Álex Ruiz Becerra c26e75f505
Add index definition for stateless indices (#554)
* Add index definition for stateless indices

Backported from 6.0.0

* Add module to the automation list

Extend event generator with SCA stuff

* Force automation run

* Revert

* Update ECS templates for modified modules: stateless

* Add back ISM settings and automate the creation of the index template for the wazuh-archives indices

* Update ECS templates for modified modules: stateless

* Update script

* Trigger automation

* Update ECS templates for modified modules: stateless

* Fix output path for the generated archives template

* Update ECS templates for modified modules: stateless

* Increase mappings limit

* Add trailing new lines

---------

Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>
2025-08-19 09:59:27 +02:00

829 B

wazuh-alerts-5.x time series index

The wazuh-alerts-* indices store events received from monitored endpoints that trigger alerts when they match a detection rule.

This is a time-based (stateless) index. The wazuh-archives-5.x index uses the same mappings and settings; its template is generated programmatically from the wazuh-alerts-5.x index template.

Fields summary

For this stage, we are using all the fields of the ECS. Dynamic mapping is temporarily set to false: fields that are not in the schema are not added to the mapping, but events containing such fields are still indexed rather than rejected. These unmapped fields can still be retrieved from the original event (_source).

The full list of fields can be found in the CSV file Stateless Fields.
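The following index template is an added illustration of the two settings described above and is not the repository's generated template. The index patterns, shard count, field limit value and the handful of ECS fields shown are assumptions chosen for the example; the real template maps the full ECS field set (see the CSV) and also carries ISM settings, which are omitted here.

```json
{
  "index_patterns": ["wazuh-alerts-5.x-*", "wazuh-archives-5.x-*"],
  "priority": 1,
  "template": {
    "settings": {
      "index.number_of_shards": 1,
      "index.mapping.total_fields.limit": 2000
    },
    "mappings": {
      "dynamic": false,
      "properties": {
        "@timestamp": { "type": "date" },
        "agent": {
          "properties": {
            "id":   { "type": "keyword" },
            "name": { "type": "keyword" }
          }
        },
        "event": {
          "properties": {
            "category": { "type": "keyword" },
            "action":   { "type": "keyword" },
            "outcome":  { "type": "keyword" }
          }
        },
        "message": { "type": "text" }
      }
    }
  }
}
```

The value of `"dynamic": false` (as opposed to `"strict"`) matters operationally: with `strict`, an event carrying a field outside the schema is rejected by the indexer and the alert is lost; with `false`, the event is stored, the unknown field is kept in `_source`, and only the mapped fields are searchable. The raised `index.mapping.total_fields.limit` is needed because the full ECS field set exceeds the OpenSearch default of 1000 mapped fields, which is what the "Increase mappings limit" change in the commit addresses.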