mirror of
https://github.com/wazuh/wazuh-indexer-plugins.git
synced 2025-12-10 12:50:43 -06:00
* Migrate code and documentation from wazuh-indexer
* Migrate operational--integrations_maintenance_request.md
* Add ECS folder and workflow
* Add ECS workflow badge
* Adapt ECS workflow generator
* Trigger workflow
* Update ECS templates for modified modules: agent alerts command states-fim states-inventory-hardware states-inventory-hotfixes states-inventory-networks states-inventory-packages states-inventory-ports states-inventory-processes states-inventory-system states-vulnerabilities
* Remove unused code
* Update ECS templates for modified modules: agent alerts command states-fim states-inventory-hardware states-inventory-hotfixes states-inventory-networks states-inventory-packages states-inventory-ports states-inventory-processes states-inventory-system states-vulnerabilities
* Clean-up

---------

Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>
6.9 KiB
# commands index data model

**Note**

- rev 0.1 - September 18th, 2024: Add initial model.
- rev 0.2 - September 30th, 2024: Change type of `request_id`, `order_id` and `id` to keyword.
- rev 0.3 - October 3rd, 2024: Change descriptions for `command.type`, `command.action.type`, `command.request_id`, `command.order_id`.
- rev 0.4 - October 9th, 2024: Apply changes described in https://github.com/wazuh/wazuh-indexer-plugins/issues/96#issue-2576028654.
- rev 0.5 - December 3rd, 2024: Added `@timestamp` and `delivery_timestamp` date fields.
- rev 0.6 - January 24th, 2025: Rename index to `wazuh-commands`. The index is now visible to users.
## Fields summary

This index stores information about the commands executed by the agents. The index appears in 5.0.0 for the first time.

|   | Field | Type | Description |
|---|---|---|---|
| * | agent.groups | keyword | List of groups the agent belongs to. |
| * | command.source | keyword | Origin of the request. One of [Users/Services (via Management API), Engine (via Management API), Content manager (directly)]. |
| * | command.user | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. |
| * | command.target.id | keyword | Unique identifier of the destination to send the command to. |
| * | command.target.type | keyword | The destination type. One of [group, agent, server]. |
| * | command.action.name | keyword | The requested action type. Examples: restart, update, change_group, apply_policy, ... |
| * | command.action.args | object | Command arguments. The Object type allows for an ad-hoc format of the value. |
| * | command.action.version | keyword | Version of the command's schema. |
| * | command.timeout | short | Time window in which the command has to be sent to its target. |
| * | command.status | keyword | Status within the Command Manager's context. One of [pending, sent, success, failure]. |
| * | command.result.code | short | Status code returned by the target. |
| * | command.result.message | keyword | Result message returned by the target. |
| * | command.result.data | keyword | Result data returned by the target. |
| * | command.request_id | keyword | UUID generated by the Command Manager. |
| * | command.order_id | keyword | UUID generated by the Command Manager. |

\* Custom field.
## ECS mapping

Subset definition:

```yaml
---
name: command
fields:
  base:
    fields:
      tags: []
      "@timestamp": {}
      "delivery_timestamp": {}
  agent:
    fields:
      groups: {}
  command:
    fields: "*"
```
Custom field definitions:

```yaml
---
- name: command
  title: Wazuh commands
  short: Wazuh Inc. custom fields.
  description: >
    This index stores information about Wazuh commands. These commands can be sent to agents or Wazuh servers.
  type: group
  group: 2
  fields:
    - name: source
      type: keyword
      level: custom
      description: >
        Origin of the request.
    - name: user
      type: keyword
      level: custom
      description: >
        The user that originated the request.
    - name: target.id
      type: keyword
      level: custom
      description: >
        Unique identifier of the destination to send the command to.
    - name: target.type
      type: keyword
      level: custom
      description: >
        The destination type. One of [`group`, `agent`, `server`].
    - name: action.name
      type: keyword
      level: custom
      description: >
        The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ...
    - name: action.args
      type: keyword
      level: custom
      description: >
        Array of command arguments, starting with the absolute path to the executable.
    - name: action.version
      type: keyword
      level: custom
      description: >
        Version of the command's schema.
    - name: timeout
      type: short
      level: custom
      description: >
        Time window in which the command has to be sent to its target.
    - name: status
      type: keyword
      level: custom
      description: >
        Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure'].
    - name: result.code
      type: short
      level: custom
      description: >
        Status code returned by the target.
    - name: result.message
      type: keyword
      level: custom
      description: >
        Result message returned by the target.
    - name: result.data
      type: keyword
      level: custom
      description: >
        Result data returned by the target.
    - name: request_id
      type: keyword
      level: custom
      description: >
        UUID generated by the Command Manager.
    - name: order_id
      type: keyword
      level: custom
      description: >
        UUID generated by the Command Manager.
- name: base
  title: Wazuh base fields
  root: true
  fields:
    - name: delivery_timestamp
      type: date
      level: custom
      description: >
        The latest date-time for the command to be delivered. Calculated as the current timestamp plus the timeout.
```
## Index settings

```json
{
  "index_patterns": ["wazuh-commands*"],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
        "refresh_interval": "5s",
        "query.default_field": [
          "command.source",
          "command.target.type",
          "command.status",
          "command.action.name"
        ]
      }
    }
  }
}
```
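The following script is an added example and is not part of the wazuh-indexer-plugins repository or its ECS tooling. It checks a command document against the field model on this page before indexing: each dotted field must be declared in the fields summary, keywords must be strings, `short` values must fit the 16-bit range that OpenSearch enforces, `command.target.type` and `command.status` must use one of the listed values, and `request_id`/`order_id` must be UUIDs. It also derives `delivery_timestamp` from `@timestamp` plus `command.timeout` as the ECS description states. The function names, the sample document and the UUIDs are constructed for illustration; the page does not give the unit of `command.timeout`, so seconds is assumed, and `command.action.args` is treated as an object as the fields summary table says (the ECS YAML lists it as keyword).

```python
"""Validate a wazuh-commands document against the commands index model.

Added example (not project code). Field names, types and allowed values
are taken from the fields summary table on this page; everything else
is an assumption made for illustration.
"""
from datetime import datetime, timedelta
import uuid

# Field -> type, as listed in the fields summary table.
FIELD_TYPES = {
    "@timestamp": "date",
    "delivery_timestamp": "date",
    "agent.groups": "keyword",          # a list of keywords
    "command.source": "keyword",
    "command.user": "keyword",
    "command.target.id": "keyword",
    "command.target.type": "keyword",
    "command.action.name": "keyword",
    "command.action.args": "object",    # ad-hoc mapping, kept whole
    "command.action.version": "keyword",
    "command.timeout": "short",
    "command.status": "keyword",
    "command.result.code": "short",
    "command.result.message": "keyword",
    "command.result.data": "keyword",
    "command.request_id": "keyword",
    "command.order_id": "keyword",
}

# Enumerations given in the field descriptions.
ALLOWED_VALUES = {
    "command.target.type": {"group", "agent", "server"},
    "command.status": {"pending", "sent", "success", "failure"},
}

# Fields documented as UUIDs generated by the Command Manager.
UUID_FIELDS = {"command.request_id", "command.order_id"}

# Range of the OpenSearch `short` type; a timeout or result code outside
# it is rejected at index time, so catch it before sending the document.
SHORT_RANGE = (-32768, 32767)


def flatten(doc, prefix=""):
    """Turn a nested document into {'a.b.c': value}; object fields stay whole."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict) and FIELD_TYPES.get(path) != "object":
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def _parse_date(value):
    # ISO 8601; older fromisoformat() does not accept a trailing "Z".
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def validate_command(doc):
    """Return a list of problems; an empty list means the document fits the model."""
    errors = []
    for path, value in flatten(doc).items():
        expected = FIELD_TYPES.get(path)
        if expected is None:
            errors.append(f"{path}: not in the commands model")
            continue
        if expected == "keyword":
            values = value if isinstance(value, list) else [value]
            if not all(isinstance(v, str) for v in values):
                errors.append(f"{path}: keyword must be a string")
        elif expected == "short":
            is_int = isinstance(value, int) and not isinstance(value, bool)
            if not is_int or not SHORT_RANGE[0] <= value <= SHORT_RANGE[1]:
                errors.append(f"{path}: short must be an integer in {SHORT_RANGE}")
        elif expected == "object" and not isinstance(value, dict):
            errors.append(f"{path}: object must be a mapping")
        elif expected == "date":
            try:
                _parse_date(value)
            except ValueError:
                errors.append(f"{path}: date must be ISO 8601")
        allowed = ALLOWED_VALUES.get(path)
        if allowed and (not isinstance(value, str) or value not in allowed):
            errors.append(f"{path}: {value!r} not in {sorted(allowed)}")
        if path in UUID_FIELDS:
            try:
                uuid.UUID(str(value))
            except ValueError:
                errors.append(f"{path}: not a UUID")
    return errors


def delivery_timestamp(timestamp, timeout):
    """@timestamp plus command.timeout (assumed to be seconds), as ISO 8601."""
    return (_parse_date(timestamp) + timedelta(seconds=timeout)).isoformat()


# Constructed sample document; the UUIDs are made up for the example.
SAMPLE = {
    "@timestamp": "2025-01-24T10:00:00Z",
    "agent": {"groups": ["default", "linux"]},
    "command": {
        "source": "Users/Services",
        "user": "admin",
        "target": {"id": "agent-0001", "type": "agent"},
        "action": {"name": "restart", "args": {"reason": "maintenance"}, "version": "5.0.0"},
        "timeout": 30,
        "status": "pending",
        "request_id": "7b1f2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
        "order_id": "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4e",
    },
}
SAMPLE["delivery_timestamp"] = delivery_timestamp(SAMPLE["@timestamp"], SAMPLE["command"]["timeout"])

if __name__ == "__main__":
    print(validate_command(SAMPLE))
```

Run it as-is and the sample validates cleanly; change `command.status` to a value outside the documented set, or set `command.timeout` above 32767, and the corresponding problem is reported before the document ever reaches the `wazuh-commands*` index.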