wazuh-alerts-5.x time series index
Stateless index.
Fields summary
For this stage the index uses the full ECS field set, with no custom fields, so the mapping is the default ECS mapping. The subset file below (`name: main`) lists every ECS fieldset: `fields: "*"` takes a fieldset whole, while the explicit lists under `client`, `destination`, `server`, `source`, `process` and `user` enumerate the fields kept at those nested reuse points.
The index template produced by the ECS generator must match the settings and mapping shown below; any drift between the two should be treated as a generator regression.
ECS mapping
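---
# ECS subset definition for the wazuh-alerts-5.x index template.
#
# Structure (indentation is significant; each `fields:` opens the child map
# of the key above it, so flattening this file silently merges levels and
# produces duplicate keys):
#   <fieldset>:
#     fields: "*"          -> take every field of the fieldset
#   <fieldset>:
#     fields:
#       <leaf>: {}         -> keep only this leaf
#       <nested>:
#         fields: ...      -> recurse into a reused fieldset
#   docs_only: True        -> listed for documentation generation only
#                             (ECS subset semantics; confirm against the
#                             ECS tooling version used by the workflow)
name: main
fields:
  base:
    fields: "*"
  agent:
    fields: "*"
  as:
    fields: "*"
  # client / destination / server / source share the same bounded shape:
  # the full `as` and `geo` fieldsets, the `nat` ip/port pair, and a
  # restricted `user` reuse (no nested user.changes / user.effective / user.target).
  client:
    fields:
      address: {}
      as:
        fields: "*"
      bytes: {}
      domain: {}
      geo:
        fields: "*"
      ip: {}
      mac: {}
      nat:
        fields:
          ip: {}
          port: {}
      packets: {}
      port: {}
      subdomain: {}
      registered_domain: {}
      top_level_domain: {}
      user:
        fields:
          domain: {}
          email: {}
          full_name: {}
          group:
            fields: "*"
          hash: {}
          id: {}
          name: {}
          roles: {}
  cloud:
    fields: "*"
  code_signature:
    fields: "*"
  container:
    fields: "*"
  data_stream:
    fields: "*"
  destination:
    fields:
      address: {}
      as:
        fields: "*"
      bytes: {}
      domain: {}
      geo:
        fields: "*"
      ip: {}
      mac: {}
      nat:
        fields:
          ip: {}
          port: {}
      packets: {}
      port: {}
      subdomain: {}
      registered_domain: {}
      top_level_domain: {}
      user:
        fields:
          domain: {}
          email: {}
          full_name: {}
          group:
            fields: "*"
          hash: {}
          id: {}
          name: {}
          roles: {}
  device:
    fields: "*"
  dll:
    fields: "*"
  dns:
    fields: "*"
  ecs:
    fields: "*"
  elf:
    fields: "*"
  email:
    fields: "*"
  error:
    fields: "*"
  event:
    fields: "*"
  faas:
    fields: "*"
  file:
    fields: "*"
  geo:
    fields: "*"
  group:
    fields: "*"
  hash:
    fields: "*"
  host:
    fields: "*"
  http:
    fields: "*"
  interface:
    fields: "*"
  log:
    fields: "*"
  macho:
    fields: "*"
  network:
    fields: "*"
  observer:
    fields: "*"
  orchestrator:
    fields: "*"
  organization:
    fields: "*"
  os:
    fields: "*"
  package:
    fields: "*"
  pe:
    fields: "*"
  # process is the deepest reuse tree: entry_leader, group_leader, parent,
  # previous and session_leader each carry a trimmed copy of the process
  # fields, and the leader/parent sub-references are cut at identity
  # (entity_id / pid / vpid / start) to stop the recursion.
  process:
    fields:
      args: {}
      args_count: {}
      code_signature:
        fields: "*"
      command_line: {}
      elf:
        fields: "*"
      end: {}
      entity_id: {}
      entry_leader:
        fields:
          args: {}
          args_count: {}
          command_line: {}
          entity_id: {}
          entry_meta:
            fields:
              type: {}
              source:
                fields:
                  ip: {}
          executable: {}
          interactive: {}
          name: {}
          parent:
            fields:
              entity_id: {}
              pid: {}
              vpid: {}
              start: {}
              session_leader:
                fields:
                  entity_id: {}
                  pid: {}
                  vpid: {}
                  start: {}
          pid: {}
          vpid: {}
          same_as_process: {}
          start: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          working_directory: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}
          attested_user:
            fields:
              id: {}
              name: {}
          attested_groups:
            fields:
              name: {}
      entry_meta:
        fields:
          type:
            docs_only: True
      # NOTE(review): env_vars, args and command_line routinely carry
      # credentials passed on the command line or in the environment;
      # if these are populated from agent data, redact at the ingest
      # pipeline rather than relying on index access control alone.
      env_vars: {}
      executable: {}
      exit_code: {}
      group_leader:
        fields:
          args: {}
          args_count: {}
          command_line: {}
          entity_id: {}
          executable: {}
          interactive: {}
          name: {}
          pid: {}
          vpid: {}
          same_as_process: {}
          start: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          working_directory: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}
      hash:
        fields: "*"
      interactive: {}
      io:
        fields: "*"
      macho:
        fields: "*"
      name: {}
      parent:
        fields:
          args: {}
          args_count: {}
          code_signature:
            fields: "*"
          command_line: {}
          elf:
            fields: "*"
          end: {}
          entity_id: {}
          executable: {}
          exit_code: {}
          group_leader:
            fields:
              entity_id: {}
              pid: {}
              vpid: {}
              start: {}
          hash:
            fields: "*"
          interactive: {}
          macho:
            fields: "*"
          name: {}
          pe:
            fields: "*"
          pgid: {}
          pid: {}
          vpid: {}
          start: {}
          thread:
            fields:
              id: {}
              name: {}
              capabilities:
                fields:
                  effective: {}
                  permitted: {}
          title: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          uptime: {}
          working_directory: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}
      pe:
        fields: "*"
      pgid: {}
      pid: {}
      vpid: {}
      previous:
        fields:
          args: {}
          args_count: {}
          executable: {}
          real_group:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          same_as_process:
            docs_only: True
          saved_group:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          start: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}
      session_leader:
        fields:
          args: {}
          args_count: {}
          command_line: {}
          entity_id: {}
          executable: {}
          interactive: {}
          name: {}
          pid: {}
          vpid: {}
          same_as_process: {}
          start: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          working_directory: {}
          parent:
            fields:
              entity_id: {}
              pid: {}
              vpid: {}
              start: {}
              session_leader:
                fields:
                  entity_id: {}
                  pid: {}
                  vpid: {}
                  start: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}
      thread:
        fields:
          id: {}
          name: {}
          capabilities:
            fields:
              effective: {}
              permitted: {}
      title: {}
      tty:
        fields: "*"
      uptime: {}
      user:
        fields:
          id: {}
          name: {}
      working_directory: {}
  registry:
    fields: "*"
  related:
    fields: "*"
  risk:
    fields: "*"
  rule:
    fields: "*"
  server:
    fields:
      address: {}
      as:
        fields: "*"
      bytes: {}
      domain: {}
      geo:
        fields: "*"
      ip: {}
      mac: {}
      nat:
        fields:
          ip: {}
          port: {}
      packets: {}
      port: {}
      subdomain: {}
      registered_domain: {}
      top_level_domain: {}
      user:
        fields:
          domain: {}
          email: {}
          full_name: {}
          group:
            fields: "*"
          hash: {}
          id: {}
          name: {}
          roles: {}
  service:
    fields: "*"
  source:
    fields:
      address: {}
      as:
        fields: "*"
      bytes: {}
      domain: {}
      geo:
        fields: "*"
      ip: {}
      mac: {}
      nat:
        fields:
          ip: {}
          port: {}
      packets: {}
      port: {}
      subdomain: {}
      registered_domain: {}
      top_level_domain: {}
      user:
        fields:
          domain: {}
          email: {}
          full_name: {}
          group:
            fields: "*"
          hash: {}
          id: {}
          name: {}
          roles: {}
  threat:
    fields: "*"
  tls:
    fields: "*"
  tracing:
    fields: "*"
  url:
    fields: "*"
  user_agent:
    fields: "*"
  # user.changes / user.effective / user.target are the privilege-change
  # reuse points (who was changed, who acted, who was targeted); each is
  # bounded to identity fields and does not recurse further.
  user:
    fields:
      changes:
        fields:
          domain: {}
          email: {}
          group:
            fields: "*"
          full_name: {}
          hash: {}
          id: {}
          name: {}
          roles: {}
      domain: {}
      effective:
        fields:
          domain: {}
          email: {}
          group:
            fields: "*"
          full_name: {}
          hash: {}
          id: {}
          name: {}
          roles: {}
      email: {}
      group:
        fields: "*"
      full_name: {}
      hash: {}
      id: {}
      name: {}
      risk:
        fields: "*"
      roles: {}
      target:
        fields:
          domain: {}
          email: {}
          group:
            fields: "*"
          full_name: {}
          hash: {}
          id: {}
          name: {}
          roles: {}
  vlan:
    fields: "*"
  vulnerability:
    fields: "*"
  x509:
    fields: "*"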
Template settings. The template applies to every index matching `wazuh-alerts-5.x-*` at priority 1, so any other template with a higher priority on an overlapping pattern will override it; `index.mapping.total_fields.limit` is raised to 2500 because the full ECS field set exceeds the default limit.
{
"index_patterns": [
"wazuh-alerts-5.x-*"
],
"priority": 1,
"template": {
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": 2500
}
},
"refresh_interval": "5s"
}
}
}
}
Mapping settings. `dynamic: true` means any field in an incoming alert that is not already in the ECS mapping is added to the index mapping on first sight, so the `total_fields.limit` of 2500 in the template settings is the only guard against mapping growth driven by unexpected or attacker-controlled alert fields; `date_detection: false` stops string values that merely look like dates from being mapped as `date`, which would otherwise reject later documents whose value for that field is not a date.
{
"dynamic": true,
"date_detection": false
}