* Workflows renamed according to the convention and deleted extras
* Workflows trigger fixed
* Fixed test workflow trigger
* Used the new VERSION.json and fixed it to work with push
* Changed the default inputs work in push events
* Include a new link checker workflow
* Modifies names and adds useful workflows and needed files (CHANGELOG.md)
* Deleted extra workflow files
* Corrects build docs execution
* Fixes link
* Updates codeql-action to v3 and limits scan to /plugins
* Updates ubuntu, lychee-action and checkout versions
* Adds paths to avoid unnecessary workflow execution
* Deletes statements. These statements, without the ci build, inserted the default values to avoid workflow failure. We go back to use build on push
* Updates ubuntu version
* Fixes adding default to the plugins builder values by calling it with an onpush workflow
* Apply suggestions from code review

Signed-off-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com>

* Format and renaming
* Fix broken links
* More renaming
* Exclude gnu links
* Add .editorconfig
* Add id to build on push

---------

Signed-off-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com>
Co-authored-by: abbonno <abbogonluq@gmail.com>
Co-authored-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com>
ECS mappings generator
This script generates the ECS mappings for the Wazuh indices.
Requirements
Folder structure
There is a folder for each module. Inside each folder, there is a fields folder with the required files to generate the mappings. These are the inputs for the ECS generator.
Usage
- Execute the mapping-generator tool:
  bash ecs/generator/mapping-generator.sh run <MODULE_NAME>
- (Optional) Run the tool's cleanup.
The tool stops the container automatically, but it is recommended to run the down command if the tool is not going to be used anymore.
bash ecs/generator/mapping-generator.sh down
Output
A new mappings folder will be created inside the module folder, containing all the generated files.
The files are versioned using the ECS version, so different versions of the same module can be generated.
For our use case, the most important files are under mappings/<ECS_VERSION>/generated/elasticsearch/legacy/:
- template.json: Elasticsearch compatible index template for the module.
- opensearch-template.json: OpenSearch compatible index template for the module.
The original output is template.json, which is not compatible with OpenSearch by default.
In order to make this template compatible with OpenSearch, the following changes are made:
- The order property is renamed to priority.
- The mappings and settings properties are nested under the template property.
The script takes care of these changes automatically, generating the opensearch-template.json file as a result.
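The two changes above are small, but getting them wrong yields a template the indexer rejects or, worse, accepts with the mappings silently ignored. The following is an added example (not the generator's own code) that performs the legacy-to-OpenSearch conversion on a constructed sample template and then runs the checks a reviewer would apply before uploading. The sample field names and index pattern are illustrative, not a real module's output.

```python
"""Convert a legacy Elasticsearch index template into an OpenSearch composable
template: `order` becomes `priority`, and `mappings`/`settings` move under
`template`. Added example, not the generator's own code.
"""
import copy
import json

# Constructed sample of a legacy template.json (illustrative, not real output).
LEGACY_TEMPLATE = {
    "index_patterns": ["wazuh-states-vulnerabilities-*"],
    "order": 1,
    "settings": {"index": {"number_of_shards": "1", "refresh_interval": "2s"}},
    "mappings": {
        "date_detection": False,
        "dynamic": "strict",
        "properties": {
            "@timestamp": {"type": "date"},
            "agent": {"properties": {"id": {"type": "keyword"}}},
        },
    },
}


def to_opensearch_template(legacy: dict) -> dict:
    """Return the OpenSearch-compatible template derived from a legacy one.

    The input is left untouched. Keys other than order/mappings/settings
    (index_patterns, version, ...) are copied through unchanged.
    """
    src = copy.deepcopy(legacy)
    result = {}
    # Legacy 'order' -> composable 'priority'. An order of 0 is valid,
    # so test for key presence rather than truthiness.
    if "order" in src:
        result["priority"] = src.pop("order")
    # Nest mappings and settings under 'template', only those that exist.
    template_body = {k: src.pop(k) for k in ("settings", "mappings") if k in src}
    # Remaining top-level keys pass through as they are.
    result.update(src)
    if template_body:
        result["template"] = template_body
    return result


def validate_opensearch_template(tpl: dict) -> list:
    """Return a list of problems; an empty list means the template passes the
    structural checks worth running before a PUT to _index_template."""
    problems = []
    if "order" in tpl:
        problems.append("legacy 'order' still present")
    for key in ("mappings", "settings"):
        if key in tpl:
            problems.append(f"'{key}' must be nested under 'template'")
    patterns = tpl.get("index_patterns")
    if not isinstance(patterns, list) or not patterns:
        problems.append("'index_patterns' must be a non-empty list")
    if "template" not in tpl:
        problems.append("'template' section missing")
    return problems


if __name__ == "__main__":
    converted = to_opensearch_template(LEGACY_TEMPLATE)
    print(json.dumps(converted, indent=2))
    print("problems:", validate_opensearch_template(converted) or "none")
```

Running the validator against the unconverted legacy template reports every issue at once, which makes it a cheap pre-upload check in a pipeline.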
Upload
You can either upload the index template using cURL or the UI (dev tools).
curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/wazuh-states-vulnerabilities" -H "Content-Type: application/json" -d @opensearch-template.json
Notes:
- PUT and POST are interchangeable.
- The name of the index template does not matter. Any name can be used.
- Adjust credentials and URL accordingly. Note that -k disables TLS certificate verification; drop it once the indexer presents a certificate your client trusts.
Adding new mappings
The easiest way to create mappings for a new module is to take a previous one as a base.
Copy a folder and rename it to the new module name. Then, edit the fields files to match the new module fields.
The name of the folder will be the name of the module to be passed to the script. All 3 files are required.
- fields/subset.yml: This file contains the subset of ECS fields to be used for the module.
- fields/template-settings-legacy.json: This file contains the legacy template settings for the module.
- fields/template-settings.json: This file contains the composable template settings for the module.
Event generator
Each module contains a Python script to generate events for its module. The script prompts for the required parameters, so it can be launched without arguments:
./event_generator.py
The script will generate a JSON file with the events, and will also ask whether to upload them to the indexer. If the upload option is selected, the script will ask for the indexer URL and port, credentials, and index name. The script writes a log file; check it for debugging or additional information.
Automatic PR creation tool
The generate-pr-to-plugins.sh script found in the ecs/scripts folder is a tool that detects modified ECS modules, generates new templates, commits the changes to a target repository, and creates or updates a pull request.
Requirements
- Docker Compose
- GitHub CLI (gh)
Usage
To use the script, run the following command:
./update-ecs-templates.sh -t <GITHUB_TOKEN>
Options
- -b <BRANCH_NAME>: (Optional) Branch name to create or update the pull request. Default is the current branch.
- -t <GITHUB_TOKEN>: (Optional) GitHub token to authenticate with the GitHub API. If not provided, the script will use the GITHUB_TOKEN environment variable.
Script Workflow
- Validate Dependencies
  - Checks if the required commands (docker, docker-compose, and gh) are installed.
- Detect Modified Modules
  - Fetches and extracts modified ECS modules by comparing the current branch with the base branch.
  - Identifies relevant ECS modules that have been modified.
- Run ECS Generator
  - Runs the ECS generator script for each relevant module to generate new ECS templates.
- Clone Target Repository
  - Clones the target repository (wazuh/wazuh-indexer-plugins) if it does not already exist.
  - Configures Git and GitHub CLI with the provided GitHub token.
- Commit and Push Changes
  - Copies the generated ECS templates to the appropriate directory in the target repository.
  - Commits and pushes the changes to the specified branch.
- Create or Update Pull Request
  - Creates a new pull request or updates an existing pull request with the modified ECS templates.
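The "Detect Modified Modules" step is the one most worth understanding, because a too-broad match regenerates and pushes templates that did not change, while a too-narrow one misses real edits. The following is an added example, not the generate-pr-to-plugins.sh code, showing how the set of modified modules can be derived from the paths `git diff --name-only` reports between the base branch and HEAD. It assumes the layout described earlier in this document (one folder per module under ecs/, each with a fields/ subfolder holding the generator inputs); the exclusion list of tooling folders, the module names and the sample paths are constructed for illustration.

```python
"""Derive the set of modified ECS modules from a list of changed file paths.
Added example, not the project's own script. Assumes the ecs/<module>/fields/
layout described in this README; exclusion list and sample paths are constructed.
"""
import re
import subprocess

# Only fields/ files are generator inputs; a change under a module's
# mappings/ (previously generated output) must not trigger a regeneration.
MODULE_FIELDS_RE = re.compile(r"^ecs/(?P<module>[^/]+)/fields/[^/]+$")

# Folders under ecs/ that hold tooling rather than modules (assumed list;
# the real script may exclude a different set).
NON_MODULE_DIRS = {"generator", "scripts"}


def modified_modules(changed_paths) -> set:
    """Return the module names whose fields/ inputs appear in changed_paths."""
    modules = set()
    for path in changed_paths:
        m = MODULE_FIELDS_RE.match(path.strip())
        if m and m.group("module") not in NON_MODULE_DIRS:
            modules.add(m.group("module"))
    return modules


def changed_paths_from_git(base_branch: str = "master") -> list:
    """Ask git for the files changed between base_branch and HEAD (needs a repo).

    The three-dot form diffs against the merge base, which is what a PR check
    wants; a two-dot range would also report commits that landed on the base
    branch after the feature branch was created.
    """
    out = subprocess.run(
        ["git", "diff", "--name-only", f"{base_branch}...HEAD"],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.splitlines()


# Constructed sample of what `git diff --name-only base...HEAD` might print.
SAMPLE_CHANGED_PATHS = [
    "ecs/states-vulnerabilities/fields/subset.yml",
    "ecs/states-vulnerabilities/fields/template-settings.json",
    "ecs/states-vulnerabilities/mappings/vX.Y.Z/generated/elasticsearch/legacy/template.json",
    "ecs/alerts/fields/template-settings-legacy.json",
    "ecs/generator/mapping-generator.sh",
    "ecs/scripts/README.md",
    "docs/README.md",
]

if __name__ == "__main__":
    # Offline demonstration on the constructed list; swap in
    # changed_paths_from_git() when running inside the repository.
    for name in sorted(modified_modules(SAMPLE_CHANGED_PATHS)):
        print(name)
```

On the constructed list only states-vulnerabilities and alerts are reported: the generated mappings/ file, the tooling folders and the docs change are all ignored, which is the behaviour a CI step should have so that a pull request is opened only when generator inputs actually changed.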