wazuh/wazuh-indexer-plugins
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-indexer-plugins.git synced 2025-12-10 14:32:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
wazuh-indexer-plugins/ecs/docs/states-fim.md
Álex Ruiz f04d6fcd90
Migrate code and documentation from wazuh-indexer (#265) 
* Migrate code and documentation from wazuh-indexer

* Migrate operational--integrations_maintenance_request.md

* Add ECS folder and workflow

* Add ECS workflow badge

* Adapt ECS workflow generator

* Trigger workflow

* Update ECS templates for modified modules: agent alerts command states-fim states-inventory-hardware states-inventory-hotfixes states-inventory-networks states-inventory-packages states-inventory-ports states-inventory-processes states-inventory-system states-vulnerabilities

* Remove unused code

* Update ECS templates for modified modules: agent alerts command states-fim states-inventory-hardware states-inventory-hotfixes states-inventory-networks states-inventory-packages states-inventory-ports states-inventory-processes states-inventory-system states-vulnerabilities

* Clean-up

---------

Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>
2025-02-10 18:13:14 +01:00

6.5 KiB
Raw Blame History

wazuh-states-fim index data model

Fields summary

The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189377542

Based on ECS:

Field Type Description Example
agent.* object All the agent fields. `
file.attributes keyword Array of file attributes. ["readonly", "system"]
file.gid keyword Primary group ID (GID) of the file. 1001
file.group keyword Primary group name of the file. alice
file.inode keyword Inode representing the file in the filesystem. 256383
file.name keyword Name of the file including the extension, without the directory. example.png
file.mode keyword File permissions in octal mode. 0640
file.mtime date Last time the file's metadata changed.
file.owner keyword File owners username.
file.path keyword Full path to the file, including the file name. It should include the drive letter, when appropriate. /home/alice/example.png
file.size long File size in bytes. 16384
file.target_path keyword Target path for symlinks.
file.type keyword File type (file, dir, or symlink). file
file.uid keyword User ID (UID) of the file owner. 1001
file.hash.md5 keyword MD5 hash of the file.
file.hash.sha1 keyword SHA1 hash of the file.
file.hash.sha256 keyword SHA256 hash of the file.
registry.key keyword Hive-relative path of keys. SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
registry.value keyword Name of the value written. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger

* Custom field.

ECS mapping

---
name: wazuh-states-fim
fields:
  base:
    fields:
      tags: []
  agent:
    fields:
      groups: {}
      id: {}
      name: {}
      type: {}
      version: {}
      host:
        fields: "*"
  file:
    fields:
      attributes: {}
      name: {}
      path: {}
      gid: {}
      group: {}
      inode: {}
      hash:
        fields:
          md5: {}
          sha1: {}
          sha256: {}
      mtime: {}
      mode: {}
      size: {}
      target_path: {}
      type: {}
      uid: {}
      owner: {}
  registry:
    fields:
      key: {}
      value: {}

Index settings

{
  "index_patterns": ["wazuh-states-fim*"],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
        "refresh_interval": "5s",
        "query.default_field": [
          "agent.id",
          "agent.groups",
          "file.name",
          "file.path",
          "file.target_path",
          "file.group",
          "file.uid",
          "file.gid"
        ]
      }
    }
  }
}