Bump WCS to ECS v9.1.0 (#600)

* Bump WCS to ECS v9.1.0

* Add changelog entry
This commit is contained in:
Álex Ruiz Becerra 2025-10-27 15:48:20 +01:00 committed by GitHub
parent 85465e3e87
commit dc98e42c32
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
59 changed files with 8907 additions and 138804 deletions


@ -40,6 +40,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
- Update index templates with agent fields [(#578)](https://github.com/wazuh/wazuh-indexer-plugins/pull/578)
- Rename indices from *-5.x-* to *-v5-* [(#597)](https://github.com/wazuh/wazuh-indexer-plugins/pull/597)
- Use stricter field limits for the WCS indices [(#589)](https://github.com/wazuh/wazuh-indexer-plugins/pull/589)
- Bump WCS to ECS v9.1.0 [(#600)](https://github.com/wazuh/wazuh-indexer-plugins/pull/600)
### Deprecated
-

71
ecs/generator/count_and_update_total_fields.sh Normal file → Executable file

@ -1,6 +1,9 @@
#!/usr/bin/env bash
# Count fields in a generated index template and update mapping.total_fields.limit
# Count fields and nested fields in a generated index template and update mapping limits
# This script analyzes OpenSearch index templates to:
# - Count total fields and update mapping.total_fields.limit
# - Count nested fields and update mapping.nested_fields.limit
# Usage:
# ./count_and_update_total_fields.sh <module|all> [--apply]
# If --apply is not passed the script runs in dry-run mode and prints proposed values.
@ -88,6 +91,9 @@ process_module() {
# jq filter to count fields
JQ_FILTER='def count_fields: (keys_unsorted | length) + ( map( if type == "object" then (.properties | select(.) | count_fields) // 0 + (.fields | select(.) | count_fields) // 0 else 0 end ) | add ); .mappings.properties | count_fields'
# jq filter to count nested fields
JQ_NESTED_FILTER='def count_nested: [ .. | objects | select(.type == "nested") ] | length; .mappings.properties | count_nested'
TOTAL_FIELDS=$(jq -r "$JQ_FILTER" "$REPO_ROOT/$INDEX_TEMPLATE_PATH" 2> /tmp/jq_error.log) || {
echo "Error: Could not parse JSON or find .mappings.properties in $INDEX_TEMPLATE_PATH" >&2
cat /tmp/jq_error.log >&2 || true
@ -96,14 +102,32 @@ process_module() {
}
rm -f /tmp/jq_error.log
# compute next multiple of 500
PROPOSED=$(( ( (TOTAL_FIELDS + 499) / 500 ) * 500 ))
NESTED_FIELDS=$(jq -r "$JQ_NESTED_FILTER" "$REPO_ROOT/$INDEX_TEMPLATE_PATH" 2> /tmp/jq_nested_error.log) || {
echo "Error: Could not count nested fields in $INDEX_TEMPLATE_PATH" >&2
cat /tmp/jq_nested_error.log >&2 || true
rm -f /tmp/jq_nested_error.log
return 1
}
rm -f /tmp/jq_nested_error.log
# compute next multiple of 500 for total fields
PROPOSED_TOTAL=$(( ( (TOTAL_FIELDS + 499) / 500 ) * 500 ))
# compute next multiple of 50 for nested fields (smaller increment due to lower typical counts)
PROPOSED_NESTED=$(( ( (NESTED_FIELDS + 49) / 50 ) * 50 ))
# Ensure minimum of 50 for nested fields if any nested fields exist
if [[ $NESTED_FIELDS -gt 0 && $PROPOSED_NESTED -lt 50 ]]; then
PROPOSED_NESTED=50
fi
cat <<EOF
Module: $MODULE
Index template: $INDEX_TEMPLATE_PATH
Total fields: $TOTAL_FIELDS
Proposed mapping.total_fields.limit: $PROPOSED
Proposed mapping.total_fields.limit: $PROPOSED_TOTAL
Nested fields: $NESTED_FIELDS
Proposed mapping.nested_fields.limit: $PROPOSED_NESTED
EOF
if ! $APPLY; then
@ -118,26 +142,49 @@ EOF
echo "Skipping missing file: $file" >&2
return
fi
if jq -e '.template? and .template.settings? and .template.settings["mapping.total_fields.limit"]' "$REPO_ROOT/$file" > /dev/null 2>&1; then
local updated=false
# Handle .template.settings structure
if jq -e '.template? and .template.settings?' "$REPO_ROOT/$file" > /dev/null 2>&1; then
tmpfile=$(mktemp)
last_hex=$(tail -c1 "$REPO_ROOT/$file" 2> /dev/null | od -An -t x1 | tr -d ' \t\n' || true)
jq ".template.settings[\"mapping.total_fields.limit\"] = $PROPOSED" "$REPO_ROOT/$file" > "$tmpfile"
# Update both total_fields.limit and nested_fields.limit
jq_update_cmd=".template.settings[\"mapping.total_fields.limit\"] = $PROPOSED_TOTAL"
if [[ $NESTED_FIELDS -gt 0 ]]; then
jq_update_cmd="$jq_update_cmd | .template.settings[\"mapping.nested_fields.limit\"] = $PROPOSED_NESTED"
fi
jq "$jq_update_cmd" "$REPO_ROOT/$file" > "$tmpfile"
if [[ -n "$last_hex" && "$last_hex" != "0a" ]]; then
perl -0777 -pe 's/\n\z//' "$tmpfile" > "${tmpfile}.fix" && mv "${tmpfile}.fix" "$tmpfile"
fi
mv "$tmpfile" "$REPO_ROOT/$file"
echo "Updated $file -> $PROPOSED"
elif jq -e '.settings? and .settings["mapping.total_fields.limit"]' "$REPO_ROOT/$file" > /dev/null 2>&1; then
echo "Updated $file -> total_fields: $PROPOSED_TOTAL, nested_fields: $PROPOSED_NESTED"
updated=true
# Handle .settings structure
elif jq -e '.settings?' "$REPO_ROOT/$file" > /dev/null 2>&1; then
tmpfile=$(mktemp)
last_hex=$(tail -c1 "$REPO_ROOT/$file" 2> /dev/null | od -An -t x1 | tr -d ' \t\n' || true)
jq ".settings[\"mapping.total_fields.limit\"] = $PROPOSED" "$REPO_ROOT/$file" > "$tmpfile"
# Update both total_fields.limit and nested_fields.limit
jq_update_cmd=".settings[\"mapping.total_fields.limit\"] = $PROPOSED_TOTAL"
if [[ $NESTED_FIELDS -gt 0 ]]; then
jq_update_cmd="$jq_update_cmd | .settings[\"mapping.nested_fields.limit\"] = $PROPOSED_NESTED"
fi
jq "$jq_update_cmd" "$REPO_ROOT/$file" > "$tmpfile"
if [[ -n "$last_hex" && "$last_hex" != "0a" ]]; then
perl -0777 -pe 's/\n\z//' "$tmpfile" > "${tmpfile}.fix" && mv "${tmpfile}.fix" "$tmpfile"
fi
mv "$tmpfile" "$REPO_ROOT/$file"
echo "Updated $file -> $PROPOSED"
else
echo "No mapping.total_fields.limit key found in $file. Skipping." >&2
echo "Updated $file -> total_fields: $PROPOSED_TOTAL, nested_fields: $PROPOSED_NESTED"
updated=true
fi
if [[ "$updated" == "false" ]]; then
echo "No mapping limits found in $file. Skipping." >&2
fi
}
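Review bot: The new error log at lines 51–57 is written to the fixed path `/tmp/jq_nested_error.log` (mirroring the pre-existing `/tmp/jq_error.log`), so a concurrent run or any other local user who pre-creates that name, or a symlink under it, can clobber or redirect the write; the script already uses `mktemp` for the template rewrite at lines 84 and 103, so the same should apply here: `err_log=$(mktemp)`, `2> "$err_log"`, and `rm -f -- "$err_log"` on both the success and failure paths. The guard at lines 63–65 is unreachable, because `PROPOSED_NESTED` is already rounded up to the next multiple of 50 and is therefore at least 50 whenever `NESTED_FIELDS` is greater than 0, so the block can be dropped. In the apply path, when `NESTED_FIELDS` is 0 the file's existing `mapping.nested_fields.limit` is deliberately left untouched, yet the messages at lines 99 and 119 still print `nested_fields: $PROPOSED_NESTED` (which is 0), misreporting what was written; emit the nested value only when it was actually applied. Both `process_module` and the update helper modified by the last hunk begin before their hunks.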



@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -128,7 +130,340 @@ fields:
pe:
fields: "*"
process:
fields: "*"
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
start: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
@ -259,13 +594,17 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
fields: "*"
policy:
fields: "*"
# Integration fields
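Review bot: The expanded `process` subset at lines 145–478 is pasted verbatim into every module's subset file in this commit (the same ~340 lines reappear under the applications, cloud-services and per-provider sections), so any later adjustment must be repeated in each copy and a divergence between modules would go unnoticed. If the generator's `--subset` option accepts several files, as the upstream ECS generator does, the shared `process`, `gen_ai`, `volume`, `wazuh.check` and `wazuh.policy` definitions could live in one common subset file that each module lists next to its integration-specific one; that is an inference about this repository's build, so confirm against `ecs/generator` before restructuring. If a shared file is not possible, a comment at the head of the `process` block such as `# Keep in sync with the other modules' subset files; regenerate all templates after editing` would at least flag the coupling.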


@ -5,8 +5,8 @@
"order": 1,
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-access-management",
"mapping.total_fields.limit": 5500,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 2500,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",
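Review bot: The lowered limits at lines 509–510 are index settings that take effect only for indices created after the template is installed; any existing `wazuh-events-v5-access-management-*` index keeps 5500/100 until rollover, so operators expecting the tighter bound immediately should be told in the changelog or PR description. Because the generator rounds the counted field total up to the next multiple of 500, the headroom under 2500 may be small; if an ingest pipeline or dynamic mapping adds fields beyond it, OpenSearch rejects the document with a total-fields-exceeded error, which for an event index means silently dropped events, so the actual count reported by the script is worth recording alongside the new value. The headroom figure is not visible here, so this is a point to confirm rather than a defect.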


@ -6,8 +6,8 @@
"template": {
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-access-management",
"mapping.total_fields.limit": 5500,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 2500,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",



@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -128,7 +130,340 @@ fields:
pe:
fields: "*"
process:
fields: "*"
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
start: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
@ -259,16 +594,20 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
fields: "*"
policy:
fields: "*"
# Integration fields
apache-tomcat:
fields: "*"
iis:
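Review bot: The `process` subset now indexes `process.env_vars` (line 634) together with `command_line` and `args` for the process and its parent, group, session and entry leaders; environment variables and command lines routinely carry credentials, tokens and connection strings, and once mapped they are searchable and retained by everyone with read access to `wazuh-events-v5-applications-*`. The upstream ECS description of `process.env_vars` notes that it may be filtered to protect sensitive information, so unless the collectors already redact, consider either dropping `env_vars` from the subset or recording the expectation next to it, for example `# env_vars is indexed as-is; collectors must redact secrets before ingestion`. Whether the Wazuh pipeline performs any redaction is not visible in this commit, so confirm before shipping.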


@ -5,8 +5,8 @@
"order": 1,
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-applications",
"mapping.total_fields.limit": 6000,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 3000,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",


@ -6,8 +6,8 @@
"template": {
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-applications",
"mapping.total_fields.limit": 6000,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 3000,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",



@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -128,7 +130,340 @@ fields:
pe:
fields: "*"
process:
fields: "*"
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
start: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
@ -259,16 +594,20 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
fields: "*"
policy:
fields: "*"
# Integration fields
amazon-security-lake:
fields: "*"
aws:


@ -5,8 +5,8 @@
"order": 10,
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-aws",
"mapping.total_fields.limit": 6500,
"mapping.nested_fields.limit": 250,
"mapping.total_fields.limit": 3500,
"mapping.nested_fields.limit": 200,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",


@ -6,8 +6,8 @@
"template": {
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-aws",
"mapping.total_fields.limit": 6500,
"mapping.nested_fields.limit": 250,
"mapping.total_fields.limit": 3500,
"mapping.nested_fields.limit": 200,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",



@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -128,7 +130,340 @@ fields:
pe:
fields: "*"
process:
fields: "*"
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
start: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
@ -259,16 +594,20 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
fields: "*"
policy:
fields: "*"
# Integration fields
azure:
fields: "*"
azure-app-service:


@ -5,8 +5,8 @@
"order": 10,
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-azure",
"mapping.total_fields.limit": 6000,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 3000,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",


@ -6,8 +6,8 @@
"template": {
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-azure",
"mapping.total_fields.limit": 6000,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 3000,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",



@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -128,7 +130,340 @@ fields:
pe:
fields: "*"
process:
fields: "*"
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
start: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
@ -259,16 +594,20 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
fields: "*"
policy:
fields: "*"
# Integration fields
gcp:
fields: "*"
google-scc:


@ -5,7 +5,7 @@
"order": 10,
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-gcp",
"mapping.total_fields.limit": 6000,
"mapping.total_fields.limit": 3000,
"mapping.nested_fields.limit": 100,
"index": {
"number_of_shards": "3",


@ -6,7 +6,7 @@
"template": {
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-gcp",
"mapping.total_fields.limit": 6000,
"mapping.total_fields.limit": 3000,
"mapping.nested_fields.limit": 100,
"index": {
"number_of_shards": "3",



@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -128,7 +130,340 @@ fields:
pe:
fields: "*"
process:
fields: "*"
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
start: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
@ -259,15 +594,19 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
fields: "*"
policy:
fields: "*"
# Integration fields
cisco-umbrella:
fields: "*"


@ -5,8 +5,8 @@
"order": 1,
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services",
"mapping.total_fields.limit": 5500,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 2500,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",


@ -6,8 +6,8 @@
"template": {
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services",
"mapping.total_fields.limit": 5500,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 2500,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",



@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -128,7 +130,340 @@ fields:
pe:
fields: "*"
process:
fields: "*"
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
start: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
@ -259,16 +594,20 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
fields: "*"
policy:
fields: "*"
# Integration fields
checkpoint:
fields: "*"
cisco-aironet:
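Review bot: The explicit `process` subset includes `env_vars: {}` and `io:` with `fields: "*"`, which index a process's environment block and its captured terminal I/O; both routinely carry credentials and tokens, so confirm these are wanted in this (presumably network-activity) index and are covered by field-level access control, otherwise drop the two entries. The same 334-line `process` block is repeated byte-for-byte in the other, security, system-activity and fifth subset sections below; if the ECS generator's `--subset` option accepts several files, as I recall it does, a single shared process subset passed alongside each module file would remove the duplication and the risk of the copies drifting. `same_as_process` is `{}` under entry_leader, group_leader and session_leader but `docs_only: True` under `previous`, and `entry_meta.type` directly under `process` is docs-only while `entry_leader.entry_meta.type` is mapped; if this asymmetry is intended, a comment on the `previous:` line such as `# docs_only entries are documented but not mapped` would save the next editor a diff against ECS.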


@ -5,8 +5,8 @@
"order": 1,
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-network-activity",
"mapping.total_fields.limit": 7000,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 4000,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",


@ -6,8 +6,8 @@
"template": {
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-network-activity",
"mapping.total_fields.limit": 7000,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 4000,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",



@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -128,7 +130,340 @@ fields:
pe:
fields: "*"
process:
fields: "*"
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
start: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
@ -259,13 +594,17 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
fields: "*"
policy:
fields: "*"
# Integration fields


@ -5,8 +5,8 @@
"order": 1,
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-other",
"mapping.total_fields.limit": 5500,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 2500,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",


@ -6,8 +6,8 @@
"template": {
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-other",
"mapping.total_fields.limit": 5500,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 2500,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",



@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -128,7 +130,340 @@ fields:
pe:
fields: "*"
process:
fields: "*"
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
start: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
@ -259,16 +594,20 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
fields: "*"
policy:
fields: "*"
# Integration fields
modsecurity:
fields: "*"
snort:


@ -5,8 +5,8 @@
"order": 1,
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-security",
"mapping.total_fields.limit": 6000,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 3000,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",


@ -6,8 +6,8 @@
"template": {
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-security",
"mapping.total_fields.limit": 6000,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 3000,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",



@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -128,7 +130,340 @@ fields:
pe:
fields: "*"
process:
fields: "*"
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
start: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
@ -259,16 +594,20 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
fields: "*"
policy:
fields: "*"
# Integration fields
audit:
fields: "*"
microsoft-dhcp:


@ -5,8 +5,8 @@
"order": 1,
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-system-activity",
"mapping.total_fields.limit": 6000,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 3000,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",


@ -6,8 +6,8 @@
"template": {
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-events-v5-system-activity",
"mapping.total_fields.limit": 6000,
"mapping.nested_fields.limit": 100,
"mapping.total_fields.limit": 3000,
"mapping.nested_fields.limit": 50,
"index": {
"number_of_shards": "3",
"number_of_replicas": "0",


@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -128,7 +130,340 @@ fields:
pe:
fields: "*"
process:
fields: "*"
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
start: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pid: {}
vpid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
vpid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
vpid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
capabilities:
fields:
effective: {}
permitted: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
@ -259,13 +594,17 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
fields: "*"
policy:
fields: "*"
# Integration fields



@ -1,5 +1,5 @@
---
name: wazuh-alerts
name: main
fields:
base:
fields: "*"
@ -97,6 +97,8 @@ fields:
fields: "*"
file:
fields: "*"
gen_ai:
fields: "*"
geo:
fields: "*"
group:
@ -358,6 +360,10 @@ fields:
args: {}
args_count: {}
executable: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
@ -588,10 +594,13 @@ fields:
roles: {}
vlan:
fields: "*"
volume:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"
# Wazuh specific fields
wazuh:
fields: "*"
check:
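Review bot: `gen_ai: fields: "*"` pulls in the whole ECS gen_ai field set, and the generated alerts mapping further down maps `gen_ai.request.encoding_formats`, `gen_ai.request.stop_sequences` and `gen_ai.response.finish_reasons` as `"type": "nested"` with no `properties`; as far as I recall ECS documents these as keyword arrays, so a document carrying a plain string array there would be rejected with a mapping parse error, and the three entries count against `mapping.nested_fields.limit`, which neither alerts template hunk sets (the default applies). Consider narrowing the subset to the gen_ai leaves expected in alerts, or confirming the nested typing is intended and that the test data exercises it. The `name: wazuh-alerts` to `name: main` rename is not explained; if the generator derives an output path or template name from it, a one-line comment above `name:` saying what consumes the value would help.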


@ -2,7 +2,7 @@
"index_patterns": ["wazuh-alerts-v5-*"],
"order": 1,
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-alerts",
"plugins.index_state_management.rollover_alias": "wazuh-alerts-v5",
"mapping.total_fields.limit": 2500,
"index": {
"number_of_shards": "3",


@ -3,7 +3,7 @@
"priority": 1,
"template": {
"settings": {
"plugins.index_state_management.rollover_alias": "wazuh-alerts",
"plugins.index_state_management.rollover_alias": "wazuh-alerts-v5",
"mapping.total_fields.limit": 2500,
"index": {
"number_of_shards": "3",


@ -1030,6 +1030,10 @@
"type": "keyword"
}
}
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
@ -1044,6 +1048,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -1060,6 +1068,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -1073,6 +1085,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -1107,6 +1123,14 @@
"ignore_above": 1024,
"type": "keyword"
},
"origin_referrer_url": {
"ignore_above": 8192,
"type": "keyword"
},
"origin_url": {
"ignore_above": 8192,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
@ -1298,6 +1322,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -1558,7 +1586,7 @@
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
}
}
@ -1616,6 +1644,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -1632,6 +1664,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -1825,6 +1861,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -1932,6 +1972,14 @@
"ignore_above": 1024,
"type": "keyword"
},
"origin_referrer_url": {
"ignore_above": 8192,
"type": "keyword"
},
"origin_url": {
"ignore_above": 8192,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
@ -2154,6 +2202,142 @@
}
}
},
"gen_ai": {
"properties": {
"agent": {
"properties": {
"description": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"operation": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"output": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"request": {
"properties": {
"choice": {
"properties": {
"count": {
"type": "integer"
}
}
},
"encoding_formats": {
"type": "nested"
},
"frequency_penalty": {
"type": "double"
},
"max_tokens": {
"type": "integer"
},
"model": {
"ignore_above": 1024,
"type": "keyword"
},
"presence_penalty": {
"type": "double"
},
"seed": {
"type": "integer"
},
"stop_sequences": {
"type": "nested"
},
"temperature": {
"type": "double"
},
"top_k": {
"type": "double"
},
"top_p": {
"type": "double"
}
}
},
"response": {
"properties": {
"finish_reasons": {
"type": "nested"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"model": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"system": {
"ignore_above": 1024,
"type": "keyword"
},
"token": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tool": {
"properties": {
"call": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"usage": {
"properties": {
"input_tokens": {
"type": "integer"
},
"output_tokens": {
"type": "integer"
}
}
}
}
},
"group": {
"properties": {
"domain": {
@ -3158,6 +3342,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -3174,6 +3362,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -3599,17 +3791,24 @@
"type": "keyword"
},
"executable": {
"fields": {
"text": {
"type": "keyword"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"group": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group_leader": {
"properties": {
"args": {
@ -3791,6 +3990,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -3936,6 +4139,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -3952,6 +4159,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -4167,6 +4378,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -4353,9 +4568,6 @@
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
@ -4599,9 +4811,6 @@
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
@ -4974,11 +5183,6 @@
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "keyword"
}
},
"ignore_above": 1024,
"type": "keyword"
}
@ -4988,11 +5192,6 @@
"type": "long"
},
"working_directory": {
"fields": {
"text": {
"type": "keyword"
}
},
"ignore_above": 1024,
"type": "keyword"
}
@ -5674,6 +5873,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -5690,6 +5893,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -5883,6 +6090,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -5932,6 +6143,14 @@
"ignore_above": 1024,
"type": "keyword"
},
"origin_referrer_url": {
"ignore_above": 8192,
"type": "keyword"
},
"origin_url": {
"ignore_above": 8192,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
@ -6331,7 +6550,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
@ -6595,6 +6814,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -6611,6 +6834,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -6804,6 +7031,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -6853,6 +7084,14 @@
"ignore_above": 1024,
"type": "keyword"
},
"origin_referrer_url": {
"ignore_above": 8192,
"type": "keyword"
},
"origin_url": {
"ignore_above": 8192,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
@ -7130,6 +7369,10 @@
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
@ -7252,7 +7495,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
@ -7872,7 +8115,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
@ -8214,6 +8457,71 @@
}
}
},
"volume": {
"properties": {
"bus_type": {
"ignore_above": 1024,
"type": "keyword"
},
"default_access": {
"ignore_above": 1024,
"type": "keyword"
},
"device_name": {
"ignore_above": 1024,
"type": "keyword"
},
"device_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dos_name": {
"ignore_above": 1024,
"type": "keyword"
},
"file_system_type": {
"ignore_above": 1024,
"type": "keyword"
},
"mount_name": {
"ignore_above": 1024,
"type": "keyword"
},
"nt_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product_id": {
"ignore_above": 1024,
"type": "keyword"
},
"product_name": {
"ignore_above": 1024,
"type": "keyword"
},
"removable": {
"type": "boolean"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"vendor_id": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor_name": {
"ignore_above": 1024,
"type": "keyword"
},
"writable": {
"type": "boolean"
}
}
},
"vulnerability": {
"properties": {
"category": {
@ -8332,6 +8640,6 @@
"refresh_interval": "2s"
},
"mapping.total_fields.limit": 2500,
"plugins.index_state_management.rollover_alias": "wazuh-alerts"
"plugins.index_state_management.rollover_alias": "wazuh-alerts-v5"
}
}


@ -1030,6 +1030,10 @@
"type": "keyword"
}
}
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
@ -1044,6 +1048,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -1060,6 +1068,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -1073,6 +1085,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -1107,6 +1123,14 @@
"ignore_above": 1024,
"type": "keyword"
},
"origin_referrer_url": {
"ignore_above": 8192,
"type": "keyword"
},
"origin_url": {
"ignore_above": 8192,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
@ -1298,6 +1322,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -1558,7 +1586,7 @@
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
}
}
@ -1616,6 +1644,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -1632,6 +1664,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -1825,6 +1861,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -1932,6 +1972,14 @@
"ignore_above": 1024,
"type": "keyword"
},
"origin_referrer_url": {
"ignore_above": 8192,
"type": "keyword"
},
"origin_url": {
"ignore_above": 8192,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
@ -2154,6 +2202,142 @@
}
}
},
"gen_ai": {
"properties": {
"agent": {
"properties": {
"description": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"operation": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"output": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"request": {
"properties": {
"choice": {
"properties": {
"count": {
"type": "integer"
}
}
},
"encoding_formats": {
"type": "nested"
},
"frequency_penalty": {
"type": "double"
},
"max_tokens": {
"type": "integer"
},
"model": {
"ignore_above": 1024,
"type": "keyword"
},
"presence_penalty": {
"type": "double"
},
"seed": {
"type": "integer"
},
"stop_sequences": {
"type": "nested"
},
"temperature": {
"type": "double"
},
"top_k": {
"type": "double"
},
"top_p": {
"type": "double"
}
}
},
"response": {
"properties": {
"finish_reasons": {
"type": "nested"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"model": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"system": {
"ignore_above": 1024,
"type": "keyword"
},
"token": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tool": {
"properties": {
"call": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"usage": {
"properties": {
"input_tokens": {
"type": "integer"
},
"output_tokens": {
"type": "integer"
}
}
}
}
},
"group": {
"properties": {
"domain": {
@ -3158,6 +3342,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -3174,6 +3362,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -3599,17 +3791,24 @@
"type": "keyword"
},
"executable": {
"fields": {
"text": {
"type": "keyword"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"group": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group_leader": {
"properties": {
"args": {
@ -3791,6 +3990,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -3936,6 +4139,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -3952,6 +4159,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -4167,6 +4378,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -4353,9 +4568,6 @@
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
@ -4599,9 +4811,6 @@
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
@ -4974,11 +5183,6 @@
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "keyword"
}
},
"ignore_above": 1024,
"type": "keyword"
}
@ -4988,11 +5192,6 @@
"type": "long"
},
"working_directory": {
"fields": {
"text": {
"type": "keyword"
}
},
"ignore_above": 1024,
"type": "keyword"
}
@ -5674,6 +5873,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -5690,6 +5893,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -5883,6 +6090,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -5932,6 +6143,14 @@
"ignore_above": 1024,
"type": "keyword"
},
"origin_referrer_url": {
"ignore_above": 8192,
"type": "keyword"
},
"origin_url": {
"ignore_above": 8192,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
@ -6331,7 +6550,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
@ -6595,6 +6814,10 @@
"exists": {
"type": "boolean"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
@ -6611,6 +6834,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"thumbprint_sha256": {
"ignore_above": 64,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
@ -6804,6 +7031,10 @@
},
"hash": {
"properties": {
"cdhash": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
@ -6853,6 +7084,14 @@
"ignore_above": 1024,
"type": "keyword"
},
"origin_referrer_url": {
"ignore_above": 8192,
"type": "keyword"
},
"origin_url": {
"ignore_above": 8192,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
@ -7130,6 +7369,10 @@
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
@ -7252,7 +7495,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
@ -7872,7 +8115,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
@ -8214,6 +8457,71 @@
}
}
},
"volume": {
"properties": {
"bus_type": {
"ignore_above": 1024,
"type": "keyword"
},
"default_access": {
"ignore_above": 1024,
"type": "keyword"
},
"device_name": {
"ignore_above": 1024,
"type": "keyword"
},
"device_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dos_name": {
"ignore_above": 1024,
"type": "keyword"
},
"file_system_type": {
"ignore_above": 1024,
"type": "keyword"
},
"mount_name": {
"ignore_above": 1024,
"type": "keyword"
},
"nt_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product_id": {
"ignore_above": 1024,
"type": "keyword"
},
"product_name": {
"ignore_above": 1024,
"type": "keyword"
},
"removable": {
"type": "boolean"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"vendor_id": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor_name": {
"ignore_above": 1024,
"type": "keyword"
},
"writable": {
"type": "boolean"
}
}
},
"vulnerability": {
"properties": {
"category": {
@ -8332,6 +8640,6 @@
"refresh_interval": "2s"
},
"mapping.total_fields.limit": 2500,
"plugins.index_state_management.rollover_alias": "wazuh-archives"
"plugins.index_state_management.rollover_alias": "wazuh-archives-v5"
}
}
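Review bot: `"mapping.total_fields.limit": 2500` in the last hunk is left as a context line even though the hunks above add a sizeable number of mappings (the whole `gen_ai` and `volume` objects, plus `code_signature.flags`/`thumbprint_sha256`, `hash.cdhash` and `origin_url`/`origin_referrer_url` in several places), so the limit presumably predates this bump; if the new field count exceeds 2500, index creation from this template fails rather than indexing silently, so please re-run the counting script and commit the recounted value, e.g. `"mapping.total_fields.limit": <recounted-total>` (placeholder). The three `"type": "nested"` entries under `gen_ai.request` and `gen_ai.response` (`encoding_formats`, `stop_sequences`, `finish_reasons`) look like list-of-keyword fields in ECS, and `nested` is a considerably heavier mapping (one hidden document per element, separate nested-field budget); confirm against the ECS 9.1.0 definition that `nested` rather than `keyword` is intended. If `nested` stays, the settings block should also pin `"mapping.nested_fields.limit"` explicitly so the budget is visible next to the total-fields limit instead of relying on the engine default. The same unchanged-limit pattern appears in the preceding file section's settings hunk (`"plugins.index_state_management.rollover_alias": "wazuh-alerts-v5"`), so both templates need the recount.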

