legacy.json +++ b/ecs/states-inventory-protocols/fields/template-settings-legacy.json @@ -15,6 +15,7 @@ "agent.version", "network.type", "interface.name", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" diff --git a/ecs/states-inventory-protocols/fields/template-settings.json b/ecs/states-inventory-protocols/fields/template-settings.json index 6196038a..162ae599 100644 --- a/ecs/states-inventory-protocols/fields/template-settings.json 
+++ b/ecs/states-inventory-protocols/fields/template-settings.json @@ -18,6 +18,7 @@ "agent.version", "network.type", "interface.name", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" diff --git a/ecs/states-inventory-system/docs/README.md b/ecs/states-inventory-system/docs/README.md index d9b8912d..bc406f63 100644 --- a/ecs/states-inventory-system/docs/README.md +++ b/ecs/states-inventory-system/docs/README.md @@ -42,3 +42,4 @@ The detail of the fields can be found in csv file [States inventory system Field | schema_version | string | Wazuh schema version | wazuh.schema.version | TRUE | | | string | Which commercial OS family (one of: linux, macos, unix, windows, ios or android). | host.os.type | FALSE | | checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE | +| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE | diff --git a/ecs/states-inventory-system/docs/fields.csv b/ecs/states-inventory-system/docs/fields.csv index f519e243..fc6263a8 100644 --- a/ecs/states-inventory-system/docs/fields.csv +++ b/ecs/states-inventory-system/docs/fields.csv @@ -23,6 +23,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 8.11.0,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 8.11.0,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified. 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name. 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name. 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version. 
diff --git a/ecs/states-inventory-system/event-generator/event_generator.py b/ecs/states-inventory-system/event-generator/event_generator.py index db975fe7..debae4df 100644 --- a/ecs/states-inventory-system/event-generator/event_generator.py +++ b/ecs/states-inventory-system/event-generator/event_generator.py @@ -34,6 +34,9 @@ def generate_random_data(number): "checksum": generate_random_checksum(), "host": generate_random_host(True), "wazuh": generate_random_wazuh(), + "state": { + "modified_at": generate_random_date(), + }, } data.append(event_data) return data diff --git a/ecs/states-inventory-system/fields/custom/state.yml b/ecs/states-inventory-system/fields/custom/state.yml new file mode 100644 index 00000000..c275eccf --- /dev/null +++ b/ecs/states-inventory-system/fields/custom/state.yml @@ -0,0 +1,11 @@ +--- +- name: state + title: State + description: > + State custom fields + fields: + - name: modified_at + type: date + level: custom + description: > + Date/time when the state was last modified. diff --git a/ecs/states-inventory-system/fields/subset.yml b/ecs/states-inventory-system/fields/subset.yml index 6b10745c..2a3a2d59 100644 --- a/ecs/states-inventory-system/fields/subset.yml +++ b/ecs/states-inventory-system/fields/subset.yml @@ -40,5 +40,8 @@ fields: platform: {} type: {} version: {} + state: + fields: + modified_at: {} wazuh: fields: "*" diff --git a/ecs/states-inventory-system/fields/template-settings-legacy.json b/ecs/states-inventory-system/fields/template-settings-legacy.json index 88be7490..ec661db8 100644 --- a/ecs/states-inventory-system/fields/template-settings-legacy.json +++ b/ecs/states-inventory-system/fields/template-settings-legacy.json @@ -29,6 +29,7 @@ "host.os.platform", "host.os.type", "host.os.version", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" 
diff --git a/ecs/states-inventory-system/fields/template-settings.json b/ecs/states-inventory-system/fields/template-settings.json index 51e74c3e..44b0270c 100644 --- a/ecs/states-inventory-system/fields/template-settings.json +++ b/ecs/states-inventory-system/fields/template-settings.json @@ -32,6 +32,7 @@ "host.os.platform", "host.os.type", "host.os.version", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" diff --git a/ecs/states-inventory-users/docs/fields.csv b/ecs/states-inventory-users/docs/fields.csv index 35f104cd..a0de1d5b 100644 --- a/ecs/states-inventory-users/docs/fields.csv +++ b/ecs/states-inventory-users/docs/fields.csv @@ -10,6 +10,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0,true,login,login.tty,keyword,custom,,,"Terminal associated with the login session (e.g., pts/1)." 8.11.0,true,login,login.type,keyword,custom,,,"Type of login session. Example values: ""user"", ""system"", ""remote""." 8.11.0,true,process,process.pid,long,core,,4242,Process id. +8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified. 8.11.0,true,user,user.auth_failures.count,integer,custom,,,Number of failed authentication attempts. 8.11.0,true,user,user.auth_failures.timestamp,date,custom,,,Timestamp of the last authentication failure. 8.11.0,true,user,user.created,date,custom,,,Datetime when the user was created. diff --git a/ecs/states-inventory-users/event-generator/event_generator.py b/ecs/states-inventory-users/event-generator/event_generator.py index a7894248..bd900ef1 100644 --- a/ecs/states-inventory-users/event-generator/event_generator.py +++ b/ecs/states-inventory-users/event-generator/event_generator.py 
@@ -80,8 +80,17 @@ def generate_random_user():
 "type": random.choice(["ssh", "console", "remote"])
 },
 "wazuh": generate_random_wazuh(),
+ "state": {
+ "modified_at": generate_random_date()
+ },
 }
+def generate_random_date():
+ start_date = datetime.datetime.now()
+ end_date = start_date - datetime.timedelta(days=10)
+ random_date = start_date + (end_date - start_date) * random.random()
+ return random_date.strftime(DATE_FORMAT)
+
 def generate_random_agent():
 return {
diff --git a/ecs/states-inventory-users/fields/custom/state.yml b/ecs/states-inventory-users/fields/custom/state.yml
new file mode 100644
index 00000000..c275eccf
--- /dev/null
+++ b/ecs/states-inventory-users/fields/custom/state.yml
@@ -0,0 +1,11 @@
+---
+- name: state
+ title: State
+ description: >
+ State custom fields
+ fields:
+ - name: modified_at
+ type: date
+ level: custom
+ description: >
+ Date/time when the state was last modified.
diff --git a/ecs/states-inventory-users/fields/subset.yml b/ecs/states-inventory-users/fields/subset.yml
index 3afa4a2d..38f1e0cf 100644
--- a/ecs/states-inventory-users/fields/subset.yml
+++ b/ecs/states-inventory-users/fields/subset.yml
@@ -62,5 +62,8 @@ fields:
 status: {}
 type: {}
 tty: {}
+ state:
+ fields:
+ modified_at: {}
 wazuh:
 fields: "*"
diff --git a/ecs/states-inventory-users/fields/template-settings-legacy.json b/ecs/states-inventory-users/fields/template-settings-legacy.json
index d8fc1c77..12b23f63 100644
--- a/ecs/states-inventory-users/fields/template-settings-legacy.json
+++ b/ecs/states-inventory-users/fields/template-settings-legacy.json
@@ -30,7 +30,8 @@
 "user.roles",
 "user.last_login",
 "process.pid",
- "host.ip"
+ "host.ip",
+ "state.modified_at"
 ]
 }
 }
diff --git a/ecs/states-inventory-users/fields/template-settings.json b/ecs/states-inventory-users/fields/template-settings.json
index fab1eec4..74688a9d 100644
--- a/ecs/states-inventory-users/fields/template-settings.json
+++ b/ecs/states-inventory-users/fields/template-settings.json
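Review bot: The new `generate_random_date` builds its value from naive `datetime.datetime.now()`, so the timestamp is local wall-clock time with no zone attached; if `DATE_FORMAT` (defined outside the hunk) renders a `Z` or a fixed offset, every generated `state.modified_at` is shifted by the host's UTC offset, and `datetime.datetime.now(datetime.timezone.utc)` should be used instead — confirm what `DATE_FORMAT` emits. Separately, the `start_date`/`end_date` names are inverted (`end_date` lies ten days before `start_date`), the function has no docstring, and the same body is added verbatim to the states-sca generator, so the fix applies there too. The enclosing function of the first part of this hunk starts outside it. A clearer equivalent of the helper:
```python
def generate_random_date():
    """Return a timestamp from the last ten days, rendered with DATE_FORMAT."""
    # NOTE(review): use datetime.datetime.now(datetime.timezone.utc) if
    # DATE_FORMAT carries a zone designator; the original is naive local time.
    now = datetime.datetime.now()
    random_date = now - datetime.timedelta(days=10) * random.random()
    return random_date.strftime(DATE_FORMAT)
```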
@@ -31,7 +31,8 @@
 "user.roles",
 "user.last_login",
 "process.pid",
- "host.ip"
+ "host.ip",
+ "state.modified_at"
 ]
 }
 }
diff --git a/ecs/states-sca/docs/fields.csv b/ecs/states-sca/docs/fields.csv
index c6fd15f1..7382adfb 100644
--- a/ecs/states-sca/docs/fields.csv
+++ b/ecs/states-sca/docs/fields.csv
@@ -21,6 +21,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,policy,policy.id,keyword,custom,,cis_win11_enterprise_21H2,The ID of the SCA policy.
 8.11.0,true,policy,policy.name,keyword,custom,,CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0,The name of the SCA policy.
 8.11.0,true,policy,policy.references,keyword,custom,array,"[""https://www.cisecurity.org/cis-benchmarks/""]",References for the policy.
+8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.
diff --git a/ecs/states-sca/event-generator/event_generator.py b/ecs/states-sca/event-generator/event_generator.py
index ff896272..39a2fa91 100644
--- a/ecs/states-sca/event-generator/event_generator.py
+++ b/ecs/states-sca/event-generator/event_generator.py
@@ -76,11 +76,20 @@ def generate_random_data(number):
 'policy': generate_random_policy(),
 'check': generate_random_check(),
 'checksum': generate_random_checksum(),
- 'wazuh': generate_random_wazuh()
+ 'wazuh': generate_random_wazuh(),
+ 'state': {
+ 'modified_at': generate_random_date()
+ },
 }
 data.append(event_data)
 return data
+def generate_random_date():
+ start_date = datetime.datetime.now()
+ end_date = start_date - datetime.timedelta(days=10)
+ random_date = start_date + (end_date - start_date) * random.random()
+ return random_date.strftime(DATE_FORMAT)
+
 def generate_random_checksum():
 return {
 "hash": {
diff --git a/ecs/states-sca/fields/custom/state.yml b/ecs/states-sca/fields/custom/state.yml new file mode 100644 index 00000000..c275eccf --- /dev/null +++ b/ecs/states-sca/fields/custom/state.yml @@ -0,0 +1,11 @@ +--- +- name: state + title: State + description: > + State custom fields + fields: + - name: modified_at + type: date + level: custom + description: > + Date/time when the state was last modified. diff --git a/ecs/states-sca/fields/subset.yml b/ecs/states-sca/fields/subset.yml index 09ac9b25..7307eb63 100644 --- a/ecs/states-sca/fields/subset.yml +++ b/ecs/states-sca/fields/subset.yml @@ -19,5 +19,8 @@ fields: fields: "*" policy: fields: "*" + state: + fields: + modified_at: {} wazuh: fields: "*" diff --git a/ecs/states-sca/fields/template-settings-legacy.json b/ecs/states-sca/fields/template-settings-legacy.json index fe78cad9..b8252f64 100644 --- a/ecs/states-sca/fields/template-settings-legacy.json +++ b/ecs/states-sca/fields/template-settings-legacy.json @@ -18,6 +18,7 @@ "policy.id", "policy.name", "policy.file", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" diff --git a/ecs/states-sca/fields/template-settings.json b/ecs/states-sca/fields/template-settings.json index 403674f6..dc8bb778 100644 --- a/ecs/states-sca/fields/template-settings.json +++ b/ecs/states-sca/fields/template-settings.json @@ -19,6 +19,7 @@ "policy.id", "policy.name", "policy.file", + "state.modified_at", "wazuh.cluster.name", "wazuh.cluster.node", "wazuh.schema.version" diff --git a/ecs/states-vulnerabilities/docs/README.md b/ecs/states-vulnerabilities/docs/README.md index 9bca3042..79a8978e 100644 --- a/ecs/states-vulnerabilities/docs/README.md +++ b/ecs/states-vulnerabilities/docs/README.md 
@@ -71,3 +71,4 @@ The detail of the fields can be found in csv file [States vulnerabilities Fields | wazuh.cluster.node | keyword | Wazuh cluster node name. | wazuh.cluster.node | TRUE | | wazuh.schema.version | keyword | Wazuh schema version. | wazuh.schema.version | TRUE | | checksum | keyword | SHA1 hash used as checksum of the data collected by the agent. | checksum.hash.sha1 | TRUE | +| scan_time | date | Date/time when the state was last modified. | state.modified_at | TRUE | diff --git a/ecs/states-vulnerabilities/docs/fields.csv b/ecs/states-vulnerabilities/docs/fields.csv index d90720a9..90568b42 100644 --- a/ecs/states-vulnerabilities/docs/fields.csv +++ b/ecs/states-vulnerabilities/docs/fields.csv @@ -27,6 +27,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0,true,package,package.size,long,extended,,62231,Package size in bytes. 8.11.0,true,package,package.type,keyword,extended,,rpm,Package type 8.11.0,true,package,package.version,keyword,extended,,1.12.9,Package version +8.11.0,true,state,state.modified_at,date,custom,,,Date/time when the state was last modified. 8.11.0,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. 8.11.0,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 8.11.0,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. diff --git a/ecs/states-vulnerabilities/event-generator/event_generator.py b/ecs/states-vulnerabilities/event-generator/event_generator.py index f3ec6b19..0dae268a 100755 --- a/ecs/states-vulnerabilities/event-generator/event_generator.py +++ b/ecs/states-vulnerabilities/event-generator/event_generator.py 
@@ -379,6 +379,9 @@ def generate_random_data(number):
 "package": generate_random_package(),
 "vulnerability": generate_random_vulnerability(),
 "wazuh": generate_random_wazuh(),
+ "state": {
+ "modified_at": generate_random_date()
+ }
 }
 data.append(event_data)
 return data
diff --git a/ecs/states-vulnerabilities/fields/custom/state.yml b/ecs/states-vulnerabilities/fields/custom/state.yml
new file mode 100644
index 00000000..c275eccf
--- /dev/null
+++ b/ecs/states-vulnerabilities/fields/custom/state.yml
@@ -0,0 +1,11 @@
+---
+- name: state
+ title: State
+ description: >
+ State custom fields
+ fields:
+ - name: modified_at
+ type: date
+ level: custom
+ description: >
+ Date/time when the state was last modified.
diff --git a/ecs/states-vulnerabilities/fields/subset.yml b/ecs/states-vulnerabilities/fields/subset.yml
index 04020c5b..0edc8251 100644
--- a/ecs/states-vulnerabilities/fields/subset.yml
+++ b/ecs/states-vulnerabilities/fields/subset.yml
@@ -22,5 +22,8 @@ fields:
 version: ""
 vulnerability:
 fields: "*"
+ state:
+ fields:
+ modified_at: {}
 wazuh:
 fields: "*"
diff --git a/ecs/states-vulnerabilities/fields/template-settings-legacy.json b/ecs/states-vulnerabilities/fields/template-settings-legacy.json
index 756130c4..c5ca0a66 100644
--- a/ecs/states-vulnerabilities/fields/template-settings-legacy.json
+++ b/ecs/states-vulnerabilities/fields/template-settings-legacy.json
@@ -30,6 +30,7 @@
 "vulnerability.id",
 "vulnerability.description",
 "vulnerability.severity",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/ecs/states-vulnerabilities/fields/template-settings.json b/ecs/states-vulnerabilities/fields/template-settings.json
index 6c64fe1c..86ffd779 100644
--- a/ecs/states-vulnerabilities/fields/template-settings.json
+++ b/ecs/states-vulnerabilities/fields/template-settings.json
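Review bot: The new `"state"` entry in the `event_data` literal is the only key without a trailing comma; every sibling line ends in `,`, so the added closing brace should read `},` to keep the literal consistent and make the next addition a one-line diff. `generate_random_date()` is defined outside the hunk, so I cannot see what string it emits, but the `state.modified_at` mapping this change adds to the index templates is a bare `date` with no `format`, which means the generated value must be accepted by OpenSearch's default date parsing (ISO-8601 / epoch millis) or the document is rejected with a mapper parsing error at index time. A one-line comment at the call site would make that coupling explicit, e.g. `# must satisfy the 'date' mapping of state.modified_at (ISO-8601 or epoch millis)`. generate_random_data begins outside the hunk.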
@@ -31,6 +31,7 @@
 "vulnerability.id",
 "vulnerability.description",
 "vulnerability.severity",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-fim-files.json b/plugins/setup/src/main/resources/index-template-fim-files.json
index 1910df5a..6c9ef891 100644
--- a/plugins/setup/src/main/resources/index-template-fim-files.json
+++ b/plugins/setup/src/main/resources/index-template-fim-files.json
@@ -107,6 +107,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -161,6 +168,7 @@
 "file.permissions",
 "file.size",
 "file.uid",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-fim-registry-keys.json b/plugins/setup/src/main/resources/index-template-fim-registry-keys.json
index d83a3927..65cb757c 100644
--- a/plugins/setup/src/main/resources/index-template-fim-registry-keys.json
+++ b/plugins/setup/src/main/resources/index-template-fim-registry-keys.json
@@ -88,6 +88,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -137,6 +144,7 @@
 "registry.path",
 "registry.permissions",
 "registry.uid",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-fim-registry-values.json b/plugins/setup/src/main/resources/index-template-fim-registry-values.json
index 57d52192..2f6aa5c5 100644
--- a/plugins/setup/src/main/resources/index-template-fim-registry-values.json
+++ b/plugins/setup/src/main/resources/index-template-fim-registry-values.json
@@ -96,6 +96,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
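Review bot: The new `state.modified_at` mapping in the `@@ -107,6 +107,13 @@` hunk of index-template-fim-files.json declares `"type": "date"` with no `format`, so it silently inherits the engine default (`strict_date_optional_time||epoch_millis`); since this value is produced by the agent (the README hunk in this change appears to map the agent's `scan_time` column onto it), the accepted wire format should be pinned in the template rather than left implicit, e.g. `"modified_at": { "type": "date", "format": "strict_date_optional_time||epoch_millis" }`. The same unpinned mapping is repeated in every other index-template-*.json hunk of this change (fim-registry-keys, fim-registry-values, groups, hardware, hotfixes, interfaces, networks, packages, ports, processes, protocols, sca, system, users, vulnerabilities) and in the ECS `state.yml` sources, so the format belongs in the ECS definition once and the templates regenerated from it. If the string array touched by the second hunk is `index.query.default_field`, note that a free-text term in a query_string search fails to parse against a `date` field unless the query is lenient; the list already holds numeric and ip fields, so this is not new, but the added date field widens that exposure.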
@@ -145,6 +152,7 @@
 "registry.path",
 "registry.size",
 "registry.value",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-groups.json b/plugins/setup/src/main/resources/index-template-groups.json
index 3f019ec5..da427bdc 100644
--- a/plugins/setup/src/main/resources/index-template-groups.json
+++ b/plugins/setup/src/main/resources/index-template-groups.json
@@ -73,6 +73,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -110,7 +117,8 @@
 "group.description",
 "group.id_signed",
 "group.uuid",
- "group.users"
+ "group.users",
+ "state.modified_at"
 ],
 "refresh_interval": "5s"
 }
diff --git a/plugins/setup/src/main/resources/index-template-hardware.json b/plugins/setup/src/main/resources/index-template-hardware.json
index cf65cd77..fd865f34 100644
--- a/plugins/setup/src/main/resources/index-template-hardware.json
+++ b/plugins/setup/src/main/resources/index-template-hardware.json
@@ -84,6 +84,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -124,6 +131,7 @@
 "agent.version",
 "agent.host.ip",
 "host.serial_number",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-hotfixes.json b/plugins/setup/src/main/resources/index-template-hotfixes.json
index 4a3a5224..b1a3abd4 100644
--- a/plugins/setup/src/main/resources/index-template-hotfixes.json
+++ b/plugins/setup/src/main/resources/index-template-hotfixes.json
@@ -58,6 +58,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -97,6 +104,7 @@
 "agent.name",
 "agent.version",
 "package.hotfix.name",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-interfaces.json b/plugins/setup/src/main/resources/index-template-interfaces.json
index 09806356..63cac189 100644
--- a/plugins/setup/src/main/resources/index-template-interfaces.json
+++ b/plugins/setup/src/main/resources/index-template-interfaces.json
@@ -112,6 +112,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -152,6 +159,7 @@
 "host.mac",
 "interface.name",
 "interface.alias",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node"
 ],
diff --git a/plugins/setup/src/main/resources/index-template-networks.json b/plugins/setup/src/main/resources/index-template-networks.json
index 3c97af53..2b97f2a0 100644
--- a/plugins/setup/src/main/resources/index-template-networks.json
+++ b/plugins/setup/src/main/resources/index-template-networks.json
@@ -76,6 +76,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -116,6 +123,7 @@
 "interface.name",
 "network.ip",
 "network.name",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node"
 ],
diff --git a/plugins/setup/src/main/resources/index-template-packages.json b/plugins/setup/src/main/resources/index-template-packages.json
index 5352309c..dc9dfccf 100644
--- a/plugins/setup/src/main/resources/index-template-packages.json
+++ b/plugins/setup/src/main/resources/index-template-packages.json
@@ -99,6 +99,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -150,6 +157,7 @@
 "package.type",
 "package.vendor",
 "package.version",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-ports.json b/plugins/setup/src/main/resources/index-template-ports.json
index 3661e328..c6928333 100644
--- a/plugins/setup/src/main/resources/index-template-ports.json
+++ b/plugins/setup/src/main/resources/index-template-ports.json
@@ -122,6 +122,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -169,6 +176,7 @@
 "process.pid",
 "source.ip",
 "destination.ip",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-processes.json b/plugins/setup/src/main/resources/index-template-processes.json
index 1e7bc75c..bc78a3ce 100644
--- a/plugins/setup/src/main/resources/index-template-processes.json
+++ b/plugins/setup/src/main/resources/index-template-processes.json
@@ -86,6 +86,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -134,6 +141,7 @@
 "process.state",
 "process.stime",
 "process.utime",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-protocols.json b/plugins/setup/src/main/resources/index-template-protocols.json
index ef8dc3f7..2df5188e 100644
--- a/plugins/setup/src/main/resources/index-template-protocols.json
+++ b/plugins/setup/src/main/resources/index-template-protocols.json
@@ -70,6 +70,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -110,6 +117,7 @@
 "agent.version",
 "network.type",
 "interface.name",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-sca.json b/plugins/setup/src/main/resources/index-template-sca.json
index 00789cc3..f6f63fb5 100644
--- a/plugins/setup/src/main/resources/index-template-sca.json
+++ b/plugins/setup/src/main/resources/index-template-sca.json
@@ -117,6 +117,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -160,6 +167,7 @@
 "policy.id",
 "policy.name",
 "policy.file",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-system.json b/plugins/setup/src/main/resources/index-template-system.json
index 6880edb7..b04ad158 100644
--- a/plugins/setup/src/main/resources/index-template-system.json
+++ b/plugins/setup/src/main/resources/index-template-system.json
@@ -125,6 +125,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "wazuh": {
 "properties": {
 "cluster": {
@@ -179,6 +186,7 @@
 "host.os.platform",
 "host.os.type",
 "host.os.version",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"
diff --git a/plugins/setup/src/main/resources/index-template-users.json b/plugins/setup/src/main/resources/index-template-users.json
index e111faa8..bc8d784d 100644
--- a/plugins/setup/src/main/resources/index-template-users.json
+++ b/plugins/setup/src/main/resources/index-template-users.json
@@ -74,6 +74,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "user": {
 "properties": {
 "auth_failures": {
@@ -235,7 +242,8 @@
 "user.roles",
 "user.last_login",
 "process.pid",
- "host.ip"
+ "host.ip",
+ "state.modified_at"
 ],
 "refresh_interval": "5s"
 }
diff --git a/plugins/setup/src/main/resources/index-template-vulnerabilities.json b/plugins/setup/src/main/resources/index-template-vulnerabilities.json
index c65d25f2..18d4bbdc 100644
--- a/plugins/setup/src/main/resources/index-template-vulnerabilities.json
+++ b/plugins/setup/src/main/resources/index-template-vulnerabilities.json
@@ -136,6 +136,13 @@
 }
 }
 },
+ "state": {
+ "properties": {
+ "modified_at": {
+ "type": "date"
+ }
+ }
+ },
 "vulnerability": {
 "properties": {
 "category": {
@@ -273,6 +280,7 @@
 "vulnerability.id",
 "vulnerability.description",
 "vulnerability.severity",
+ "state.modified_at",
 "wazuh.cluster.name",
 "wazuh.cluster.node",
 "wazuh.schema.version"