Index templates for SCA (#352)

* Create index template and corresponding event generator for states-sca-stateless

* Create index template and corresponding event generator for states-sca-stateless

* Modify and correct event generators

* Update changelog

* Modify generate-and-push-templates.sh to include new templates

* Fix csv generation

* Update documentation reference manual with new sca indexes

* Fix generate-and-push-templates.sh naming

* Modify stateless sca messages configuration

The stateless messages don't need event generators and form part of the alerts, so the custom fields check and policies are added; the event already exists.

* Fix states-sca configuration

* Update ECS templates for modified modules: alerts states-sca

* Resolve conflict ref description in documentation

* Modify sca event generator and include http option

* Include sca indexTemplate to setup plugin

* Correct event_generator code

* Apply suggestions from code review

Signed-off-by: Álex Ruiz <alex-r-b@hotmail.com>

* Update SCA index description

* Improve descriptions of the SCA mappings

* Add short descriptions

* Update ECS templates for modified modules: alerts states-sca

---------

Signed-off-by: Alvaro Gonzalez Luque <91375045+abbonno@users.noreply.github.com>
Signed-off-by: Álex Ruiz <alex-r-b@hotmail.com>
Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>
Co-authored-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com>
Alvaro Gonzalez Luque 2025-04-02 16:24:15 +02:00 committed by GitHub
parent ad5d2a1012
commit d93403fbd7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
23 changed files with 1321 additions and 2 deletions


@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
- Implement CTI snapshot indexing [(#338)](https://github.com/wazuh/wazuh-indexer-plugins/pull/338)
- Implement content "update" command [(#339)](https://github.com/wazuh/wazuh-indexer-plugins/pull/339)
- Add mappings for Wazuh rules (stage 1) to the Alerts index [#345](https://github.com/wazuh/wazuh-indexer-plugins/pull/345)
- Add index templates for SCA [(#351)](https://github.com/wazuh/wazuh-indexer-plugins/issues/351)
- Implement CVE ECS definition and index template [(#337)](https://github.com/wazuh/wazuh-indexer-plugins/pull/337)
- Implement a time-based management of the agent.status attribute in the wazuh-agents index [(#349)](https://github.com/wazuh/wazuh-indexer-plugins/pull/349)
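Review bot: the new changelog entry links to the tracking issue (`issues/351`) while every neighbouring entry links to its pull request; link the PR instead (the commit title gives it as #352) with the same `[(#N)](.../pull/N)` pattern the other lines use, so the entry resolves to the change itself and the bracket style stays consistent.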


@ -23,8 +23,9 @@ The Wazuh indexer stores the data collected by the Wazuh agents in separate indi
| wazuh-states-inventory-ports | Basic information about open network ports on the endpoint. |
| wazuh-states-inventory-processes | Stores the detected running processes on the endpoints. |
| wazuh-states-inventory-system | Operating system information, hostname and architecture. |
| wazuh-states-sca | Stores Security Configuration Assessment (SCA) results. |
| wazuh-states-vulnerabilities | Active vulnerabilities on the endpoint and its details. |
| wazuharchives | Stores all events (archive data) received by the [Wazuh server](https://documentation.wazuh.com/current/getting-started/components/wazuh-server.html), whether they trip a rule. |
| wazuh-internal-users | Stores information about internal users, including authentication details and role-based access control (RBAC) permissions. |
| wazuh-custom-users | Stores information about custom users defined by administrators, including user-specific roles and permissions. |
| wazuh-cve | Stores information about Common Vulnerabilities and Exposures (CVEs) and their details. |
| wazuh-custom-users | Stores information about custom users defined by administrators, including user-specific roles and permissions. |
| wazuh-cve | Stores information about Common Vulnerabilities and Exposures (CVEs) and their details. |
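Review bot: the new `wazuh-states-sca` row sits correctly in the alphabetical `wazuh-states-*` run, but the context carried by this hunk shows `wazuh-custom-users` and `wazuh-cve` listed twice after `wazuharchives`; since this change already edits the table, drop the duplicated pair. The `wazuharchives` description also reads "whether they trip a rule" and should read "whether or not they trip a rule".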


@ -13,6 +13,7 @@ The Wazuh Common Schema is a derivation of the [Elastic Common Schema](https://w
- [states-inventory-ports](states-inventory-ports/docs/README.md)
- [states-inventory-processes](states-inventory-processes/docs/README.md)
- [states-inventory-system](states-inventory-system/docs/README.md)
- [states-sca](states-sca/docs/README.md)
- [states-vulnerabilities](states-vulnerabilities/docs/README.md)
- [users](users/docs/README.md)


@ -67,6 +67,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,check,check.compliance,keyword,custom,array,"[""cis:1.1.1"",""cis_csc:5.2""]",CIS compliance standard.
8.11.0,true,check,check.condition,keyword,custom,,all,Relationship between the rules.
8.11.0,true,check,check.description,keyword,custom,,"""The password history setting determines the number of unique new passwords a user must use before an old password can be reused.""",Extended description of the check.
8.11.0,true,check,check.id,keyword,custom,,26000,The ID of the SCA policy check.
8.11.0,true,check,check.name,keyword,custom,,Ensure 'Enforce password history' is set to '24 or more password(s)'.,The name of the SCA policy check.
8.11.0,true,check,check.rationale,keyword,custom,,"""The longer a user uses the same password, the more likely it is that the password will be compromised.""",The reason for the check. Why it is important.
8.11.0,true,check,check.reason,keyword,custom,,"""The password history setting is not set to 24 or more password(s).""",Reason for the check result.
8.11.0,true,check,check.references,keyword,custom,array,"[""https://workbench.cisecurity.org""]",References for the check.
8.11.0,true,check,check.remediation,keyword,custom,,"""To establish the recommended configuration, set the following registry value to 24 or more password(s):""",Actions to take to remediate the check.
8.11.0,true,check,check.result,keyword,custom,,failed,Result of the check.
8.11.0,true,check,check.rules,keyword,custom,array,"""[\""c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0\"","" > ""\""c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24\""]""",Rules to be evaluated.
8.11.0,true,client,client.address,keyword,extended,,,Client network address.
8.11.0,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
8.11.0,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
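Review bot: several of the new `check.*` example values are not clean samples: `check.description`, `check.rationale`, `check.reason` and `check.remediation` carry literal surrounding double quotes (the `"""..."""` CSV escaping), unlike `check.name`, and `check.rules` is not a parseable JSON array because a stray ` > ` sits between its two elements (`\"," > "\"`). This file is generated from the field YAML, so fix the `example:` scalars there (drop the inner quotes and the `>`) and regenerate rather than hand-editing the CSV.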
@ -674,6 +685,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,package,package.size,long,extended,,62231,Package size in bytes.
8.11.0,true,package,package.type,keyword,extended,,rpm,Package type
8.11.0,true,package,package.version,keyword,extended,,1.12.9,Package version
8.11.0,true,policy,policy.description,keyword,custom,,"""The CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is a comprehensive security configuration guide that provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Windows 11 Enterprise.""",Extended description of the policy.
8.11.0,true,policy,policy.file,keyword,custom,,cis_win11_enterprise.yml,The file name of the SCA policy.
8.11.0,true,policy,policy.id,keyword,custom,,cis_win11_enterprise_21H2,The ID of the SCA policy.
8.11.0,true,policy,policy.name,keyword,custom,,CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0,The name of the SCA policy.
8.11.0,true,policy,policy.references,keyword,custom,array,"[""https://www.cisecurity.org/cis-benchmarks/""]",References for the policy.
8.11.0,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
8.11.0,true,process,process.args_count,long,extended,,4,Length of the process.args array.
8.11.0,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
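Review bot: the `policy.description` example has the same literal-quote problem as the check examples (`"""The CIS ...""""`), while `policy.name`, `policy.file` and `policy.id` are unquoted and should be the model; fix it in the source YAML and regenerate. The rest of the set is consistent: `policy.references` is normalized as an array like `check.references`.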



@ -0,0 +1,99 @@
---
- name: check
title: SCA policy check
description: >
Custom fields for SCA policy check.
type: group
group: 2
fields:
- name: id
type: keyword
level: custom
description: The ID of the SCA policy check.
example: "26000"
- name: name
type: keyword
level: custom
description: The name of the SCA policy check.
example: "Ensure 'Enforce password history' is set to '24 or more password(s)'."
- name: description
type: keyword
level: custom
description: Extended description of the check.
example: >
"The password history setting determines the number of unique new passwords a user must use before an old password can be reused."
- name: rationale
type: keyword
level: custom
description: The reason for the check. Why it is important.
example: >
"The longer a user uses the same password, the more likely it is that the password will be compromised."
- name: remediation
type: keyword
level: custom
description: Actions to take to remediate the check.
example: >
"To establish the recommended configuration, set the following registry value to 24 or more password(s):"
- name: references
type: keyword
level: custom
short: References for the check.
description: >
References for the check. This can include links to documentation, articles, or other resources that provide additional information about the check, such as Common Configuration Enumeration (CCE).
Note: this field should contain an array of values.
normalize:
- array
example: '["https://workbench.cisecurity.org"]'
- name: condition
type: keyword
level: custom
short: Relationship between the rules.
description: >
Describes the relationship between the rules. This field indicates how the rules should be evaluated to determine the overall result of the check.
The allowed values are:
- `all`: All rules must be satisfied.
- `any`: Any of the rules is sufficient.
- `none`: None of the rules must be satisfied.
example: "all"
- name: compliance
type: keyword
level: custom
short: CIS compliance standard.
description: >
CIS compliance standard under which the check is defined. This field indicates the specific compliance standard that the check is associated with, such as CIS benchmarks or other compliance frameworks.
Note: this field should contain an array of values.
normalize:
- array
example: '["cis:1.1.1","cis_csc:5.2"]'
- name: rules
type: keyword
level: custom
short: Rules to be evaluated.
description: >
Expression to be evaluated. This field contains the specific rules or expressions that need to be evaluated to determine the result of the check. The rules are typically defined using a specific syntax or format that allows for logical comparisons and evaluations.
The rules can include various conditions, operators, and values that are used to assess the compliance status of the system or configuration being checked.
Note: this field should contain an array of values.
normalize:
- array
example: >
"[\"c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0\"," >
"\"c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24\"]"
- name: result
type: keyword
level: custom
short: Result of the check.
description: >
The result of the check. This field indicates whether the check passed or failed based on the evaluation of the rules. The result is typically represented as a boolean value, where "passed" indicates that the check was successful and "failed" indicates that the check did not meet the specified criteria.
example: "failed"
- name: reason
type: keyword
level: custom
short: Reason for the check result.
description: >
The reason for the check result. This field provides additional information or context about the result of the check. It may include details about why the check passed or failed, any specific conditions that were not met, or any other relevant information that helps to understand the outcome of the check.
example: >
"The password history setting is not set to 24 or more password(s)."
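Review bot: the `result` description contradicts the field definition: it says the result "is typically represented as a boolean value", but the field is a `keyword` whose example is the string `failed`; enumerate the allowed string values the agent actually emits so dashboards and detection rules can filter on them exactly. Two smaller issues in the same block: the `example: >` folded scalars for `description`, `rationale`, `remediation` and `reason` wrap their text in double quotes, which become part of the generated example, and the `rules` example has a trailing `>` on its first line that ends up inside the value. The `condition` text "`none`: None of the rules must be satisfied" is also ambiguous; "the check passes only if no rule is satisfied" says what is meant.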


@ -0,0 +1,40 @@
---
- name: policy
title: SCA policies
description: >
Custom fields for SCA policies.
type: group
group: 2
fields:
- name: id
type: keyword
level: custom
description: The ID of the SCA policy.
example: "cis_win11_enterprise_21H2"
- name: name
type: keyword
level: custom
description: The name of the SCA policy.
example: "CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0"
- name: file
type: keyword
level: custom
description: The file name of the SCA policy.
example: "cis_win11_enterprise.yml"
- name: description
type: keyword
level: custom
description: Extended description of the policy.
example: >
"The CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is a comprehensive security configuration guide that provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Windows 11 Enterprise."
- name: references
type: keyword
level: custom
short: References for the policy.
description: >
References for the policy. This can include links to documentation, articles, or other resources that provide additional information about the policy, such as Common Configuration Enumeration (CCE).
Note: this field should contain an array of values.
normalize:
- array
example: '["https://www.cisecurity.org/cis-benchmarks/"]'
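Review bot: the `references` description is copied from `check.references`, including "such as Common Configuration Enumeration (CCE)"; CCE identifiers label individual configuration checks, not a whole policy, and the example here is a benchmark URL, so reword it to describe policy-level references (benchmark or standard pages). As in the check definitions, the `example: >` scalar for `description` wraps its text in double quotes that become part of the generated example.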


@ -45,6 +45,8 @@ fields:
id: {}
name: {}
roles: {}
check:
fields: "*"
cloud:
fields: "*"
code_signature:
@ -134,6 +136,8 @@ fields:
fields: "*"
pe:
fields: "*"
policy:
fields: "*"
process:
fields:
args: {}


@ -81,6 +81,7 @@ detect_modified_modules() {
[states-inventory-processes]="index-template-processes.json"
[states-inventory-scheduled-commands]="index-template-scheduled-commands.json"
[states-inventory-system]="index-template-system.json"
[states-sca]="index-template-sca.json"
[states-vulnerabilities]="index-template-vulnerabilities.json"
[users]="index-template-users.json"
[cve]="index-template-cve.json"


@ -0,0 +1,7 @@
## `wazuh-states-sca` index data model
### Fields summary
The fields are based on https://github.com/wazuh/wazuh-indexer-plugins/issues/351#issue-2956934075
The detail of the fields can be found in csv file [SCA Fields](fields.csv).
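Review bot: the "Fields summary" section contains no summary, it only points to the issue and to `fields.csv`; list the field groups this index uses (`base`, `agent`, `host`, `check`, `policy`) with one line each and link the `check` and `policy` definition files, so the data model is readable without opening the CSV. Minor wording: "in csv file" should read "in the CSV file".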


@ -0,0 +1,106 @@
ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
8.11.0,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
8.11.0,true,agent,agent.groups,keyword,custom,array,"[""group1"", ""group2""]",List of groups the agent belongs to.
8.11.0,true,agent,agent.host.architecture,keyword,core,,x86_64,Operating system architecture.
8.11.0,true,agent,agent.host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id
8.11.0,true,agent,agent.host.cpu.usage,float,extended,,,"Percent CPU used, between 0 and 1."
8.11.0,true,agent,agent.host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
8.11.0,true,agent,agent.host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
8.11.0,true,agent,agent.host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
8.11.0,true,agent,agent.host.geo.city_name,keyword,core,,Montreal,City name.
8.11.0,true,agent,agent.host.geo.continent_code,keyword,core,,NA,Continent code.
8.11.0,true,agent,agent.host.geo.continent_name,keyword,core,,North America,Name of the continent.
8.11.0,true,agent,agent.host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
8.11.0,true,agent,agent.host.geo.country_name,keyword,core,,Canada,Country name.
8.11.0,true,agent,agent.host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
8.11.0,true,agent,agent.host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
8.11.0,true,agent,agent.host.geo.postal_code,keyword,core,,94040,Postal code.
8.11.0,true,agent,agent.host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
8.11.0,true,agent,agent.host.geo.region_name,keyword,core,,Quebec,Region name.
8.11.0,true,agent,agent.host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
8.11.0,true,agent,agent.host.hostname,keyword,core,,,Hostname of the host.
8.11.0,true,agent,agent.host.id,keyword,core,,,Unique host id.
8.11.0,true,agent,agent.host.ip,ip,core,array,,Host ip addresses.
8.11.0,true,agent,agent.host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
8.11.0,true,agent,agent.host.name,keyword,core,,,Name of the host.
8.11.0,true,agent,agent.host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
8.11.0,true,agent,agent.host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
8.11.0,true,agent,agent.host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
8.11.0,true,agent,agent.host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
8.11.0,true,agent,agent.host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
8.11.0,true,agent,agent.host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
8.11.0,true,agent,agent.host.os.full.text,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
8.11.0,true,agent,agent.host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
8.11.0,true,agent,agent.host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
8.11.0,true,agent,agent.host.os.name.text,keyword,extended,,Mac OS X,"Operating system name, without the version."
8.11.0,true,agent,agent.host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
8.11.0,true,agent,agent.host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."
8.11.0,true,agent,agent.host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
8.11.0,true,agent,agent.host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode
8.11.0,true,agent,agent.host.type,keyword,core,,,Type of host.
8.11.0,true,agent,agent.host.uptime,long,extended,,1325,Seconds the host has been up.
8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.11.0,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.11.0,true,check,check.compliance,keyword,custom,array,"[""cis:1.1.1"",""cis_csc:5.2""]",CIS compliance standard.
8.11.0,true,check,check.condition,keyword,custom,,all,Relationship between the rules.
8.11.0,true,check,check.description,keyword,custom,,"""The password history setting determines the number of unique new passwords a user must use before an old password can be reused.""",Extended description of the check.
8.11.0,true,check,check.id,keyword,custom,,26000,The ID of the SCA policy check.
8.11.0,true,check,check.name,keyword,custom,,Ensure 'Enforce password history' is set to '24 or more password(s)'.,The name of the SCA policy check.
8.11.0,true,check,check.rationale,keyword,custom,,"""The longer a user uses the same password, the more likely it is that the password will be compromised.""",The reason for the check. Why it is important.
8.11.0,true,check,check.reason,keyword,custom,,"""The password history setting is not set to 24 or more password(s).""",Reason for the check result.
8.11.0,true,check,check.references,keyword,custom,array,"[""https://workbench.cisecurity.org""]",References for the check.
8.11.0,true,check,check.remediation,keyword,custom,,"""To establish the recommended configuration, set the following registry value to 24 or more password(s):""",Actions to take to remediate the check.
8.11.0,true,check,check.result,keyword,custom,,failed,Result of the check.
8.11.0,true,check,check.rules,keyword,custom,array,"""[\""c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0\"","" > ""\""c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24\""]""",Rules to be evaluated.
8.11.0,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
8.11.0,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id
8.11.0,true,host,host.cpu.usage,float,extended,,,"Percent CPU used, between 0 and 1."
8.11.0,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
8.11.0,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
8.11.0,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
8.11.0,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
8.11.0,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
8.11.0,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
8.11.0,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
8.11.0,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
8.11.0,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
8.11.0,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
8.11.0,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
8.11.0,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
8.11.0,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
8.11.0,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
8.11.0,true,host,host.hostname,keyword,core,,,Hostname of the host.
8.11.0,true,host,host.id,keyword,core,,,Unique host id.
8.11.0,true,host,host.ip,ip,core,array,,Host ip addresses.
8.11.0,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
8.11.0,true,host,host.name,keyword,core,,,Name of the host.
8.11.0,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
8.11.0,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
8.11.0,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
8.11.0,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
8.11.0,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
8.11.0,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
8.11.0,true,host,host.os.full.text,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
8.11.0,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
8.11.0,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
8.11.0,true,host,host.os.name.text,keyword,extended,,Mac OS X,"Operating system name, without the version."
8.11.0,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
8.11.0,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."
8.11.0,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
8.11.0,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode
8.11.0,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
8.11.0,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
8.11.0,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
8.11.0,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
8.11.0,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
8.11.0,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
8.11.0,true,host,host.type,keyword,core,,,Type of host.
8.11.0,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
8.11.0,true,policy,policy.description,keyword,custom,,"""The CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is a comprehensive security configuration guide that provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Windows 11 Enterprise.""",Extended description of the policy.
8.11.0,true,policy,policy.file,keyword,custom,,cis_win11_enterprise.yml,The file name of the SCA policy.
8.11.0,true,policy,policy.id,keyword,custom,,cis_win11_enterprise_21H2,The ID of the SCA policy.
8.11.0,true,policy,policy.name,keyword,custom,,CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0,The name of the SCA policy.
8.11.0,true,policy,policy.references,keyword,custom,array,"[""https://www.cisecurity.org/cis-benchmarks/""]",References for the policy.
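Review bot: the host description is mapped twice: every `agent.host.*` field (architecture, boot.id, geo.*, os.*, network.*, uptime) is repeated as `host.*`, with only `host.risk.*` lacking an `agent.host.` counterpart. State which prefix SCA state documents actually populate and drop the other, or document why both are needed; duplicate mappings double the template's field count without adding anything queryable. The `check.*` and `policy.*` rows carry the same literal-quote and `\"," > "\"` example artifacts as the alerts CSV and should be fixed in the shared YAML before regenerating.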
44 8.11.0 true agent agent.name keyword core foo Custom name of the agent.
45 8.11.0 true agent agent.type keyword core filebeat Type of the agent.
46 8.11.0 true agent agent.version keyword core 6.0.0-rc2 Version of the agent.
47 8.11.0 true check check.compliance keyword custom array ["cis:1.1.1","cis_csc:5.2"] CIS compliance standard.
48 8.11.0 true check check.condition keyword custom all Relationship between the rules.
49 8.11.0 true check check.description keyword custom "The password history setting determines the number of unique new passwords a user must use before an old password can be reused." Extended description of the check.
50 8.11.0 true check check.id keyword custom 26000 The ID of the SCA policy check.
51 8.11.0 true check check.name keyword custom Ensure 'Enforce password history' is set to '24 or more password(s)'. The name of the SCA policy check.
52 8.11.0 true check check.rationale keyword custom "The longer a user uses the same password, the more likely it is that the password will be compromised." The reason for the check. Why it is important.
53 8.11.0 true check check.reason keyword custom "The password history setting is not set to 24 or more password(s)." Reason for the check result.
54 8.11.0 true check check.references keyword custom array ["https://workbench.cisecurity.org"] References for the check.
55 8.11.0 true check check.remediation keyword custom "To establish the recommended configuration, set the following registry value to 24 or more password(s):" Actions to take to remediate the check.
56 8.11.0 true check check.result keyword custom failed Result of the check.
57 8.11.0 true check check.rules keyword custom array "[\"c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0\"," > "\"c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24\"]" Rules to be evaluated.
58 8.11.0 true host host.architecture keyword core x86_64 Operating system architecture.
59 8.11.0 true host host.boot.id keyword extended 88a1f0ed-5ae5-41ee-af6b-41921c311872 Linux boot uuid taken from /proc/sys/kernel/random/boot_id
60 8.11.0 true host host.cpu.usage float extended Percent CPU used, between 0 and 1.
61 8.11.0 true host host.disk.read.bytes long extended The number of bytes read by all disks.
62 8.11.0 true host host.disk.write.bytes long extended The number of bytes written on all disks.
63 8.11.0 true host host.domain keyword extended CONTOSO Name of the directory the group is a member of.
64 8.11.0 true host host.geo.city_name keyword core Montreal City name.
65 8.11.0 true host host.geo.continent_code keyword core NA Continent code.
66 8.11.0 true host host.geo.continent_name keyword core North America Name of the continent.
67 8.11.0 true host host.geo.country_iso_code keyword core CA Country ISO code.
68 8.11.0 true host host.geo.country_name keyword core Canada Country name.
69 8.11.0 true host host.geo.location geo_point core { "lon": -73.614830, "lat": 45.505918 } Longitude and latitude.
70 8.11.0 true host host.geo.name keyword extended boston-dc User-defined description of a location.
71 8.11.0 true host host.geo.postal_code keyword core 94040 Postal code.
72 8.11.0 true host host.geo.region_iso_code keyword core CA-QC Region ISO code.
73 8.11.0 true host host.geo.region_name keyword core Quebec Region name.
74 8.11.0 true host host.geo.timezone keyword core America/Argentina/Buenos_Aires Time zone.
75 8.11.0 true host host.hostname keyword core Hostname of the host.
76 8.11.0 true host host.id keyword core Unique host id.
77 8.11.0 true host host.ip ip core array Host ip addresses.
78 8.11.0 true host host.mac keyword core array ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] Host MAC addresses.
79 8.11.0 true host host.name keyword core Name of the host.
80 8.11.0 true host host.network.egress.bytes long extended The number of bytes sent on all network interfaces.
81 8.11.0 true host host.network.egress.packets long extended The number of packets sent on all network interfaces.
82 8.11.0 true host host.network.ingress.bytes long extended The number of bytes received on all network interfaces.
83 8.11.0 true host host.network.ingress.packets long extended The number of packets received on all network interfaces.
84 8.11.0 true host host.os.family keyword extended debian OS family (such as redhat, debian, freebsd, windows).
85 8.11.0 true host host.os.full keyword extended Mac OS Mojave Operating system name, including the version or code name.
86 8.11.0 true host host.os.full.text keyword extended Mac OS Mojave Operating system name, including the version or code name.
87 8.11.0 true host host.os.kernel keyword extended 4.4.0-112-generic Operating system kernel version as a raw string.
88 8.11.0 true host host.os.name keyword extended Mac OS X Operating system name, without the version.
89 8.11.0 true host host.os.name.text keyword extended Mac OS X Operating system name, without the version.
90 8.11.0 true host host.os.platform keyword extended darwin Operating system platform (such centos, ubuntu, windows).
91 8.11.0 true host host.os.type keyword extended macos Which commercial OS family (one of: linux, macos, unix, windows, ios or android).
92 8.11.0 true host host.os.version keyword extended 10.14.1 Operating system version as a raw string.
93 8.11.0 true host host.pid_ns_ino keyword extended 256383 Pid namespace inode
94 8.11.0 true host host.risk.calculated_level keyword extended High A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
95 8.11.0 true host host.risk.calculated_score float extended 880.73 A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
96 8.11.0 true host host.risk.calculated_score_norm float extended 88.73 A normalized risk score calculated by an internal system.
97 8.11.0 true host host.risk.static_level keyword extended High A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.
98 8.11.0 true host host.risk.static_score float extended 830.0 A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.
99 8.11.0 true host host.risk.static_score_norm float extended 83.0 A normalized risk score calculated by an external system.
100 8.11.0 true host host.type keyword core Type of host.
101 8.11.0 true host host.uptime long extended 1325 Seconds the host has been up.
102 8.11.0 true policy policy.description keyword custom "The CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is a comprehensive security configuration guide that provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Windows 11 Enterprise." Extended description of the policy.
103 8.11.0 true policy policy.file keyword custom cis_win11_enterprise.yml The file name of the SCA policy.
104 8.11.0 true policy policy.id keyword custom cis_win11_enterprise_21H2 The ID of the SCA policy.
105 8.11.0 true policy policy.name keyword custom CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 The name of the SCA policy.
106 8.11.0 true policy policy.references keyword custom array ["https://www.cisecurity.org/cis-benchmarks/"] References for the policy.
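Review bot: the example on the `check.rules` row is not a valid JSON array: it reads `"[\"c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0\"," > "\"c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24\"]"`, with a stray `" > "` spliced between the two elements. This CSV is generated from the `check.yml` field definition further down, which contains the same splice in its folded `example:` scalar, so fix it there and regenerate rather than editing the CSV. While regenerating, reconcile the examples with the event generator in this PR: the CSV gives `check.result` as `failed` (with `passed` as the other value) but the generator emits `pass`; `agent.host.cpu.usage` and `host.cpu.usage` are documented as a fraction "between 0 and 1" but the generator produces `random.uniform(0, 100)`; and `check.id` is documented as a numeric `26000` while the generator emits `check1234`. Test data that does not match the documented shapes will not exercise the mapping the way real SCA events will.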

View File

@ -0,0 +1,219 @@
#!/bin/python3
import argparse
import datetime
import json
import logging
import random
import requests
import urllib3
# Constants and Configuration
LOG_FILE = 'generate_data.log'
GENERATED_DATA_FILE = 'generatedData.json'
DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
# Default values
INDEX_NAME = "wazuh-states-sca"
USERNAME = "admin"
PASSWORD = "admin"
IP = "127.0.0.1"
PORT = "9200"
# Configure logging
logging.basicConfig(filename=LOG_FILE, level=logging.INFO)
# Suppress warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def generate_random_date():
start_date = datetime.datetime.now()
end_date = start_date - datetime.timedelta(days=10)
random_date = start_date + (end_date - start_date) * random.random()
return random_date.strftime(DATE_FORMAT)
def generate_random_agent():
agent = {
'id': f'agent{random.randint(0, 99)}',
'name': f'Agent{random.randint(0, 99)}',
'type': random.choice(['filebeat', 'windows', 'linux', 'macos']),
'version': f'v{random.randint(0, 9)}-stable',
'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'],
'host': generate_random_host(False)
}
return agent
def generate_random_host(is_root_level=False):
if is_root_level:
host = {
'architecture': random.choice(['x86_64', 'arm64']),
'hostname': f'host{random.randint(0, 1000)}',
'os': {
'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}',
'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}',
'name': random.choice(['Linux', 'Windows', 'macOS']),
'platform': random.choice(['platform1', 'platform2']),
'type': random.choice(['os_type1', 'os_type2']),
'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}'
}
}
else:
family = random.choice(
['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL'])
version = f'{random.randint(0, 99)}.{random.randint(0, 99)}'
host = {
'architecture': random.choice(['x86_64', 'arm64']),
'boot': {
'id': f'boot{random.randint(0, 9999)}'
},
'cpu': {
'usage': random.uniform(0, 100)
},
'disk': {
'read': {
'bytes': random.randint(0, 1000000)
},
'write': {
'bytes': random.randint(0, 1000000)
}
},
'domain': f'domain{random.randint(0, 999)}',
'geo': {
'city_name': random.choice(['San Francisco', 'New York', 'Berlin', 'Tokyo']),
'continent_code': random.choice(['NA', 'EU', 'AS']),
'continent_name': random.choice(['North America', 'Europe', 'Asia']),
'country_iso_code': random.choice(['US', 'DE', 'JP']),
'country_name': random.choice(['United States', 'Germany', 'Japan']),
'location': {
'lat': round(random.uniform(-90.0, 90.0), 6),
'lon': round(random.uniform(-180.0, 180.0), 6)
},
'name': f'geo{random.randint(0, 999)}',
'postal_code': f'{random.randint(10000, 99999)}',
'region_iso_code': f'region{random.randint(0, 999)}',
'region_name': f'Region {random.randint(0, 999)}',
'timezone': random.choice(['PST', 'EST', 'CET', 'JST'])
},
'hostname': f'host{random.randint(0, 9999)}',
'id': f'hostid{random.randint(0, 9999)}',
'ip': f'{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}',
'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}',
'name': f'hostname{random.randint(0, 9999)}',
'network': {
'egress': {
'bytes': random.randint(0, 1000000),
'packets': random.randint(0, 1000000)
},
'ingress': {
'bytes': random.randint(0, 1000000),
'packets': random.randint(0, 1000000)
}
},
'os': {
'family': family,
'full': f'{family} {version}',
'kernel': f'kernel{random.randint(0, 999)}',
'name': family,
'platform': random.choice(['linux', 'windows', 'macos']),
'type': family,
'version': version
},
'pid_ns_ino': f'{random.randint(1000000, 9999999)}',
'uptime': random.randint(0, 1000000)
}
return host
def generate_random_policy():
policy = {
'id': f'policy{random.randint(0, 999)}',
'name': f'Policy {random.randint(0, 999)}',
'file': f'policy{random.randint(0, 999)}.yml',
'description': 'Generated policy description.',
'references': [f'https://example.com/policy{random.randint(0, 999)}']
}
return policy
def generate_random_check():
check = {
'id': f'check{random.randint(0, 9999)}',
'name': 'Check Example',
'description': 'Generated check description.',
'rationale': 'Generated rationale.',
'remediation': 'Generated remediation.',
'references': [f'https://example.com/check{random.randint(0, 9999)}'],
'condition': 'all',
'compliance': [f'cis:{random.randint(1, 10)}.{random.randint(1, 10)}.{random.randint(1, 10)}'],
'rules': [f'Rule {random.randint(1, 100)}', f'Rule {random.randint(1, 100)}'],
'result': 'pass',
'reason': 'Randomly passed.'
}
return check
def generate_random_data(number):
data = []
for _ in range(number):
event_data = {
'@timestamp': generate_random_date(),
'agent': generate_random_agent(),
'host': generate_random_host(),
'policy': generate_random_policy(),
'check': generate_random_check()
}
data.append(event_data)
return data
def inject_events(protocol, ip, port, index, username, password, data):
url = f'{protocol}://{ip}:{port}/{index}/_doc'
session = requests.Session()
session.auth = (username, password)
session.verify = False
headers = {'Content-Type': 'application/json'}
try:
for event_data in data:
response = session.post(url, json=event_data, headers=headers)
if response.status_code != 201:
logging.error(f'Error: {response.status_code}')
logging.error(response.text)
break
logging.info('Data injection completed successfully.')
except Exception as e:
logging.error(f'Error: {str(e)}')
def main():
parser = argparse.ArgumentParser(
description="Generate and optionally inject events into an OpenSearch index or Command Manager."
)
parser.add_argument(
"--protocol",
choices=['http', 'https'],
default='https',
help="Specify the protocol to use: http or https."
)
args = parser.parse_args()
try:
number = int(input("How many events do you want to generate? "))
except ValueError:
logging.error("Invalid input. Please enter a valid number.")
return
logging.info(f"Generating {number} events...")
data = generate_random_data(number)
with open(GENERATED_DATA_FILE, 'a') as outfile:
for event_data in data:
json.dump(event_data, outfile)
outfile.write('\n')
logging.info('Data generation completed.')
if input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() == 'y':
ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP
port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT
index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME
username = input(f"Username (default: '{USERNAME}'): ") or USERNAME
password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD
inject_events(args.protocol, ip, port, index, username, password, data)
if __name__ == "__main__":
main()
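Review bot: `inject_events` reports success after a failure: the loop `break`s on the first non-201 response, but `logging.info('Data injection completed successfully.')` sits after the loop inside the `try`, so it is logged either way. Move it into a `for ... else:` clause, or `return` from the error branch. Second, the `is_root_level=True` branch of `generate_random_host` is dead code: `generate_random_data` calls `generate_random_host()` with the default `False` and `generate_random_agent` passes `False` explicitly, so the top-level `host` never takes the reduced shape; either drop the branch or call `generate_random_host(True)` for the root `host`. Several generated values also disagree with the field definitions this PR adds: `'result': 'pass'` where the documented values are `passed`/`failed`, `'usage': random.uniform(0, 100)` where `host.cpu.usage` is "between 0 and 1", `'id': f'check{...}'` where the example is `26000`, and `timezone` drawn from `['PST', 'EST', 'CET', 'JST']` where the example is an IANA name (`America/Argentina/Buenos_Aires`). With `"dynamic": "strict"` these pass ingestion, so the generator will not catch them, which is why they should match the docs. Smaller points: the argparse description still reads "OpenSearch index or Command Manager", copied from another generator; `password = input(...)` echoes the credential, `getpass.getpass` is the usual choice; and the `session.verify = False` plus `disable_warnings` and the `admin`/`admin` defaults are acceptable for a lab script but deserve a one-line comment saying they are for local testing only. The shebang `#!/bin/python3` is also non-portable; `#!/usr/bin/env python3` matches the other scripts' convention.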

View File

@ -0,0 +1,15 @@
---
- name: agent
title: Wazuh Agents
short: Wazuh Inc. custom fields.
type: group
group: 2
fields:
- name: groups
type: keyword
level: custom
description: >
List of groups the agent belongs to.
normalize:
- array
example: "[\"group1\", \"group2\"]"
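Review bot: style: this group declares `short:` but no `description:`, while the `check` and `policy` groups added in the same PR use `description:`; in ECS field-set definitions `description` is the required attribute and `short` the optional one-line form, so add a `description` here (the `short` text "Wazuh Inc. custom fields." also says nothing about agents). Keeping the three custom groups on the same attribute set also keeps the generated documentation table consistent.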

View File

@ -0,0 +1,99 @@
---
- name: check
title: SCA policy check
description: >
Custom fields for SCA policy check.
type: group
group: 2
fields:
- name: id
type: keyword
level: custom
description: The ID of the SCA policy check.
example: "26000"
- name: name
type: keyword
level: custom
description: The name of the SCA policy check.
example: "Ensure 'Enforce password history' is set to '24 or more password(s)'."
- name: description
type: keyword
level: custom
description: Extended description of the check.
example: >
"The password history setting determines the number of unique new passwords a user must use before an old password can be reused."
- name: rationale
type: keyword
level: custom
description: The reason for the check. Why it is important.
example: >
"The longer a user uses the same password, the more likely it is that the password will be compromised."
- name: remediation
type: keyword
level: custom
description: Actions to take to remediate the check.
example: >
"To establish the recommended configuration, set the following registry value to 24 or more password(s):"
- name: references
type: keyword
level: custom
short: References for the check.
description: >
References for the check. This can include links to documentation, articles, or other resources that provide additional information about the check, such as Common Configuration Enumeration (CCE).
Note: this field should contain an array of values.
normalize:
- array
example: '["https://workbench.cisecurity.org"]'
- name: condition
type: keyword
level: custom
short: Relationship between the rules.
description: >
Describes the relationship between the rules. This field indicates how the rules should be evaluated to determine the overall result of the check.
The allowed values are:
- `all`: All rules must be satisfied.
- `any`: Any of the rules is sufficient.
- `none`: None of the rules must be satisfied.
example: "all"
- name: compliance
type: keyword
level: custom
short: CIS compliance standard.
description: >
CIS compliance standard under which the check is defined. This field indicates the specific compliance standard that the check is associated with, such as CIS benchmarks or other compliance frameworks.
Note: this field should contain an array of values.
normalize:
- array
example: '["cis:1.1.1","cis_csc:5.2"]'
- name: rules
type: keyword
level: custom
short: Rules to be evaluated.
description: >
Expression to be evaluated. This field contains the specific rules or expressions that need to be evaluated to determine the result of the check. The rules are typically defined using a specific syntax or format that allows for logical comparisons and evaluations.
The rules can include various conditions, operators, and values that are used to assess the compliance status of the system or configuration being checked.
Note: this field should contain an array of values.
normalize:
- array
example: >
"[\"c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0\"," >
"\"c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24\"]"
- name: result
type: keyword
level: custom
short: Result of the check.
description: >
The result of the check. This field indicates whether the check passed or failed based on the evaluation of the rules. The result is typically represented as a boolean value, where "passed" indicates that the check was successful and "failed" indicates that the check did not meet the specified criteria.
example: "failed"
- name: reason
type: keyword
level: custom
short: Reason for the check result.
description: >
The reason for the check result. This field provides additional information or context about the result of the check. It may include details about why the check passed or failed, any specific conditions that were not met, or any other relevant information that helps to understand the outcome of the check.
example: >
"The password history setting is not set to 24 or more password(s)."

View File

@ -0,0 +1,6 @@
---
- name: host
reusable:
top_level: true
expected:
- { at: agent, as: host }

View File

@ -0,0 +1,6 @@
---
- name: os
reusable:
top_level: false
expected:
- agent.host

View File

@ -0,0 +1,40 @@
---
- name: policy
title: SCA policies
description: >
Custom fields for SCA policies.
type: group
group: 2
fields:
- name: id
type: keyword
level: custom
description: The ID of the SCA policy.
example: "cis_win11_enterprise_21H2"
- name: name
type: keyword
level: custom
description: The name of the SCA policy.
example: "CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0"
- name: file
type: keyword
level: custom
description: The file name of the SCA policy.
example: "cis_win11_enterprise.yml"
- name: description
type: keyword
level: custom
description: Extended description of the policy.
example: >
"The CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is a comprehensive security configuration guide that provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Windows 11 Enterprise."
- name: references
type: keyword
level: custom
short: References for the policy.
description: >
References for the policy. This can include links to documentation, articles, or other resources that provide additional information about the policy, such as Common Configuration Enumeration (CCE).
Note: this field should contain an array of values.
normalize:
- array
example: '["https://www.cisecurity.org/cis-benchmarks/"]'

View File

@ -0,0 +1,4 @@
{
"dynamic": "strict",
"date_detection": false
}

View File

@ -0,0 +1,23 @@
---
name: wazuh-states-sca
fields:
base:
fields:
tags: []
"@timestamp": {}
agent:
fields:
groups: {}
id: {}
name: {}
type: {}
version: {}
host:
fields: "*"
check:
fields: "*"
host:
fields: "*"
policy:
fields: "*"

View File

@ -0,0 +1,23 @@
{
"index_patterns": ["wazuh-states-sca*"],
"order": 1,
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
"check.name",
"check.id",
"host.name",
"host.os.type",
"host.os.version",
"policy.id",
"policy.name",
"policy.file"
]
}
}
}
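Review bot: `"number_of_replicas": "0"` is fine for a single-node lab but is a data-loss default on a multi-node cluster: with zero replicas, the loss of the node holding the single primary shard loses the whole `wazuh-states-sca` index. Either leave `number_of_replicas` unset so the cluster default applies, or document that this template is a development default that deployments are expected to override. Also `"order": 1` is only one step above the legacy default of `0`, so any broader legacy template a user installs for `wazuh-*` with a higher order will silently override these settings, including `query.default_field`.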

View File

@ -0,0 +1,25 @@
{
"index_patterns": ["wazuh-states-sca*"],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
"check.name",
"check.id",
"host.name",
"host.os.type",
"host.os.version",
"policy.id",
"policy.name",
"policy.file"
]
}
}
}
}
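Review bot: this composable template (`priority`) carries only `settings` and no `mappings`, whereas the legacy-format template with the full `dynamic: strict` mappings for `wazuh-states-sca*` (the 510-line file with `"order": 1` at the end of this PR) does. In OpenSearch a composable template takes precedence over a legacy template that matches the same index, so if both are ever loaded the index is created from this one and the strict mapping is never applied; if, as the identical `query.default_field` list suggests, these two settings files are only inputs to the ECS generator, the plugin should still be explicit about which generated form `index-template-sca` refers to. Keep one template format for the index pattern, or add the `mappings` block here too. The same `number_of_replicas: "0"` caveat applies as for the legacy settings file.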

View File

@ -75,6 +75,7 @@ public class WazuhIndices {
this.indexTemplates.put(
"index-template-users", List.of("wazuh-internal-users", "wazuh-custom-users"));
this.indexTemplates.put("index-template-cve", List.of("wazuh-cve"));
this.indexTemplates.put("index-template-sca", List.of("wazuh-states-sca"));
}
/**

View File

@ -283,6 +283,54 @@
}
}
},
"check": {
"properties": {
"compliance": {
"ignore_above": 1024,
"type": "keyword"
},
"condition": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"rationale": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"references": {
"ignore_above": 1024,
"type": "keyword"
},
"remediation": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"rules": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"client": {
"properties": {
"address": {
@ -3057,6 +3105,30 @@
}
}
},
"policy": {
"properties": {
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"references": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"process": {
"properties": {
"args": {

View File

@ -0,0 +1,510 @@
{
"index_patterns": [
"wazuh-states-sca*"
],
"mappings": {
"date_detection": false,
"dynamic": "strict",
"properties": {
"@timestamp": {
"type": "date"
},
"agent": {
"properties": {
"groups": {
"ignore_above": 1024,
"type": "keyword"
},
"host": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"boot": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"cpu": {
"properties": {
"usage": {
"type": "float"
}
}
},
"disk": {
"properties": {
"read": {
"properties": {
"bytes": {
"type": "long"
}
}
},
"write": {
"properties": {
"bytes": {
"type": "long"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"network": {
"properties": {
"egress": {
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
},
"ingress": {
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
}
}
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pid_ns_ino": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"check": {
"properties": {
"compliance": {
"ignore_above": 1024,
"type": "keyword"
},
"condition": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"rationale": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"references": {
"ignore_above": 1024,
"type": "keyword"
},
"remediation": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"rules": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"host": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"boot": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"cpu": {
"properties": {
"usage": {
"type": "float"
}
}
},
"disk": {
"properties": {
"read": {
"properties": {
"bytes": {
"type": "long"
}
}
},
"write": {
"properties": {
"bytes": {
"type": "long"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"network": {
"properties": {
"egress": {
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
},
"ingress": {
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
}
}
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pid_ns_ino": {
"ignore_above": 1024,
"type": "keyword"
},
"risk": {
"properties": {
"calculated_level": {
"ignore_above": 1024,
"type": "keyword"
},
"calculated_score": {
"type": "float"
},
"calculated_score_norm": {
"type": "float"
},
"static_level": {
"ignore_above": 1024,
"type": "keyword"
},
"static_score": {
"type": "float"
},
"static_score_norm": {
"type": "float"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
}
}
},
"policy": {
"properties": {
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"references": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"order": 1,
"settings": {
"index": {
"number_of_replicas": "0",
"number_of_shards": "1",
"query.default_field": [
"agent.id",
"agent.groups",
"check.name",
"check.id",
"host.name",
"host.os.type",
"host.os.version",
"policy.id",
"policy.name",
"policy.file"
],
"refresh_interval": "5s"
}
}
}
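Review bot: this is the legacy form of the template (`"order": 1`, top-level `mappings` and `settings`), and the composable form added in the same PR has no `mappings`; because composable templates take precedence over legacy ones in OpenSearch, the `dynamic: strict` mapping shown here is only guaranteed if exactly one of the two is installed, so the `index-template-sca` registered in `WazuhIndices` should be documented as pointing at this file. Three mapping points: `host.risk.*` (six fields) enter only through the `host: "*"` subset wildcard and do not exist under `agent.host` or in any SCA event, so they should be dropped from the subset; `check.description`, `check.rationale`, `check.remediation`, `check.rules` and `policy.description` are `keyword` with `"ignore_above": 1024`, which leaves long CIS text unindexed; and `host.os.full` / `host.os.name` (and their `agent.host` copies) are plain `keyword` here although the field table above lists `agent.host.os.full.text` and `agent.host.os.name.text`, so either the `.text` multi-fields are missing from the generated mapping or the documentation rows should be removed. Finally `number_of_replicas: "0"` is a single-node default that will lose the index on node failure in a multi-node cluster; leave it unset or document it as a development value.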